Opengl, passwords, crypt, vpn and docs


Eva Star

Jun 27, 2016, 9:18:28 PM
to qubes-users
1) The VPN doc says in the first part that I need to add "network-manager" and enable it. In the second part it's without "network-manager". When / in what situations do I need to enable it?

2) In the second part of the VPN doc, how exactly must the DNS line in vpnclient.config be written?

vpn_dns '1.2.3.4.5 2.3.4.5.6' 

Is it the correct line?

3) I'm worried about HDD encryption by cryptsetup. Is it strong by default? We can not choose ALGs at the installer...
3.1) How can I change the password for my LUKS drive? Maybe there is a docs page about that?
3.2) How can I re-encrypt the full disk with an ALG? What ALG is used by default?
3.3) How can I increase the number of iterations used to compute the password hash?
3.4.0) Is it possible to install other crypto software in dom0 and make a container to store VMs on it (layer 2 for some VMs)? Will QM work when VMs are not accessible before the container is mounted manually by the user?
3.4.1) Why do we have the option to start VMs with a mounted ISO from other VMs (--cdrom=VMNAME:/path/to/some.iso), but we cannot start a raw image the same way? (qvm-start somevm --image=othervm:/path/to/raw/image.img)

Maybe with such options it would be possible to have some CryptoVM with some super-private images and encrypt them in the VM? I'm talking about some easy way to add a layer 2 of encryption to some VMs without additional software in dom0.

4) OpenGL PV - Does Xen have some graphics acceleration? As I remember, I read somewhere that Marek wrote that it does, but the Qubes Team made the decision to switch it off because it expands the attack vector. But why not give users the possibility to enable it for some VMs? Maybe for VMs without network (multimedia VMs).

5) "Files" doesn't start every time I click the shortcut to start it :-/ Sometimes it starts only after 3 clicks.

Andrew David Wong

Jun 28, 2016, 8:43:53 AM
to Eva Star, qubes-users

On 2016-06-27 18:18, Eva Star wrote:
> 3) I'm worried about HDD encryption by cryptsetup. Is it strong by
> default? We can not choose ALGs at the installer...

It uses cryptsetup (LUKS/dm-crypt) under the hood. You can configure
the settings manually from the command line by following the
instructions here:

https://www.qubes-os.org/doc/encryption-config/

> 3.1) How can I change the password for my LUKS drive? Maybe there is a
> docs page about that? 3.2) How can I re-encrypt the full disk with an
> ALG? What ALG is used by default? 3.3) How can I increase the number
> of iterations used to compute the password hash?

All three of these questions are answered (or should be answered) by
the cryptsetup man page and/or FAQ:

http://linux.die.net/man/8/cryptsetup
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions

> 3.4.0) Is it possible to install other crypto software in dom0 and
> make a container to store VMs on it (layer 2 for some VMs)? Will QM
> work when VMs are not accessible before the container is mounted
> manually by the user?

This sounds like it falls under the "per-VM encryption" idea that has
been discussed extensively on these lists over the years. See this
issue, for example:

https://github.com/QubesOS/qubes-issues/issues/1293

> 5) "Files" not start every time when I click on shortcut to start
> it :-/ Time to time only after 3 clicks it starts.

Is it this?

https://github.com/QubesOS/qubes-issues/issues/2085

If so, looks like the fix is already in the testing repo.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
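As an added illustration for questions 3.1 through 3.3 (this is not from the Qubes docs or the cryptsetup project, and the header dump below is constructed, not from any real device): the same facts the man page describes can be checked on a running system by reading the LUKS header. The script parses `cryptsetup luksDump` output to report the cipher, hash and key size, lists the PBKDF2 iteration count stored in every enabled key slot, and flags slots under a minimum you choose (the 100000 default here is the example's own policy, not a cryptsetup constant). The last function shows the real command for re-deriving one slot's passphrase with a longer `--iter-time`, which is how the stored iteration count is raised for LUKS1 headers.

```shell
#!/bin/sh
# Added example for this thread (not from the Qubes docs or the cryptsetup
# project): inspect a LUKS1 header as printed by `cryptsetup luksDump`.
# SAMPLE_DUMP is CONSTRUCTED for the example; every value is made up.
SAMPLE_DUMP='LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK iterations:  62500
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             250000
        Salt:                   00 11 22 33
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             4000
        Salt:                   44 55 66 77
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# luks_field LABEL (dump on stdin): value of a header line such as
# "Cipher name", "Cipher mode", "Hash spec" or "MK bits".
luks_field() {
    awk -v label="$1:" 'index($0, label) == 1 {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# luks_enabled_slots (dump on stdin): "SLOT ITERATIONS" for each ENABLED
# slot. Disabled slots print no Iterations line, so they are skipped.
luks_enabled_slots() {
    awk '/^Key Slot [0-9]+:/ { slot = $3; sub(/:/, "", slot); next }
         /^[ \t]*Iterations:/ && slot != "" { print slot, $2 }'
}

# luks_weak_slots MIN (dump on stdin): enabled slots whose PBKDF2 count is
# below MIN. MIN is the caller's policy, not a value cryptsetup defines.
luks_weak_slots() {
    luks_enabled_slots | awk -v min="$1" '$2 + 0 < min + 0 { print $1, $2 }'
}

# luks_audit DEVICE [MIN]: run the real luksDump (needs root) and summarise.
# Returns 2 when at least one enabled slot is below MIN.
luks_audit() {
    dev="$1"; min="${2:-100000}"
    dump=$(cryptsetup luksDump "$dev") || return 1
    printf 'cipher: %s-%s  hash: %s  key bits: %s\n' \
        "$(printf '%s\n' "$dump" | luks_field 'Cipher name')" \
        "$(printf '%s\n' "$dump" | luks_field 'Cipher mode')" \
        "$(printf '%s\n' "$dump" | luks_field 'Hash spec')" \
        "$(printf '%s\n' "$dump" | luks_field 'MK bits')"
    printf '%s\n' "$dump" | luks_enabled_slots | sed 's/^/slot iterations: /'
    weak=$(printf '%s\n' "$dump" | luks_weak_slots "$min")
    [ -z "$weak" ] || { printf 'below %s iterations:\n%s\n' "$min" "$weak"; return 2; }
}

# luks_strengthen_slot DEVICE SLOT [MS]: change the passphrase of one slot
# and re-derive it with a longer PBKDF2 benchmark time (--iter-time, in
# milliseconds), which raises the iteration count stored for that slot.
# Prompts for the old and the new passphrase; needs root.
luks_strengthen_slot() {
    cryptsetup luksChangeKey --key-slot "$2" --iter-time "${3:-5000}" "$1"
}
```

Run `luks_audit /dev/sdX2` from a root shell in dom0 to see the current settings; the parsing functions can also be fed a saved dump on stdin, which is how the sample above is exercised. A slot re-derived with a longer `--iter-time` only slows down passphrase unlocking for that slot, it does not change the cipher or the master key, so it is the cheap part of question 3.3; changing the cipher itself is the re-encryption case the FAQ covers.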

Chris Laprise

Jun 28, 2016, 9:57:14 AM
to Eva Star, qubes-users
On 06/27/2016 09:18 PM, Eva Star wrote:
> 1) The VPN doc says in the first part that I need to add "network-manager"
> and enable it. In the second part it's without "network-manager".
> When / in what situations do I need to enable it?

When using a proxy vm to run the vpn client, you can either enable
network manager or you can set up the client (e.g. openvpn, etc.)
manually in the CLI. So the CLI method with scripts doesn't require
enabling network manager in the proxy vm.

>
> 2) In the second part of the VPN doc, how exactly must the DNS line in
> vpnclient.config be written?
>
> vpn_dns '1.2.3.4.5 2.3.4.5.6'
>
> Is it the correct line?

The complete correct line would be:
setenv vpn_dns '1.2.3.4.5 2.3.4.5.6'


Chris

Eva Star

Jun 28, 2016, 10:52:32 PM
to qubes-users, evado...@gmail.com
> This sounds like it falls under the "per-VM encryption" idea that has
> been discussed extensively on these lists over the years. See this
> issue, for example:
>
> https://github.com/QubesOS/qubes-issues/issues/1293


No, it's not like what is discussed at the link. I'm talking about using other software to create such container(s) for some VMs, because this will reduce the attack vector in situations where cryptsetup is compromised. In such situations other software on layer 2 will help!
Maybe yes, it can be "per VM", but somehow it must use some software for these operations.

 

Eva Star

Jul 3, 2016, 7:47:10 AM
to qubes-users
Please, somebody who can, add the information to qubes-issues that we need to use other software than cryptsetup to encrypt AppVM containers (for layer 2).

Andrew David Wong

Jul 3, 2016, 11:32:49 AM
to Eva Star, qubes-users

Sorry, but we need more information before this would make a suitable
issue. Please clarify the proposed feature. What is the threat model?
What is the benefit? What does "layer 2" mean in this context?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
