Formatting and Permissions for internal HDDs
114 views
Skip to first unread message
Gaijin
Nov 27, 2017, 12:22:51 AM11/27/17
to Qubes Users
In R3.2 I have some additional internal hard drives in my PC. I wanted
to format them to be encrypted so that they will match the disk
encryption of my main Qubes disk install, and so that I won't have to
enter the disk password every time I access the drives or attach them to
a VM. I have not been able to figure this out. Is this possible?
My other issue is that whether I encrypt the drive partitions with LUKS
or just make a ext4 partition, I can't access the drives after creating
them because they're assigned ownership to the root account. Normal
Qubes use is thru the dom0 account or the user account on the VMs, not
root. What would be a good permissions setting to allow dom0 or a VM
access the hard drives?
to format them to be encrypted so that they will match the disk
encryption of my main Qubes disk install, and so that I won't have to
enter the disk password every time I access the drives or attach them to
a VM. I have not been able to figure this out. Is this possible?
My other issue is that whether I encrypt the drive partitions with LUKS
or just make a ext4 partition, I can't access the drives after creating
them because they're assigned ownership to the root account. Normal
Qubes use is thru the dom0 account or the user account on the VMs, not
root. What would be a good permissions setting to allow dom0 or a VM
access the hard drives?
awokd
Nov 27, 2017, 5:26:22 AM11/27/17
to Gaijin, Qubes Users
On Mon, November 27, 2017 05:22, Gaijin wrote:
> In R3.2 I have some additional internal hard drives in my PC. I wanted
> to format them to be encrypted so that they will match the disk
> encryption of my main Qubes disk install, and so that I won't have to
> enter the disk password every time I access the drives or attach them to
> a VM. I have not been able to figure this out. Is this possible?
Yes, give them the exact same password as your primary and mount them by
> In R3.2 I have some additional internal hard drives in my PC. I wanted
> to format them to be encrypted so that they will match the disk
> encryption of my main Qubes disk install, and so that I won't have to
> enter the disk password every time I access the drives or attach them to
> a VM. I have not been able to figure this out. Is this possible?
UUID in both /etc/crypttab and /etc/fstab.
> My other issue is that whether I encrypt the drive partitions with LUKS
> or just make a ext4 partition, I can't access the drives after creating
> them because they're assigned ownership to the root account. Normal
> Qubes use is thru the dom0 account or the user account on the VMs, not
> root. What would be a good permissions setting to allow dom0 or a VM
> access the hard drives?
Don't remember having to do anything special with permissions, but review
the ones set on /var/lib/qubes if needed. Also see
https://www.qubes-os.org/doc/secondary-storage/ .
Gaijin
Nov 30, 2017, 10:58:58 PM11/30/17
to awokd, Qubes Users
On 2017-11-27 10:26, awokd wrote:
> On Mon, November 27, 2017 05:22, Gaijin wrote:
>> In R3.2 I have some additional internal hard drives in my PC. I wanted
>> to format them to be encrypted so that they will match the disk
>> encryption of my main Qubes disk install, and so that I won't have to
>> enter the disk password every time I access the drives or attach them to
>> a VM. I have not been able to figure this out. Is this possible?
>
> Yes, give them the exact same password as your primary and mount them by
> UUID in both /etc/crypttab and /etc/fstab.
Following your recommendation I tried encrypting the drive and having it
> On Mon, November 27, 2017 05:22, Gaijin wrote:
>> In R3.2 I have some additional internal hard drives in my PC. I wanted
>> to format them to be encrypted so that they will match the disk
>> encryption of my main Qubes disk install, and so that I won't have to
>> enter the disk password every time I access the drives or attach them to
>> a VM. I have not been able to figure this out. Is this possible?
>
> Yes, give them the exact same password as your primary and mount them by
> UUID in both /etc/crypttab and /etc/fstab.
mount in dom0 on boot. That works remembering the password, but it's not
optimal for all drives. That's fine for my backups drive, but I have
another data drive that I want to mount to different AppVMs. Mounting
that to dom0 on boot isn't a good idea. If I unmount an encrypted drive
from dom0 and attach it to an AppVM, I still need to enter the disk
decryption password from the AppVM to access the drive. This is a drive
I wanted to use between several AppVMs. Would I need to setup an
/etc/fstab in each AppVM for this?
>> My other issue is that whether I encrypt the drive partitions with LUKS
>> or just make a ext4 partition, I can't access the drives after creating
>> them because they're assigned ownership to the root account. Normal
>> Qubes use is thru the dom0 account or the user account on the VMs, not
>> root. What would be a good permissions setting to allow dom0 or a VM
>> access the hard drives?
>
> I think if you mount them as part of boot you will have less trouble.
> Don't remember having to do anything special with permissions, but review
> the ones set on /var/lib/qubes if needed. Also see
> https://www.qubes-os.org/doc/secondary-storage/ .
drive at boot. I have this issue on 2 different machines running R3.2.
These are new, blank HDDs that dom0 recognizes when I boot up. They're
set with rw for the Owner root and in the root Group, which only has r,
Others are r as well. Should I be chown-ing these from the AppVMs so
that the User account there can manipulate them? I'm a bit new to *nix
disk permissions...
awokd
Dec 1, 2017, 5:52:45 AM12/1/17
to Gaijin, Qubes Users
On Fri, December 1, 2017 03:58, Gaijin wrote:
> On 2017-11-27 10:26, awokd wrote:
>> On Mon, November 27, 2017 05:22, Gaijin wrote:
>
> Following your recommendation I tried encrypting the drive and having it
> mount in dom0 on boot. That works remembering the password, but it's not
> optimal for all drives. That's fine for my backups drive, but I have
> another data drive that I want to mount to different AppVMs. Mounting
> that to dom0 on boot isn't a good idea. If I unmount an encrypted drive
> from dom0 and attach it to an AppVM, I still need to enter the disk
> decryption password from the AppVM to access the drive. This is a drive
> I wanted to use between several AppVMs. Would I need to setup an
> /etc/fstab in each AppVM for this?
Generally speaking, if something is hard to do in Qubes that means you are
> On 2017-11-27 10:26, awokd wrote:
>> On Mon, November 27, 2017 05:22, Gaijin wrote:
>
> Following your recommendation I tried encrypting the drive and having it
> mount in dom0 on boot. That works remembering the password, but it's not
> optimal for all drives. That's fine for my backups drive, but I have
> another data drive that I want to mount to different AppVMs. Mounting
> that to dom0 on boot isn't a good idea. If I unmount an encrypted drive
> from dom0 and attach it to an AppVM, I still need to enter the disk
> decryption password from the AppVM to access the drive. This is a drive
> I wanted to use between several AppVMs. Would I need to setup an
> /etc/fstab in each AppVM for this?
using it wrong! Accessing the same data drive from different AppVMs or
dom0 breaks their isolation. Consider always mounting the data drive in
one VM and using qvm-copy/move-to-vm to move data files between AppVMs.
Can't think of a secure way to mount that automatically.
>>> My other issue is that whether I encrypt the drive partitions with LUKS
>>> or just make a ext4 partition, I can't access the drives after creating
>>> them because they're assigned ownership to the root account. Normal
>>> Qubes use is thru the dom0 account or the user account on the VMs, not
>>> root. What would be a good permissions setting to allow dom0 or a VM
>>> access the hard drives?
>>
>> I think if you mount them as part of boot you will have less trouble.
>> Don't remember having to do anything special with permissions, but
>> review
>> the ones set on /var/lib/qubes if needed. Also see
>> https://www.qubes-os.org/doc/secondary-storage/ .
>
> That permissions issue is still there even if I mount the encrypted
> drive at boot. I have this issue on 2 different machines running R3.2.
> These are new, blank HDDs that dom0 recognizes when I boot up. They're
> set with rw for the Owner root and in the root Group, which only has r,
> Others are r as well. Should I be chown-ing these from the AppVMs so
> that the User account there can manipulate them? I'm a bit new to *nix
> disk permissions...
changing your group owner to match, and review
https://www.qubes-os.org/doc/secondary-storage/ again.
From what I can tell of your scenario, I'd:
1. Mount encrypted data drive on boot
2. Start "data" appvm that lives in this encrypted drive per the secondary
storage article
3. Use qvm-move/copy commands to share data between AppVMs
Reply all
Reply to author
Forward
0 new messages