Suggestions for running media server?


Anon

Sep 2, 2016, 5:34:00 PM
to qubes...@googlegroups.com
I'm looking for some suggestions for running a "maximally-secure" media
server that will access an encrypted USB hard drive for its storage. It
can and probably should be read-only to the media-server software.

A few possibilities I can think of listed from assumed lowest security
to highest security:

1) run the media server in the sys-usb VM.
2) stop sys-usb VM and run another VM that doesn't start on boot but has
access to all the USB devices and is run manually after boot
3) run another VM that only has one "locked down" dedicated USB device
and remove that device from sys-usb VM permanently
4) run another VM that accesses the storage through sys-usb (I am
unfamiliar with this, but assume it's possible)

The media-server software will be non-proprietary (DLNA compliant) and open.

All thoughts are welcome, including those that say "don't do it." If
there's something else I should be reading instead, please let me know.

Thanks.

Connor Page

Sep 2, 2016, 6:20:03 PM
to qubes-users
No. 4 makes sense. sys-usb shouldn't know the encryption keys. encrypted block device can be attached to a server vm where it would be appropriately decrypted and mounted, possibly from dom0 via qvm-run (you can start a vm, attach storage, decrypt and mount it by a short script using qvm-* command line tools). server software should be run as a different user that can't login or use sudo. enabling services is a bit tricky in template-based vms, so the easiest solution is to create a small template with just the bare necessities for the server software, enable the service in it and then use it just for one server vm.
I would suggest attaching that server vm to a separate firewall vm. that way allowing incoming traffic in iptables should be both easier and more secure. firewall rules are created in different scripts in proxyvm vs netvm and appvm. follow Qubes documentation and don't forget to make scripts executable :)
although I used to run file and web servers on a Qubes PC I now tend to think that Qubes is meant to protect clients, not servers.

P.S. Qubes networking uses NAT so LAN won't actually see any broadcast messages from the server unless it runs in a netvm.

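The short dom0 script described in the reply above (start the VM, attach the encrypted disk, decrypt and mount it), written out as an added example that is not part of the thread. The VM, device, mount point and unit names are assumptions, the `qvm-*` syntax is that of Qubes 4.x, and by default it only prints the commands (set `DRY_RUN=0` in dom0 to run them).

```shell
#!/bin/bash
# Added example for dom0. Every name below is an assumption, not from the thread.
SERVER_VM="${SERVER_VM:-media-server}"   # hypothetical server VM
USB_VM="${USB_VM:-sys-usb}"              # VM that owns the USB controller
USB_DEV="${USB_DEV:-sda}"                # disk as listed by `qvm-block`
VM_DEV="${VM_DEV:-/dev/xvdi}"            # assumed device node inside SERVER_VM
MAPPER="${MAPPER:-media}"
MOUNTPOINT="${MOUNTPOINT:-/srv/media}"
SERVICE="${SERVICE:-minidlna.service}"   # hypothetical unit; its User= should be a no-login account
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the plan, 0 = execute it

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read the passphrase in dom0 without echo and pipe it to cryptsetup in the
# server VM, so sys-usb only ever handles ciphertext and never the key.
unlock() {
    pass=""
    [ "$DRY_RUN" = 1 ] || { read -rsp "LUKS passphrase: " pass; echo; }
    printf '%s\n' "$pass" | run qvm-run -p -u root "$SERVER_VM" \
        "cryptsetup open --readonly --type luks $VM_DEV $MAPPER"
}

bring_up() {
    run qvm-start --skip-if-running "$SERVER_VM" &&
    # Qubes 4.x syntax; 3.x releases wrote this as `qvm-block -a`.
    run qvm-block attach --ro "$SERVER_VM" "$USB_VM:$USB_DEV" &&
    unlock &&
    # Read-only at every layer: block attach, dm-crypt mapping and mount.
    run qvm-run -p -u root "$SERVER_VM" \
        "mkdir -p $MOUNTPOINT && mount -o ro,nosuid,nodev,noexec /dev/mapper/$MAPPER $MOUNTPOINT" &&
    run qvm-run -p -u root "$SERVER_VM" "systemctl start $SERVICE"
}

bring_up
```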