How to share data between 2 Qubes installations via USB in a sensible way?


David Hobach

Jun 17, 2016, 12:52:21 PM
to qubes-users
Dear users,

I wonder whether there's any sensible (= relatively secure) way of
sharing data between 2 Qubes installations via a single USB pen drive or
hard disk?

What are you using or do you have any thoughts?

Of course I assume that both installations have multiple VMs for which
you want to share data (i.e. Qubes_A has VM_1, VM_2, VM_3, ... and
Qubes_B has VM_1*, VM_2*, VM_3* and you want to share data as follows:
VM_1 -> VM_1*, VM_2 -> VM_2* and so on). The single VM solution is
obviously directly supported by Qubes.

I also consider having one USB drive per VM not practical.

Kind Regards
David

------------------------------------------------------------------

My proposal:

0. for each client VM you'll need a subfolder on that USB drive with a
dmcrypt container inside
1. Attach the USB drive to some usbshare VM ("server" VM) & mount it there
2. Run a ssh server in the usbshare VM, accessible for all client VMs
3. in your client VMs use e.g. sshfs to access the respective dmcrypt
container and decrypt it using a key local to the respective client VM

Mitigated attacks:
- USB driver attacks would be executed in the usbshare VM which doesn't
have access to any sensible data (all encrypted) --> USB drive does not
need to be trusted
- no VM can access another one's data without successfully compromising
the other VM or breaking the dmcrypt crypto
- other OSes cannot read the data and cannot modify it without being
noticed (integrity needs to be checked by the deployed crypto algorithms)

Possible attacks:
- ssh exploits (clients can try to attack the usbshare VM, the usbshare
VM might try to attack the client VMs via ssh vulnerabilities)


Feedback welcome!

Franz

Jun 17, 2016, 3:32:45 PM
to David Hobach, qubes-users
Probably I did understand what you are trying to achieve, but when I had to copy data between two Qubes installations, I made a backup of the first installation on a NAS and restored it on the second installation, changing the name of conflicting VMs before restore. Everything really easy and fast.

Andrew David Wong

Jun 18, 2016, 1:48:59 AM
to Franz, David Hobach, qubes-users

On 2016-06-17 12:32, Franz wrote:
> On Fri, Jun 17, 2016 at 1:52 PM, David Hobach
> <tri...@hackingthe.net> wrote:
>
>> Dear users,
>>
>> I wonder whether there's any sensible (= relatively secure) way
>> of sharing data between 2 Qubes installations via a single USB
>> pen drive or hard disk?
>>
>> What are you using or do you have any thoughts?
>>
>> [...]
>>
> Probably I did understand what you are trying to achieve, but
> when I had to copy data between two Qubes installations made a
> backup of the first installation on a NAS and restored it on the
> second installation, changing the name of conflicting VMs before
> restore. Everything really easy and fast.
>

This is the method I personally use. It's essentially a system
"migration" as described here:

https://www.qubes-os.org/doc/backup-restore/#tocAnchor-1-1-4

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

David Hobach

Jun 19, 2016, 5:25:29 AM
to Andrew David Wong, Franz, qubes-users
>>> I wonder whether there's any sensible (= relatively secure) way
>>> of sharing data between 2 Qubes installations via a single USB
>>> pen drive or hard disk?
>>>
>>> What are you using or do you have any thoughts?
>>>
>>> [...]
>>>
>> Probably I did understand what you are trying to achieve, but
>> when I had to copy data between two Qubes installations made a
>> backup of the first installation on a NAS and restored it on the
>> second installation, changing the name of conflicting VMs before
>> restore. Everything really easy and fast.
>>
>
> This is the method I personally use. It's essentially a system
> "migration" as described here:
>
> https://www.qubes-os.org/doc/backup-restore/#tocAnchor-1-1-4

That's indeed a good solution for rare accesses - especially from a
security point of view (From what I see the USB drive does not need to
be trusted as it can be mounted in some untrusted AppVM and the
encryption is done in dom0.).

I'm just not so sure if it's good for day-to-day use wrt to speed. So if
I want to modify one file on my USB drive, I have to restore the entire
backup (maybe 10GB or so), edit the file and then do a backup again? So
it would take 15min to edit a single file I guess?

Ideally I'd like to plug the USB drive in my machine and see the files
dedicated for VM_A inside that VM immediately (same for the other VMs).
Then I'd edit, maybe umount and then unplug the USB drive again.

Maybe I'm a little picky about speed, but I know that once users have to
use secure solutions that are slow, they'll go for totally insecure ones
that are fast. So I prefer to see people going to pretty secure ones
that are fast.

Thanks for the suggestion though - I hadn't considered it so far as I'm
not using the original Qubes backup solution (once again for speed
reasons - and yes, it adds 1-2 potential attack vectors).

Chris Laprise

Jun 19, 2016, 7:12:28 AM
to David Hobach, Andrew David Wong, Franz, qubes-users
Try this automount solution -
https://groups.google.com/d/msgid/qubes-users/20160607202924.GD1593%40mail-itl

If you are sharing between two similar vms (even if they're on different
systems) you can format the volume in vm with LUKS and specify a keyfile
in each vm using crypttab. No need to have dom0 format or decrypt the
volume.

Chris

David Hobach

Jun 27, 2016, 1:22:26 PM
to qubes-users
On 06/19/2016 01:12 PM, Chris Laprise wrote:
>
>
> On 06/19/2016 05:25 AM, David Hobach wrote:
>>>>> I wonder whether there's any sensible (= relatively secure) way
>>>>> of sharing data between 2 Qubes installations via a single USB
>>>>> pen drive or hard disk?
>>>>>
>>>>> What are you using or do you have any thoughts?
>>>>>
>>>>> [...]
>>>>>

I think I identified the probably optimal solution: In short you can use
some less known qvm-block tricks to mount files from one VM to another
and thus force all FS & USB attacks to happen inside your USB VM.

In long:

Run a service in dom0:
1. Every 3s check whether a specific USB drive was attached to the USB
VM (vendor & product ID match); if yes:
2. Mount it and iterate over the folders found there (--> USB driver &
filesystem parsing attacks only affect the usb VM)
3. If a folder found there matches a name of a list of VMs defined in
the script and that VM is started, mount the luks file in the folder to
that VM using qvm-block (qvm-block can mount files from one VM to
another), if it's not already mounted.
4. Each of these luks files can only be decrypted by the respective VM
via a key file that only that VM has. From dom0 we can locate that file
and do the necessary decrypt & mount operations as well. The service
should also provide a state in dom0 for other services to indicate for
which VMs it is currently active and can be active.

So assuming qvm-block is reasonably secure, only attacking the luks
implementation would still work to compromise VMs, but that's pretty
much it from my point of view. Plus the attacker might have to destroy
data he'd like to extract in order to get the attack done.
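
The matching in step 3 of the post above has dom0 acting on folder names reported by the untrusted USB VM. The following is an added example, not the qusbService script attached later in the thread: it sketches that decision step with strict validation of those names. The VM names, the allow-list and the sample listing are constructed, and the actual qvm-block attach call is left out.

```bash
#!/bin/bash
# Hypothetical allow-list of client VMs, fixed in dom0 (never read from the drive).
ALLOWED_VMS="work personal banking"

# plan_attach RUNNING ATTACHED
#   stdin:    folder names reported by the USB VM, one per line (untrusted input)
#   RUNNING:  space-separated names of VMs that are currently started
#   ATTACHED: space-separated names of VMs that already have their container
#   stdout:   one line per VM whose container should be attached now
plan_attach() {
    local running=" $1 " attached=" $2 " allowed=" $ALLOWED_VMS " seen=" " name
    while IFS= read -r name; do
        # Accept only plain VM-style names; drop paths, option-like strings,
        # whitespace and shell metacharacters before any further use.
        case "$name" in
            ""|-*|*[!A-Za-z0-9_-]*) continue ;;
        esac
        case "$allowed"  in *" $name "*) ;; *) continue ;; esac   # on the dom0 list
        case "$running"  in *" $name "*) ;; *) continue ;; esac   # VM is started
        case "$attached" in *" $name "*) continue ;; esac         # not yet attached
        case "$seen"     in *" $name "*) continue ;; esac         # ignore duplicates
        seen="$seen$name "
        printf '%s\n' "$name"
    done
}

# Constructed sample of what a misbehaving USB VM might report.
sample_listing() {
    printf '%s\n' 'work' 'banking' '../dom0' '-A' 'personal; reboot' \
                  'unknownvm' 'work' 'personal'
}

# "work" and "personal" are running; "personal" already has its container.
demo() {
    sample_listing | plan_attach "work personal" "personal"
}
```

Only names that survive every check would be handed on to the attach step; everything else the USB VM reports is ignored rather than sanitised.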

David Hobach

Sep 4, 2016, 5:09:26 AM
to qubes-users
Attached a sample implementation for anyone interested.

Use it at your own risk!

Kind Regards
David
qusbService
qusbService_default.conf

Drew White

Sep 4, 2016, 8:55:06 PM
to qubes-users, tri...@hackingthe.net
How about you just have 1 USB device that you keep secure?

I have a 128GB device that I ONLY use for Qubes, and is completely secure and safe.

Why go to all the trouble of having things set up so weirdly?

I have all USB devices go immediately to dom0.

They don't auto-play, they don't auto-mount, they don't do anything like that. So I'm safe.

If I have a device that I want to attach to a VM, then I attach it to that VM. Simple.

But I NEVER attach my Qubes drive to anything, UNLESS I really really have to..

And in that case...

I create a VM with no networking, get the data off, transfer from the drive through the secure virtual to another VM that has networking, then use that to send the data to the network.

All while the drive is being used by Qubes for VMs.

It's safe, and reliable the way it can be done. But only if you have your system secured and safe. (without having the need for a separate USB Guest to have everything attached to when it gets attached to the PC.)

David Hobach

Sep 5, 2016, 6:33:22 AM
to Drew White, qubes-users
Yes, but can you attach data from a single drive to multiple VMs
automatically? I guess no?

But that's what this was all about...
In short: I like to plug in my USB drive and have all the data I need
from that drive in all VMs in a matter of seconds (& in a secure way).

So I guess there was a misunderstanding.

Other than that I mostly agree with your Opsec standards.

At best I also wouldn't need to keep that drive secure, but since
there's hardware attacks around I better do it anyway.

Salmiakki

Sep 5, 2016, 2:56:51 PM
to qubes-users, tri...@hackingthe.net
On Monday, June 27, 2016 at 7:22:26 PM UTC+2, David Hobach wrote:

> (qvm-block can mount files from one VM to
> another)

If this is true, why is it not a massive security issue?

Drew White

Sep 5, 2016, 11:36:26 PM
to qubes-users, drew....@gmail.com, tri...@hackingthe.net
On Monday, 5 September 2016 20:33:22 UTC+10, David Hobach wrote:
> Yes, but can you attach data from a single drive to multiple VMs
> automatically? I guess no?

Yes you can, it is scriptable.

> But that's what this was all about...
> In short: I like to plug in my USB drive and have all the data I need
> from that drive in all VMs in a matter of seconds (& in a secure way).
>
> So I guess there was a misunderstanding.
>
> Other than that I mostly agree with your Opsec standards.
>
> At best I also wouldn't need to keep that drive secure, but since
> there's hardware attacks around I better do it anyway.

The real issue is that with Qubes, it doesn't write back immediately when the device is attached, nor does it update very well.

I can mount my drive under a VM, but Dom0 won't see the changes I made in DomU until I unmount and allow the changes to be written, then unmount from Dom0, then remount in Dom0.
