Unman,
I was just making sure I wasn't missing something or there wasn't a better way. Anyways, I can't set this up in a DispVM because you cannot PCI passthrough to a VM while it is running(?)
Very Respectfully,
Sam Hentschel
That has definitely cleared up some of my misinformation. Certainly it would be safer to do it file by file, and I could use qvm-copy to move it back and forth to vault and back. However, I still need to be able to open the drives in the first place before I can even do that. So I think using qvm-block to attach the device to an encryption VM (specifically for decrypting drives) and then passing the files to and from vault before detaching should suffice.
What are your thoughts on this solution? I believe this should only keep ciphertext on sys-usb, the unencrypted stuff on the encryption VM (which would be disconnected from the network) and files would be safely moved to and from vault via qvm-move-to-vm.
This seems about the same conclusion I came to in my reply to Jean-Philippe. Using qvm-block -a to attach it to an encryption or DispVM that would touch the plaintext and then copy to and from the vault.
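The workflow described in these replies, written out as an added example that is not part of the thread and not Qubes' own tooling: a dom0 script that attaches the drive to the decrypting VM with qvm-block, opens the LUKS container inside that VM, copies the plaintext over to vault, and detaches. The VM names crypt-vm and vault, the device id sys-usb:sda1, and the /dev/xvdi frontend name are assumptions; the refusal to proceed when the decrypting VM has a NetVM, the read-only attach, and the device-id validation are defensive checks added here, not something the posters described.

```bash
#!/bin/sh
# Constructed dom0 example: decrypt a LUKS USB drive inside an offline VM,
# hand the plaintext to vault, then detach the block device.
# Assumptions: VMs "crypt-vm" and "vault" exist, the drive shows up as
# sys-usb:sda1 in `qvm-block list`, and it is exposed as /dev/xvdi in the VM.
set -eu

# DRY_RUN=1 (default) prints the dom0 commands; set DRY_RUN=0 in dom0 to execute.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A netvm of "None" (or empty) means the VM has no network path.
is_offline_netvm() {
    case "$1" in
        ""|None|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only BACKEND:DEVICE forms such as sys-usb:sda1, so a typo or a
# pasted string cannot turn into a different device or a shell fragment.
valid_device_id() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+$'
}

decrypt_to_vault() {
    crypt_vm="$1"; device="$2"; dest_vm="$3"

    valid_device_id "$device" || { echo "bad device id: $device" >&2; return 1; }

    # Refuse to put plaintext in a VM that can reach the network.
    # (Skipped in dry-run mode because qvm-prefs is not available off dom0.)
    if [ "$DRY_RUN" != "1" ]; then
        is_offline_netvm "$(qvm-prefs "$crypt_vm" netvm)" \
            || { echo "$crypt_vm is networked; refusing" >&2; return 1; }
    fi

    # Read-only attach: the decrypting VM can read the ciphertext but not
    # modify what is on the stick.
    run qvm-block attach --ro "$crypt_vm" "$device"

    # Inside the VM: open the container read-only, mount it, push the tree
    # to vault, then unmount and close before the device is detached.
    run qvm-run -p -u root "$crypt_vm" \
        "cryptsetup open --readonly /dev/xvdi usbcrypt && mkdir -p /mnt/usbcrypt && mount -o ro /dev/mapper/usbcrypt /mnt/usbcrypt && qvm-copy-to-vm $dest_vm /mnt/usbcrypt; umount /mnt/usbcrypt; cryptsetup close usbcrypt"

    run qvm-block detach "$crypt_vm" "$device"
}

# Example invocation (prints the command sequence unless DRY_RUN=0).
decrypt_to_vault crypt-vm sys-usb:sda1 vault
```

Run it once with the default DRY_RUN=1 to see the exact qvm-block and qvm-run lines before letting it touch a real device; the in-VM command string uses `;` after the copy so the container is unmounted and closed even if qvm-copy-to-vm fails.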