lending of files


john.davi...@openmailbox.org

Jul 22, 2016, 8:03:59 PM
to qubes...@googlegroups.com
hi.
i have the following setup:
* an external drive holds some truecrypt containers.
* i attach this drive to sys-usb
* i attach the block device to a data vm. this vm decrypts the
container, but never uses any of it.
* i use the data per open in vm or copying it to an appvm that needs
it.

this has the following implications:
* sys-usb: can't read the data, but could only destroy it (i can't do
anything about this)
* data-vm: knows the secret and can access any files. it is trusted,
since it only decrypts and passes the data to other vms.
* appvm: it only gets the data it is given the right to access (it can
modify data if open in vm is used)

this works well except for some cases:
a) i want to use a big file in some vm, but don't want the vm to change
it. -> i have to use copy to vm, which takes time
b) i want to use a folder in some vm and change the data (e.g. a set of
files i have to modify at the same time (latex etc.)). -> i need to
copy the data to the appvm, edit it, copy it back and copy it onto the
encrypted device
c) i want to use multiple files, but don't change them (e.g. i want to
hear music, so i have to copy the folder of audio files to a vm)

to solve this some mechanism of "lending" a file/folder would be nice
(with the option to make the files read only).
this would stop unnecessary copying and increase the usability of such a
setup.

1) is there already such a feature? (or is something like this
planned?)
2) if not: would you consider implementing such a feature?

a possible way of implementing it would be to dynamically create some
virtual block device (containing one or multiple files or folders,
possibly read only), expose them to dom0 and use the current qubes
manager to attach them to a vm.
all of this wrapped in a convenient script used in the data-vm.
3) is my idea for implementation already possible using some existing
linux tools?

-john

David Hobach

Jul 24, 2016, 7:41:52 AM
to john.davi...@openmailbox.org, qubes...@googlegroups.com

> a possible way of implementing it would be to dynamically create some
> virtual block device (containing one or multiple files or folders,
> possibly read only), expose them to dom0 and use the current qubes
> manager to attach them to a vm.

You can mount files from one VM to another using qvm-block, i.e. that's
implemented. Just not via GUI.

Similar:
https://groups.google.com/forum/#!topic/qubes-users/RgXwqnpnADw
