What does Qubes backup save?


Anil Eklavya

Jul 28, 2019, 10:34:11 AM
to qubes-users
Can someone clarify exactly what Qubes Backup saves and restores? To me this is important because I am fairly sure my Qubes installation has been compromised, if not at dom0, then certainly for some VMs, including sys-net (which includes sys-usb). The most probable reason is an Evil Maid attack, as I found one screw on my laptop missing which was there earlier. I know this attack could be accomplished even without opening the laptop up, but someone might have tampered with the laptop and may also have used the USB.

In such a case, if I backup and restore to a new installation, will the VMs still be compromised because they will be restored completely, or will they be fresh in the sense that only my data will be restored, along with a few basics like the specification of VM?

Will it be preferable to use something like rsync for taking separate backups of the data on VMs?

awokd

Jul 28, 2019, 3:03:40 PM
to qubes...@googlegroups.com
Anil Eklavya:
To my knowledge, Qubes Backup backs up root and private volumes of
selected VMs, their definitions from qubes.xml, their templates, and
dom0 ~/*. If I suspected compromise though (are you sure the screw
wasn't just stripped and fell out somewhere?), I wouldn't trust backups
made from it either. Restoring AppVMs to a new machine from backups made
prior to compromise would be safest if you know exactly when it
happened, and that the backup media hasn't been tampered with. You could
maybe use rsync to copy the potentially infected files out, but make
sure it's by itself on a dedicated network behind a firewall that only
permits rsync connections to the rsync server. Other option would be to
pull the hard drive, attach it to a USB-SATA converter, and very
carefully mount it on a known good machine in a disposable VM without a
network connection to extract the (possibly bad) data. Then, securely
dispose of the laptop and hard drive. Make sure to use new passphrases
on the new hardware in case a keylogger was installed on the old.
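Added example (not from either poster, and not Qubes' own tooling): the "only my data" salvage that the reply describes, once the suspect private volume has been attached to a disposable, network-less qube and mounted read-only. The script assumes that mount is at some SRC path whose user home sits at SRC/home/user (as it does for the /rw volume on Qubes 4; that layout is an assumption here), and it deliberately leaves /rw/config and /rw/usrlocal behind. It copies only regular, non-executable files with plain document or media suffixes, refuses dotfiles and dot-directories (where shell and autostart persistence lives), refuses symlinks, strips permission bits on the copies, and reports everything it refused so the refusals can be reviewed. The sample volume is constructed inline so the script runs offline.

```python
"""Pull user data out of a suspect qube's private volume without carrying
over anything that could execute or re-establish persistence.

Added example; not part of the original thread and not Qubes' own code.
Assumption: SRC is a read-only mount of the private volume, with the user's
home at <SRC>/home/user (the /rw layout on Qubes 4). Only that home is
salvaged; usrlocal/ and config/ are left behind on purpose.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Plain document/media types only. Anything scriptable (.sh, .py, .desktop,
# .so, .jar, ...) is refused even if it sits in Documents/.
DATA_SUFFIXES = {".txt", ".md", ".csv", ".json", ".pdf", ".odt", ".ods",
                 ".docx", ".xlsx", ".jpg", ".jpeg", ".png", ".gif", ".mp4"}


def classify(path: Path, rel: Path):
    """Return None if the file may be copied, else the reason it is refused."""
    if any(part.startswith(".") for part in rel.parts):
        return "hidden path (dotfiles hold shell/desktop persistence hooks)"
    st = path.lstat()  # lstat: never follow symlinks on the suspect volume
    if stat.S_ISLNK(st.st_mode):
        return "symlink (could point anywhere, including outside the volume)"
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "executable bit set"
    if path.suffix.lower() not in DATA_SUFFIXES:
        return f"suffix {path.suffix or '(none)'} not in data allowlist"
    return None


def salvage(src: Path, dst: Path) -> dict:
    """Copy allowlisted data files from <src>/home/user into dst.

    Returns {"copied": [rel, ...], "skipped": {rel: reason}}, paths relative
    to the user's home, so every refusal can be reviewed by hand.
    """
    home = src / "home" / "user"
    result = {"copied": [], "skipped": {}}
    for root, dirs, files in os.walk(home, followlinks=False):
        root = Path(root)
        # Prune hidden or symlinked directories before descending, and record them.
        keep = []
        for d in dirs:
            if d.startswith(".") or (root / d).is_symlink():
                result["skipped"][str((root / d).relative_to(home)) + "/"] = (
                    "hidden or symlinked directory, not descended")
            else:
                keep.append(d)
        dirs[:] = keep
        for name in files:
            path = root / name
            rel = path.relative_to(home)
            reason = classify(path, rel)
            if reason:
                result["skipped"][str(rel)] = reason
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(path, target)  # copies bytes only, not mode/xattrs
            os.chmod(target, 0o600)        # copies are data: never executable
            result["copied"].append(str(rel))
    return result


def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for a mounted private volume (sample data only)."""
    home = root / "home" / "user"
    (home / "Documents").mkdir(parents=True)
    (home / "Documents" / "notes.txt").write_text("meeting notes\n")
    (home / "Documents" / "report.pdf").write_bytes(b"%PDF-1.4 stub\n")
    dropper = home / "Documents" / "invoice.txt"   # data-looking name, exec bit set
    dropper.write_text("#!/bin/sh\nid\n")
    dropper.chmod(0o755)
    (home / "Downloads").mkdir()
    (home / "Downloads" / "tool.sh").write_text("echo hi\n")
    (home / ".config" / "autostart").mkdir(parents=True)
    (home / ".config" / "autostart" / "x.desktop").write_text("[Desktop Entry]\n")
    (home / ".bashrc").write_text("# anything here runs at every shell start\n")
    os.symlink("/etc/passwd", home / "Documents" / "passwd.txt")
    return root


def demo() -> dict:
    """Run the salvage against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_tree(Path(tmp) / "suspect")
        return salvage(src, Path(tmp) / "salvaged")


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Point the real SRC at the read-only mount (for example `mount -o ro,noexec,nosuid,nodev`) inside the disposable qube, and move the salvaged tree on with qvm-copy rather than by restoring the volume; the allowlist is deliberately short, and anything it refuses should be opened only in a disposable qube, never restored wholesale.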
