mounting luks encrypted drive in appVM
208 views
Skip to first unread message
brians...@gmail.com
May 30, 2016, 6:46:25 PM5/30/16
to qubes-users
Hello,
I am trying to mount several encrypted (LUKS) internal HDDs into one of several AppVMs. Currently, I can attach the drive via the manager, followed by mounting it via password/mount commands but I was hoping to automate the process more. Is there a way I have auto-mounting in dom0 simplify the process for me? For example, if I add a crypttab/fstab entry, can I have attach the unencrypted drive in my AppVM, instead of the encrypted device?
Having to decrypt and mount each drive each time in each AppVM is somewhat laborious and I was hoping there would be a more straightforward approach.
Thanks
Brian
Chris Laprise
May 30, 2016, 8:35:25 PM5/30/16
to brians...@gmail.com, qubes-users
fstab, then set it up for that particular vm using /rw/config/rc.local.
Chris
Brian Santich
May 30, 2016, 9:05:43 PM5/30/16
to qubes-users, brians...@gmail.com, tas...@openmailbox.org
Hi Chris,
How do I give this VM access to the drive in question, before it starts up (and runs the custom script)? If I write a normal script to mount/decrypt the it doesnt work, in part, because it doesnt have access to the disk yet, which I can attach only after it has started up.
Brian
Chris Laprise
May 30, 2016, 9:51:38 PM5/30/16
to Brian Santich, qubes-users
to attach the drive to the vm. Actually, this rule could do all the
work: After qvm-block, use qvm-run to send the cryptsetup and mount
commands to the vm. Probably you don't need crypttab.
Chris
Marek Marczykowski-Górecki
May 31, 2016, 4:53:49 AM5/31/16
to Chris Laprise, Brian Santich, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
FWIW I have a script in dom0, which detect connected USB stick and
attach it automatically to selected VM. Then, wait for a signal to
detach it.
Here is the script:
- -----
while qubesdb-watch -d sys-usb /qubes-block-devices/sda/desc; do
qvm-block -a testbuilder sys-usb:sda
sleep 0.2
qvm-run -p testbuilder 'echo $$ > /tmp/usb-eject; kill -STOP $$'
qvm-block -d sys-usb:sda
notify-send -t 10 done
done
- -----
It attach "sda" from sys-usb to testbuilder VM. Then testbuilder VM can
request detach with:
kill -CONT `cat /tmp/usb-eject`
In practice I use this to conveniently write installation ISO for
testing and have a script with build the ISO, write it there then
request USB detach.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXTVEVAAoJENuP0xzK19csEIsH/1g8tduN2cLM5Mti2Q4g4Y6T
9q2L1UUgJWNypj51JHP/AJaYDGHHDX8BpnNSM6wWSiq9BS2elAo4SszSukdnZWql
tpwv26jkk9etws9WwtpgFoRAK0RKkUHasfp8yCqFZVERe7TY65HVtwRtrkxlMZ0z
h9Iy+4+qOWR11g55E5KTsAVl/WNAPaCM/wKAZ++4j1rxug9CEgQ97lhFBPraHVRE
swJ7p0llvwnUOcLjafWyyG5C0gdXKAHlMKcTzyHK5xycKt5ZBuK1BRSxp4nLy/+a
QvSV6o3lMnPpx3Kf0FpDnh6U9hBb8FVM0Mbt8hO0KkrBDv0mfyZ7uexxBSMTTWo=
=2tle
-----END PGP SIGNATURE-----
Hash: SHA256
attach it automatically to selected VM. Then, wait for a signal to
detach it.
Here is the script:
- -----
while qubesdb-watch -d sys-usb /qubes-block-devices/sda/desc; do
qvm-block -a testbuilder sys-usb:sda
sleep 0.2
qvm-run -p testbuilder 'echo $$ > /tmp/usb-eject; kill -STOP $$'
qvm-block -d sys-usb:sda
notify-send -t 10 done
done
- -----
It attach "sda" from sys-usb to testbuilder VM. Then testbuilder VM can
request detach with:
kill -CONT `cat /tmp/usb-eject`
In practice I use this to conveniently write installation ISO for
testing and have a script with build the ISO, write it there then
request USB detach.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXTVEVAAoJENuP0xzK19csEIsH/1g8tduN2cLM5Mti2Q4g4Y6T
9q2L1UUgJWNypj51JHP/AJaYDGHHDX8BpnNSM6wWSiq9BS2elAo4SszSukdnZWql
tpwv26jkk9etws9WwtpgFoRAK0RKkUHasfp8yCqFZVERe7TY65HVtwRtrkxlMZ0z
h9Iy+4+qOWR11g55E5KTsAVl/WNAPaCM/wKAZ++4j1rxug9CEgQ97lhFBPraHVRE
swJ7p0llvwnUOcLjafWyyG5C0gdXKAHlMKcTzyHK5xycKt5ZBuK1BRSxp4nLy/+a
QvSV6o3lMnPpx3Kf0FpDnh6U9hBb8FVM0Mbt8hO0KkrBDv0mfyZ7uexxBSMTTWo=
=2tle
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages