mounting luks encrypted drive in appVM


brians...@gmail.com

May 30, 2016, 6:46:25 PM
to qubes-users
Hello,

I am trying to mount several encrypted (LUKS) internal HDDs into one of several AppVMs. Currently, I can attach the drive via the manager, followed by mounting it via password/mount commands, but I was hoping to automate the process more. Is there a way I can have auto-mounting in dom0 simplify the process for me? For example, if I add a crypttab/fstab entry, can I attach the unencrypted drive in my AppVM, instead of the encrypted device?

Having to decrypt and mount each drive each time in each AppVM is somewhat laborious and I was hoping there would be a more straightforward approach.

Thanks

Brian

Chris Laprise

May 30, 2016, 8:35:25 PM
to brians...@gmail.com, qubes-users
I would search for examples of adding external drives to crypttab and
fstab, then set it up for that particular vm using /rw/config/rc.local.

Chris

Brian Santich

May 30, 2016, 9:05:43 PM
to qubes-users, brians...@gmail.com, tas...@openmailbox.org
Hi Chris,

How do I give this VM access to the drive in question, before it starts up (and runs the custom script)? If I write a normal script to mount/decrypt the drive, it doesn't work, in part, because it doesn't have access to the disk yet, which I can attach only after it has started up.

Brian
 

Chris Laprise

May 30, 2016, 9:51:38 PM
to Brian Santich, qubes-users
You could add a udev rule to dom0 that executes a 'qvm-block -a' command
to attach the drive to the vm. Actually, this rule could do all the
work: After qvm-block, use qvm-run to send the cryptsetup and mount
commands to the vm. Probably you don't need crypttab.

Chris
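
The attach-then-unlock sequence described in the message above, as an added example that is not part of the thread: a dom0 script, run by hand rather than from a udev rule so that it can prompt for the passphrase, which selects the disk by LUKS UUID, attaches it with qvm-block -a, and pipes the passphrase to cryptsetup in the VM through qvm-run -p. The VM name, mapping name, mount point, the BY_UUID_DIR override and the /dev/xvdi device node inside the VM are assumptions.

```bash
#!/bin/bash
# Added example, not code from the thread. Runs in dom0 and uses the
# Qubes 3.x "qvm-block -a <vm> <backend>:<dev>" syntax seen in this thread.

VM="work"                 # hypothetical AppVM name
MAPPER="data1"            # hypothetical dm-crypt mapping name
MOUNTPOINT="/mnt/data1"   # hypothetical mount point inside the VM
FRONTEND="/dev/xvdi"      # assumed device node of the attached disk in the VM

# Resolve a LUKS UUID to the current dom0 kernel name (e.g. "sdb1"), so the
# script never attaches whichever disk merely happens to be called sdb today.
# BY_UUID_DIR is a hypothetical override used only for testing.
resolve_dev() {
    local link="${BY_UUID_DIR:-/dev/disk/by-uuid}/$1"
    [ -e "$link" ] || return 1
    basename "$(readlink -f "$link")"
}

# Command line executed as root inside the VM. The passphrase is read from
# stdin (--key-file=-), so it never appears in this string or in a process list.
vm_commands() {
    printf 'cryptsetup luksOpen --key-file=- %s %s && mkdir -p %s && mount /dev/mapper/%s %s' \
        "$FRONTEND" "$MAPPER" "$MOUNTPOINT" "$MAPPER" "$MOUNTPOINT"
}

attach_and_unlock() {
    local uuid="$1" dev pass
    dev="$(resolve_dev "$uuid")" || { echo "no disk with LUKS UUID $uuid" >&2; return 1; }
    read -r -s -p "Passphrase for $uuid: " pass; echo
    qvm-block -a "$VM" "dom0:$dev" || return 1
    sleep 1   # give the VM a moment to create $FRONTEND
    # printf without a trailing newline: with --key-file=- every byte on stdin
    # is treated as key material.
    printf '%s' "$pass" | qvm-run -p -u root "$VM" "$(vm_commands)"
}

# Usage: ./attach-luks.sh <LUKS-UUID>
if [ "$#" -gt 0 ]; then attach_and_unlock "$1"; fi
```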

Marek Marczykowski-Górecki

May 31, 2016, 4:53:49 AM
to Chris Laprise, Brian Santich, qubes-users
FWIW I have a script in dom0, which detects a connected USB stick and
attaches it automatically to a selected VM. Then, it waits for a signal to
detach it.

Here is the script:
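-----
# Runs in dom0. Each iteration starts when the QubesDB entry for sda in sys-usb changes.
while qubesdb-watch -d sys-usb /qubes-block-devices/sda/desc; do
    # Attach sys-usb's sda to the testbuilder VM
    qvm-block -a testbuilder sys-usb:sda
    sleep 0.2
    # The shell in the VM records its PID and stops itself; qvm-run -p blocks until it is resumed
    qvm-run -p testbuilder 'echo $$ > /tmp/usb-eject; kill -STOP $$'
    qvm-block -d sys-usb:sda
    notify-send -t 10 done
done
-----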

It attaches "sda" from sys-usb to the testbuilder VM. Then the testbuilder VM can
request detach with:
kill -CONT `cat /tmp/usb-eject`

In practice I use this to conveniently write an installation ISO for
testing and have a script which builds the ISO, writes it there, then
requests USB detach.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?