Encrypted Secondary Drive? (is it? Is it needed?)


Gaiko Kyofusho

Nov 9, 2016, 8:33:09 AM
to qubes...@googlegroups.com
I installed a secondary drive on my computer a few weeks back then got sidetracked but now I am having space issues so need to move some things over to that drive.

The thing is I don't remember it being encrypted at any point which made me think:
1) Is it encrypted?
2) Does it need to be encrypted?

If it's not, and it should be (i.e. good practice) is there a doc for that? I looked over the docs section, and poked around in general but didn't find much info?

donoban

Nov 9, 2016, 8:45:40 AM
to qubes...@googlegroups.com
On 11/09/2016 02:33 PM, Gaiko Kyofusho wrote:
> I installed a secondary drive on my computer a few weeks back then
> got sidetracked but now I am having space issues so need to move
> some things over to that drive.
>
> The thing is I don't remember it being encrypted at any point
> which made me think: 1) Is it encrypted?

If you don't know, probably it isn't.

> 2) Does it need to be encrypted?

It depends on what you are going to move onto it and what level of
privacy you want for it. However, since you can't be sure what you
will put on it in the future, I will always encrypt it.

> If it's not, and it should be (i.e. good practice) is there a doc for
> that? I looked over the docs section, and poked around in general
> but didn't find much info?
>

You can use any tutorial for standard Linux distributions like Debian
or Fedora. Or you can use the original LUKS documentation:

https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#2-setup

Zrubi

Nov 9, 2016, 8:48:36 AM
to qubes...@googlegroups.com
On 11/09/2016 02:45 PM, donoban wrote:
>
> On 11/09/2016 02:33 PM, Gaiko Kyofusho wrote:
>> If it's not, and it should be (i.e. good practice) is there a doc for
>> that? I looked over the docs section, and poked around in general
>> but didn't find much info?
>
>
> You can use any tutorial for standard Linux distributions like Debian
> or Fedora. Or you can use the original LUKS documentation:
>
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#2-setup
>


And/Or you can read the related Qubes docs:
https://www.qubes-os.org/doc/secondary-storage/
https://www.qubes-os.org/doc/encryption-config/

--
Zrubi


donoban

Nov 9, 2016, 8:50:40 AM
to qubes...@googlegroups.com
On 11/09/2016 02:45 PM, donoban wrote:
> You can use any tutorial for standard Linux distributions like
> Debian or Fedora. Or you can use the original LUKS documentation:
>
> https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#2-setup
>

You should do it on a VM with the hard disk attached to it. It should
point to something like /dev/xvdi; check dmesg to be sure.

Skip any /etc/crypttab or similar configuration. Once your hard disk
is properly formatted it will be auto-detected when you attach it to a
VM and it will ask for the passphrase.
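
A way to answer "Is it encrypted?" from inside the VM the disk is attached to, by reading the LUKS header fields directly. This is an added example, not part of any post in the thread; it recognises LUKS1/LUKS2 only, and `make_sample_header` is a helper introduced here to build constructed test input.

```shell
#!/bin/sh
# Added example (not from the thread): LUKS header check without cryptsetup.
# A missing header only rules out LUKS; plain dm-crypt or a detached header
# leaves no signature at offset 0.

# Print "<version> <uuid>" if $1 starts with a LUKS header, else return 1.
luks_info() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1        # "LUKS" 0xba 0xbe
    # Version: 16-bit big-endian at offset 6 (1 = LUKS1, 2 = LUKS2).
    ver=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1 |
          awk '{ print $1 * 256 + $2 }')
    # UUID: 40-byte NUL-padded ASCII field at offset 168 in both formats.
    uuid=$(dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000')
    printf '%s %s\n' "$ver" "$uuid"
}

# Build a constructed 208-byte header for trying luks_info without a real disk.
# $1=output file  $2=version (1 or 2)  $3=UUID string
make_sample_header() {
    {
        printf 'LUKS\272\276\000'; printf "\\00$2"
        dd if=/dev/zero bs=1 count=160 2>/dev/null
        printf '%s' "$3"
        dd if=/dev/zero bs=1 count=$((40 - ${#3})) 2>/dev/null
    } > "$1"
}

# Real use, as root inside the VM the disk is attached to:
#   sh luks_info.sh /dev/xvdi
if [ "$#" -eq 1 ]; then
    luks_info "$1" || echo "no LUKS header at offset 0 of $1"
fi
```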

donoban

Nov 9, 2016, 8:51:48 AM
to qubes...@googlegroups.com
On 11/09/2016 02:48 PM, Zrubi wrote:
> And/Or you can read the related Qubes docs:
> https://www.qubes-os.org/doc/secondary-storage/
> https://www.qubes-os.org/doc/encryption-config/
>

Oops, since he didn't find it I assumed it doesn't exist :|

Desobediente

Nov 9, 2016, 10:25:47 AM
to qubes-users
If you just want to move files in the old-fashioned way and not an entire AppVM, in the sense that the AppVMs should remain on the original drive, in other words, if you want to be able to remove the other hard drive from the system and will use it mainly for storage of large files,

then the answers are more questions:

is your qubes system encrypted?
do you need the files to be encrypted?

If you are willing to accept common knowledge as advice, then yes, you shall encrypt everything every time, unless there are reasons not to. For example, encrypted disks will make data unavailable to data recovery for an obvious reason. If the data is not sensitive and it should remain forever recoverable, that could be a reason not to encrypt data, but that is one exception of the above rule.

Anyway, if this is your case, it should be as simple as attaching the disk to any AppVM and running the GNOME Disks application. I'm not sure what the name of that is in the KDE and XFCE desktops, but I know that if you call it via terminal, it's gnome-disks.

From there it should be straightforward, but there is this tutorial in the Tails website if you want: https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html

gaikokuji...@gmail.com

Nov 9, 2016, 11:38:42 AM
to qubes-users
In the future I would probably store large files (or collections of large files like music) but for now I had in mind at least storing some of my templateVM copies as I have a backup copy of each template (and the WinHVM is taking up an esp large amt of space).

As for my Qubes system, it's def encrypted, that part I am sure of.

My general thought is, better to be safe than sorry. The exception I could think of is if I had short-term bkups (I do "long term" bkups on an ext drive) on this drive they are encrypted but most everything else I figure, why not encrypt?

So gnome-disks, I think that will be pretty straightforward, but when I want to open it I'd have to go to a VM -> file manager and enter a passwd every time ... I think? (trying to wrap my head around this). If I wanted something a bit automatic like the https://www.qubes-os.org/doc/secondary-storage/ option, is there a way the drive could automatically be mounted/decrypted so that template backups could be accessed (and updated, wouldn't want out of date templates).

Thx!

Andrew David Wong

Nov 9, 2016, 7:32:59 PM
to gaikokuji...@gmail.com, qubes-users
On 2016-11-09 08:38, gaikokuji...@gmail.com wrote:
> My general thought is, better to be safe than sorry. The exception I could think of is if I had short-term bkups (I do "long term" bkups on an ext drive) on this drive they are encrypted but most everything else I figure, why not encrypt?
>

I agree. Modern encryption is very inexpensive (in the sense of being low overhead), especially if your CPU supports AES-NI.

> If I wanted something a bit automatic like the https://www.qubes-os.org/doc/secondary-storage/ option, is there a way the drive could automatically be mounted/decrypted so that template backups could be accessed (and updated, wouldn't want out of date templates).

I use that method. To have the drive automatically mounted and decrypted on each boot, I added a keyfile in LUKS, then added the drive in /etc/fstab and /etc/crypttab (pointing to the keyfile in dom0).

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
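
The keyfile arrangement described in the post above, written out as a dom0 shell helper that refuses a keyfile readable by other users before emitting the two configuration lines. This is an added example, not Andrew David Wong's or the Qubes project's own configuration: the device, mapping name, keyfile path and mount point are placeholders, and it assumes dom0's own disk is encrypted, since the keyfile is stored there unprotected.

```shell
#!/bin/sh
# Added example, not from the thread. Run the privileged steps by hand in dom0;
# /dev/sdX, "secondary", /root/secondary.key and /mnt/secondary are placeholders.
#
#   dd if=/dev/urandom of=/root/secondary.key bs=64 count=1
#   chmod 0400 /root/secondary.key
#   cryptsetup luksAddKey /dev/sdX /root/secondary.key   # asks for an existing passphrase
#   cryptsetup luksUUID /dev/sdX                         # UUID for the crypttab line

# True only if the keyfile is a regular file with no group/other permission bits.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if $1 looks like a lowercase 8-4-4-4-12 UUID, as cryptsetup prints it.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the /etc/crypttab and /etc/fstab lines, refusing unsafe or malformed input.
# $1=LUKS UUID  $2=mapping name  $3=keyfile  $4=mount point  $5=fs type (default ext4)
autounlock_config() {
    valid_uuid "$1" || { echo "bad UUID: $1" >&2; return 1; }
    keyfile_is_private "$3" ||
        { echo "keyfile missing or accessible by group/other: $3" >&2; return 1; }
    case "$2$4" in
        *[[:space:]]*) echo "no whitespace in name or mount point" >&2; return 1 ;;
    esac
    printf '# /etc/crypttab\n%s UUID=%s %s luks\n' "$2" "$1" "$3"
    printf '# /etc/fstab\n/dev/mapper/%s %s %s defaults 0 2\n' "$2" "$4" "${5:-ext4}"
}
```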

raah...@gmail.com

Nov 10, 2016, 12:49:09 AM
to qubes-users, gaikokuji...@gmail.com
I have an external USB drive I use as a backup that I encrypted even though Qubes backups are encrypted. It's so very easy. Why not? I don't think it can hurt, can it?

Pretty sure I did it right from the file manager.
