From 05b1f4a99f0486ff475d3fa8c14a2834cf052a47 Mon Sep 17 00:00:00 2001 From: Galland Date: Tue, 21 Aug 2018 15:52:11 +0200 Subject: [PATCH 1/2] Setup example of an encrypted second HDD on R4.0 This is too complex and error prone not to facilitate users' lives with an example of the few commands needed to perform this. --- configuration/secondary-storage.md | 36 +++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/configuration/secondary-storage.md b/configuration/secondary-storage.md index 1506f020..3df92535 100644 --- a/configuration/secondary-storage.md +++ b/configuration/secondary-storage.md @@ -20,7 +20,7 @@ Qubes 4.0 is more flexible than earlier versions about placing different VMs on For example, you can keep templates on one disk and AppVMs on another, without messy symlinks. These steps assume you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and [thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation) (not thin volume) for your HDD. -See also [this example](https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks) if you would like to create an encrypted LVM pool (but note you can use a single logical volume if preferred, and to use the `-T` option on `lvcreate` to specify it is thin). +See also [this example](https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks) if you would like to create an encrypted LVM pool (but note you can use a single logical volume if preferred, and to use the `-T` option on `lvcreate` to specify it is thin). You can find the commands for this example applied to Qubes at the bottom of this R4.0 section. First, collect some information in a dom0 terminal: 
@@ -50,6 +50,40 @@ For example: In theory, you can still use file-based disk images ("file" pool driver), but it lacks some features such as you won't be able to do backups without shutting down the qube. +#### Example HDD setup #### + +Assuming the secondary hard disk is at /dev/sdb (it will be completely erased), you can set it up for encryption by doing in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot): + + sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb + sudo blkid /dev/sdb + +Note the device's UUID (in this example "b209..."), we will use it as its luks name for auto-mounting at boot, by doing: + + sudo nano /etc/crypttab + +And adding this line (change both "b209..." for your device's UUID from blkid) to crypttab: + + luks-b20975aa-8318-433d-8508-6c23982c6cde UUID=b20975aa-8318-433d-8508-6c23982c6cde none + +Reboot the computer so the new luks device appears at /dev/mapper/luks-b209... and we can then create its pool, by doing this on a dom0 terminal (substitute the b209... UUIDs with yours): + + # First create the physical volume + sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde + # we will use for example "qubes" as the (LVM volume group name) + sudo vgcreate qubes /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde + # and then use "poolhd0" as the (LVM thin pool name) + sudo lvcreate -T -n poolhd0 -l +100%FREE qubes + #finally we will tell Qubes to add a new pool on the just created thin pool + sudo qvm-pool --add poolhd0_qubes lvm_thin -o volume_group=qubes,thin_pool=poolhd0,revisions_to_keep=2 + +By default VMs will be created on the main Qubes disk, to create them on this secondary HDD do the following on a dom0 terminal: + + #Finally we can create new VMs (here untrusted-hdd) on the secondary hard disk + qvm-create -P poolhd0_qubes --label red unstrusted-hdd + + + + ### R3.2 ### In dom0: 
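Review bot: in the `@@ -20,7` hunk, "at the bottom of this R4.0 section" is a fragile pointer; since the same patch adds an `#### Example HDD setup ####` heading, link to its anchor instead (e.g. `see the [example HDD setup](#example-hdd-setup) below`) so the reference survives later edits to the section.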
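Review bot: in the `@@ -50,6` hunk the final command `qvm-create -P poolhd0_qubes --label red unstrusted-hdd` misspells the qube name while the comment above it says `untrusted-hdd`; a reader copying it verbatim gets a qube with the typo in its name, so change it to `untrusted-hdd`. Two further points in the same hunk: `lvcreate -T -n poolhd0 -l +100%FREE qubes` uses the `+` prefix, which `lvcreate` does not accept for `-l` (the signed form belongs to `lvextend`/`lvresize`), so it should read `-l 100%FREE`; and the prose alternates between "luks" and the device name, where the documentation elsewhere writes "LUKS". Minor: the hunk adds four blank lines before `### R3.2 ###` where one is enough.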
From 4469689453f3b443ab767a897ba1a92bab8e8bd1 Mon Sep 17 00:00:00 2001 From: Galland Date: Wed, 22 Aug 2018 12:35:16 +0200 Subject: [PATCH 2/2] comments as text lines --- configuration/secondary-storage.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/configuration/secondary-storage.md b/configuration/secondary-storage.md index 3df92535..16357fd4 100644 --- a/configuration/secondary-storage.md +++ b/configuration/secondary-storage.md @@ -67,23 +67,28 @@ And adding this line (change both "b209..." for your device's UUID from blkid) t Reboot the computer so the new luks device appears at /dev/mapper/luks-b209... and we can then create its pool, by doing this on a dom0 terminal (substitute the b209... UUIDs with yours): - # First create the physical volume +First create the physical volume + sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde - # we will use for example "qubes" as the (LVM volume group name) + +Then create the LVM volume group, we will use for example "qubes" as the : + sudo vgcreate qubes /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde - # and then use "poolhd0" as the (LVM thin pool name) + +And then use "poolhd0" as the (LVM thin pool name): + sudo lvcreate -T -n poolhd0 -l +100%FREE qubes - #finally we will tell Qubes to add a new pool on the just created thin pool + +Finally we will tell Qubes to add a new pool on the just created thin pool + sudo qvm-pool --add poolhd0_qubes lvm_thin -o volume_group=qubes,thin_pool=poolhd0,revisions_to_keep=2 -By default VMs will be created on the main Qubes disk, to create them on this secondary HDD do the following on a dom0 terminal: +By default VMs will be created on the main Qubes disk (i.e. a small SSD), to create them on this secondary HDD do the following on a dom0 terminal: - #Finally we can create new VMs (here untrusted-hdd) on the secondary hard disk qvm-create -P poolhd0_qubes --label red unstrusted-hdd - ### R3.2 ### In dom0:
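Review bot: in the `@@ -67,23 +67,28 @@` hunk, converting the comments to text lines dropped the object of one sentence: `Then create the LVM volume group, we will use for example "qubes" as the :` now ends in a dangling "as the :" because the "(LVM volume group name)" parenthetical was lost; restore it, e.g. `Then create the LVM volume group, using for example "qubes" as its name:`. The new lead-in lines are also inconsistent (`First create the physical volume` and `Finally we will tell Qubes to add a new pool on the just created thin pool` have no trailing colon while the others do), and the `unstrusted-hdd` typo in the `qvm-create` line from the previous patch is still present; since the comment that named the qube `untrusted-hdd` has been removed here, the misspelled name is now the only one a reader sees.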