Convert To Trusted file

QubesOS has a “Convert To Trusted PDF” feature, why can’t I use it for other files?
I want to copy keepass and text files from a USB stick to a recently installed QubesOS vaultVM, but I am not sure that they are not contaminated.
I’m not a computer or OS expert, but aren’t kdbx and text files dangerous, and I’m not comfortable connecting the USB stick to vaultVM.
Am I worrying too much?

1 Like

You can also convert image files. Since trusted files are bitmap of the original pdf or image, the conversion process will not work for an arbitrary file type.

I type all of my keepassxc entries manually in my vault vm and never touch it with a USB stick. I don’t think you are worrying too much, it’s valuable to have long term confidence that your vault qube is secure. That said, I’m curious to know if copying text via ctl-shift-c/v is reasonably secure for this purpose. As I recall, qvm-copy into a vault qube is ill-advised.

I typed keepassxc entries manually too.
But it is impossible to manually type documents with a large number of characters.
There will be tons of mistakes.
I also want to know ctl-shift-c/v is safe.

By the way, when you back up vault files, do you copy the files to a disposable and then connect the USB stick to the disposable and then copy the files? I do.

I don’t like the idea of backing up clean files to a USB stick that may be contaminated.
Do you even think about keeping the USB stick safe?
I don’t know anyone around me who uses QubesOS, so I’d like to know how other Qubes users do it.

Kinda similar: I create a disposable qube which has no netvm (thus is completely offline). Attach an encrypted USB to that. And run QubesOS backup tool for my vault qube.

Check these two videos for an answer:

My approach is to use two vms, the default (black) vault qube that I only touch manually and a separate (blue) vault qube that does not have networking, but does “allow” qvm-copy of documents. In particular, I allow qvm-copy of documents to/from a disposable sys-usb qube.

I also set the default disposable vm on the blue vault qube (debian) to my dvm-print template (fedora) which is allowed networking but is firewalled to only allow access to a VLAN with a printer. This VLAN has no WAN access. The black vault qube has no disposable template.

Going back to the original question, qvm-convert-pdf and qvm-convert-img
are discreet programs that aim to simplify the representation of PDF and
image files to a form where it is less likely that malware could lurk.

I do the same with office files, converting them to basic text - so
removing the risks from macros and complexity. Of course, in many cases,
(and the same goes for PDF) it’s exactly the macros and complexity that
makes the other format so useful.
This is where use of offline disposables is so useful - it doesn’t matter
if the file is contaminated because Qubes aims to keep it in a safe
space. (If the files contains malware that can escape the qube, either
to other qubes or dom0, that’s different.)

It is quite straightforward to examine a text file to see if it contains
other (hidden) material.
For Keepass I would think the cleanest thing to do would be to export
the data (I think only HTML is available, unfortunately).

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I see. I can copy it to vault after I clean it that way.
It was hard for me to copy text files manually.

Depends on the template. fedora-36 also has csv and xml, but debian-11 only has html and csv options available. Seems like csv would be a better option than html, but I’m no expert of file types and security.

qvm-copy from the vault database for backup seems reasonable here, but would qvm-copy of a keepassxc backup from another qubes to the vault be a security risk?

I prefer to use the built-in Qubes backup and restore tools for enhanced security.

For security, I never copy anything into my vault. All data in the vault was manually entered by me (e.g., typed) or generated there (e.g., randomly-generated passwords). When I back up that data, I don’t copy it out of the vault. I simply back up the entire vault qube (along with any other qubes I want to back up) using the built-in Qubes backup tool. I believe this is likely to be the safest workflow for most Qubes users, especially less-experienced users, as it follows the intended design pattern and minimizes the risk of user error.


Do you not use some sort of external USB memory stick?

another question for @adw : Do you use ctl+shift+c to copy generated passwords to other qubes from the vault?

Adding a link to the qubes documentation that I think answers this question. Sometimes it’s good to go back and revisit these pages after years of experience with Qubes! :smirk:

I do. If you use the built-in Qubes backup tool, then it creates an encrypted backup file that you can store wherever you like, including on a USB drive.

Yes. Copying out of the vault is fine. It’s just copying into the vault that’s risky. (Of course, risk is relative and context-dependent.)

What I’ve done in the past to backup my kdbx is export it as csv, and then store that in a brsnd new luks encrypted partition on a usb drive, then at least I know that partition is clean.

I’ll mount that in a disposable, open the csv in a text editor, then ctrl-shift-c/v into a text file in Vault, name it with .csv, then import that into keepass in Vault.

Probably kind of overkill, but everyone’s threat model is different…

How did you verify that PARTITION IS CLEAN?
I am not sure if my usb stick is clean.

They said - “brsnd new luks encrypted partition”

This is a separate issue.
If you have serious doubts don’t use it.
You do not have the capability to (a) determine if it is “clean”, and
(b) do anything about it if not.
(This is not to belittle you - it’s a statement of fact for most users)

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Yes that is exactly right. As you say, I am not capable of determining if my USB stick is clean or not. Hence I doubt my USB stick.
I do not have any serious concerns about my USB stick. However, I am concerned because I used to use it for windows.
I am not sure if the new USB stick I am buying is safe.
I don’t know if formatting it and creating a new luks encrypted partition will make it completely safe.

Doubt is an illness that comes from knowledge and leads to madness.

A doubt without an end is not even a doubt.

What is “completely” doing here?
Formatting and creating a new encrypted partition is a good thing to do.
Whether it is enough will depend on what (you think) has happened, and
you must make a reasoned judgement on that.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

Yes you are absolutely correct. I am endlessly suspicious.
I say “completely” because there is a type of malware that infects the firmware of USB sticks.
I’m not computer literate enough to know if it’s safe to format it and get a new luks.

I wish there was a way to check the security of USB flash drives like pgp signatures so I can feel safe.

I am in the process of slowly learning by using QubeOS, researching, asking others, and reading books every day, hoping to one day have the understanding and knowledge to make my own decisions like you.

Thank you for always being willing to answer beginner’s questions.

I should say “relatively” clean, since i created a new encrypted partition, and did not mount the outer drive into the vm

Seeing as this has gained a decent amount of discussion already, I’m compelled to ask: Can you give me a rough hypothetical about what the attack vector is for clipboard copying in to the vault? Is it that the Qube itself may be compromised and thus you don’t really have control over what is on the clipboard in that Qube at the time you copy to the global clipboard?

Would that not still just be text? Is there some concern that a particularly obscure set of text entered in to a Keepass DB could crass it or execute something? Bit confused on that one and would love clarification, perhaps this needs to be split off, but I only ask as it has been discussed more than once here already.