Hello,
before editing the documentation page How to copy and move files | Qubes OS by adding a new section, I would like to discuss that section here.
BEGIN
Double door system
Imagine you want to copy a secret file from a more trusted qube X to a less trusted qube Z. It could be disastrous to copy the wrong secret to qube Z. To avoid such accidents, you could install a double door system. To do so, set up an intermediate qube Y “between” qube X and qube Z. You should copy the secret file from qube X to qube Y and then move it from qube Y to qube Z. You should not copy it from X to Z directly (this can be enforced using the qrexec policy manager). This way, you can check that the file (while it is in qube Y) is really the right secret file before moving it to qube Z.
Another use case for a double door system: Imagine you want to copy a file from a less trusted qube X to a more trusted qube Z but sanitize it first (i.e. make it more trusted). If you sanitize the file in qube X, then an attacker could replace the sanitized version of that file with a malicious one again before you can copy it to qube Z. If you sanitize the file in qube Z, then qube Z could become compromised if you accidentally open it the normal way (not in a disposable qube). So, a solution could be a double door system: Set up an intermediate qube Y “between” qube X and qube Z and allow copying from qube X to qube Y and from qube Y to qube Z, but not from qube X to qube Z directly. Then copy your file from qube X to qube Y, open it there in a disposable qube, sanitize the file in that disposable qube and finally move the sanitized file from qube Y to qube Z. In case you have accidentally opened the unsanitized version of that file in qube Y, you can throw qube Y away without losing any data in qube X or Z.
END
Of course, the idea also applies to copying text via the clipboard.
What do you think? Is it worth mentioning the idea of such a double door system? Is there a better solution? Is there a security benefit at all? Or is it even more insecure?
Best regards,
tokideveloper
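To make the qrexec enforcement in the proposal concrete, here is an added example (not part of the post above and not Qubes' own code): a constructed policy fragment in the Qubes 4.1+ `policy.d` format allowing X→Y and Y→Z while denying X→Z, together with a deliberately simplified first-match evaluator that models how qrexec would decide each request. The evaluator is a stand-in for illustration only; it handles `*` arguments, literal qube names and `@anyvm`, and qube names X, Y, Z are placeholders.

```python
# Constructed policy fragment as it might sit in /etc/qubes/policy.d/30-user.policy.
# Double door: more trusted X -> intermediate Y -> less trusted Z.
# X -> Z is denied explicitly; the trailing catch-all rules stand in for the
# default "ask" policy that Qubes loads later (90-default.policy).
DOUBLE_DOOR_POLICY = """
qubes.Filecopy       *  X  Y  allow
qubes.Filecopy       *  Y  Z  allow
qubes.Filecopy       *  X  Z  deny
qubes.ClipboardPaste *  X  Y  allow
qubes.ClipboardPaste *  Y  Z  allow
qubes.ClipboardPaste *  X  Z  deny
# catch-all, constructed to mimic the default policy
qubes.Filecopy       *  @anyvm  @anyvm  ask
qubes.ClipboardPaste *  @anyvm  @anyvm  ask
"""

def parse_policy(text):
    """Parse 'service argument source destination action' lines; skip comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, arg, src, dst, action = line.split()[:5]
        rules.append((service, arg, src, dst, action))
    return rules

def _matches(pattern, name):
    return pattern == "@anyvm" or pattern == name

def decide(rules, service, src, dst):
    """Simplified first-match evaluation: the first rule that matches wins.
    A call that matches no rule is denied, as in qrexec."""
    for rule_service, arg, rule_src, rule_dst, action in rules:
        if rule_service != service or arg != "*":
            continue
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return action
    return "deny"

RULES = parse_policy(DOUBLE_DOOR_POLICY)

if __name__ == "__main__":
    for src, dst in [("X", "Y"), ("Y", "Z"), ("X", "Z"), ("Z", "X")]:
        print(f"qubes.Filecopy {src} -> {dst}: {decide(RULES, 'qubes.Filecopy', src, dst)}")
```

Because evaluation is first-match, the deny rule only has effect if it is read before any broader `ask`/`allow` rule, which is why the user file must sort before the default policy file.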