Since tar does not support any encryption capabilities I was looking for a solution to encrypt and decrypt files directly within dom0. I found ccrypt as the most simple and secure solution. But this would also require a dom0 installation…
Option B, make a no network minimal template based appVM and install ccrypt and pilot all via dom0: sending files to appVM → make a qvm-run --pass-io … to do the encryption remotely and pass it back to dom0 but this also sounds like a complex workaround.
Where is the data coming from and where is it going to, i.e. will it be de/encrypted on different operating systems?
Or maybe even LUKS/dm-crypt. Not the standard way for encrypting files but you don’t need to install anything in dom0.
It will be only used in dom0. I am coding an automated minimal Debian script and for some appVMs I would also like to automatically push some secrets (bookmarks, keys, vpn config files etc.). This will be stored in a separate folder (in dom0). I would like to back up this folder / move it to a 2nd Qubes OS installation, therefore it should be encrypted when leaving dom0.
Awesome, this is enough for my use case. Thanks!
PS: Here are some more details
Performing such activity in dom0 is generally not recommended.
You can use gpg without installing any software, but it complains about missing the pin entry option.
gpg --pinentry-mode loopback --passphrase 1234 --symmetric myfile.txt
gpg --pinentry-mode loopback --passphrase 1234 -o myfile.txt -d myfile.txt.gpg
Don’t know if there is a better way to enter the password, but it does work.
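The folder use case from this thread, as an added example that is not part of any post: the folder is archived with tar and encrypted with gpg's symmetric mode, and the passphrase is supplied on file descriptor 3 via --passphrase-fd instead of --passphrase on the command line. The function names, the choice of fd 3 and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. The passphrase is read from file
# descriptor 3, so it never shows up in argv (ps) or in shell history.
GPG_OPTS="--batch --quiet --pinentry-mode loopback --passphrase-fd 3"

# encrypt_dir SRC_DIR OUT_FILE   (passphrase on fd 3)
encrypt_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    (
        umask 077
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        # Archive first so a tar error is caught before gpg writes anything.
        tar -C "$1" -cf "$tmp/plain.tar" . || exit 1
        # Without --yes, gpg refuses to overwrite an existing OUT_FILE.
        gpg $GPG_OPTS --symmetric --cipher-algo AES256 -o "$2" "$tmp/plain.tar"
    )
}

# decrypt_dir IN_FILE DEST_DIR   (passphrase on fd 3)
decrypt_dir() {
    (
        umask 077
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        # Decrypt fully before unpacking: the integrity check only completes
        # at the end of the stream, so piping into tar could leave partial files.
        gpg $GPG_OPTS -o "$tmp/plain.tar" -d "$1" || exit 1
        mkdir -p "$2" && tar -C "$2" -xf "$tmp/plain.tar"
    )
}

# read_passphrase: prompt on the terminal without echo, print it on stdout.
read_passphrase() {
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r pass; stty echo
    printf '\n' >&2
    printf '%s\n' "$pass"
}

# Usage (secrets/ and secrets.tar.gpg are placeholder names):
#   pass=$(read_passphrase)
#   encrypt_dir secrets secrets.tar.gpg 3<<EOF
#   $pass
#   EOF
#   decrypt_dir secrets.tar.gpg restored 3<<EOF
#   $pass
#   EOF
```

Both functions stage the plain tar archive in a private temporary directory (mode 0700) that is removed when the function returns.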