Encryption of app vms?

zithro · February 25, 2022, 8:26pm

I meant, you create only ONE appVM, only the disk would be stored elsewhere.

zithro · February 25, 2022, 8:28pm

Haven’t you seen the recent tweets of Joanna having to backup and remove some domains before going to London ? Look for her “LHR” post

enmus · February 25, 2022, 8:34pm

No, because I don’t use Tweet, Facebook, etc, but would like to check if youpost me the links. Thanks in advance

fsflover · February 25, 2022, 8:36pm

I’m suggesting to read their explanations for why. A normal border agent not suspecting anything about you will not stop you after seeing a few “normal” AppVMs.

But even if they make a full copy of your disk for later analysis, I don’t believe it’s possible to find out properly hidden doubly encrypted AppVMs. I don’t understand Marek’s comment about side channels. I expect that such hidden AppVMs are minimized vaults with virtually no software running, just text files entered by hand.

zithro · February 25, 2022, 9:18pm

Me neither, but you don’t need an account to read a few things.
Maybe use google wisely ?! But you asked nicely so you’re forgiven, for this time ^^ The tweets’ comments have a bit of context.
PS: edit for posterity ^^ The tweets are in fact from 2015 ! Didn’t check the date ^^ Also, the tweets links are available on the top of the first github link provided, that’s how I found em.

Preping for travel into hostile env (LHR). No GPG in the coming days
Nice to be back home with all my VMs again Qubes makes it easy to “desensitivize” my laptop and then restore back

A bit off-topic, but is steganography still a thing ?

enmus · February 25, 2022, 10:07pm

Thanks zithro, I don’t use Google, too. Of course I tried, but on searx, I didn’t get anything useful for “Joanna Rutkowska removed domains before going to London”, nor for “twitter Joanna qubes lhr”.

Anyway, did she bring her backup with her to London, or she restored the one left at home, on her arrival back home? Where is encrypting appVMS (subject of this topic) fits in here?

As I said, asking “how to” without knowing “why” is not a good asked question.

For example, if OP asked: “I want to go to London via airplane and I want to bring my kdbx stored in vault with me. Would be encrypted vault the best way not to risk any normal custom officer to mess with it? My threat model is normal-to-low”, that would be a proper question to be answered

And i would say, he might do it, but what I’d do is that I’d use 2fa, and I’d only bring kdbx with me, without key file. No custom officer can break into my kdbx without it, and can’t force me to give it to him/her. Once arrived, I 'd ask my sister at home to send me key file over secure channel. No harm if the key alone is compromised (that is why I’d bring one factor with me) - after received, immediately generating new one and use it while there. On my departure, I delete both. At the custom, I can’t be asked anything to give - I don’t have them. Once arrived back - simply restore kdbx and old key from the backup, just as Joanna, as I understand English, did.

What IT projects need is not IT Security professionals only, but mostly Information security professionals.

fsflover · February 25, 2022, 10:09pm

You will be simply turned away at the border for not decrypting your device.

enmus · February 25, 2022, 10:11pm

Device, or password database? In which country?

zithro · February 25, 2022, 10:14pm

There you can read a border agent can ask you for the LUKS password, and it was LHR (London Heathrow), so at least England (or whole UK ?), and I know the US have the same policy. Maybe all Five-eyes countries ?

enmus · February 25, 2022, 10:40pm

Unanswered questions so far:

Anyway, did she bring her backup with her to London, or she restored the one left at home, on her arrival back home?
Where is encrypting appVMS (subject of this topic) fits in there?
Device, or password database?

And the new ones

What about her passwords there? How she logged in anywhere?
What the OP is trying to protect so that he/she needs to encrypt AppVM?
From whom?
What AppVM (offline, online, disp, vault.)?

I’d give to a custom my LUKS password, but they couldn’t use anything in there that could compromise my privacy.

And he’s accustomed to Qubes? No really, I haven’t been recently in the USA. How it could work? Would they ask me to open each qube to show them what is in there?

slcoleman · February 25, 2022, 10:54pm

For the border crossing situation mentioned above I have a rather unusual possibility for you.

First get yourself an Opal 2.0 compliant SSD (any Samsung SSD should do) and activate the device to turn on encryption with a non-default key. Format the device and create a partition table as normal. Unlock the “shadow MBR” with your key and format the device again and create your partitions for your VMs to live on and install.

What does this do? When the device is still locked anybody looking at it will just see a normal partition table but an empty drive. Once the shadow MBR is unlocked the actual partitions will appear and will be usable just like a normal SED device. Once the SED is powered down its back to the default MBR and it being an empty drive to anyone who might inspect it. Putting the drive into any computer without unlocking it first its just a blank SSD drive. Everything on that drive is encrypted so even if they do a binary copy of the device thinking that they can recover data off of a blank/erased device all they will have is garbage. You just need to store a binary key somewhere so you can unlock the shadow MBR to use it.

zithro · February 26, 2022, 2:03am

Now if if that isn’t polluting a topic, I don’t know what is, sorry Brad ^^
My answers to all the questions are hidden below (cause too long), and I’d like to go back on topic cause I’m also interested ^^

Couldn’t you install them the way you installed Kali ? Of course you’ll miss the security of templating.

Off-topic

To Enmus

Your 1st question show you didn’t even read the tweets and the comments ! >.<
Backup → remove → travel → get back → restore. As for how she did there, ask her ? Only she knows ^^
Also, read the many articles on the web about people asked to give away devices, social media passwords, etc. A simple search (q=border+customs+passwords) gives dozens of articles (example, with a few solutions).

In cases like that, there are many ways to store your passwords encrypted somewhere and recover them, being locally on a device (hidden containers) or remotely (a file that you can download). You can even (regular) mail yourself as explained in the article.
Protection from what ? Zee germans ! (You have to be a bit old to know this movie ref ^^). Seriously though, from anyone ! There are many use cases for many different people.

Seriously o_O ?! ^^ You know there are IT guys behind them, right ?

Anyways, encrypting appVMs (so their data) is the solution to a problem, plausible deniability. Which hidden containers can help with.

To slcoleman

Or now, hidden HARDWARE containers, didn’t know about that, thanks @slcoleman !
Isn’t that the ultimate way to conceal software ? Hardware is way harder to break.
Your linked doc looks as just an update of the spec. I wanted to read more but there are dozen links provided, do you have one to recommend ?

Can you write data to the normal/empty partition ? Like “innocent” normal stuff, without breaking the encrypted one ?

enmus · February 26, 2022, 4:09am

Offtopic

Thanks for your response. All you quoted, I wrote I’d do it (2FA (including mailing 2nd factor, why not, or the way I proposed), not bringing anything with me (like Joanna did) so my LUKS password would not be of a great help to them, I don’t have social media accounts, etc…) I’m sorry English is not my first language, so I wasn’t clear by the methods. I agree with all of them because I wouldn’t have them too (with me, or at all). But trying to “smuggle” encrypted whatever greatly increases the risk, as even written there - so don’t do it - that was my point, because YOU HAVE TO LIE, which makes “attack surface” bigger. Remember the concept - keep it minimal? Find another way to have it on your destination, and as for alternative way, we have to know what it is you are trying to have with you that you can’t go there without.

When you go online - say goodbye to your privacy, that’s why you have to use Qubes and dispVM (meaning not to bring online anything with you). Same is for real life. When you go out of your home, don’t bring your privacy with you (on a laptop or on a cell phone, among other things) otherwise say goodbye to it.

I hope I clarified my points, resting assured that the polluting of a polluted (at least by lying there’s nothing else on the device) - is actually purifying. I find it just dangerous and not responsible to tell people that by encrypting their whatever, they will be safe at the custom. To me, it just tells that you probably have never been in such a situation and you don’t know how it is to be held in a detention even for an unfortunate set of circumstances, but happily resolved. I know. Never lie to a cop.

Rokokur · February 26, 2022, 9:20am

Yes, this has been discussed endless number of times and each time you act like you have not been provided and endless list of highly credible reasons why this is an extremely important feature request.

Per app vim encryption must come to Qubes.

unman · February 26, 2022, 2:11pm

As always, when this is discussed, people slide between encrypted
qubes and hidden qubes.
They are completely different.

If you want encrypted qubes you can do this right now.
Create a new lvm pool on a new encrypted device, register that pool with
Qubes, and use it to create new qubes.
When you want to use such a qube, decrypt the container, and use the
qube as you will - when you are finished, close the encrypted
container.
(You could do this with multiple pools, of course, and script the
encryption/startup.)
This will guard against the opportunistic thief who takes your machine
when you are using it, (so the main luks device is decrypted), but those
qubes are not decrypted and not in use.

If you want a RAM based qube you can do this right now, by creating a
pool in RAM, and running qubes there. This adds a little to the security
of a stock disposable.

Neither of these are hidden.
It’s much more difficult to guard against forensic analysis which may
show that qubes have been used, although they do not apparently exist on
the system.
(People who discuss this often want plausible deniability.)
I don’t see many people being really clear about what they want, what the
security benefits will be, providing concrete solutions, or even
steps toward those solutions. I do see a lot of vague hopes.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

zithro · February 26, 2022, 5:18pm

I’ve tried to ! (I’ve slightly edited my quote to be clearer)

This is not a totally hidden appVM, but without the correct password it shows an innocuous one.

Brad · February 26, 2022, 7:06pm

I´m glad to see my post sparked useful conversation. I enjoyed it and I learnt about hidden app vms which was something else in the back of mind as well. Some of it is above my paygrade but unman´s idea of an LVM pool and the process after that I like. I have no idea how to do that but I do see that option when installing qubes and I have a laptop I can experiment on. Iĺl investigate this.

I don´t know if the hidden possibility by zithro is possible but I can try that one straight away.

I also wonder how hard border people would go after you. If your high profile sure, but in general would they even understand qubes and how it works? I don´t travel except across our borders here so its not a thing, but then again anything is possible.

Thanks for all of the contributions. Its all useful.

fsflover · February 28, 2022, 12:54pm

Is there a guide anywhere? I expect that it also can make the corresponding qubes faster. Would be great for disposables.

unman · February 28, 2022, 3:47pm

github.com

unman/notes/blob/master/Really_Disposable_Qubes.md

## Disposable qubes
In normal use qubes are created on, and changes written to, the disk. There is also extensive logging and signs of the qube are scattered in a number of places.
Sometimes, you want to create a qube which does not leave these traces.  
You can do this relatively simply, by creating a RAM based storage area and using it for a new storage pool.
The qube will persist until the RAM disk is deleted, or the machine is shut down.

A script like this in dom0, will create tmpfs RAM disk, create a new storage pool in that disk, and create a new qube using that pool.  
tmp_qubes.sh:  
```
#!/bin/bash
mkdir /home/user/tmp
sudo mount -t tmpfs -o size=2G new /home/user/tmp/
qvm-pool add -o revisions_to_keep=1 -o dir_path=/home/user/tmp/ newer file 
qvm-create new -P newer -t debian-11  -l purple --property netvm=tor
qvm-run new firefox-esr
```

You can remove the qube, and some of the associated artifacts by script in dom0.  
rmtmp_qube.sh:  
```

This file has been truncated. show original

tripleh · February 28, 2022, 4:39pm

@unman Looks mostly good, but one should use ramfs instead of tmpfs as the latter can be swapped whereas the former cannot. Or disable swap globally…