For backing up data: How to connect a USB drive directly to dom0

I know one should NEVER do this, for security reasons, but consider this:

I want to back up massive amounts data from many, many qubes directly to a USB drive mounted on dom0 (without having to manually copy things between various qubes). And in my case, the machine is a) offline, the b) the USB drive is brand-new, and c) the OS will be completely reinstalled after the backup. I can absolutely accept the remaining security risk in this case.

So after having physically connected the USB drive to the machine to be backed up, how do I recognize the USB drive and how do I mount it directly to dom0? What are the complete commands?

You probably have, but I’ll mention it anyways – have you considered the Qubes backup utility:

This will let you easily backup from as many Qubes as you want. The only inconvenience in this case is that it will be in a format that only Qubes understands – so you wouldn’t have access to the files directly.

Also, what would be the advantage of attaching the USB stick to dom0 as opposed to each VM? I think at the dom0 you only have access to the machine images (not files directly).

And finally on another note: I do not think it would be advisable to guide people on how to break Qubes’ security model for convenience – especially not in a public forum where many others will see and may not be fully aware of the consequences.

If you have to do this, then the danger is that your USB device will
have malware that attacks persistent means of storage - MBR, the USB
controller itself, etc. These will survive a reinstall.
Buying a new USB drive (in person) removes the possibility of a
targetted attack: don’t let the drive out of your hands at purchase.

If you want to continue, having considered and accepted the security
implications, then that’s fine.
You need not do this in Qubes - any live distro will allow you to
decrypt and mount the Qubes partition, and then mount the individual
qube storage partitions, (found in /dev and linked under familiar names
in /dev/qubes_dom0)
If you want to use your existing Qubes, the you may have to remove the
parameter at boot that masks the USB controllers from dom0 -
rd.qubes.hide_all_usb .
Once you have access to the USB, then you can mount it in dom0:

mkdir /mnt/source
mkdir /mnt/destination
mount /dev/sdX /mnt/destination

Then you should be able to mount the individual qube private drives, and
copy out the data. (I assume that you only want /home from each qube)

mkdir /mnt/destination/SOURCE
mount vm-SOURCE-private /mnt/source
cp -rv /mnt/source/home/user /mnt/destination/SOURCE
umount /mnt/destination/source

Obviously there is scope for automating this using a basic bash script
that iterates over the contents of ls /dev/qubes-dom0/vm-*private

Thank you!

The one question left: rd.qubes.hide_all_usb does not appear in /etc/default/grub and /boot/efi/EFI/qubes/xen.cfg is empty. So where else do I find rd.qubes.hide_all_usb?

And how can I know which “devX” in /dev is the USB drive?

If it’s not obvious, by which devX only appears when you plug the drive in.

Also, consider mounting your source read only. Or creating a snapshot and mounting that.

I see nothing here that precludes the use of qvm-backup. You would still be much, much safer using it.

The Qubes backup system is intentionally designed to allow for file recovery without any Qubes-specific tools. See:

1 Like

Thanks for the pointer. I’ve been through that process. Just didn’t know how to phrase it. But I should have mentioned it.

No worries. I just think it’s a very important feature for users to be aware of, in case they ever need it.

1 Like

Thank you all for your help!

1 Like