Guide: Offline VM with Encrypted Disk on Qubes OS - V4 Setup: /dev/sdb1 - Internal Drive - Manual Unlock

@User.LinuxOne

I’m adding an additional security layer to my offline VM.
By using a separate encrypted storage device with its own LUKS passphrase, even if the offline VM were somehow compromised, it would not be able to access or enumerate anything on that storage. In other words, the VM remains functionally isolated from the underlying data.

How is a VM functionally isolated from the storage it:

  1. Unlocks (knows the secret to)
  2. Uses for read/write operations

Please also note that after this

sudo cryptsetup luksOpen /dev/sdb1 myencrypted

the unencrypted drive can be attached to any VM. All that is required is a user-side mistake to attach the device to the wrong VM.

I do consider this a security problem. We discussed it in this thread:
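The attach-to-the-wrong-VM risk described in this reply, as an added example that is not from the thread or from the Qubes project: a small POSIX shell guard that refuses to hand qvm-block an unlocked dm-crypt mapping (the plaintext side of luksOpen) and only passes through the still-encrypted partition, so the passphrase is entered inside the destination VM and a mis-attached device stays unreadable there. It assumes it runs in the domain where the block device is visible (the backing domain qvm-block lists it from); the function names, the `offline-vm` name and the `SYSFS_ROOT` parameter are hypothetical, the latter existing only so a constructed fake sysfs tree can drive the demo.

```shell
#!/bin/sh
# Hypothetical guard (not part of Qubes): only hand qvm-block the raw LUKS
# partition, never the plaintext device-mapper target created by luksOpen.
# Must run where the block device is visible (the domain qvm-block lists it from).

# is_dm_crypt_target DEVNAME [SYSFS_ROOT]
# Returns 0 if DEVNAME (e.g. dm-0) is a dm-crypt mapping, 1 otherwise.
# dm-crypt mappings report a uuid beginning with "CRYPT-" in sysfs.
is_dm_crypt_target() {
    uuid_file="${2:-/sys}/class/block/$1/dm/uuid"
    [ -r "$uuid_file" ] || return 1
    read -r uuid < "$uuid_file"
    case "$uuid" in
        CRYPT-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# guard_attach BACKEND:DEVNAME TARGET_VM [SYSFS_ROOT]
# Prints the qvm-block command it would run (dry run); returns 2 if refused.
guard_attach() {
    dev="${1#*:}"
    if is_dm_crypt_target "$dev" "$3"; then
        echo "refusing $1: unlocked dm-crypt mapping (plaintext side)" >&2
        return 2
    fi
    echo "qvm-block attach $2 $1"
}

# Constructed fake sysfs tree for an offline demo: dm-0 is the unlocked LUKS2
# mapping "myencrypted", sdb1 is the raw, still-encrypted partition.
make_demo_sysfs() {
    d=$(mktemp -d)
    mkdir -p "$d/class/block/dm-0/dm" "$d/class/block/sdb1"
    echo 'CRYPT-LUKS2-0123456789abcdef-myencrypted' > "$d/class/block/dm-0/dm/uuid"
    echo "$d"
}

demo=$(make_demo_sysfs)
guard_attach sys-usb:sdb1 offline-vm "$demo"          # allowed: still encrypted
guard_attach sys-usb:dm-0 offline-vm "$demo" || true  # refused: plaintext mapping
rm -rf "$demo"
```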