Is there a way to lock or put a password on qubes? I read a thread about this which was talking about encryption on a qube-by-qube basis, but it seemed unrelated.
I need a way to prevent starting some qubes without a password first, or to prevent their usage by someone with physical access.
Think of it as a screen lock but limited to chosen qubes. This is not about advanced security or encryption but equal to logging out of your Facebook account.
2 Likes
If it’s not about encryption, what’s the point then? If it’s not encrypted and a pass lock is all you want, you must be aware that you can still mount the vm image in dom0 and access all its contents, without the need for a password.
If you want to prevent that, create an encrypted container (`cryptsetup`, `veracrypt`, `cryptomator`) or encrypt files with `gpg`.
You could then have it prompt you to unlock it when the vm starts.
4 Likes
> You could then have it prompt you to unlock it when the vm starts.
Can you expand on this? I am familiar with LUKS containers; are you saying this would be different as opposed to them and act more like a login at the boot of a VM?
Create a luks container, then make a script so that when the vm launches, a terminal window opens and prompts you for the password, then mounts the container to a directory accessible to you.
The following script will configure everything for you (a 500Mb container will be created, if you want to change the size, edit the `dd` command):
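```bash
#!/bin/bash
# One-time setup: create a LUKS container and an autostart entry that
# prompts for its passphrase each time the VM starts.
set -e  # stop if any step fails, e.g. luksFormat is cancelled

filename="encrypted_container"

# Create luks container (size = bs * count)
dd if=/dev/urandom of="/home/user/$filename" bs=1M count=500
sudo cryptsetup luksFormat "/home/user/$filename"
sudo cryptsetup open "/home/user/$filename" "luks-$filename"
sudo mkfs.ext4 "/dev/mapper/luks-$filename"
sudo cryptsetup close "luks-$filename"

# Create unlock script.
# $filename is expanded now; \$dir is left for the generated script to expand.
cat << EOF > /home/user/unlock_container.sh
#!/bin/bash
dir="/home/user/encrypted_dir"
mkdir -p "\$dir"
# Ask for the passphrase in a terminal window until it is accepted.
# The absolute path keeps this independent of the working directory.
sudo xterm -e "while ! cryptsetup open /home/user/$filename luks-$filename; do false; done"
sudo mount /dev/mapper/luks-$filename "\$dir"
sudo chown -R user "\$dir"
EOF

# Create autostart file
mkdir -p /home/user/.config/autostart
cat << EOF > /home/user/.config/autostart/unlock_container.desktop
[Desktop Entry]
Type=Application
Name=Unlock luks container
Exec=/home/user/unlock_container.sh
EOF

# Make everything executable
chmod +x /home/user/unlock_container.sh
chmod +x /home/user/.config/autostart/unlock_container.desktop
```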
Just copy it into a file, and launch it.
2 Likes
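A way to check what state the container from the script above is in, as an added example that is not part of the original posts: the file is only protected from someone reading the VM image while it reports `locked`. The function names and the `MAPPER_DIR` and `MOUNTS_FILE` overrides are assumptions made for this example, as is the expectation that `/proc/mounts` lists the device under its `/dev/mapper` name.

```bash
#!/bin/bash
# Added example: report the state of the LUKS container file.
# Defaults match the names used in the thread. MAPPER_DIR and MOUNTS_FILE
# are hypothetical overrides so the check can be exercised without root.
CONTAINER="${CONTAINER:-/home/user/encrypted_container}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Print the LUKS version (1 or 2) if the file starts with a LUKS header,
# otherwise return 1.
luks_version() {
    local hdr
    # First 8 bytes as hex: magic "LUKS" 0xBA 0xBE, then a 2-byte
    # big-endian version field.
    hdr=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Print one of: missing, not-luks, locked, unlocked, mounted
container_state() {
    local file="$1" name
    name="luks-$(basename "$file")"
    [ -f "$file" ] || { echo missing; return; }
    # A file without a LUKS header is readable by anyone who can read the image.
    luks_version "$file" >/dev/null || { echo not-luks; return; }
    # No mapping means the passphrase has not been entered in this session.
    if [ ! -e "$MAPPER_DIR/$name" ]; then echo locked; return; fi
    # Mapping exists: the plaintext is available, and possibly mounted.
    if grep -qF "$MAPPER_DIR/$name " "$MOUNTS_FILE"; then
        echo mounted
    else
        echo unlocked
    fi
}

container_state "$CONTAINER"
```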
Thank you, this is an excellent solution that I can work with.