Locking qubes

Is there a way to lock or put a password on qubes? I read a thread about this which was talking about encryption on a qube-by-qube basis, but it seemed unrelated.

I need a way to prevent starting some qubes without a password first, or to prevent their usage by someone with physical access.

Think of it as a screen lock but limited to chosen qubes. This is not about advanced security or encryption but equal to logging out of your Facebook account.

2 Likes

If it’s not about encryption, what’s the point then? If it’s not encrypted and a pass lock is all you want, you must be aware that you can still mount the vm image in dom0 and access all its contents, without the need for a password.

If you want to prevent that, create an encrypted container (cryptsetup, veracrypt, cryptomator) or encrypt files with gpg.

You could then have it prompt you to unlock it when the vm starts.

4 Likes

> You could then have it prompt you to unlock it when the vm starts.

Can you expand on this? I am familiar with LUKS containers; are you saying this would be different from them and act more like a login at the boot of a VM?

Create a LUKS container, then make a script so that when the VM launches, a terminal window opens and prompts you for the password, then mounts the container to a directory accessible to you.

The following script will configure everything for you (a 500 MB container will be created; if you want to change the size, edit the dd command):

```bash
#!/bin/bash

filename="encrypted_container"

# Create luks container
dd if=/dev/urandom of="/home/user/$filename" bs=1M count=500
sudo cryptsetup luksFormat "/home/user/$filename"
sudo cryptsetup open "/home/user/$filename" "luks-$filename"
sudo mkfs.ext4 "/dev/mapper/luks-$filename"
sudo cryptsetup close "luks-$filename"

# Create unlock script ($filename is expanded now, \$dir when the script runs)
cat << EOF > /home/user/unlock_container.sh
#!/bin/bash
dir="/home/user/encrypted_dir"
mkdir -p "\$dir"
# Keep prompting in a terminal window until the passphrase is accepted
sudo xterm -e "while ! cryptsetup open /home/user/$filename luks-$filename; do false; done"
sudo mount /dev/mapper/luks-$filename "\$dir"
sudo chown -R user "\$dir"
EOF

# Create autostart file
mkdir -p /home/user/.config/autostart
cat << EOF > /home/user/.config/autostart/unlock_container.desktop
[Desktop Entry]
Type=Application
Name=Unlock luks container
Exec=/home/user/unlock_container.sh
EOF

# Make everything executable
chmod +x /home/user/unlock_container.sh
chmod +x /home/user/.config/autostart/unlock_container.desktop
```

Just copy it into a file, and launch it.

2 Likes
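
The script above only unlocks the container. As an added example (not part of the original posts), this companion script reports the container's state and locks it again by unmounting the directory and closing the mapping. It assumes the same file, mapping and mount-point names as the script above; the script name `lock_container.sh` and the function names are hypothetical.

```bash
#!/bin/bash
# Added example (hypothetical lock_container.sh), not from the original post.
# Assumes the names used by the setup script above.
filename="encrypted_container"
container="/home/user/$filename"
mapping="luks-$filename"
dir="/home/user/encrypted_dir"

# Print the LUKS version (1 or 2) if the file starts with a LUKS header.
luks_version() {
    # Magic: "LUKS" 0xBA 0xBE, then a 2-byte big-endian version number.
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    case "$(od -An -tx1 -j6 -N2 "$1" | tr -d ' \n')" in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Print one of: missing, not-luks, locked, unlocked, mounted.
container_state() {   # $1 = container file, $2 = mapping name
    [ -f "$1" ] || { echo missing; return 0; }
    luks_version "$1" >/dev/null || { echo not-luks; return 0; }
    [ -e "/dev/mapper/$2" ] || { echo locked; return 0; }
    if grep -q "^/dev/mapper/$2 " /proc/mounts 2>/dev/null; then
        echo mounted
    else
        echo unlocked
    fi
}

# Unmount and close the mapping so only ciphertext remains readable.
lock_container() {
    case "$(container_state "$container" "$mapping")" in
        mounted)  sudo umount "$dir" && sudo cryptsetup close "$mapping" ;;
        unlocked) sudo cryptsetup close "$mapping" ;;
        *)        return 0 ;;
    esac
}

case "${1:-}" in
    status) container_state "$container" "$mapping" ;;
    lock)   lock_container ;;
esac
```

Run it with `status` to see whether the container is currently readable, and with `lock` before stepping away from the qube.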

Thank you, this is an excellent solution that I can work with.