Protecting Dom0, While Accessing External USB From Dom0?

I want to bind folder root/var/lib/qubes/appvms to an external harddrive. In effect moving all the appvms to the external hard drive.

Dom0 needs access to the drive. But if the drive is malicious, then well… the whole system is compromised.

Is there a way I can setup a sys-usb just for this data stream, and firewall it to only allow access to/from certain folders on the USB hard drive?

Does this help?

2014 seems old, not sure it would apply even to 4.0

I think the USB part of this makes it inherently insecure.

You were talking about ghosting VMs on drives… why not do this on a secondary internal drive with an encrypted hidden volume? That way you can keep dom0 isolated and avoid the problems associated with USB drives.

I want the option to keep the ghost layer and primary computer separate. Without the external HD attached there would be no trace of its existence. If I make a hidden vault on the internal drive, the hidden vault would be easy to spot, as it will be large.

Well, can’t we have a USB drive handled by sys-usb, exporting the block device to dom0 ?

I’m pretty new to Qubes… but since Dom0 is the master of sys-usb… could sys-usb pipe back to dom0 thru a firewall?

If that wasn’t possible, lets imagine I setup the USB drive, such that it can only be accessed via an encrypted password.txt file on dom0… _ full disk encryption.

So now, I know this USB device can’t practically mount on any other computer.

At that point my risk would be hardware spychips (likely at the manufacture supply chain level)? Correct?

Okay… if I accept that risk, how is the best way to expose the drive to dom0, so I can bind to the encrypted container inside?

Lastly… lets imagine the drive has a spychip: What would be the tells to watch for/scan for/setup a monitor for?

It’s not entirely clear to me if dom0 is an allowable target with this contributed component, but maybe this is helpful:


I like that extra level of protection. Drilling down on it, I don’t know if it can expose dom0 to the data on the USB drive, like you said… unless I missed something in the documentation.