[solved] Need advice - large data on external NVME (cryptomator) - how to attach for security

Hello community,

The situation:
I have a large amount of data today in one of my offline AppVMs (500 GB).

The idea:
Move all the data to an encrypted (VeraCrypt or Cryptomator) external NVMe storage.
Attach the external drive to the notebook on every startup (I have no problem if access is slower via USB 3.0).

The “problem”:
If I want to attach the USB NVMe to the notebook every time, the connection is assigned to the sys-usb machine. Also, other USB drives will be assigned to this one. I want to avoid the situation that my “secure” drive is attached to the same machine as the “unsecure” USB sticks.
Would it be ok to clone sys-usb and somehow allow my USB NVMe ONLY to connect to the separate sys-usb2, in order to isolate it from other USB devices?

Maybe it is possible to assign one of the 2 usb ports of my T470 to a specific sys-usb ONLY?

With this approach I would always attach my drive to the notebook after startup (directly connected via a separate sys-usb → then to the AppVM where I want to work with my data).

Did someone try this approach? Are there some big vulnerabilities which have to be considered (I would attach this USB drive directly to one of the 2 USB ports of my T470)? The other port is connected to a USB hub with other USB devices.

Why this approach?
I like the way Tails OS is designed: use the HW only for OS purposes, keep your data on separate USB storage (it also makes me more independent of the OS I use).
If I do not need to access my data in the Qubes session today, I can start the notebook without the NVMe attached (I know, a similar approach is just to not let the AppVM start when using QOS). Just a different approach. The main point is: how to attach a “trusted and secure” USB device to Qubes and keep it separate from others.
I am just trying different approaches, no special purpose behind this. I also want to avoid copying all my content (from backup storage) to the notebook every time after a re-install.

Best regards

1 Like

Hi

If you think your USB ports could attack your drive, I’d say that you should not use a USB drive.

An upcoming Qubes OS feature will allow assigning a given physical port to a list of qubes instead of exposing the device to sys-usb, although the device is still physically connected to sys-usb :woman_shrugging:

An alternative that would be more secure in my opinion, if you really need this, would be to have a second offline computer with the drive, connect it to your computer using an Ethernet cable, and expose the drive at block level (using iSCSI) over a VPN. Then, in Qubes OS, you will need a VPN qube to connect to this. This is not super practical, but I don’t see how to make a more secure local storage.

2 Likes

Advice No 1 seems to be the best one for now. Waiting for the QOS update.

Thank you

1 Like

If the USB drive is encrypted, sys-usb will only see encrypted traffic. It can’t read or alter the I/O going to the drive without breaking the data. There is no confidentiality issue, but it could lead to integrity problems like the drive being wiped.

You should just not unlock the drive in sys-usb to expose it to another qube; instead, you should assign the drive to a qube and unlock it there, so sys-usb only sees encrypted LUKS data.

Maybe it’s ok enough for your use case.

2 Likes
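The flow this answer describes (hand the still-encrypted block device to the destination qube and unlock it there), as an added dom0 helper script that is not Qubes OS project code or the poster's. The target qube `work`, the drive description containing `Samsung` and the mapper name `vault` are assumptions, and the device-picking parser is exercised against a constructed `qvm-block list` listing.

```shell
#!/bin/sh
# dom0 helper for the pattern in the post above: hand the still-encrypted USB
# drive from sys-usb to the qube that will use it, unlock it *there*, and
# verify afterwards that sys-usb never held a dm-crypt mapping for it.
# Added example, not Qubes OS project code. Assumed names: target qube "work",
# drive DESCRIPTION containing "Samsung", LUKS mapper name "vault".
BACKEND="${BACKEND:-sys-usb}"
TARGET="${TARGET:-work}"
MATCH="${MATCH:-Samsung}"
MAPPER="${MAPPER:-vault}"

# $1 = output of `qvm-block list`, $2 = substring of the DESCRIPTION column.
# Prints BACKEND:DEVID of the first matching device that no qube uses yet
# (empty USED BY column); returns 1 if there is none. Relies on qvm-block's
# aligned columns: the header's "USED BY" offset marks where that column starts.
pick_device() {
    printf '%s\n' "$1" | awk -v be="$BACKEND:" -v pat="$2" '
        NR == 1 { col = index($0, "USED BY"); next }
        index($1, be) == 1 {
            desc = substr($0, 1, col - 1); used = substr($0, col)
            gsub(/[ \t]+$/, "", used)
            if (index(desc, pat) && used == "") { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Attach the raw LUKS container to $TARGET (it appears there as /dev/xvdi
# when it is the first attached block device); sys-usb keeps seeing only
# ciphertext, and the passphrase is typed in $TARGET, never in sys-usb.
attach() {
    dev=$(pick_device "$(qvm-block list)" "$MATCH") || {
        echo "no unused $BACKEND device matching '$MATCH'" >&2; return 1; }
    qvm-block attach "$TARGET" "$dev"
    echo "attached $dev to $TARGET; in a $TARGET terminal now run:"
    echo "  sudo cryptsetup open /dev/xvdi $MAPPER && sudo mount /dev/mapper/$MAPPER /mnt"
}

# Defender's check: lsblk in the backend must list no 'crypt' child for the
# device, i.e. the LUKS volume was never opened inside sys-usb.
check() {
    devid="${1:?usage: check <devid, e.g. sda>}"
    if qvm-run --pass-io "$BACKEND" "lsblk -no TYPE /dev/$devid" | grep -qx crypt; then
        echo "WARNING: /dev/$devid is unlocked inside $BACKEND" >&2; return 1
    fi
    echo "ok: $BACKEND holds only the encrypted device /dev/$devid"
}

case "${1:-}" in attach) attach ;; check) check "$2" ;; esac
```

Run `./usb-vault.sh attach` in dom0 after plugging the drive in, unlock it in the target qube as printed, then `./usb-vault.sh check sda` confirms sys-usb only ever saw ciphertext.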

Yes, I didn't consider this.

Integrity is not crucial. I have several backups there. One for working only.

Thanks

1 Like

Can we attach a specific USB device (device ID) automatically to a qube when connecting it to sys-usb?

Maybe this guide for setting up a Trezor (hardware wallet) in an App Qube could serve as an inspiration?

2 Likes