Store virtual machines in a container without leaving traces on the OS

qn00r3 · October 7, 2023, 8:33pm

Hello. I use LUKS encryption.
I want to store all my virtual machines in a container using Veracrypt or Zulucrypt.
My question: Is it possible to get rid of traces of the existence of my virtual machines when the container is encrypted?

fsflover · October 11, 2023, 7:46pm

Hi @qn00r3, welcome to the Community! Could you clarify what you mean by “store all my virtual machines in a container”? How are you using the containers? Are you running them in dom0 or in VMs? In the latter case, this questions is probably not Qubes-specific, and you should be able to find some information on Veracrypt/Zulucrypt forums.

Also, maybe this issue is relevant:

github.com/QubesOS/qubes-issues

Reduce leakage of disposable VM content and history into dom0 filesystem

opened 05:32PM - 12 Apr 19 UTC

brendanhoar

T: enhancement help wanted C: other privacy P: default

**The problem you're addressing (if any)** Considerable information about the h…istory of disposable VM usage, as well as some contents of data from inside disposable VM leaks into the filesystem of dom0 and in most cases, survives reboots. In particular, the leakage into the xfwm4-*.state files (and lack of cleanup) is particular disturbing. e.g. in dom0 rm disp_files.txt # if exists rm disp_contents.txt # if exists sudo grep -rn '/' -e 'disp[0-9]' --exclude-dir={dev,proc,sys} | sort > disp_contents.txt sudo find / -name \*disp[0-9]\* | sort > disp_files.txt # matches references to disposable VM names in filenames Some findings on files related to disposable VMs (via disp_files.txt): 1. snapshots/volatile volumes for disposable VMs that were not shutdown correctly in the past (found in /dev/qubes_dom0/ and /dev/mapper/ ) 2. xml config files for the same in /etc/libvirt/libxl/ and /run/libvirt/libxl/ 3. appmenus for the same in /home/admin/.local/share/ 4. qrexec files for the same in /run/qubes/ 5. qubes.db pid and sock files for the same in /run/qubes/ 6. linux mapper links for the same in /run/udev/links/{\x2fmapper,\x2fqubes_dom0}/ 7. directories for the above in /var/lib/qubes/appvms/ 8. libxl logs for every(!!!) disposable VM ever run in this Qubes install in /var/log/libvirt/libxl/ 9. qubes logs for every(!!!) disposable VM ever run in this Qubes install in /var/log/qubes/ 10. xen console logs for every(!!!!) disposable VM ever run in this Qubes install in /var/log/xen/console/ Some finding related to files *containing* references to disposable VMs in dom0 (via disp_contents.txt): 1. Current and many historical disposable VM references are found in files in /run/udev/data/b253* files/nodes. 2. xfwm4*.state files in /home/admin/.cache/sessions/ contains *many references* to disposable VM *WINDOW TITLES* (application names, web site names, etc.) since the installation of the Qubes install (as well as current session). 3. .xsession-errors* in ~ reference many disposable VM names 4. /home/admin/.config/pulse/{guid}-stream-volumes.tdb a binary file appears to have 0..n matches on disp[0-9]. 5. /etc/lvm/backup/qubes_dom0 has current disp VM names plus some that weren't shutdown cleanly. 6. /etc/lvm/backup/qubes_dom0_* files have historical disp VM names. 7. /var/log/qubes/qubes.log* references historical disp VM names. 8. The systemd journal has a ton of historical disp VM references. 9. /var/lib/qubes/qubes.xml contains a lot of historical disp VM references. 10. /var/lib/backups/qubes/qubes*.xml contains a lot of historical disp VM references. 11. /var/lib/xen/userdata* contains a lot of historical disp VM references. 12. /var/lib/logrotate/logrotate.status contains a lot of historical disp VM references. **Describe the solution you'd like** 1. Triage of types of data leaking into dom0. 2. Based on types of data, develop a Qubes policy on eliminating, reducing, cleaning or ignoring the leaked data. 3. Based on type/policy, institute efforts to reduce the content stored into dom0 (at all vs. short term vs long term). **Where is the value to a user, and who might that user be?** All users who may want the historical content of the disposable VM usage not to be memorialized. Journalists, security researchers, etc. **Describe alternatives you've considered** None appear to cover 100% of use cases. Perhaps TAILS in an HVM might reduce it the most. **Additional context** **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #3504 (similar, but does not provide a focus on specific leakage into dom0) #4408 (anti-forensics on swap files only) #1819 (anti-forensics request only covers the block devices for the VM) #1293 (similar to 1819) #3360 (specific to dom0 logging only) #2024 (emulating Tails' approach, dom0 leakage still possible)

qn00r3 · October 12, 2023, 2:43pm

Hello. I continue to study Qubes OS. Right now I have a few thoughts in my head about implementing containers.
How I imagine it:

Install Veracrypt/Zulucrypt in dom0.
Allocate 500 gigabytes of free space on your SSD disk, create a container of 500 gigabytes in size.
Create new virtual machines and save them in an encrypted container.
Thus, until the password for the container (where my virtual machines are stored) is entered, Qubes OS should not know about the existence of virtual machines in the encrypted container.

At the moment I don’t know if it’s possible to implement everything that I wrote above. I continue to study Qubes OS.
Question: Is it technically possible to implement what I wrote?
If this is possible, which way should I look? What can I read that could help me?
At the moment I found an article that in my opinion can help me, this is:

At the moment, on my second computer I am using Windows OS, I allocated 500 gigabytes of free space and created an encrypted container.
I installed Virtual Box Portable on an encrypted container, and all my virtual machines are stored in the encrypted container, Windows OS does not know about the existence of my virtual machines.
Windows OS does not know that I have Virtual Box installed on my computer.

I want to do the same with Qubes OS. That’s why I came looking for help. Thank you for your time.

SteveC · October 12, 2023, 5:49pm

Hi. (I wrote the Split Veracrypt online book you linked to. OK it’s not an online book but it was pretty long.)

Based on your description I don’t see how Windows can not know about your Virtual Box installation–you’re running it from a windows session, right? Now it may not be visible to someone looking at your system (even someone who can poke around in the menys) until you decrypt the container it’s on, but I am sure it has left traces in your windows registry.

The good news is you’re in the right place to do it better. There’s no reason you can’t keep your containers inside another container if using veracrypt. (I never did work out how to put virtual machines in an encrypted container, but I believe it’s possible–I’d have to look more at pools and the like.)

If you don’t want dom0 to know about any of this I would not install veracrypt on dom0. I would instead install it on a VM (as I described in the post you linked). (That’s good policy anyway–avoid if at all possible installing things on dom0.) Even then it will still probably show up in dom0 menus and so forth unless you install the command-line version of veracrypt.

I’m not completely sure what you want, but based on what you said (and my hopefully-not-too-far-off-the-mark interpretation of it), I’d think about a VM whose sole function is to mount and decrypt the big container (the one that contains everything else). I’d make that a minimal template with veracrypt (command line) installed. You can write a bash script to mount and decrypt the container (and of course veracrypt will mount the decrypted version of it as well). (The bash script will have to prompt for the password, PIM, etc.) You can then detach and attach the little containers within the big containers to wherever you want them to go–e.g., to a dedicated VM that has libreoffice installed on it. This is the point at which my split veracrypt would step in, decrypting those containers and connecting them to the clients. I don’t know how this would relate to actually storing VMs in the big container though; perhaps it wouldn’t work at all for that in which case please disregard my suggestion.

fsflover · October 13, 2023, 1:05pm

Looks related:

qn00r3 · October 14, 2023, 3:48am

All these days I read the forum, documentation, re-read and re-read what @SteveC and @fsflover wrote to me
All this is hard for me, I’m not a Linux master, but I understand something. My native language is not English, which adds to the difficulty in learning information.

What conclusion have I come to?

I see that all the people who are in one way or another connected with the development of the Qubes OS are very categorical about encrypted virtual machines, one can only guess what the reason for this is.
But I myself see little point in this, I prefer the idea of an encrypted container and storing all virtual machines on an encrypted container (possibly because I used something similar on Windows for a long time), but then it makes sense to hide all traces on OS Qubes, but as I understand it is not that simple based on this answer:
Source: hxxps://github.com/QubesOS/qubes-issues/issues/4444#issuecomment-433662984
Author: andrewdavidwong
Comment: One way to do it might be to store them on a hidden encrypted volume, but all traces of their existence outside of the hidden volume would have to be eliminated, which would be very difficult.
Explanation: An error occurred: Sorry, new users can only put 2 links in a post.
At the moment I am considering 2 options in which I can encrypt my data and use the Qubes OS:

2.1. Use an external encrypted SSD disk that I will connect inside a specific virtual machine (most likely a one-time use one), install portable applications on this disk that store data (FTP/SSH/VNC and others). Inspired by this post:

2.2. Implement secondary storage as described in the documentation secondary storage.

I still can’t imagine how everything will work with this option, this comment worries me:

In fact, when I first learned about the existence of the Qubes OS, I was very inspired and bought a new laptop for this operating system, but with each new day, plunging deeper and deeper into the documentation and forum, fear and depression began to permeate me.
For a very long time I could not bring myself to write a message on the forum, apparently I was stalling for time, thinking that I did not understand something or, on the contrary, I understood that this was not at all what it seemed at first glance.
But now I have calmed down, I have the options that I described above, and I will see how they look in implementation.

For my tasks I need:

Using a browser.
Using FTP, SSH, VNC, RDP.
Using various messengers.
Using an email client.
Using an IDE for programming.
Using of programs for reverse engineering.
Using a graphic editor to process photographs.
Using crypto wallets.

Perhaps I can use portable versions of some programs that will store confidential data and I can install these programs on an external encrypted drive.

If anyone has any ideas for implementing encryption for my purposes, I would be happy to hear from you.
Thank you for your time.