Unlocking/decrypting Qubes with a USB stick as an option?

Hello!

I am new to Qubes, just installed in yesterday. The experience is unusual, but I am getting a grip of it. I believe that for my security model a password decryption is insufficient. This mainly comes from the fact that I do not trust entering critical information via my keyboard after reading a Kaspersky article about the easiness with which any input could be stolen.
(Source: https://www.kaspersky.com/blog/when-going-offline-doesnt-help/9078/)

Interestingly, this vulnerability exists for practically all types of keyboards except some very special-purpose ones built with this vulnerability in mind (shielded keyboards). With this vulnerability, a neighbor could snoop on the keyboard input, while even being several floors away! (Evil Neighbor Attack? Ha!).

For these reasons, I’d really want to avoid using my keyboard to decrypt Qubes’ hard drive and a USB stick seems to be a good compromise. I was looking for implementations, and with a normal Debian install this is rather straightforward, a good example is LUKS with USB unlock by ‘Maurits van der Schee’. After choosing my default dom0 to be Debian 12, I suspected that I could implement this with Qubes, but then I remembered that Qubes is deservingly suspect of USB devices, so it probably won’t allow to mount a USB stick as a part of a LUKS decryption script, or this would be trickier than with a normal Debian.

Did anyone try this with Qubes? I attach the script used to mount and use the USB stick for Debian 11 by van der Schee (details are in the link above) - I’d appreciate greatly comments on whether the script below would work (probably not) or on how to modify it for it to work. I am aware of the risks regarding possessing a USB stick for decryption (that it can be stolen, etc.), my risk model accounts for it.

cat << "END" > luksunlockusb
#!/bin/sh
set -e
if [ ! -e /mnt ]; then
    mkdir -p /mnt
    sleep 3
fi
for usbpartition in /dev/disk/by-id/usb-*-part1; do
    usbdevice=$(readlink -f $usbpartition)
    if mount -t vfat $usbdevice /mnt 2>/dev/null; then
        if [ -e /mnt/$CRYPTTAB_KEY.lek ]; then
            cat /mnt/$CRYPTTAB_KEY.lek
            umount $usbdevice
            exit
        fi
        umount $usbdevice
    fi
done
/lib/cryptsetup/askpass "Insert USB key and press ENTER: "
END

The USB devices are accessible in initramfs by default, so it should work the same way as for any Linux OS.

You are doing what?
Choose Debian12 as dom0???
I don’t believe, that it’s possible without very deep technical knowledge about the parts, that forms Qubes OS and the functionality of Xen hypervisor.
You have to compile all the qubes specific parts by yourself, because it exists no qubes dom0 repo for debian.
You don’t have a dom0 update repo for debian, so you have to compile all fixes for dom0 and to manage the update process by yourself.

But yes, debian-12 dom0 currently doesn’t exist.

Maybe I did not understand the initial Qubes settings correctly, apologies. There was a choice during installation to have either “Fedora” or “Debian” as “default” (in templates configuration as I am now rechecking in the manual) and I’ve chosen Debian - I thought that this was my choice of a basis for dom0, but apparently I am mistaken, sorry!
I will take a closer look into checking how to do what I want with Qubes… Apparently I’d have to see how to do it for Fedora instead of Debian

No problem. Your choose between Fedora and Debian was for the default template, when you create a new qube.
Dom0 is currently on fedora 37 and imho exists no plan to switch it to another distribution.
As far as i know, usb-access to dom0 opens a much more bigger hole in the security design of qubes as the (theoretical) keyboard password sniffing…