Hello!
I am new to Qubes, just installed it yesterday. The experience is unusual, but I am getting a grip on it. I believe that for my security model a password decryption is insufficient. This mainly comes from the fact that I do not trust entering critical information via my keyboard after reading a Kaspersky article about the ease with which any input could be stolen.
(Source: https://www.kaspersky.com/blog/when-going-offline-doesnt-help/9078/)
Interestingly, this vulnerability exists for practically all types of keyboards except some very special-purpose ones built with this vulnerability in mind (shielded keyboards). With this vulnerability, a neighbor could snoop on the keyboard input, while even being several floors away! (Evil Neighbor Attack? Ha!).
For these reasons, I'd really want to avoid using my keyboard to decrypt Qubes' hard drive, and a USB stick seems to be a good compromise. I was looking for implementations, and with a normal Debian install this is rather straightforward; a good example is "LUKS with USB unlock" by Maurits van der Schee. After choosing my default dom0 to be Debian 12, I suspected that I could implement this with Qubes, but then I remembered that Qubes is deservedly suspicious of USB devices, so it probably won't allow mounting a USB stick as part of a LUKS decryption script, or this would be trickier than with a normal Debian.
Did anyone try this with Qubes? I attach the script used to mount and use the USB stick for Debian 11 by van der Schee (details are in the link above). I'd greatly appreciate comments on whether the script below would work (probably not) or on how to modify it so that it works. I am aware of the risks regarding possessing a USB stick for decryption (that it can be stolen, etc.); my risk model accounts for it.
cat << "END" > luksunlockusb
#!/bin/sh
# cryptsetup keyscript: cryptsetup calls this with CRYPTTAB_KEY set from
# the key field of /etc/crypttab and reads the LUKS passphrase from stdout.
set -e
if [ ! -e /mnt ]; then
    mkdir -p /mnt
    sleep 3
fi
# Try the first partition of every USB disk the initramfs can see.
for usbpartition in /dev/disk/by-id/usb-*-part1; do
    # An unmatched glob leaves the literal pattern; skip it.
    [ -e "$usbpartition" ] || continue
    usbdevice=$(readlink -f "$usbpartition")
    if mount -t vfat "$usbdevice" /mnt 2>/dev/null; then
        if [ -e "/mnt/$CRYPTTAB_KEY.lek" ]; then
            # The key file content is the passphrase; print it and stop.
            cat "/mnt/$CRYPTTAB_KEY.lek"
            umount "$usbdevice"
            exit 0
        fi
        umount "$usbdevice"
    fi
done
# No USB key found: fall back to the interactive passphrase prompt.
/lib/cryptsetup/askpass "Insert USB key and press ENTER: "
END
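The keyscript above does its real work inside the initramfs as root, which makes it hard to try out safely. The following is an added example, not part of the post or of van der Schee's script: it separates the key lookup from the mounting so the search logic (several candidate USB partitions, unmatched globs, missing or empty key files, fallback to a prompt) can be exercised against plain directories standing in for mounted sticks. The function names `find_usb_key`, `unlock_key_or_prompt` and the directory layout used in the demo are assumptions made for this example; the real `/dev/disk/by-id/usb-*-part1` devices and `/lib/cryptsetup/askpass` are only referred to in comments.

```shell
#!/bin/sh
# Added example: testable core of a USB-keyfile lookup for a cryptsetup keyscript.
# In a real keyscript each candidate would be a freshly mounted vfat partition
# from /dev/disk/by-id/usb-*-part1; here candidates are ordinary directories.

# find_usb_key KEYNAME DIR...
# Prints the content of the first DIR/KEYNAME.lek that is a regular, non-empty
# file and returns 0; returns 1 if no candidate directory holds such a key.
find_usb_key() {
    keyname=$1
    shift
    for candidate in "$@"; do
        # A directory that does not exist (e.g. an unmatched glob) is skipped.
        [ -d "$candidate" ] || continue
        keyfile="$candidate/$keyname.lek"
        # Require a regular, non-empty file: an empty key would otherwise be
        # emitted as an empty passphrase and the unlock would fail.
        if [ -f "$keyfile" ] && [ -s "$keyfile" ]; then
            cat "$keyfile"
            return 0
        fi
    done
    return 1
}

# unlock_key_or_prompt KEYNAME DIR...
# Mirrors the keyscript control flow: emit the key if found, otherwise print
# the prompt text that /lib/cryptsetup/askpass would show (stand-in for the
# interactive fallback, assumption for this example).
unlock_key_or_prompt() {
    if key=$(find_usb_key "$@"); then
        printf '%s\n' "$key"
    else
        printf '%s\n' "Insert USB key and press ENTER: "
    fi
}

# Demo with constructed directories; a real keyscript gets KEYNAME from
# $CRYPTTAB_KEY, set by cryptsetup from the key field of /etc/crypttab.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/stick1" "$tmp/stick2"
    : > "$tmp/stick1/sda5_crypt.lek"                 # empty file: must be ignored
    printf 'constructed-demo-key' > "$tmp/stick2/sda5_crypt.lek"
    unlock_key_or_prompt sda5_crypt "$tmp/nope" "$tmp/stick1" "$tmp/stick2"
    rm -rf "$tmp"
}

[ "${0##*/}" = "sh" ] || demo
```

Note that `cat` of the key file is what turns its bytes into the passphrase; the file should be created from `/dev/urandom` with restrictive permissions and added to a separate LUKS key slot, so the keyboard passphrase remains as the fallback slot.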