{"id":13593253,"url":"https://github.com/rustybird/qubes-split-dm-crypt","last_synced_at":"2025-04-09T02:32:59.928Z","repository":{"id":77873515,"uuid":"67700211","full_name":"rustybird/qubes-split-dm-crypt","owner":"rustybird","description":"Isolate secondary storage dm-crypt and LUKS header processing to Qubes OS DisposableVMs","archived":false,"fork":false,"pushed_at":"2025-03-30T13:07:40.000Z","size":93,"stargazers_count":23,"open_issues_count":0,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-30T14:22:08.096Z","etag":null,"topics":["disposablevm","dm-crypt","encryption","luks","qubes"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"0bsd","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rustybird.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-0BSD","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-09-08T12:15:02.000Z","updated_at":"2025-03-30T13:14:31.000Z","dependencies_parsed_at":"2023-02-28T08:00:42.149Z","dependency_job_id":null,"html_url":"https://github.com/rustybird/qubes-split-dm-crypt","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustybird%2Fqubes-split-dm-crypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustybird%2Fqubes-split-dm-crypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustybird%2Fqubes-split-dm-crypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustybird%2Fqubes-split-dm-crypt/manifests","owner_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/owners/rustybird","download_url":"https://codeload.github.com/rustybird/qubes-split-dm-crypt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247965751,"owners_count":21025431,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["disposablevm","dm-crypt","encryption","luks","qubes"],"created_at":"2024-08-01T16:01:18.401Z","updated_at":"2025-04-09T02:32:54.920Z","avatar_url":"https://github.com/rustybird.png","language":"Shell","funding_links":[],"categories":["VM-Hardening","Proxy and VPN Tools"],"sub_categories":["Security"],"readme":"# _Split dm-crypt_ for Qubes R4.0\n\n\n**Isolates device-mapper based secondary storage encryption (i.e. not\nthe root filesystem) and LUKS1 header processing to DisposableVMs.**\n\nInstead of directly attaching an encrypted LUKS1 partition from a source\nVM such as sys-usb to a destination VM and decrypting it there, it works\nlike this:\n\n1. The encrypted partition is attached from the source VM to an offline\n   _device DisposableVM_ configured not to parse its content in any way:\n   The kernel partition scanners, udev probes, and UDisks handling are\n   disabled.\n\n2. From there, the LUKS1 header is sent to a (short-lived) offline\n   _header DisposableVM_ prompting for the password, and the encryption\n   key is sent back to the device DisposableVM, which validates that it\n   received an AES-XTS key and creates the dm-crypt mapping.\n\n3. 
Finally, the decrypted partition is attached from the device\n   DisposableVM to the destination VM.\n\n**If the destination VM is compromised, it does not know the password or\nencryption key. It also cannot easily exfiltrate decrypted data to the\ndisk in a form that would allow an attacker who seizes the disk contents\nlater to read it.** (But see below for caveats.)\n\n\n## Usage\n\n```\nqvm-block-split attach|at|a [--ro] [\u003ck\u003e] [\u003cdst-vm\u003e] \u003csrc-vm\u003e:\u003cdevice\u003e\n                detach|dt|d                         \u003csrc-vm\u003e:\u003cdevice\u003e\n\n                overwrite-everything-with-random    \u003csrc-vm\u003e:\u003cdevice\u003e\n                overwrite-header-with-random        \u003csrc-vm\u003e:\u003cdevice\u003e\n                overwrite-header-with-format [\u003ck\u003e]  \u003csrc-vm\u003e:\u003cdevice\u003e\n                overwrite-header-with-shell  [\u003ck\u003e]  \u003csrc-vm\u003e:\u003cdevice\u003e\n                modify-header-with-shell     [\u003ck\u003e]  \u003csrc-vm\u003e:\u003cdevice\u003e\n\nThe \u003cdst-vm\u003e argument defaults to yet another DisposableVM.\n\u003ck\u003e stands for an optional --key-file=[\u003ckey-vm\u003e:]\u003cfile\u003e argument.\n```\n\nAs seen above, **the `qvm-block-split` attach/detach commands accept a\nsubset of the familiar `qvm-block` syntax**, and some other commands are\nincluded:\n\n- Fully overwrite a device with random data\n\n- Overwrite just the LUKS1 header with random data\n\n- Format a new LUKS1 device with modern crypto parameters: AES-XTS with\n  256+256 (instead of 128+128) bit keys, SHA512 (instead of SHA1) PBKDF2\n  key derivation with 5 (instead of 0.1) seconds iteration time\n\n\n## Remaining attacks\n\n- After detaching, the password and/or key will linger in more RAM\n  locations than without _Split dm-crypt_. 
Until there is a way to wipe\n  the DisposableVMs' memory, and `qvm-block-split` is modified not to\n  pass the key through dom0's memory, **power off your computer when\n  memory forensics is a concern.**\n\n- If both the destination VM and the source VM/disk are compromised,\n  they could establish a covert channel using e.g. read and write access\n  patterns, slowly saving some amount of decrypted data to the disk.\n\n- If the source VM/disk is compromised and successfully exploits the\n  header DisposableVM using a malicious LUKS1 header, a known AES-XTS\n  key could be sent to the device DisposableVM and used to present\n  malicious device content to the destination VM to potentially exploit\n  it as well. **Be suspicious if you do not see the expected filesystem\n  data in the destination VM. Or simply use a DisposableVM as the\n  destination VM.**\n\n- **Don't forget to overwrite your disk with random data before creating\n  a LUKS1 volume on it.** Otherwise, a compromised destination VM could\n  trivially save decrypted data to the disk in its free space, by\n  encoding each bit as an unmodified (still empty or in some other way\n  nonrandom-looking) or modified (random-looking) 128 bit AES block.\n\n\n## Installation\n\n1. Copy `vm/` to a DisposableVM Template's _TemplateVM_ (e.g.\n   `fedora-XX`) - not to the DisposableVM Template _itself_ (e.g.\n   `fedora-XX-dvm`).\n\n   Inspect the code, and `sudo make install`; also install the `pv`\n   (Pipe Viewer) package to be able to run the\n   `overwrite-everything-with-random` command. Shut down the TemplateVM\n   when finished.\n\n2. Copy `dom0/bin/qvm-block-split` to dom0, e.g. into `~/bin/`, inspect\n   the code extra carefully, and `chmod +x` the script.\n\n3. 
Either make your DisposableVM Template from step 1 the system-wide\n   default:\n\n        qubes-prefs default_dispvm fedora-XX-dvm\n\n   Or just let _Split dm-crypt_ know what it is:\n\n        echo TEMPLATE_FOR_DISPVMS=fedora-XX-dvm \u003e/etc/split-dm-crypt.conf\n\n\n## Safety warning\n\nThe code's error handling is strict, and I haven't experienced any data\nloss during development. Nevertheless, this is an early release. Please\n**ensure you have a backup of all drives that are connected to your\ncomputer.**\n\n\n## Redistribution\n\n_Split dm-crypt_ is under a public domain equivalent license; see the\nLICENSE-0BSD file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frustybird%2Fqubes-split-dm-crypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frustybird%2Fqubes-split-dm-crypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frustybird%2Fqubes-split-dm-crypt/lists"}