Adding cryptsetup-reencrypt support. First step into getting OEM predeployed QubesOS machines #464
Conversation
|
@kakaroto @flammit @mfc @osresearch @kylerankin: Please challenge this idea ASAP. |
|
@tlaurion I'm personally fine with allowing luks re-encryption. One approach we are working toward was using the Librem Key for decryption by adding OpenPGP smartcard support to LUKS. We are currently working with Debian toward this goal: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163 How do you think this approach would mesh with yours? I'd love to have an OEM-ready Qubes installer. The challenge with Qubes OEM images in the past was having resources with the expertise to build it. The Qubes team could do it but you would need to be willing to set up a consulting agreement with them and fund the effort. |
Perfectly :)
Apart from reencrypting OEM deployment from Heads, I think the solution would be to permit deployment of additional salt recipes in QubesOS installer's second stage. By permitting to import them from a USB key, OEM customization would be possible:
@kylerankin : What you think? |
tlaurion
changed the title
This addition permits deployment of customized OEM shipped QubesOS deployments.
The idea behind this is to be able to deploy preinstalled QubesOS trusthworthy machines and permit remote support over them on demand. This is an attempt to relaunch the idea behind QubesOS librem OEM install disk, but this time, including the deployment of a second AdminVM, permitting remote management, by a third party, on demand, through a tor hidden service. This onion hidden service is only available to remote management when both hidden hostname and attached public key are shared, and can be revoked at any time, while the AdminVM needs to be launched to permit remote management as a whole, leaving the user able to bypass and control that AdminVM deployments through dom0, on which the user controls everything. The Admin is an helper, not a complete machine owner: the user is the only one being truely in control of the system the whole time.
To do so, that second AdminVM, remotely SSH manageable through an hidden tor service would permit additional persona deployments through customized salt recipes.
The actual unresolved problem with OEM deploying QubesOS offline and not before user's eyes is that the user doesn't own his LUKS encrypted volume with delivered laptop. By using cryptsetup-reencrypt through Heads, the volume is reencrypted with user's keys upon reception and denies OEM responsibility of knowing LUKS original encryption key.
Even with SSD deleted pool related risks, the only data previously written to disk with precedent encryption key would be templates and base VMs deployements being deleted (deleted pools), so there is no real risks. Reencrypting a 240GB SSD drive takes 25 minutes from the user to really own his laptop, which IMHO is not a real problem considering the gains.
Heads' advanced menu could now include an option to reencrypt the LUKS encrypted volume.
The use case this fits in is:
OEM preparation of laptop and LibremKey/Nitrokey Pro V2:
Client ownership:
Client support:
Client is happy with his trustworty hardware and is feeling supported if in need.