Re: Crypted devices... where open them?
Hello,

On Wed, Jul 01, 2020 at 10:59:41AM +0200, Christoph wrote:
> I have some crypted (LUKS) devices which I use in some domU's.
> It is better to passthrough a crypted devices and open it in domU or
> passthrough an already opened plain device to a domU?

I open them inside the domU because not all domUs require encrypted storage. Also some of them are managed by the guest administrators and I don't know the key material - it's not stored in the dom0 storage at all.

I would have thought that opening it in dom0 would be slightly less secure as anyone who is root in dom0 can read the block device as if it was not encrypted. Obviously anyone with root in a privileged domain can read the memory of a guest and get the key material out of that anyway, but that would require a bit of motivation at least.

Cheers,
Andy