
Re: Crypted devices... where open them?



What about the rw performance? I think it should be a little bit
performant if I open it in dom0 already? cryptsetup/LUKS uses AFAIK the
AES extensions of the CPU... does it use it in a domU too?

---
------
Greetz

On 01.07.2020 12:36, Andy Smith wrote:
Hello,

On Wed, Jul 01, 2020 at 10:59:41AM +0200, Christoph wrote:
I have some crypted (LUKS) devices which I use in some domUs.
Is it better to pass through a crypted device and open it in the domU, or
to pass through an already opened plain device to a domU?

I open them inside the domU because not all domUs require encrypted
storage. Also some of them are managed by the guest administrators and
I don't know the key material - it's not stored in the dom0 storage at
all.

I would have thought that opening it in dom0 would be slightly less
secure as anyone who is root in dom0 can read the block device as if
it was not encrypted. Obviously anyone with root in a privileged
domain can read the memory of a guest and get the key material out
of that anyway, but that would require a bit of motivation at least.

Cheers,
Andy
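
The question above about AES extensions can be checked directly in whichever domain opens the LUKS device. The following is an added example, not part of the thread: it looks for the x86 `aes` CPU flag in `/proc/cpuinfo` and for AES-NI backed drivers in `/proc/crypto`. The function names and the three status labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether this domain (dom0 or domU) can use hardware
# AES for dm-crypt/LUKS. Function names and status labels are illustrative.

# Succeeds if the first "flags" line of a cpuinfo file lists the "aes" feature.
# $1: path to a cpuinfo file (defaults to /proc/cpuinfo)
has_aes_flag() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" 2>/dev/null | grep -qw aes
}

# Prints the kernel crypto drivers that are AES-NI backed, e.g. xts-aes-aesni.
# $1: path to a crypto listing (defaults to /proc/crypto)
aesni_drivers() {
    awk -F' *: *' '$1 == "driver" && $2 ~ /aesni/ { print $2 }' \
        "${1:-/proc/crypto}" 2>/dev/null | sort -u
}

# Prints one of:
#   hw-aes     CPU flag visible and an AES-NI driver is registered
#   flag-only  CPU flag visible, but no AES-NI driver registered
#              (for example the aesni_intel module is not loaded)
#   software   no "aes" flag visible in this domain
aes_status() {
    cpuinfo="${1:-/proc/cpuinfo}"
    crypto="${2:-/proc/crypto}"
    if ! has_aes_flag "$cpuinfo"; then
        echo software
    elif [ -n "$(aesni_drivers "$crypto")" ]; then
        echo hw-aes
    else
        echo flag-only
    fi
}

# Run against the live system when executed as a script.
echo "AES status in this domain: $(aes_status)"
# To measure actual throughput, compare the output of the following command
# in dom0 and in the domU:
#   cryptsetup benchmark -c aes-xts-plain64 -s 512
```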



 

