
Re: Crypted devices... where open them?


  • To: xen-users@xxxxxxxxxxxxxxxxxxxx
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Wed, 1 Jul 2020 10:36:34 +0000
  • Delivery-date: Wed, 01 Jul 2020 10:37:39 +0000
  • List-id: Xen user discussion <xen-users.lists.xenproject.org>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc

Hello,

On Wed, Jul 01, 2020 at 10:59:41AM +0200, Christoph wrote:
> I have some encrypted (LUKS) devices which I use in some domUs.
> Is it better to pass through an encrypted device and open it in the domU, or
> to pass through an already opened plain device to a domU?

I open them inside the domU because not all domUs require encrypted
storage. Also, some of them are managed by the guest administrators and I
don't know the key material - it's not stored in the dom0 storage at all.

I would have thought that opening it in dom0 would be slightly less
secure as anyone who is root in dom0 can read the block device as if
it was not encrypted. Obviously anyone with root in a privileged
domain can read the memory of a guest and get the key material out
of that anyway, but that would require a bit of motivation at least.

Cheers,
Andy
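As an added illustration of the point made above (this is example code written for this page, not something from Andy's post or from the Xen project), the following dom0-side pre-flight check refuses to hand a guest a dm-crypt mapping that was already opened in dom0, and only lets through devices that are not plaintext crypt targets, such as the raw LVM volume holding the LUKS header. The function names are hypothetical, and the `dmsetup table` output is a constructed sample so the script runs without root or real devices; a real version would obtain the table with `dmsetup table` on the device named in the `disk=` spec.

```shell
#!/bin/sh
# Added example (not from the list post or the Xen project): enforce the
# "open LUKS inside the domU" policy before passing a dom0 block device to a
# guest. If the device is a dm-crypt mapping that dom0 has already opened,
# the guest receives plaintext and dom0 root holds the key - with
# `dmsetup table --showkeys` the master key is printed in the clear.

# Constructed samples of `dmsetup table <dev>` output. In real output the key
# field of a crypt target is masked as zeros unless --showkeys is given.
SAMPLE_TABLE_CRYPT='0 20971520 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 253:3 32768'
SAMPLE_TABLE_LINEAR='0 20971520 linear 8:17 2048'

# dm_target TABLE -> target type (3rd field) of the first table segment.
dm_target() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $3 }'
}

# backend_kind TABLE -> raw | crypt-plain | dm-other
#   raw         : not a device-mapper node at all (dmsetup gives no table)
#   crypt-plain : a dm-crypt mapping opened in dom0 (plaintext view)
#   dm-other    : some other dm target, e.g. a linear LVM volume that still
#                 carries the LUKS header and is safe to pass through
backend_kind() {
    table=$1
    if [ -z "$table" ]; then
        echo raw
        return 0
    fi
    case "$(dm_target "$table")" in
        crypt) echo crypt-plain ;;
        *)     echo dm-other ;;
    esac
}

# allow_passthrough PATH TABLE -> 0 if PATH may go into a guest's disk= spec,
# 1 if it is a dom0-opened plaintext mapping that should stay in dom0.
# PATH is only used for the message; the decision is made from TABLE.
allow_passthrough() {
    path=$1
    kind=$(backend_kind "$2")
    if [ "$kind" = crypt-plain ]; then
        echo "refuse: $path is a dm-crypt mapping opened in dom0;" \
             "pass the underlying LUKS device and open it in the domU" >&2
        return 1
    fi
    echo "ok: $path ($kind)"
    return 0
}

# Usage with the constructed samples. In a real dom0 the second argument
# would be $(dmsetup table "$(readlink -f "$dev")" 2>/dev/null).
allow_passthrough /dev/mapper/domu1-data "$SAMPLE_TABLE_CRYPT" || true
allow_passthrough /dev/vg0/domu1-luks "$SAMPLE_TABLE_LINEAR"
```

The check deliberately keys on the device-mapper target type rather than on the path, because LVM volumes are themselves device-mapper nodes: a LUKS container sitting on an LVM volume shows up as a `linear` target and is allowed, while the `crypt` mapping produced by `cryptsetup open` in dom0 is the one that leaks plaintext to anyone who is root there.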
