
Re: Crypted devices... where open them?



The root user of dom0 might / should be different from the root user of the domU.



From: "Andy Smith" <andy@xxxxxxxxxxxxxx>
Date: Wednesday, 1 July 2020 at 12:46:32
To: "xen-users@xxxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Crypted devices... where open them?

Hello,

On Wed, Jul 01, 2020 at 10:59:41AM +0200, Christoph wrote:
> I have some crypted (LUKS) devices which I use in some domUs.
> Is it better to pass through a crypted device and open it in the domU, or
> to pass through an already opened plain device to the domU?

I open them inside the domU because not all domUs require encrypted
storage. Also some of them are managed by the guest administrators and I
don't know the key material - it's not stored in the dom0 storage at all.

I would have thought that opening it in dom0 would be slightly less
secure as anyone who is root in dom0 can read the block device as if
it was not encrypted. Obviously anyone with root in a privileged
domain can read the memory of a guest and get the key material out
of that anyway, but that would require a bit of motivation at least.

Cheers,
Andy
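An added example, not from Andy's or Christoph's mail, of the guest-side arrangement Andy describes: dom0 passes the raw LUKS device through and the domU verifies it still carries a LUKS header before unlocking it, so a plaintext mapping opened in dom0 by mistake is noticed rather than mounted. The guest device name /dev/xvdb, the dom0 volume path and the mapping name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). dom0 side, in the xl config, hands the
# raw container through without opening it (assumed volume path):
#   disk = [ 'phy:/dev/vg0/guest-luks,xvdb,w' ]
# Everything below runs inside the domU.

# Return 0 if the first 6 bytes of $1 are the LUKS magic "LUKS\xba\xbe",
# i.e. the device is still the encrypted container, not a decrypted mapping.
is_luks_container() {
    dev="$1"
    magic=$(dd if="$dev" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Unlock the container in the guest; the passphrase is only ever typed here
# and never exists in dom0 storage. Refuses if dom0 already opened it.
open_in_domu() {
    dev="$1"
    name="$2"
    if ! is_luks_container "$dev"; then
        echo "refusing: $dev is not a LUKS container (was it opened in dom0?)" >&2
        return 1
    fi
    cryptsetup open "$dev" "$name"
}

# Typical use inside the guest (assumed names):
#   open_in_domu /dev/xvdb guestdata && mount /dev/mapper/guestdata /srv
```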



This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
