
Re: Crypted devices... where open them?



On Wednesday, July 1, 2020 10:59:41 AM CEST Christoph wrote:
> Hi
> 
> I have some crypted (LUKS) devices which I use in some domUs.
> Is it better to pass through a crypted device and open it in domU or
> pass through an already opened plain device to a domU?
> 
> --
> ------
> Greetz

I would suggest it depends on who "owns" the domUs.

If the domU is not owned by the same person who owns dom0, then the 
decryption should be handled in the domU, as dom0 should not have access to the 
decryption keys.

If you own both dom0 and domU, you can decide where to use the decryption 
keys.
In this case, I would decrypt it on the dom0. The reason being:

1) the dom0 should have less exposure, which means it will be more difficult 
to break into and grab the keys

2) the data will be accessible anyway as long as the drive is "decrypted", 
which means as long as the machine is powered, the keys are not really needed.

--
Joost





 

