Qubes OS offers a blocking instance called sys-usb to shield your Dom0 from attacks via USB. If you have set up such a qube, you need to explicitly dedicate a USB device to another qube before you can actually use it. Example: you plug a USB webcam into your Qubes OS machine. By default, the webcam is assigned to sys-usb, from which you can assign it to another qube / VM if needed.
You may ask: What’s the risk associated with USB devices? Check out the answer here:
The connection of an untrusted USB device to dom0 is a security risk since the device can attack an arbitrary USB driver (which are included in the linux kernel), exploit bugs during partition-table-parsing or simply pretend to be a keyboard. There are many ready-to-use implementations of such attacks, e.g. a USB Rubber Ducky. The whole USB stack is put to work to parse the data presented by the USB device in order to determine if it is a USB mass storage device, to read its configuration, etc. This happens even if the drive is then assigned and mounted in another qube.
So all in all it is great that you can use sys-usb as a bouncer, but in worst-case scenarios you can find yourself locked out of your system, as stated here:
Assigning a USB keyboard will deprive Dom0 VM of a keyboard. Since a USB controller assignment survives reboot, you may find yourself unable to access your system.
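A check for the situation that warning describes, added here as an example (it is not code from the original post or from the Qubes project): it parses the format of `/proc/bus/input/devices`, reports which keyboards sit on the USB bus, and tells you whether any keyboard on another bus (PS/2, I2C) would stay with dom0 after the controller is assigned. The device listings it runs on are constructed samples; on a real machine you would point it at `/proc/bus/input/devices` in dom0 before creating sys-usb.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Qubes project.
# Before a USB controller is handed to sys-usb, find out which keyboards dom0
# would lose: parse the /proc/bus/input/devices format and report keyboards
# on the USB bus separately from keyboards on any other bus (PS/2, I2C, ...).
# The device listings below are constructed samples.

# list_keyboards FILE usb|other
# Prints the name of each keyboard on the USB bus ("usb") or on any other
# bus ("other"). A device counts as a keyboard when the kernel gave it the
# "kbd" handler AND its KEY bitmap has keys in the 0-63 range (Esc, digits,
# letters); the second test drops ACPI power/sleep buttons and USB media-key
# "consumer control" devices, which also carry the kbd handler.
list_keyboards() {
  awk -v want="$2" -v RS= -F'\n' '
    {
      usb = 0; kbd = 0; lowkeys = 0; name = "(unnamed)"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^I: Bus=0003/) usb = 1              # 0003 = BUS_USB
        if ($i ~ /^N: Name=/) {
          name = $i; sub(/^N: Name="/, "", name); sub(/"$/, "", name)
        }
        if ($i ~ /^H: Handlers=/ && ($i " ") ~ /[= ]kbd /) kbd = 1
        if ($i ~ /^B: KEY=/) {                        # last word = key codes 0-63
          n = split($i, w, " "); if (w[n] != "0") lowkeys = 1
        }
      }
      if (kbd && lowkeys && ((want == "usb" && usb) || (want == "other" && !usb)))
        print name
    }' "$1"
}

# dom0_keeps_a_keyboard FILE -> exit 0 if at least one non-USB keyboard exists,
# 1 if every keyboard is on USB (assigning the controller to sys-usb would
# leave dom0 without any keyboard: the lockout the post describes).
dom0_keeps_a_keyboard() {
  [ -n "$(list_keyboards "$1" other)" ]
}

# Constructed sample 1: laptop with its built-in i8042 keyboard plus USB devices.
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
I: Bus=0019 Vendor=0000 Product=0001 Version=0000
N: Name="Power Button"
H: Handlers=kbd event0
B: KEY=10000000000000 0

I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
H: Handlers=sysrq kbd event1 leds
B: KEY=402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe

I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Logitech USB Keyboard"
H: Handlers=sysrq kbd event2 leds
B: KEY=1000000000007 ff9f207ac14057ff febeffdfffefffff fffffffffffffffe

I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="Logitech USB Optical Mouse"
H: Handlers=mouse0 event3
B: KEY=70000 0 0 0 0
EOF

# Constructed sample 2: desktop whose only keyboard is the USB one.
SAMPLE_RISK=$(mktemp)
cat >"$SAMPLE_RISK" <<'EOF'
I: Bus=0019 Vendor=0000 Product=0001 Version=0000
N: Name="Power Button"
H: Handlers=kbd event0
B: KEY=10000000000000 0

I: Bus=0003 Vendor=046d Product=c31c Version=0110
N: Name="Logitech USB Keyboard"
H: Handlers=sysrq kbd event2 leds
B: KEY=1000000000007 ff9f207ac14057ff febeffdfffefffff fffffffffffffffe
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_RISK"' EXIT

# report FILE -> human-readable verdict for one device listing
report() {
  echo "== $1"
  echo "USB keyboards (would move to sys-usb):"; list_keyboards "$1" usb
  if dom0_keeps_a_keyboard "$1"; then
    echo "OK: a non-USB keyboard stays with dom0:"; list_keyboards "$1" other
  else
    echo "WARNING: every keyboard is USB; assigning the controller locks dom0 out"
  fi
}

report "$SAMPLE_OK"
report "$SAMPLE_RISK"
# On a real machine, run the same check in dom0 against the live file:
if [ -r /proc/bus/input/devices ]; then report /proc/bus/input/devices; fi
```

The bus-number test alone is not enough, because ACPI buttons and USB media-key devices also register the `kbd` handler; requiring key codes in the 0-63 range is what separates a typing keyboard from those.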
A while ago, I skipped this warning and was locked out of my device. Below I want to provide a short, rather dirty workaround in case you still want to get access to your Qubes-based encrypted data immediately:
- Download GParted or any other tool that lets you boot a small Linux from USB, and boot it to get a shell.
- Now decrypt the LUKS partition of Qubes OS and map it to a virtual device (replace `$` with the number of the LUKS partition): `sudo cryptsetup open /dev/sda$ qubes`
- Enter your passphrase for the Qubes OS full disk encryption.
- Create the mountpoint `/mnt/final`.
- Mount the virtual device to the mountpoint: `mount /dev/mapper/qubes_dom0_root /mnt/final`
- You can now access your Qubes OS system files, including the directory where the VMs are stored.
- There you will find one directory per VM; cd into the one where the data you intend to extract is stored. It contains several `.img` files and a `$VM-name.conf` file, which is not of interest. `private.img` is the one we intend to mount. `file private.img` will show you that, in the case of a standard fedora-25 AppVM, the image consists of an ext4 filesystem, which we now mount.
- Create the mountpoint `/mnt/emails` and mount the image: `mount private.img /mnt/emails/`
- What comes next depends on what you intend to restore; for instance, to access your old emails in Thunderbird: `cd /mnt/emails/home/user/.thunderbird`
- Now plug in a second USB stick and mount it: `mount /dev/$USB2 /mnt/extern/`. Copy the data to the external USB stick with `cp -r $profile /mnt/extern/`, then `umount /mnt/extern/`. Done.
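The steps above as one script, added here as an example and not code from the original post. It runs the same sequence (open the LUKS container, mount the dom0 root, mount the qube's `private.img`, copy, unmount) but mounts everything read-only so the live system cannot alter the Qubes installation, and it unwinds the mounts and the LUKS mapping at the end. Everything it takes is a placeholder: the LUKS partition, the dom0 root mapping (the post names `/dev/mapper/qubes_dom0_root`), the directory holding one subdirectory per qube (the post does not name it, so it must be supplied relative to the mounted root), the qube name, and a destination on the already mounted second USB stick. The `vgchange -ay` step is an assumption, added for live systems that do not activate LVM volumes automatically after `cryptsetup open`. `DRY_RUN=1` prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not code from the original post: the recovery steps above as
# one script, with read-only mounts and an unwind step. Assumptions (all
# placeholders, none taken from a real system): you are root on a live USB;
# LUKS_PART is the Qubes LUKS partition; ROOT_LV is the dom0 root mapping
# (the post uses /dev/mapper/qubes_dom0_root); APPVMS_DIR is the directory,
# relative to the mounted root, holding one directory per qube (the post does
# not name it, so supply it); DEST lies on the mounted second USB stick.
# DRY_RUN=1 prints the command plan instead of running it.

DRY_RUN=${DRY_RUN:-0}
ROOT_MNT=/mnt/final       # dom0 root mountpoint, as in the post
PRIV_MNT=/mnt/private     # private.img mountpoint (the post used /mnt/emails)

# run CMD...  -> print the command under DRY_RUN=1, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# recover_private LUKS_PART ROOT_LV APPVMS_DIR VM DEST
# Returns non-zero as soon as a step fails, leaving what was already opened in
# place so the operator can inspect it and unwind by hand.
recover_private() {
  luks_part=$1 root_lv=$2 appvms_dir=$3 vm=$4 dest=$5
  img="$ROOT_MNT/$appvms_dir/$vm/private.img"

  run mkdir -p "$ROOT_MNT" "$PRIV_MNT" "$dest"
  # prompts for the full-disk-encryption passphrase; creates /dev/mapper/qubes
  run cryptsetup open "$luks_part" qubes || return 1
  # assumption: activate the LVM volumes inside the container in case the
  # live system's udev did not do it already
  run vgchange -ay || true
  # read-only: nothing on the dom0 root should change from a live system
  run mount -o ro "$root_lv" "$ROOT_MNT" || return 1
  if [ "$DRY_RUN" != 1 ] && [ ! -f "$img" ]; then
    echo "no private.img for '$vm' under $ROOT_MNT/$appvms_dir" >&2
    return 1
  fi
  # private.img holds an ext4 filesystem; attach it via a loop device, read-only
  run mount -o ro,loop "$img" "$PRIV_MNT" || return 1
  # copy the qube's whole home directory (the post copied one Thunderbird profile)
  run cp -a "$PRIV_MNT/home/user/." "$dest/" || return 1
  run umount "$PRIV_MNT"
  run umount "$ROOT_MNT"
  run cryptsetup close qubes
}

# Usage: print the plan first, then run it for real as root, e.g.
#   DRY_RUN=1 sh recover.sh /dev/sdXN /dev/mapper/qubes_dom0_root <appvms-dir> work /mnt/extern/work
if [ $# -eq 5 ]; then
  recover_private "$@"
fi
```

Reviewing the dry-run output before the real run is the point of the `run` wrapper: it shows the exact device, mapping and image path that will be touched, which is where a typo in the partition number would otherwise go unnoticed until `cryptsetup` or `mount` fails.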