Accessing a usb-sys blocked and encrypted Qubes OS Partition

Since a USB controller assignment survives reboot, you may find yourself unable to access your system. (link)

Qubes OS does consider all USB devices by default as potentially evil. So in case you are serious about USB-based attacks on your Qubes-OS environment, you might want to install an USB qube such as sys-usb. A more detailed explanation could be found here:

The connection of an untrusted USB device to dom0 is a security risk since dom0, like almost every OS, reads partition tables automatically and since the whole USB stack is put to work to parse the data presented by the USB device in order to determine if it is a USB mass storage device, to read its configuration, etc. This happens even if the drive is then assigned and mounted in another qube.

The concept of sys-usb is to act as a secure man-in-the-middle between your dom0 and your USB device so that in case of a compromise, only the sys-usb environment gets compromised. sys-firewall is executing a similar function but focused on the Internet instead of the USB device.

So further steps on how to install the sys-usb can be found here – I especially recommend to read the following section:

Warning USB keyboard cannot be used to type the disk passphrase if USB controllers were hidden from dom0. Before hiding USB controllers make sure your laptop keyboard is not internally connected via USB (by checking output of lsusbcommand) or that you have a PS/2 keyboard at hand (if using a desktop PC). Failure to do so will render your system unusable.

Bang! I skipped that part obviously and didn’t have a PS/2 keyboard at hand – bad choice – RTFM! next time. I was basically locked out of my system.

Below I want to provide a short workaround in case you still want to get access to your Qubes-based encrypted data immediately:

  1. Download gparted or any other tool that allows you to boot a small linux via USB and boot it to get a shell
  2. Now decrypt the LUKS partition of Qubes OS and assign it to a virtual device:
    sudo cryptsetup open /dev/sda$ qubes
  3. Enter your passphrase for Qubes OS Full Disk Encryption
  4. Create mountpoint: mkdir /mnt/final
  5. Mount virtual device to mountpoint: mount /dev/mapper/qubes_dom0_root /mnt/final
  6. You can now access your Quebos OS system files and also access the folder where the VMs are stored: cd /mnt/final/var/lib/qubes/appvms
  7. There, you will find a list of all your VMs – just cd into the one where your assets are stored that you intend to extract. You will find different .img files and also a $VM-name.conf file which is not of interest. The private.img file is the one we intend to mount. file private.img will show you that in case of a standard fedora-25 appvm, the img consists of a ext4 filesystem which we now mount.
  8. create mountpoint: mkdir /mnt/emails
  9. mount private.img /mnt/emails/
  10. Now it depends on what you intend to restore – for instance, if you want to access your old emails in Thunderbird, cd /mnt/emails/home/user/.thunderbird for instance
  11. Now put in a second USB stick and mount it: mkdir /mnt/extern
  12. mount /dev/$USB2 /mnt/extern/
  13. Now copy the data to the external USB stick: cp -r $profile /mnt/extern/
  14. umount /mnt/extern/

That’s it – pretty much straightforward.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s