I need r4.1 for paranoid backup-restore and android-x86 natively without needing to do this 4.0.4 dom0 hack covered here: notes/InstallingAndroid.md at master · unman/notes · GitHub.
But I want the stability and security benefits of 4.0.4 for my daily driver and critical operations.
I’m assuming my android-vms will be targeted and hacked. So having them only accessible on r4.1 is ideal for me. Also disposability of both r4.1 and the android vms is ideal.
I’m realizing it’s killing me time-wise for backup management to have all my qubes (appvms) on the same drive as the OS, especially when or if something happens to dom0.
The documentation here (Secondary storage | Qubes OS) says appvms on secondary storage, but templates on main drive. I don’t want that. If possible I’d like all vms including templates on secondary storage. Hopefully with the added benefit of being able to use them on both r4.1 and 4.0.4.
I may be mistaken but I thought appvms and templates in the backend are basically the same thing, just vms but with different sharing of file structures. So I’m hoping templates and appvms on a single secondary storage device is not a problem.
In vms containing critical data, for additional security (encryption at rest) I’ll add an additional layer of VeraCrypt containers using a different passphrase that r4.1 never sees, just in case there are flaws that might expose data that 4.0.4 wouldn’t.
For how I choose to boot between r4.1 or 4.0.4 I plan to use separate drives, physically removing and installing one or the other, rather than trying to achieve some dual booting trickery.
Physically changing the drives as needed will also allow me to maintain my Librem Key boot loader integrity check on my 4.0.4 install… I think… Will have to test. But if I remember correctly, once I had to do something with Windows, swapped out the drive, coreboot said “tampering detected”, I chose ignore, then later I put the Qubes drive back in and the tampering detection disappeared and was green ok again.
So is all this possible, especially keeping the templates and appvms on a secondary drive? And also usable across both my 4.0.4 and r4.1 installs, as there is some data sharing that would be needed?
Thank you all.