Extend vm-pool instead of adding another pool.
: You don’t need to juggle qubes between two pools like in the secondary storage setup.
: Chances of data loss due to drive failure are higher.
1. Locate the device, partition it (if you want)
Locate the device you want to add to the pool using lsblk or other tools.
The procedure for an encrypted partition is a bit different: follow "Secondary storage: Example setup of second drive" until you end up with an auto-mounted LUKS partition, then continue with step 2.
2. Add it to the pool
pvcreate $device
vgextend $vg $device
lvextend -l +100%FREE $pool
- $device is the device you want to add to the pool. Most likely a partition on a physical device, like /dev/sdb1, /dev/nvme1p1, or /dev/mapper/mydevicename if you’re using an encrypted partition.
- $vg is the LVM volume group. You can list them using vgs. Most likely you have only one group. If you have more, you can deduce which one you need from the output of pvs or lvs: see which group is used for your qubes’ LVs, or which group your existing Qubes drive belongs to.
- $pool is the LVM pool to extend. It is vm-pool by default, but you can list logical volumes and pools using lvs; the pool is listed in the “pool” column for the logical volumes of your virtual machines, as well as in a separate entry.
3. Profit?
This is very flexible. As you can see, almost anything can be used as the $device, be it a physical device, a partition, or an encrypted partition. The same goes for the pool: you can add a different amount of space to it, not necessarily all the free space available in the volume group. See man lvextend.
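A pre-flight check for step 2, as an added example that is not part of the original guide: pvcreate on the wrong device destroys whatever is on it, so this refuses a candidate that is mounted, already carries a signature, or is a locked LUKS container instead of its /dev/mapper device. The function names and the refusal policy are assumptions of this example, and the sample lsblk lines are constructed.

```shell
# Added example: refuse obviously wrong targets before `pvcreate $device`.
# The refusal policy below is an assumption of this example, not Qubes policy.

# Print the value of KEY="value" from one line of `lsblk -P` output.
pair_value() {  # $1 = key, $2 = line
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# Judge one `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` line.
# Prints "ok" or a refusal reason; returns 0 only when the device looks blank.
check_candidate() {
    cc_type=$(pair_value TYPE "$1")
    cc_fs=$(pair_value FSTYPE "$1")
    cc_mnt=$(pair_value MOUNTPOINT "$1")
    case $cc_type in
        disk|part|crypt) ;;
        *) echo "refuse: unexpected device type '$cc_type'"; return 1 ;;
    esac
    if [ -n "$cc_mnt" ]; then
        echo "refuse: mounted at $cc_mnt"; return 1
    fi
    case $cc_fs in
        "") echo "ok" ;;
        crypto_LUKS) echo "refuse: LUKS container, use its /dev/mapper device"; return 1 ;;
        LVM2_member) echo "refuse: already an LVM physical volume"; return 1 ;;
        *) echo "refuse: existing $cc_fs signature"; return 1 ;;
    esac
}

# Check a real device, then print (not run) the commands from step 2.
plan_extend() {  # $1 = $device, $2 = $vg, $3 = $pool, as named in step 2
    pe_line=$(lsblk -d -P -o NAME,TYPE,FSTYPE,MOUNTPOINT "$1") || return 1
    check_candidate "$pe_line" || return 1
    printf 'pvcreate %s\nvgextend %s %s\nlvextend -l +100%%FREE %s\n' "$1" "$2" "$1" "$3"
}

# Constructed sample lines (not captured from a real system).
demo() {
    for d_line in \
        'NAME="sdb1" TYPE="part" FSTYPE="" MOUNTPOINT=""' \
        'NAME="sdb2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""' \
        'NAME="mydevicename" TYPE="crypt" FSTYPE="" MOUNTPOINT=""' \
        'NAME="sda3" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"'
    do
        printf '%s -> ' "$(pair_value NAME "$d_line")"
        check_candidate "$d_line" || true
    done
}
if [ "$#" -eq 3 ]; then plan_extend "$1" "$2" "$3"; fi
```

Run as root in dom0 with the device, volume group and pool as three arguments; the three commands are only printed, so you can review them before typing them in.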
Booting with encrypted devices
On qubes, systemd-cryptsetup handles decryption during boot. It always tries available passphrases before prompting the user for a password. If you have multiple partitions with the same passphrase, you’ll only need to enter it once.
If, on the other hand, you want to have multiple partitions with different passphrases unlocked during boot, you will find that the Qubes splash screen doesn’t tell you what you’re currently unlocking. It does not matter. You can enter passphrases in any order; systemd-cryptsetup will figure out what goes where by itself. Even so, it might be hard to figure out what’s going on if you make a typo in one of your passphrases, so let’s get more information printed anyway.
There are two ways to print the device name when prompted for a passphrase during boot:
Make plymouth (program responsible for the splash screen) print the device name
Idk, feel free to contribute… This topic might be a good starting point
Disable plymouth, enjoy the beauty of the console
- Add the following parameters to GRUB_CMDLINE_LINUX in /etc/default/grub: rd.plymouth=0 plymouth.enable=0
- Generate the config:
# If you're using BIOS
grub2-mkconfig -o /boot/grub2/grub.cfg
# If you're using UEFI
grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg
For newly installed systems (not upgraded in-place) older than 4.0, you should only run grub2-mkconfig -o /boot/grub2/grub.cfg, see this topic
This disables plymouth and leaves you with concise console output and prompts. If you want a verbose console during boot, you can remove the quiet parameter from GRUB_CMDLINE_LINUX.
Alternatively, if you don’t want to do any of these, but get stuck entering passphrases, you can simply press ESC to exit into console.
Notes
As is, with disabled plymouth, you’ll end up with UUIDs of devices in the passphrase prompt. I think you can assign aliases to partitions in /etc/crypttab instead…