Do I need to isolate the internal Windows SSD for security?

I have a dual-boot setup, with each OS on a different internal SSD. Do I need to isolate the internal Windows SSD for security? I can see the Windows SSD in dom0, but not in sys-usb.

Yes, in principle, Windows can modify its own SSD in order to exploit a hypothetical bug in dom0, thus compromising your system.

Maybe you can try to mitigate this by attaching your Windows SSD to a dedicated VM. But read this carefully before doing it: How to use PCI devices | Qubes OS.

But it can also directly modify the unencrypted /boot partition on your Qubes SSD and compromise it even more easily. If you want to be really secure, you should remove the Qubes OS disk every time you boot Windows.

Apart from that, Windows can in principle compromise your BIOS and from it attack your Qubes installation, even if you are removing the SSD as I suggested above.

In summary, multibooting decreases your security. Still, it’s better than not using Qubes at all. See also:

This is expected, because internal disks are not USB devices.


I see the Windows SSD when I type “qvm-device block” in the terminal, but I can't see it with “qvm-device pci”, which I need for attaching the Windows SSD to a dedicated VM.

You are right, it works in the same way for me. Perhaps this can help then?


What's best for security: using Qubes alone on the internal SSD and Windows on an external SSD, or the reverse? I ask because I can't isolate the internal Windows SSD, and I need it, as it's important for graphics-making apps.

What's your opinion? Do you have another solution?

I guess the most secure way is to never let these two drives be connected simultaneously. But this is probably too much work; I wouldn’t make it.