So basically, you can use each of the 4 SSD’s for storing data, just not as a “span”. On one you install Qubes, and the others you use for VM storage.
For example, if you have 4 internal drives, say they’re represented as /dev/sda, … , /dev/sdd
You could decide to layout like this:
/dev/sda: Qubes (dom0, etc)
/dev/sdb: Backup VM pool
/dev/sdc: VM pool
/dev/sdd: VM pool
This will use all your available storage, just spread over the multiple drives.
If you’ve already installed Qubes, it’s probably on /dev/sda. Which means you have /dev/sdb, /dev/sdc, and /dev/sdd left to partition as VM pools.
For each drive, steps to create a VM pool on it: (following the guide on the Qubes-OS website)
- You want the drive to be encrypted, so set up a LUKS volume on it: (this will completely erase all data on the drive)
You can set it up for encryption by doing this in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot):
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb
sudo blkid /dev/sdb
Note the device’s UUID. (use this instead of “b209…” in the examples)
- Edit /etc/crypttab to automount the new volume by doing:
sudo nano /etc/crypttab
- Add the following to this file:
(change both “b209…” for your device’s UUID from blkid in both places)
luks-b20975aa-8318-433d-8508-6c23982c6cde UUID=b20975aa-8318-433d-8508-6c23982c6cde none
- Reboot the computer so the new luks device appears at /dev/mapper/luks-b209… (your UUID will be different)
That leaves us with an encrypted drive, now we create the pools necessary for qubes VM storage.
- Create the physical volume: (substitute your UUID)
sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
- Create the LVM volume group, named “volumesdb”: (substitute your UUID and drive letter)
sudo vgcreate volumesdb /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
- Create the logical volume: (substitute “poolsdb” with whichever drive letter you are using)
sudo lvcreate -T -n poolsdb -l +100%FREE volumesdb
- Create a Qubes pool on the logical volume:
qvm-pool --add poolsdb_qubes lvm_thin -o volume_group=volumesdb,thin_pool=poolsdb,revisions_to_keep=2
- By default all new VM’s are created on the main SSD, in your case probably /dev/sda, so when creating VM’s, specify which pool to create them on like this:
“qvm-create -P poolsdb_qubes --label red unstrusted-hdd”
That creates a qubes pool on a logical volume on a logical volume group on a physical volume on a LUKS encrypted drive, which sounds complicated but is just what Qubes needs to store VM’s on it.
Repeat those steps for the two remaining drives (/dev/sdc, /dev/sdd) substituting drive letters and UUIDs as needed.
This will give you three SSDs you can save individual VMs to. Now you just need to partition your qubes on to the different disks. If I had a large “backup VM” that stored tons of data and was expected to be very large, I would put it on it’s own pool, for example poolsdb. All my personal VMs and templates could go on poolsdc, and everything work-related could go on poolsdd. Thus, all drives are being used, and I’d be less likely to run out of space.
To answer the second part of your post:
It should be the same security as the rest of your Qubes install, it’s just an encrypted storage drive, Qubes still runs the VMs exactly the same as if they were on /dev/sda.
Hope that helps, let me know if you have questions
Disclaimer: it’s been quite a while since I’ve had to do this myself, I might be a bit rusty on how I had set things up.