If you’re using UEFI then during OS installation it should automatically create a separate boot menu entry and you can use UEFI boot menu at boot time to select which menu entry to boot from e.g. something like this:
There is a guide about encrypted /boot:
Playing with qubes
Is a rewrite of my old notes, Qubes OS Installation - Detached encrypted boot and header
Thank you @kaizer and @dum0 for donating to qubes so that I could rewrite this guide.
I’d recommend that you try in VM first, before doing it on your machine, so that you can also learn and understand too.
This is UEFI based only.
Prerequisite :
QubesOS Installation Medium.
2 Drives for separated Root and Boot/EFI Partition, and we would call them with :
Root = /dev/nvme…
And you can also check archlinux wiki for a reference:dm-crypt/Encrypting an entire system - ArchWiki
Less data is left unencrypted, i.e. the boot loader and the EFI system partition, if present
Yes, your firmware or Qubes OS boot files could be compromised from Linux as well.
General & Security What is Qubes OS? Qubes OS is a security-focused operating system that allows you to organize your digital life into compartments called “qubes.” If one qube is compromised, the others remain safe, so a single cyberattack can...
Also relevant info on multibooting:
guidelines carefully.
One problem is that when you dual or multiboot, even if you are using encryption on your Qubes installation, /boot is still unprotected and could be maliciously modified by the other OS, possibly leading to Qubes itself being maliciously modified.
The other problem is firmware security - for example the other system could infect the BIOS firmware, which might enable compromise or spyi…
