While I’m thankful for your response, my scenario is different.
Imagine that I’m logged into my personal VM, doing some personal browsing at a library. I lock the laptop and walk towards a shelf to grab a book. The screen locker doesn’t encrypt the disk. So a dedicated attacker, in my case it would be a private investigator hired by some high-profile politician I’m doing research on, could snatch my laptop and use skilled individuals to bypass the screen lock.
The same could happen due to a direct snatching while I’m doing personal browsing. I use Qubes for personal and work. I don’t want my research-work VM to be compromised. Data at rest in my case needs to be encrypted.
No, it’s the same - that thread explores ways to encrypt a qube. If you
are using it the qube data will be decrypted. If you are not, it will be
encrypted on the decrypted Qubes system.
Don’t ignore the value in securing your data where possible in every
qube. You don’t need to have “encrypted qubes” to get this significant
increase in security.
(If you are concerned with forensic analysis consider issues on
encrypted volatile volumes and swap, and running qubes processing your
research-work data in ramdisk based qubes.)
I think we are talking past each other.
Whatever solution you choose to use to secure the data in Research-work
Can you explain in what circumstances Research-work would not be protected
if personal is running and you have used an encrypted pool?
Equally, if you have encrypted the data in Research-work, in what
circumstances would it not be protected when you are using personal?
Note that encrypting the data has the advantage that you have a far more
granular solution. You could still be running Research-work but the data
would be protected: you could be accessing “generic data” in Research-work
while “specific data” was still encrypted.
Of course, depending on where you are and what threats you are
considering, all this might just be theatre. Do not underestimate the
importance of an informed threat analysis.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.