Encrypting Drive Partitions to open in AppVM

I have added a new drive to a qubes box. I can partition the drive, and attach it to a qube, but it is not encrypted. I would like to know how to encrypt and whether or not to encrypt the partition or the whole device.

Specifically, my goal is to take one drive and split it into several partitions and attach at least one smaller partition to a qube while leaving the other(s) for future use or backup storage.

The documentation for block devices makes sense, but I do not see how to encrypt after install.

–edit
I noticed that if I format a partition in gui as ext4 there is a passwd LUKS option. I assume this is the answer and hope I did not waste any person’s time.

View the partition in “Disks” > click on “Additional partition options” > choose “Format Partition” > Ext4 (with LUKS)

then mount as described in docs: Block (storage) devices

1 Like

Yes. That’s what I was going to suggest you!

One other tip (which you may already be aware of): A whole lot of stuff people ask on Qubes is a general linux question. So a lot of that won’t be in the Qubes docs. But if instead you search for it online without the “Qubes” keyword, you might find what you are looking for.

(marked my post as the solution since the first post can’t be marked for that)

edit: I also changed the title to make it easier for people to find it in the future. If you feel it’s not correct, feel free to change it.

Thank you. I have not been a linux user for a long time. I did not know that LUKS was a part of ext4. I’ll increase the scope of my searches to outside the documentation next time.

1 Like

LUKS is not a part of Ext4. The utility is just combining the two
formatting procedures into one to make it easier.

1 Like

Hi there,

Not sure you’ve solved your case yet but some docs you should check:
https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/
(check out the keyfile to unencrypt without typing password)

And I’ve managed to decrypt + auto-mount the disk when AppVM starts with solution there:

I hope it helps.

Thank you,

1 Like

For multiple VMs and full automation you can also use

2 Likes

You can also add Zulu Crypt when you want to mount drive as READ ONLY in some environments.