Encryption of app vms?

This may be a silly question and I don’t see it elsewhere with a search.

I rather suspect that this isn’t possible, but, can I encrypt individual vms? My system is encrypted in a general sense of course on startup and I can encrypt standalone vms such as Kali, but what about the vms that I create as app vms? Can they be encrypted?

Sorry if this has been covered elsewhere.


1 Like

I don’t know LVM yet (rather ZFS) so forget my vocabulary, but isn’t it possible to create, at installation, another LV or VG to store them? So not like the swap is created (along dom0_root), I mean in parallel.
The storing partition could even be unencrypted, only the per-domain files would be inside their own encrypted containers?

Me again. Why would we want that?

I like the idea of an added layer of encryption. We all have different requirements so what’s right for you might not suit me, and vice versa obviously.

I can install standalone vms and use LUKS to encrypt those. This works for most that I’ve tried. But for example I’d like whonix to be encrypted.

Is it possible to install whonix (gw & ws) so that it functions as it would in say virtualbox with the xfce environment? That is, another install outside the ‘native’ whonix that is installed with qubes. I’m not sure if going that way would give me an option, when installing, of encrypting the os.

I may be asking too much of qubes at this time, and as you say, it may not be of interest to many, but I’d like to know if it’s possible.



This has been discussed dozens of times. The Qubes concept considers all app qubes already compromised, and I am constantly waiting for a plausible reason why we would want to do such things, except for experimenting to see if something works, which could also lead beginners reading that to a possible false sense of security.

Did you read those two posted github issues?

The one who’s in dom0, can do anything.

1 Like

Did you? At a border, they could ask you to decrypt your system, or you’re denied entry. You enter your encryption password, but hidden AppVMs stay hidden.

Moreover, since an adversary who has access to dom0 can do pretty much anything, it would be very difficult to hide the existence of certain AppVMs.


I would really like to know which country’s border would stop at that point…

Hidden volume in TrueCrypt looks like empty space, when you enter a special password. It’s impossible to prove its existence.

IIRC you can even store data in the normal crypted volume concurrently.

I’ve read this, and I came up with an idea, tell me if that’s nuts:

  • you create a normal volume and a hidden one
  • you create a “normal” appVM, and a “hidden” appVM, in their respective volumes, but with the same name and options
  • when launching the appVM, you’re asked for a password to decrypt the volume
  • depending on the password, you launch either the normal or the hidden one

How would anyone be able to distinguish between them, even in the logs?

Again - how. I’m asking why. And not if, but when. Under which threat model?

I meant, you create only ONE appVM, only the disk would be stored elsewhere.

Haven’t you seen the recent tweets of Joanna having to back up and remove some domains before going to London? Look for her “LHR” post.

1 Like

No, because I don’t use Tweet, Facebook, etc, but I would like to check if you post me the links. Thanks in advance.

1 Like

I’m suggesting to read their explanations for why. A normal border agent not suspecting anything about you will not stop you after seeing a few “normal” AppVMs.

But even if they make a full copy of your disk for later analysis, I don’t believe it’s possible to find out properly hidden doubly encrypted AppVMs. I don’t understand Marek’s comment about side channels. I expect that such hidden AppVMs are minimized vaults with virtually no software running, just text files entered by hand.

Me neither, but you don’t need an account to read a few things.
Maybe use google wisely?! But you asked nicely so you’re forgiven, for this time ^^ The tweets’ comments have a bit of context.
PS: edit for posterity ^^ The tweets are in fact from 2015! Didn’t check the date ^^ Also, the tweet links are available at the top of the first github link provided, that’s how I found em.

A bit off-topic, but is steganography still a thing?

1 Like

Thanks zithro, I don’t use Google, too. Of course I tried, but on searx, I didn’t get anything useful for “Joanna Rutkowska removed domains before going to London”, nor for “twitter Joanna qubes lhr”.

Anyway, did she bring her backup with her to London, or did she restore the one left at home, on her arrival back home? Where does encrypting appVMs (the subject of this topic) fit in here?

As I said, asking “how to” without knowing “why” is not a well-asked question.

For example, if OP asked: “I want to go to London via airplane and I want to bring my kdbx stored in vault with me. Would an encrypted vault be the best way not to risk any normal customs officer messing with it? My threat model is normal-to-low”, that would be a proper question to be answered.

And I would say, he might do it, but what I’d do is that I’d use 2fa, and I’d only bring the kdbx with me, without the key file. No customs officer can break into my kdbx without it, and can’t force me to give it to him/her. Once arrived, I’d ask my sister at home to send me the key file over a secure channel. No harm if the key alone is compromised (that is why I’d bring one factor with me) - after receiving it, I’d immediately generate a new one and use it while there. On my departure, I delete both. At customs, I can’t be asked to give anything - I don’t have them. Once arrived back - simply restore the kdbx and old key from the backup, just as Joanna, as I understand English, did.

What IT projects need is not IT Security professionals only, but mostly Information security professionals.

You will be simply turned away at the border for not decrypting your device.

Device, or password database? In which country?