-Standard PC with 1 internal drive and Windows installed on it, no encryption. This installation is supposed to serve as a decoy and contain only regular data on it, in the open for everyone to see upon an examination: music, family photos, Netflix etc.
-An external SSD drive (small and compact in size, similar to a USB drive) with QubesOS installed on it and encrypted with LUKS, for activism purposes.
-When I am done using Windows, I will always shut down the PC before I plug in the external SSD with Qubes.
-When I am done using Linux, I always shut down the PC and take the external drive out before booting into Windows.
-I will never share files between the two and never mount the Windows internal disk while I am using Qubes.
-The external drive (Qubes) will never be plugged in while using Windows.
Are there any security implications to this approach? Or any traces left on the PC upon a forensic investigation, assuming the external drive (Qubes) is nowhere to be found?
In theory this practice should be bulletproof? Except for a cold boot attack, which I am not worried about due to the fact that it is extremely unlikely.
I wouldn’t do this if your threat model is high enough.
We don’t know about the closed-source chip backdoors. They may be collecting device IDs.
If they collect device IDs, and Windows links your non-activism activity to you and to other device IDs, and then suddenly here is Qubes on this device, and it's collected by the Management Engine while you run Qubes, and Microsoft has a backdoor allowing it to get this data (with the device ID saved) and send it to Microsoft's under-the-sea servers, then the ME will have stored that you are using two OSs, a secret OS and a normal OS. It's more sus than just using Qubes or Windows. It depends on where you are doing this activism, but I would be worried about Microsoft products using closed-source code to interface with Intel ME or AMD backdoors for exfiltration, and for that data to contain information extracted from Qubes sessions.
I am not a security researcher and this could be technically impossible and therefore irrelevant, but I would be concerned.
The friendly police officers install some forbidden data on your Windows and you get busted with it at the next border.
It is like the drugs that get attached by means of magnets to your car at a filling station in order to charge you with drug offenses at the next corner, where friendly policeman number 2 does a "routine check".
Would it be noticeable if the IME was neutered or disabled?
Assuming you are using UEFI, they would likely acknowledge the EFI boot partition for Qubes. This is a dead giveaway. Unless the EFI boot partition is on the external SSD?
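The EFI trace the reply above points at can be checked for rather than guessed at. The script below is an added example and is not from any poster in this thread: it looks in the two places a Qubes install touches on the internal machine even when the Qubes SSD is gone, the UEFI NVRAM boot entries (as dumped by `efibootmgr -v`) and the vendor directories on the internal drive's EFI System Partition. It assumes, as in a default Qubes install, that the loader lives under `EFI/qubes/` and the NVRAM entry is labelled "Qubes" or points at a xen/grub loader in that directory; the `efibootmgr` dump and the ESP tree it scans are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example: find traces a Qubes install can leave on the PC after the
# Qubes SSD is unplugged. Two places are checked:
#   1. UEFI NVRAM boot entries, from an `efibootmgr -v` dump
#   2. the internal drive's EFI System Partition (ESP); a plain Windows
#      install only has EFI/Microsoft/ and EFI/Boot/ there
# Assumption: Qubes' loader sits under EFI/qubes/ and its boot entry
# mentions "Qubes" or "xen" (default Qubes layout; patterns are ours).

QUBES_PATTERNS='qubes|xen'

# scan_boot_entries FILE
#   Print the Boot#### lines of an `efibootmgr -v` dump whose label or
#   device path matches QUBES_PATTERNS. Prints nothing when clean.
scan_boot_entries() {
    grep -Ei "^Boot[0-9A-F]{4}.*($QUBES_PATTERNS)" "$1" || true
}

# scan_esp ESP_MOUNT
#   List vendor directories under ESP_MOUNT/EFI that a Windows-only disk
#   would not have. Prints nothing when clean.
scan_esp() {
    for vendor_dir in "$1"/EFI/*/; do
        [ -d "$vendor_dir" ] || continue
        vendor=$(basename "$vendor_dir")
        case "$vendor" in
            Microsoft|Boot) ;;        # expected on a plain Windows ESP
            *) echo "$vendor" ;;
        esac
    done
}

# make_sample
#   Constructed scenario in a temp dir: an efibootmgr dump with a leftover
#   Qubes entry, and an ESP tree that still holds EFI/qubes/.
#   The GPT UUID is made up. Echoes the temp dir path.
make_sample() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/efibootmgr.txt" <<'EOF'
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(1,GPT,6a1b2c3d-0000-4000-8000-000000000001,0x800,0x100000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* Qubes OS HD(1,GPT,6a1b2c3d-0000-4000-8000-000000000001,0x800,0x100000)/File(\EFI\qubes\grubx64.efi)
EOF
    mkdir -p "$sample_dir/esp/EFI/Microsoft/Boot" \
             "$sample_dir/esp/EFI/Boot" \
             "$sample_dir/esp/EFI/qubes"
    echo "$sample_dir"
}

# Demo on the constructed sample. On a real machine, feed it a fresh
# `efibootmgr -v > /tmp/boot.txt` dump and the mounted ESP (/boot/efi
# under Qubes) instead.
sample=$(make_sample)
echo "== leftover boot entries =="
scan_boot_entries "$sample/efibootmgr.txt"
echo "== non-Windows ESP directories =="
scan_esp "$sample/esp"
rm -rf "$sample"
```

The same two checks can be run from the Windows side without any Linux tooling: `bcdedit /enum firmware` lists the NVRAM boot entries, and `mountvol S: /S` mounts the ESP so `dir S:\EFI` shows which vendor directories are there. Note the NVRAM part answers the question at the end of the reply: even if the Qubes installer put its loader on an ESP on the external SSD, the firmware boot entry pointing at that partition still lives in the PC's NVRAM, so the internal ESP being clean is not enough; a leftover entry can be removed with `efibootmgr -b XXXX -B`.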