It’s on my burndown.
I few weakpoints I’d like to solve: The qubes are overt. They can load to overt or pd layer. In my ideal solution they would never even show unless pd layer is unlocked. I couldn’t find anyway to do this without a full dom0 binding.
Next: removing frictions. The attaching USB drives for the external PD layer is too much friction. The solution would be an auto attach script that works by recognizing some unique identifier of the drive, so that it works regardless of USB attached devices state.
If anyone has been able to script this please share your script.
As soon as I get it polished to my liking I’ll make a guide.
But the essence of it is binding/unbinding qubes to a Veracrypt vault. You can setup 2 layers, 1 on the internal drive, 1 on the USB drive. The external drives are speed constrained. I don’t know if this is an artifact of sys-usb that can be overcome. But the speeds I’m getting are 1/10 the drive potential. This is something I’d like to resolve before making a guide.
I borrowed much from: @SteveC , Split veracrypt