After doing this setup multiple times now, I have written a far more detailed guide on how to manually setup your entire disk from scratch, including manual selection of encryption cyphers & iterations.
This is useful if you are building your system in a way that is different to standard Qubes Install, for example in a Dual Boot setup or just leave some space free at the end for future use, since by default Qubes will consume the entire disk you install to.
# Manual Disk Partitioning for Custom Installation of Qubes OS 4.2
# The following commands can either be run from the Qubes OS GUI Installer, the rescue mode, or a 3rd party boot tool/os that runs from memory.
# Step 0 assumes it's being run from the Qubes installer.
# Step 0: Switch to the terminal from the installer
# Press CTRL + ALT + F2 to access the terminal
# Step 1: View current partitions
lsblk # List all block devices
# Step 2: Reinitialize the drive as GPT to wipe all partitions
gdisk /dev/nvme0n1 # Open gdisk on the target drive
# Press 'o' to create a new empty GPT partition table
# Press 'n' to create a new partition
# 1. For Partition 1:
# - Enter: '1' (Partition Number)
# - First sector: Press 'Enter' (default)
# - Last sector: '+922M' (900MB size) # making this a little larger than the default 600M since it holds 3 kernels
# - Hex code: 'EF00 (EFI System)' - use 0700 for "basic data" (blank partition, Qubes will format it later)
# Press 'n' to create another partition
# 2. For Partition 2:
# - Enter: '2' (Partition Number)
# - First sector: Press 'Enter' (default)
# - Last sector: '+1024M' (1GB size)
# - Hex code: '8300 (Linux Filesystem for /boot)'
# Press 'n' to create another partition
# 3. For Partition 3:
# - Enter: '3' (Partition Number)
# - First sector: Press 'Enter' (default)
# - Last sector: Press 'Enter' (use remaining space)
# - Hex code: '8E00 (Linux LVM)'
# Press 'w' to write changes and exit
# Step 3 PREP:
cryptsetup benchmark # If performance is important, run this to determine the fastest
# encryption protocol specific to your system and change
# the below -c command to match it
# Step 3: Set up LUKS encryption with Argon2id and 10,000 iterations
cryptsetup luksFormat -c aes-xts-plain64 -s 512 --pbkdf argon2id -i 5000 -y --use-random /dev/nvme0n1p3
# This uses AES-XTS-512, Argon2id KDF with 5,000 iterations, and entropy (from --use-random)
# The # of iterations (defined by -i 5000) can also be set in "time" instead using: '--iter-time 5000' (5 seconds)
# Step 4: Open encrypted partition
cryptsetup open /dev/nvme0n1p3 luks # Open encrypted partition as 'luks'
# Step 5: Set up LVM on encrypted partition
pvcreate /dev/mapper/luks # Create physical volume
vgcreate qubes_dom0 /dev/mapper/luks # Create volume group
# Step 6: Create logical volumes
lvcreate -n swap -L 4096M qubes_dom0 # Create 4096MB (4GB) swap volume
# Step 7: Create thin pools
lvcreate -T -L 40960M qubes_dom0/root-pool # Create 40960MB (40GB) thin pool for root
lvcreate -T -l 99%FREE qubes_dom0/vm-pool # Create the 'vm-pool' thin pool with 99% of the available free space
# ^ 99% to leave a useful amount of free space for possible repair operations in future, feel free to use 100% instead
# Step 8: Check the size of the new vm-pool
lvs -o +lv_size --units m # Get the exact size of vm-pool (needed for optional step 9b)
# Step 9: Create logical volumes from thin pools
lvcreate -V40960M -T qubes_dom0/root-pool -n root # Create 40960MB (40GB) root logical volume
# Step 9b: Create vm-pool and give it alias 'vm'
#lvcreate -V<exact_size>M -T qubes_dom0/vm-pool -n vm # Replace <exact_size> with the size obtained from 'lvs'
# ^ this line may not be necessary, have left it here for reference in case it is
# Step 10: Format the 'root' and 'vm' volumes
mkfs.ext4 /dev/qubes_dom0/root # Format 'root' logical volume as EXT4
#mkfs.ext4 /dev/qubes_dom0/vm # Format 'vm' logical volume as EXT4
# ^ above line from old instructions - this is a 'thin_pool' managed by Qubes as such is not intended to be formatted at all
# Step 11: Prepare the swap volume
mkswap /dev/qubes_dom0/swap # Mark the swap volume as swap space
# Step 12: Deactivate all logical volumes
vgchange -an qubes_dom0 # Deactivate all logical volumes in the volume group
# Step 13: Close the LUKS device
cryptsetup close luks # Close the LUKS device
# Step 14: Return to installer
# Press CTRL + ALT + F6 to return to the Qubes OS installer GUI
# Recommended to reboot system before resuming installation
Great !
I’m still struggling with “the perfect” partitionning, pondering between BTRFS, EXT4, LVM2, …
Question: You mention 922M = 900MB, but I can’t find what that first “M” refers to as none (that I found) equals to 900 MB
For critics, please:
NVMe0n1 256GB for sysrun (swap, tmp, log)
NVMe1n1+NVMe2n1 2TB RAID1 for dom0 and domU
# Manual Disk Partitioning for Custom Installation of Qubes OS 4.2.x
# The following commands can either be run from the Qubes OS GUI Installer,
# the rescue mode, or a 3rd party boot tool/os that runs from memory.
# Step 0 assumes it's being run from the Qubes installer.
# Step 0: Switch to the terminal from the installer
# Press CTRL + ALT + F2 to access the terminal
# Step 1: View current partitions
=> lsblk # List all block devices
# Step 2: Reinitialize the drive as GPT to wipe all partitions
# A: NVME0n1
=> gdisk /dev/nvme0n1 # Open gdisk on the target drive
# Press 'o' to create a new empty GPT partition table
# Press 'n' to create a new partition (NVMe0n1p1)
=> 1 # For selecting Partition 1:
# - First sector: Press 'Enter' (default)
# - Last sector: '+1024M' (1GB size) # A little larger than default 600M since 3+ kernels
# - Hex code: 'EF00 (EFI System)' - use 0700 for "basic data" (blank partition, Qubes will format it later)
=> n # to create another partition (NVMe0n1p2)
=> 2 # For Partition 2:
# - First sector: Press 'Enter' (default)
# - Last sector: '+2048M' (2GB size)
# - Hex code: '8300 (Linux Filesystem for /boot)'
=> n # to create another partition (NVMe0n1p3)
=> 3 # For selecting Partition 3:
# - First sector: Press 'Enter' (default)
# - Last sector: '+192G' (192GB size) Press 'Enter' (will conatin swap, tmp, log)
# - Hex code: '8E00 (Linux LVM)'
=> n # to create another partition (NVMe0n1p4)
=> 4 # For selecting Partition 4:
# - First sector: Press 'Enter' (default)
# - Last sector: Press 'Enter' (use all remaining)
# - Hex code: '8E00 (Linux LVM)' #(reserved for ZFS use later)
=> w # to write changes and exit
# B: NVME1n1+NVMe2n1 !! Need further intel to make it RAID1 between NVMe1n1 et NVMe2n1
=> gdisk /dev/nvme1n1 # Open gdisk on the target drive
# Press 'o' to create a new empty GPT partition table
# Press 'n' to create a new partition (NVMe1n1p1)
=> 1 # For selecting Partition 1:
# - First sector: Press 'Enter' (default)
# - Last sector: '+504G' (504GB size)
# - Hex code: '8E00 (Linux LVM)'
=> n # to create a new partition (NVMe0n1p2)
=> 2 # For selecting Partition 2:
# - First sector: Press 'Enter' (default)
# - Last sector: Press 'Enter' (use all remaining)
# - Hex code: '8E00 (Linux LVM)' # Reserved for ZFS later
=> w #to write changes and exit
# Step 3 Crypto PREP:
=> cryptsetup benchmark # If performance is important, run this to determine the fastest
# encryption protocol specific to your system and change
# the below -c command to match it
# Step 3b Crypto: Set up LUKS
=> cryptsetup luksFormat -c aes-xts-plain64 -s 512 --pbkdf argon2id -i 5000 -y --use-random /dev/nvme1n1p1
# This uses AES-XTS-512, Argon2id KDF with 5,000 iterations, and entropy (from --use-random)
# The # of iterations (defined by -i 5000) can also be set in "time" instead using: '--iter-time 5000' (5 seconds)
# Step 4: Open encrypted partition
=> cryptsetup open /dev/nvme0n1p3 luks # Open encrypted partition as 'luks'
# Step 4.1: Set up LVM on encrypted partition
=> pvcreate /dev/mapper/luks # Create physical volume
=> vgcreate qubes_sysvol /dev/mapper/luks # Create volume group for sys-run
# Step 4.2: Create thin pool
=> lvcreate -n swap -L 65536M qubes_sysvol # Create 64GB swap volume
=> lvcreate -n /tmp -L 32768M qubes_sysvol # Create 32GB temp1 volume
=> lvcreate -n /var/tmp -L 32768M qubes_sysvol # Create 32GB temp2 volume
=> lvcreate -n /var/log -L 73728M qubes_sysvol # Create 72GB log volume
# Step 5: Open encrypted partition !! need more intel for RAID1
=> cryptsetup open /dev/nvme1n1p1 luks # Open encrypted partition as 'luks'
# Step 5.1: Set up LVM on encrypted partition
=> pvcreate /dev/mapper/luks # Create physical volume
=> vgcreate qubes_root /dev/mapper/luks # Create volume group for root
# Step 5.2: Create thin pool
=> lvcreate --type raid1 -m 1 -T -L 81920M -n qubes_dom0/root-pool # Create 80GB 'root' thin pool for root
=> lvcreate --type rvgchange -an qubes_dom0 # Deactivate all logical volumes in the volume groupaid1 -m 1 -T -l 100%FREE qubes_dom0/vm-pool # Create 404GB 'vm-pool' thin pool (could be 99% to spare some for potential repair operation)
# Step 6: Check the size of the new vm-pool
=> lvs -o +lv_size --units m # Get the exact size of vm-pool (needed for optional step 9b)
# Step 7: Create logical volumes from thin pools
=> lvcreate -V81920M -T qubes_dom0/root-pool -n root # Create 80GB root logical volume
# Step 9b: Create vm-pool and give it alias 'vm'
=> lvcreate -V413696M -T qubes_dom0/vm-pool -n vm # exact size obtained from step6
# Step 8: Format the 'root' and 'vm' volumes
mkfs.ext4 /dev/qubes_dom0/root # Format 'root' logical volume as EXT4
#mkfs.ext4 /dev/qubes_dom0/vm # Format 'vm' logical volume as EXT4
# ^ above line from old instructions - this is a 'thin_pool' managed by Qubes as such is not intended to be formatted at all
# Step 9: Prepare the swap volume
mkswap /dev/qubes_sysvol/swap # Mark the swap volume as swap space
# Step 10: Deactivate all logical volumes
vgchange -an qubes_dom0 # Deactivate all logical volumes in the volume group
vgchange -an qubes_sysvol # Deactivate all logical volumes in the volume group
# Step 12: Close the LUKS device
cryptsetup close luks # Close the LUKS device
# Step 13: Return to installer
# Press CTRL + ALT + F6 to return to the Qubes OS installer GUI
# Recommended to reboot system before resuming installation
I wanted to give HALF of my SSD to Qubes once, and leave the other half empty. The customizable setup wanted me to individually specify all of the internal partitions, and I didn’t want to change any of them. But unfortunately I had no idea what the normal settings were.
I ended up having to partition the SSD in two halves by a different method (gparted on another system); then it was easy enough to just let Qubes have the first of the two partitions.