Hello, I have a couple of questions and I’ll try to be as simple as possible.

  1. I’ve heard it’s a good practice to make multiple sys-usb VMs.

  2. I’d like to create a system where I can set up a sys-usb and then delete it and make a new one. Like a disposable glove for VMs and USB devices. Can anyone help explain to me how I need to create a sys-usb? I see there already is one in Qubes. Do I just clone this and attach the clone to other VMs? Or will that not work?

  3. I notice when I do attach a USB device to Qubes I get multiple options. Like one says sda, another is sda1, another is sys-usb with numbers… I think it’s only three options when I plug in a USB drive. My question here is… which of these should I click on for the best security? I’m guessing if I click one it’s less secure than if I do another? Can you help?

As far as I understand this is only in the case where your computer has multiple USB hubs.

In this case, what you want is a disposable sys-usb. It should be well documented here: (tip: always search on the Qubes docs)

I think this has to do with whether you’re attaching the whole disk (block device) or the partition inside it. But I’m not too informed on it.

Quoting from

Note: attaching individual partitions (e.g. sys-usb:sda1) can be slightly more secure because it doesn’t force the target AppVM to parse the partition table. However, it often means the AppVM won’t detect the new partition and you will need to manually mount it inside the AppVM.


That’s exactly what I was looking for. Thanks!

Thank you guys! 🙂