I want to have separate file systems (templates) for personal stuff, work, social media, work archive, and untrusted things. Im.bothered by giving discord access to all of my files every time i want to share some picture. But this seems inefficient. Can App VMs see the files of other AVMs if they share the same template? Ive checked the documentation but it focuses on tips for AVMs over explaining how it protects data.
No. App qubes inherit their root filesystems (read-only) from their templates. App qubes don’t share anything with each other (except for disposables based on app qubes that function as disposable templates).
2 Likes
See also:
Inheritance and persistence,
Trusting your templates,
Note on treating app qubes’ root filesystem non-persistence as a security feature
1 Like
Qubes AppVMs have 4 virtual disks:
- xvda, for the root filesystem
- xvdb, for data storage
- xvdc, for swap and temporary modifications on /
- anx xvdd, for the VM kernel
All those disks contents, except the xvdb, are loaded from the template and are discarded after shutting the VM down. The xvdb is the only one that keeps it’s contents after shutdown.
So the contents you put in one appVM cannot affect the other, since they are stored in different disks from different VMs
Also, the AppVM system disks (xvda, c and d) come from some kind of snapshot of the template. You can find out more here: Template implementation | Qubes OS
2 Likes