How does the Overlay FS of DispVMs protect against forensics?

Hi, I’ve been out of Qubes for a month or so playing with Arch Linux, getting myself into hardening this Linux image and I’ve learnt a lot.
I managed to create a volatile system and this got me wondering… When changes are applied to, let’s say, a Disposable VM, and these writes are written into the disposable filesystem overlay… How are these writes protected against forensics?
With RAM overlays it is simple: once a system shutdown happens, it gets deleted. It could also be done with the sdmem utility to wipe the RAM overlay after the DispVM dies.
But what about Overlay filesystems running on the disk? The container gets discarded, but the contents are not wiped afaik (and that’s ideal, I don’t want constant writes into my SSD).
Is there a way to make that Overlay filesystem encrypted with a random key that resides in RAM and gets discarded after the DispVM dies, rendering the disk Overlay FS container unreadable after?

AFAIK there is no OverlayFS in the implementation of disposables and there is no anti-forensic protection (besides the full-disk encryption of the whole system). What we currently have is the RAM-based disposables that some use for anti-forensics.

> But what about Overlay filesystems running on the disk? The container gets discarded, but the contents are not wiped afaik (and that’s ideal, I don’t want constant writes into my SSD).

Wiping a section of an SSD is impossible and harmful for hardware. For conventional disposables, you can use in-VM tmpfs mounts instead and e.g. symlink ~/.mozilla or other dirs. This is also useful for RAM qubes as it consumes RAM from Xen, not from “disk” (i.e. from dom0’s RAM).

> Is there a way to make that Overlay filesystem encrypted with a random key that resides in RAM and gets discarded after the DispVM dies, rendering the disk Overlay FS container unreadable after?

RAM qubes currently use ephemeral keys for volatile volumes.

Note that as a whole Qubes is not focused on anti-forensics, especially with default logging.

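The in-VM tmpfs mount plus symlink approach mentioned in the reply above, sketched as an added example that is not part of the original thread or of Qubes itself. The function names, the `ALLOW_NON_TMPFS` switch and the mount point in the comments are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: keep a profile directory (e.g. ~/.mozilla) in RAM inside a
# qube so its writes never reach the disk-backed volume.
# Typical use inside the qube (mount point is an assumption):
#   sudo mount -t tmpfs -o size=512m,mode=700 tmpfs /home/user/ramhome
#   redirect_to_ram "$HOME/.mozilla" /home/user/ramhome

# Succeeds only if the path lives on a RAM-backed filesystem (GNU stat).
is_ram_backed() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# redirect_to_ram TARGET RAM_ROOT
# Replaces TARGET with a symlink to RAM_ROOT/<basename of TARGET>.
redirect_to_ram() {
    target=$1
    ram_root=$2
    # Refuse to point the directory at another disk-backed location.
    # ALLOW_NON_TMPFS=1 is a hypothetical override for dry runs only.
    if ! is_ram_backed "$ram_root" && [ "${ALLOW_NON_TMPFS:-0}" != 1 ]; then
        echo "refusing: $ram_root is not tmpfs/ramfs" >&2
        return 1
    fi
    dest=$ram_root/$(basename "$target")
    if [ -L "$target" ]; then
        # Already redirected: fine only if it points where we expect.
        [ "$(readlink "$target")" = "$dest" ] && return 0
        echo "refusing: $target is a symlink to somewhere else" >&2
        return 1
    fi
    if [ -e "$target" ] && [ ! -d "$target" ]; then
        echo "refusing: $target exists and is not a directory" >&2
        return 1
    fi
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    if [ -d "$target" ]; then
        # Anything already here was written to disk earlier; moving it to
        # RAM does not wipe those old blocks.
        cp -a "$target/." "$dest/" || return 1
        rm -rf "$target"
        echo "note: earlier contents of $target were on disk and are not wiped" >&2
    fi
    ln -s "$dest" "$target"
}
```

tmpfs pages can be swapped out, so this keeps data off the disk only while the qube has no disk-backed swap in use.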

tysm for your reply. The design of Qubes OS is truly wonderful :slight_smile:
I’ll start looking into those RAM dispvms