I want to add an extra, encrypted (internal) 2TB hard drive to my existing Qubes 4.2 desktop system for archive usage only. But how do I do this please with the following requirements?
- Drive not to be bootable on startup.
- Drive to be accessible through the Qubes Devices widget for use on selected VMs of my choosing only when needed.
- Drive to be encrypted in such a way, that if I subsequently remove the drive from the Qubes box, the entire drive will still be encrypted, but accessible on another computer if I enter the encryption info.
I could partition this 2TB drive with GPT in the gParted program with the desired 3 subpartitions, but I’m not seeing anything on searches about what I would need to do for the encryption. I also expect I would need to add the drive somehow for dom0 to recognize its presence.
Attach your disk from dom0 to some qube (e.g. disposable qube).
Use cryptsetup CLI tool or some GUI wrapper to encrypt your disk/partition/file container:
dm-crypt/Encrypting a non-root file system - ArchWiki
When you decrypt your LUKS container, it should be available in the Qubes Devices to be attached to some other qube.
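The sequence the reply above outlines, as an added example that is not part of the original reply. `luksFormat` only writes the LUKS header, so the opened mapping still needs a filesystem before it can be mounted. The function names, the mapping name, the `/mnt` mount point and the choice of ext4 are assumptions, and the script only prints the commands so they can be checked against `lsblk` before being typed.

```shell
#!/bin/sh
# Added example, not from the thread. Run in the qube the disk is attached
# to. Device path, mapping name and ext4 are assumptions; check with lsblk.

# Succeeds if the device or file starts with the LUKS magic "LUKS" 0xBA 0xBE.
is_luks() {
    [ "$(head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Print, without running anything, the commands for one partition.
#   luks_plan create DEV NAME   first-time setup (destroys data on DEV)
#   luks_plan use    DEV NAME   every later session
luks_plan() (
    mode=$1 dev=$2 name=$3
    case $mode in
    create)
        # Refuse to re-format a partition that already carries a LUKS header.
        if is_luks "$dev"; then
            echo "refusing: $dev already has a LUKS header" >&2
            exit 1
        fi
        echo "sudo cryptsetup luksFormat $dev"
        echo "sudo cryptsetup open $dev $name"
        # The opened mapping is a blank block device until a filesystem is made.
        echo "sudo mkfs.ext4 /dev/mapper/$name"
        ;;
    use)
        if ! is_luks "$dev"; then
            echo "refusing: $dev has no LUKS header" >&2
            exit 1
        fi
        echo "sudo cryptsetup open $dev $name"
        ;;
    *)
        echo "usage: luks_plan create|use DEV NAME" >&2
        exit 2
        ;;
    esac
    echo "sudo mount /dev/mapper/$name /mnt"
    echo "sudo umount /mnt"
    echo "sudo cryptsetup close $name"
)

# Stand-alone use: sh luks_plan.sh create /dev/xvdi1 archive1
if [ "$#" -eq 3 ]; then luks_plan "$@"; fi
```

Inside a qube, a disk attached through Qubes Devices normally appears as `/dev/xvdi` (partitions as `/dev/xvdi1` and so on), not under its dom0 name.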
Sorry for the delay in responding, MellowPoison. Your suggestion looks like exactly what I need. I will give it a go and report back with the results. Cheers
Partial success, but now stopped. Created three new partitions with gParted. Installed drive in desktop box. Drive showed up in Qubes devices as /sda1, /sda2 and /sda3. Tried mounting a partition in a vm and encrypting from dom0 (no cryptsetup available directly from the mounted vm), but couldn’t figure out how to identify the partition in dom0’s terminal. So I tried directly from dom0 without mounting to a separate vm. I seem to have successfully encrypted the three partitions from dom0 using (for example):
cryptsetup luksFormat /dev/sda1
then typing YES and entering the password twice.
Now when /sda is mounted in Qubes Devices to a vm, the three encrypted partitions show up in thunar. Clicking on one brings up the prompt box to enter the password. However after entering the password, the activity wheel briefly spins, there is an error message that the partition cannot be mounted and that partition disappears from the thunar menu. Do I have a file attribute problem and need to somehow chown the partition, or is the problem somewhere else in my process please? I’m stuck now.