Installing Boot Loader on USB Stick

So, I am using Windows and am willing to install Qubes alongside it. But dual booting Qubes is considered unsafe, as someone with access to Windows can easily modify the bootloader of Qubes OS.

So, I was thinking maybe I can install Qubes OS on a partition /dev/sda3 and use the built-in encryption, but install the bootloader on a removable USB 3.0 drive /dev/sdb1, if it’s even possible. And then install Windows 10 on /dev/sda1. That way, the Qubes OS partition will be encrypted while accessing Windows 10, and the bootloader will not be available to be tampered with, as it’s on a USB 3.0 drive.

So, whenever I need to access my Qubes setup, I will connect the bootloader USB drive and then boot into the /dev/sda3, decrypt and use.

Is it doable? And if yes, will I be able to use other USB devices and sys-usb, or not?

It’s possible.

You’ll be able.

Need some configuration, so your /dev/sdb (USB 3.0 flash drive) will not take effect.

Okay, I am gonna give it a try. And post the screenshot once done. What type of configurations are you talking about? I might need it if I can’t figure it out. Will let you know in a few hours.

You’ll want the bootloader on /dev/sdb.
Depending on your machine, it may not be possible, or you may need to
change the system configuration to enable booting from external USB.

Again, this (and the use of a sys-usb) will entirely depend on how your
machine is configured. If you have only 1 USB controller (controller,
not port), then you won't be able to use a sys-usb.
In any case, the controller for the port you will be booting from will
have to be attached to dom0, and any devices you attach to it will be
attached to dom0. This is a security risk.
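
The controller check described in the reply above, as an added example that is not part of the original thread: it finds which USB controller the boot stick hangs off (that one stays in dom0) and lists the controllers left over for a sys-usb. The function names are hypothetical, and the `lspci -Dnn` and `readlink -f /sys/block/sdb` samples are constructed.

```shell
#!/bin/sh
# Constructed sample of `lspci -Dnn` output (PCI class 0c03 = USB controller).
SAMPLE_LSPCI='0000:00:02.0 VGA compatible controller [0300]: Example GPU [1234:0001]
0000:00:14.0 USB controller [0c03]: Example xHCI Host Controller [1234:0002]
0000:00:17.0 SATA controller [0106]: Example AHCI Controller [1234:0003]
0000:3c:00.0 USB controller [0c03]: Example add-in xHCI Controller [1234:0004]'

# Constructed sample of `readlink -f /sys/block/sdb` for a USB boot stick.
SAMPLE_SYSFS='/sys/devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0/host6/target6:0:0/6:0:0:0/block/sdb'

# Read lspci -Dnn text on stdin, print the PCI address of each USB controller.
usb_controllers() {
    awk '/\[0c03\]/ { print $1 }'
}

# Print the PCI address of the controller a sysfs block path belongs to:
# the path component directly before the "usbN" root hub.
# Prints nothing if the device is not behind a USB controller.
boot_controller() {
    printf '%s\n' "$1" | tr '/' '\n' |
        awk '/^usb[0-9]+$/ { print prev; exit } { prev = $0 }'
}

# $1 = lspci -Dnn text, $2 = sysfs path of the boot device.
# Print the USB controllers that are NOT the boot controller. An empty
# result means the only controller must stay in dom0, so no sys-usb.
sysusb_candidates() {
    boot=$(boot_controller "$2")
    printf '%s\n' "$1" | usb_controllers | grep -vxF -- "$boot" || true
}

# Demo on the constructed samples. On a real machine, pass
# "$(lspci -Dnn)" and "$(readlink -f /sys/block/sdb)" instead.
echo "boot controller (stays in dom0): $(boot_controller "$SAMPLE_SYSFS")"
echo "available for sys-usb: $(sysusb_candidates "$SAMPLE_LSPCI" "$SAMPLE_SYSFS")"
```
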

Yeah, I’ve made a guide here: Custom Installation - FDE with Detachable /boot

Like unman said above.

So, I followed options on Custom installation | Qubes OS

And I did manage to install the bootloader on a USB 3.2; for some reason USB 2.0 won’t work for this. However, I could not set the Device type to LVM thin provisioning; it was greyed out at standard partition. And I also didn’t make swap as I have more than 16 gigs of RAM.

So, now if I connect the USB 3 device, I can decrypt sda3, the partition where Qubes is installed, and use Qubes as normal. No sys-usb though, as I have only one USB controller.

Is it good enough? I mean from an anonymity point of view. Or is there something that I missed?

By the way, your tutorial returned an error, probably because of USB 2. But then I didn’t try with USB 3.

I was considering this not for dual booting but to protect my bootloader from MITM. Instead I went the route of coreboot and Librem Key to protect my bootloader.

However, I’m curious about this setup. Once Qubes OS is loaded, are you able to remove the USB or will it crash the system?

I removed the USB once but it crashed. So I never tried again.

Maybe it’s easier to install Windows as a StandaloneVM within Qubes. I still have Windows programs that I need and this was the cleanest solution.

Not if you wanna play games.