With most of my devices not running Qubes OS, I always encrypt the boot partition. I go even further by using a detached luks header for the main partition, which is hosted on an encrypted USB drive. The USB drive is decrypted using a keyfile that is located on the encrypted boot partition. The point of this is to have a form of 2FA and to make the main partition seem like it is just random data. The first 16M are wiped with random data, so the only recognizable partitions are the EFI and boot partitions. I do this for the sake of plausible deniability. The USB drive is also easy to destroy in an emergency situation and I can at a later time pull a backup of the header that is stored online. It may sound a bit over the top, but I do believe it makes sense. I handle the decrypting of the USB drive using the keyfile with an initramfs script, which also handles the decrypting of the main partition with a password and the header on the USB drive.
While this works great for other distros, I’m struggling to reproduce this on a Qubes OS device. I already have an installation and I couldn’t find anything on how to get it to decrypt the boot partition nor how I can configure it to use the detached header.
I’m really curious whether anyone has any insights into this or whether there are any development plans for anything relating to this. Either way, it feels like this is going to require a substantial amount of tinkering.
There is BusKill, but it only serves as a solution while the device is on and within reach. The goal here is to have a solution for when the device is both off and on, and when the device is in reach and out of reach. There always is the longer and more manual solution of wiping the header on shutdown, booting into a live distro with a backup of the header to restore the header and then reboot into Qubes OS. However, I really wish there was a simpler solution for this.