Making sys-usb disposable

When installing Qubes, I elected to use a sys-usb VM. As an extra layer of security, I would like to make this VM disposable such that if a malicious USB is inserted, the damage would be limited to that disposable VM’s session.

  1. Does it make sense that using a disposable VM for sys-usb would improve security?
  2. Is it possible to make sys-usb disposable? Ideally it would automatically start upon OS startup, and my USB keyboard and mouse would be recognized automatically. Other sys-usb features would ideally operate the same in this disposable version.
  3. Could the same logic apply to other sys- VMs, such as sys-net (the perimeter networking VM), sys-firewall (the internal networking VM), and sys-whonix (the Tor proxy networking VM)?

Have a read of DisposableVM Customization | Qubes OS.
sys-usb works just fine in this way; the others should too.
