Hello, Qubers. Looking for guidance/opinions/best practices.
My current storage configuration is pretty simple:
- main disk (SSD) contains Qubes (dom0 + templates + VMs etc.)
- all other disks (HDDs) contain regular/personal (non-system) data
- all disks (SSD + HDDs) are encrypted with LUKS (same passphrase) and managed by LVM
I’m aware of the official article on how to add Secondary storage – I’m not interested in placing different VMs on different disks. All I really want to do is have some HDDs auto-mount on certain Qubes/VMs.
These are the possibilities I can see so far:
1. Add all HDDs to dom0’s crypttab so that they get decrypted with the same passphrase during Qubes OS startup + mount all partitions/logical volumes inside dom0 as well.
2. Add all HDDs to dom0’s crypttab so that they get decrypted with the same passphrase during Qubes OS startup. Leave the mounting part to the specific Qubes/VMs.
3. Forget about dom0: just leave both decryption and mounting to the specific Qubes/VMs.
The greatest advantage of 1 and 2 is that I can type in the LUKS passphrase only once (during the Qubes OS startup) and not worry about LUKS key files.
That’s for the decryption part, though. When it comes to the mounting part, option 1 doesn’t sound that great, because mounting the volumes inside dom0 doesn’t seem to also mount them in the Qubes/VMs.
Option 3 would be impractical if I were to do that for multiple Qubes/VMs, multiple times a day. The only way to make it simpler would be to use key files to automatically decrypt the volumes, but I’m trying to avoid that.
I’m left with option 2, which also feels closer to the Qubes philosophy in that I’m not making all those extraneous HDDs available inside dom0, because I’m only mounting them inside specific VMs.
What do you think of those options? Am I missing one that may work better in that scenario?