I'm brainstorming ways to ensure that all changes to app VM or disposable VM volumes are not written as plaintext (this is entirely separate from the blanket LUKS encryption of the entire system).
LVM has a peculiar requirement that snapshots all originate from data on the same VG. There's a way to make it work, but it plays with some quite finicky PV/VG settings that might leave the system broken on an unplanned reboot.
For app VMs and disposable VMs, I want to use the lower-level dm snapshot from LVM to storage outside the VG, which allows me to put the snapshot (of, say, root or private) on separately encrypted storage, whether ephemeral or vault-like.
E.g., with root I'd have a plaintext read-only origin (from a template root snapshot on LVM) and an encrypted ephemeral change volume elsewhere that is disposed of on VM shutdown.
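As an added example of the root-volume layout described above (not code from the original post or from Qubes), here is a root-run shell script that wires a read-only LVM origin to an ephemeral, plain-dm-crypt COW device with the raw `dmsetup` snapshot target, bypassing LVM's same-VG rule. The device names (`/dev/vg/template-root`, `/dev/sdb1`) and the snapshot name are assumptions for illustration; the COW device's previous contents are destroyed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed/hypothetical names:
#   origin:  /dev/vg/template-root   read-only LVM snapshot of the template root
#   cow_dev: /dev/sdb1               block storage outside the VG for the COW
# Must run as root; cryptsetup and dmsetup are required. Invoked with no
# arguments it only defines the functions.
set -eu

# Build the dm "snapshot" table line:
#   "<start> <len> snapshot <origin> <cow> <P|N> <chunk_sectors>"
# N = non-persistent exception store: the COW holds no on-disk metadata that
# would let the snapshot be re-attached after a reboot, which is what a
# disposable change volume wants. P would make it persistent.
dm_snapshot_table() {
    origin=$1; cow=$2; sectors=$3; persist=${4:-N}; chunk=${5:-8}
    printf '0 %s snapshot %s %s %s %s\n' "$sectors" "$origin" "$cow" "$persist" "$chunk"
}

# Name of the plain dm-crypt mapping that wraps the COW device.
cow_crypt_name() {
    printf 'cow-%s\n' "$1"
}

up() {
    name=$1; origin=$2; cow_dev=$3
    cname=$(cow_crypt_name "$name")

    # 1. Ephemeral encryption for the COW: plain (headerless) dm-crypt keyed
    #    straight from /dev/urandom. The key exists only in kernel memory, so
    #    closing the mapping later makes whatever was written unrecoverable.
    cryptsetup open --type plain \
        --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom \
        "$cow_dev" "$cname"

    # 2. Pin the origin read-only so no plaintext write can land on it.
    blockdev --setro "$origin"

    # 3. Snapshot: reads fall through to the origin, every write is diverted
    #    to the encrypted COW. Size is the origin's length in 512-byte sectors.
    sectors=$(blockdev --getsz "$origin")
    dm_snapshot_table "$origin" "/dev/mapper/$cname" "$sectors" N 8 \
        | dmsetup create "$name"

    # The VM's block device is now /dev/mapper/<name>.
    printf '/dev/mapper/%s\n' "$name"
}

down() {
    name=$1
    cname=$(cow_crypt_name "$name")
    dmsetup remove "$name"
    # Dropping the dm-crypt mapping discards the random key; the COW blocks
    # left on cow_dev are ciphertext under a key nobody holds any more.
    cryptsetup close "$cname"
}

case "${1:-}" in
    up)   up "$2" "$3" "$4" ;;   # up   <snapname> <origin> <cow_dev>
    down) down "$2" ;;           # down <snapname>
    *)    ;;                     # no arguments: functions only
esac
```

Usage: `./snap.sh up dispvm-root /dev/vg/template-root /dev/sdb1` prints the device to hand to the VM, and `./snap.sh down dispvm-root` tears it down. Two caveats a practitioner would check: a non-persistent snapshot becomes invalid (all reads fail) once the COW device fills, so size `cow_dev` for the expected churn; and because the origin is read-only and never written, the `snapshot-origin` mapping that LVM normally layers over the origin is not needed here, but it is if the origin were ever to be written while the snapshot exists.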