Hello Qubes community,
I’m exploring a setup where I can launch TemplateVMs and AppVMs from a secondary drive. Specifically, this drive would be a hidden encrypted volume (VeraCrypt hidden volumes) that I decrypt using VeraCrypt or zuluCrypt directly from dom0. Once decrypted, I’d like to manage it via a simple bash script that mounts the disk containing these “hidden” VMs whenever needed.
The goal is to keep these VMs isolated and only accessible on demand, enhancing security and deniability in certain scenarios.
I’m fully aware of the risks involved, including:
- Running VeraCrypt or zuluCrypt in dom0, which could introduce vulnerabilities to the core system, even if I think it can be hardened enough to be safe.
- General risks associated with hidden partitions, such as potential data loss and possible detection by advanced forensics.
Has anyone experimented with something similar? What are the best practices I should consider to minimize these risks? I’d appreciate any advice, code snippets, or pointers to relevant documentation.
Future Development Ideas:
- An anti-forensic cleaning bash script to automatically remove any traces (e.g., logs or metadata) that could indicate the volume was ever mounted.
Thanks in advance for your insights!