Qubes custom install with detached LUKS

Hi, I’m trying to install Qubes 4.0.4 & Qubes 4.1R1 on my SSD, with the LUKS header detached to my pendrive.

I have created the logical volumes, but for some strange reason the partitions are not getting detected in the GUI.

Can anybody help me, please?

Thanks



The logical volumes are created, but they’re not detected when I click on refresh to load my custom partition, even if it says it’s already mounted.

You didn’t mention having seen this, so I’m dropping it here in case it helps at all. It doesn’t contain the exact answer to your question but might contain some relevant hints.

I’m trying to do a whole disk encryption leaving the header and boot-loader on the USB drive. So I don’t want the boot partition to be stored on the storage device. Hence I don’t need to create two partitions. I would like the whole disk to be encrypted without any boot files.

I have seen the documentation prior to the installation.

Something wrong with this???

You have to refresh disk first then select disk and choose advanced.
The document is somewhat outdated.

I tried that; it didn’t work. I tried to refresh the disk in the terminal and also with the re-scan option provided in the GUI, but the disk still isn’t getting detected in the GUI.

It works with 4.1; I’ve tried with the latest 12-06 and 26-06 ISOs. I’m still researching how to make it work with encrypted /boot and a detachable LUKS header.

It’s been a while since I did a custom install with Qubes but I remember having difficulties with manual partitioning and finalizing. I wiped the drive and for some reason I still got some error message saying there was not enough space or some problem with my setup.

I removed my SSD from my laptop and connected it via external usb hard drive caddy. I had no problems with a custom install then.

I don’t know if this helps with your specific setup but you could try it this way.

Yes, I tried on the 26/06 latest kernel. Normal installation works fine, but the detached LUKS header custom installation isn’t working.

I always wipe the disk completely with zeros to begin with.

dd if=/dev/urandom of=/dev/sdd status=progress
dd if=/dev/zero of=header.img bs=16M count=1
cryptsetup luksFormat /dev/sdd --header header.img
cryptsetup luksOpen /dev/sdd luks --header header.img

creating lvm on luks

pvcreate /dev/mapper/luks
vgcreate qubes_dom0 /dev/mapper/luks
lvcreate -n swap -L 10G qubes_dom0
lvcreate -T -l +100%FREE qubes_dom0/pool00
lvcreate -V1G -T qubes_dom0/pool00 -n root
lvextend -L +210G /dev/qubes_dom0/root

creating file system
mkfs.ext4 /dev/mapper/qubes_dom0-root
mkswap /dev/mapper/qubes_dom0-swap

mounting

mount /dev/mapper/qubes_dom0-root /
swapon /dev/mapper/qubes_dom0-swap

setting up pendrive with two partitions of type ext4 and EFI.
mkfs.fat -F32 /dev/sdf
mkfs.ext4 /dev/sdf1

I have only gotten this far. After many retries, only once could I see the partition in the GUI, and I have no idea how I got it that time. I’m retrying with different options, but the GUI still shows my disk blank without LVM.

If you go further, please do help me. I will still be working on this to make it work.

Thanks for your time and replies. Glad you are also trying to do the same thing as me. Hopefully, together and with the help of the Qubes community, we can do this.

Yes, I tried wiping my disk, removing, adding, reloading. It didn’t work, but thanks for your suggestion. I will keep trying to find a possible solution.

Is there any command you want to issue with that? Even if it succeeds, it’s not a detached LUKS ‘header’.

It should be /dev/sdf1 and /dev/sdf2, right?

Do you want to build an FDE root and a detachable /boot on USB?

Yes, typo; it’s sdf1 and sdf2.

I want /boot to be on separate USB.

If you want just FDE + bootloader on USB, the installer is smart enough to do this.
Just select 2 disks in the installer. Then you can select automatic and wipe all data.
If you wonder how the installer does this, you can select custom, then select automatic partitioning (you can change your fs type first, then click on automatic partitioning; it doesn’t matter what the file type is, the installer will create the bootloader on the USB).

This way, be careful not to create a sys-usb; your system will crash.

No, I want to install FDE on my SSD but the header, /boot and GRUB to be installed on my USB.
So without USB I cannot boot qubes.

With what I talked about before, it’s the same; the difference is the header is in root. But you still won’t ever be able to boot if you lose the USB.
The only way you can boot if you lose it is to make a bootloader again with Qubes rescue and enter the disk passphrase.

I understand that I cannot boot without the USB, but that’s the setup I’m looking for. I’m stuck at the GUI not detecting the qubes_dom0/root.

Try installing with this step; you won’t need to configure anything.

Does the following type of installation work with a detached header?

https://www.skrilnetz.net/bullet-proof-data-encryption-with-luks-and-a-detached-header/

The most difficult part is getting the GUI to detect LUKS. Users have to decrypt and then init 1 to load the GUI again to detect the partition.

Update: So, basically, after spending hours on this

Here’s what I found out. The pendrive should contain 4 partitions:

  1. /boot/efi
  2. /boot
  3. header
  4. boot files

The Qubes installation cannot install /boot on an EFI file system, so formatting to ext4 will wipe the header.
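
A way to confirm the result of the `cryptsetup luksFormat /dev/sdd --header header.img` step posted earlier in the thread, as an added example that is not part of any post: it checks that the LUKS magic sits at the start of the header file and not at the start of the data disk. The function names `luks_version` and `check_detached` and the demo files are assumptions made for this example.

```sh
#!/bin/sh
# Added example: check that a LUKS header is detached by looking for the
# LUKS magic ("LUKS" 0xBA 0xBE + 2-byte big-endian version) at offset 0.
# Only offset 0 is inspected; backup copies elsewhere are not searched for.

# Print the LUKS version (1 or 2) found at the start of $1, or "none".
luks_version() {
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \t\n')   # first 8 bytes as hex
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

# Succeed only if $2 (header file) has a LUKS header and $1 (data device) has none.
check_detached() {
    data=$1
    header=$2
    hv=$(luks_version "$header")
    dv=$(luks_version "$data")
    if [ "$hv" = none ]; then
        echo "FAIL: no LUKS header in $header"
        return 1
    fi
    if [ "$dv" != none ]; then
        echo "FAIL: $data carries a LUKS$dv header at offset 0"
        return 1
    fi
    echo "OK: LUKS$hv header in $header, none at offset 0 of $data"
}

# Constructed demo files (not real devices): an 8-byte LUKS2 magic stands in
# for header.img, 64 zero bytes stand in for a data disk with no header.
demo_dir=$(mktemp -d)
printf 'LUKS\272\276\000\002' > "$demo_dir/header.img"
dd if=/dev/zero of="$demo_dir/disk.img" bs=64 count=1 2>/dev/null
check_detached "$demo_dir/disk.img" "$demo_dir/header.img"
rm -rf "$demo_dir"
```

With the device and file names used in the thread, the call would be `check_detached /dev/sdd header.img`, run as root so the disk can be read.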