Qubes Dom0 Folders That Leave Forensic Footprints?

I’m looking to bind all the folders that leave forensic footprints to redirect to a Veracrypt container.

What folders should I bind?

1 Like

Perhaps I’m missing something, but this sounds like one of those things that no one should want to do, since the entire Qubes OS installation is already LUKS-encrypted.

1 Like

…and if you’re compelled to decrypt by state sponsored criminals in costumes… better not rely on that level of defense in a world gone full dystopian tyranical.

Qubes could have pd built right in…but state sponsored criminals would know that. If you hack a solution together using 3rd party tools, your chances of avoiding detection are much better in my opinion.


Have a look at these articles for a threat model: VeraCrypt - Free Open-Source Disk Encryption - Documentation - Hidden Volume and VeraCrypt - Free Open-Source Disk Encryption - Documentation - Hidden Operating System.

If you are doing things that would make you target of adversaries for sure, they either will:

  1. Wait to steal your laptop/PC from you while working in your hidden OS/volume (and they will study you thoroughly before they act), or
  2. They will torture you so you would confess even whatnots.

No one will let you go if you answer - no I don’t have any hidden whatnot, if you come to a situation to be asked that…

Everything else is overkill beside what Qubes already offers.

I would say it could make sense to make a deniable encryption a default enabled option.
Like, Qubes OS always “reserves” some allocated data pool for deniable encryption. If you do not use it, there are just some random data. If you create a key, you can use it for VMs.

Also, our log management is a mess :frowning:


This is not the threat model under consideration. The threat model is more like random checks of random people. “Oh, look, you have something encrypted! You must be hiding something. Show us immediately all your secrets! Ok, I see that you are using Windows to watch Youtube. Next one.”


Sorry but this is nonsense. The rules of the game are different everywhere. Sure, there are countries where the possibility of such things are more likely, But life generally plays out within a spectrum between extremes, not in black and white scenarios. There are plenty of reasons to reduce our footprint in the world and plenty of situations where it would be more advantageous to reveal less information about previous activities.

1 Like

@Emily I was searching for something unrelated and ran across this. It doesn’t address what you are asking but it’s related.


@necker I absolutely agree. I just referred to @Emily’s threat model - “world gone full dystopian tyrannical”. In such a world, I can’t agree there are shades of gray. Just black. I also emphasized that if anyone is targeted by an adversary, no Qubes, or VeraCrypt will help him/her.
So, maybe this is nonsense, but that doesn’t change the fact.

To be clear: “polishing” Qubes by reducing footprint of our activities in it is absolutely necessary.
But using VeraCrypt on one hand and shared folders across VMs on the other hand is overkill as I see it, and actually those are extremes for me.
Maybe I am wrong, but not that stubborn not to accept threat models in which using this is justified. On the contrary.


I understand your assumption but I would at least argue that “a world gone full dystopian tyrannical” describes a global context, not necessarily local conditions. While there are certainly implications to living in such a world, I wouldn’t say that the same inferences should be made for all individuals.

It’s possible that there is still enough freedom and choice for certain individuals to make calculated attempts to preserve their integrity and well-being.

1 Like

Wrong? Only you could know such a thing. A threat model is very unique and personal. It deals with perceived threats, so it’s not a matter of “right or wrong”. It’s empirical. It can’t be “proved”, only validated. It’s useful or it’s not.

Exactly. All the mindless shit your average CNN watching, social media addicted statist zombie would have on their laptop.

…I do not agree.
Nor am I a defeatist.
Monolithic criminal enterprises (governments), have always been a few steps behind the cypherpunks.


I understand the rationale behind hidden volumes, but that’s not what the OP described, or at least not how I interpreted it. It sounded like the goal was just to encrypt all files that “leave forensic footprints,” which they already are. This is the basic rationale for FDE rather than mere file-level encryption.

The hedge is against state sponsored criminals in monkey suits coercing system decryption.

What the criminals should see is a system typical of your average mindless social media user. Logs only map to the hidden layer when the hidden layer is mounted. When it’s not mounted the logs should log as usual, leaving plenty a trial for forensics to follow to mindless state approved social media, but never seeing the hidden layer.

1 Like

Thanks for clarifying what you had in mind. There have been several discussions about this over the years. Here are some relevant issues:

You can probably also find some relevant threads by searching the mailing list archives.


Looking over the links, it looks like the community sees the writing on the wall, and is looking for solutions. But none implemented yet.

A little foresight goes along way. I want something viable now. I don’t think we have too much time before the rest the world looks like China and its outposts of Canada, Australia.

This dystopian steamroller isn’t going to stop anytime soon. We need something now.

it seems if every log folder was bound to a pd vault layer then we have working plausible deniability for coerced decryption.

Most cases the criminals won’t go much deeper if there’s plenty of red-herring data left in the overt layer logs.

If they do go for second level forensics, then the swap partition needs to be dealt with.

A) How/where can I get a complete list of folders where footprints end up?

B) What is the best way to prevent ghost layer data from ending up in swap? Or clearing the swap completely when exiting the ghost layer or shutting down the system?

1 Like

Also, 12 years ago, Joanna discussed another aspect of encrypted disks/hidden volumes, then with the TrueCrypt developers, too

Sorry, but I see this as a misconception of Qubes. For me, it would be the same as someone would want to additionally harden safes (VMs) in a bank vault (dom0), even with hiding them behind that picture on the wall in the vault, or even behind the wall itself in the vault.

Some will look for regular safes, but depending on the content, for sure there will be some looking for hidden safes. And they will find it.

And the misconception is: whoever is able to break into the vault, isn’t capable to break the safes and find the safe behind the picture/wall in the vault.