The "Qubes OS in tmpfs" way implies that AppVMs are simply stored on an encrypted disk (SSD). The main trick is that the SSD is encrypted with a detached header. Without the detached header file, your disk will be the same as an empty disk. The file is stored somewhere other than the SSD.
We can make the task easier and not boot Qubes in RAM to make a traceless/stateless system:
You can just mount the SSD's filesystem containing your secret AppVM files over the default filesystem containing public AppVM files. So you will get two versions of the same AppVMs: secret and public.
When you've done your secret daily work, you should stop all your secret AppVMs and unmount the disk (SSD filesystem). Then the public (non-secret) AppVMs become available in the lower (layer) filesystem directory. So you're not leaving any trace of your work outside the encrypted SSD. You just need to hide your SSD's detached header file.
If human rights violators force you to decrypt the system, you will boot into your Qubes OS, show your AppVMs and say that the (secret ;) SSD doesn't contain any data. You can store your detached header file (16MB size) in a cloud file hosting service or somewhere else.
In general terms you will need to:
- Encrypt your SSD with a detached header [cryptsetup]
- Create a pool to store the AppVM files (choose a storage directory) [qvm-pool]
- Mount the encrypted SSD to the AppVM files storage directory [mount]
- Create an AppVM in this pool [qvm-create -P]
All needed terminal commands are available on this thread.
This method doesn't change the OS system requirements. You just need to use non-compromising names for your AppVMs. And disable the swap, I guess.
I must warn you, there may be a slight difficulty in changing the parameters of both (secret and public) machines from Qubes Manager, private storage size, for example.
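
The four steps listed in the post, together with the stop/unmount step and the swap check it mentions, as an added example that is not part of the original post or of the commands in the thread. The device path, header path, mapper name, pool name, pool directory and the ext4 filesystem are placeholder assumptions, and the `qvm-pool add` syntax assumed is that of Qubes 4.1 and later; with the default `DRY_RUN=1` the commands are only printed.

```shell
#!/bin/sh
# Added example; every value below is a hypothetical placeholder.
DEV="${DEV:-/dev/sdX}"                       # SSD to encrypt
HEADER="${HEADER:-/path/to/header.img}"      # detached LUKS header, kept off the SSD
MAPPER="${MAPPER:-ssd_pool}"                 # device-mapper name
POOL="${POOL:-mypool}"                       # Qubes storage pool name
POOL_DIR="${POOL_DIR:-/var/lib/qubes_pool}"  # pool storage directory
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, anything else = execute

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time setup in the order the post gives; $1 is the AppVM name.
setup() {
    run cryptsetup luksFormat --type luks2 --header "$HEADER" "$DEV" &&
    run cryptsetup open --header "$HEADER" "$DEV" "$MAPPER" &&
    run mkfs.ext4 "/dev/mapper/$MAPPER" &&   # filesystem type is an assumption
    run mkdir -p "$POOL_DIR" &&
    run qvm-pool add "$POOL" file -o "dir_path=$POOL_DIR" &&
    run mount "/dev/mapper/$MAPPER" "$POOL_DIR" &&
    run qvm-create -P "$POOL" --label red "$1"
}

# End of a session: stop the named AppVMs, unmount, close the mapping.
teardown() {
    run qvm-shutdown --wait "$@" &&
    run umount "$POOL_DIR" &&
    run cryptsetup close "$MAPPER"
}

# Succeeds if directory $1 is a mount point in mounts table $2.
is_mounted() {
    awk -v d="$1" '$2 == d { f = 1 } END { exit !f }' "${2:-/proc/mounts}"
}

# Succeeds if swaps table $1 lists any active area (first line is a header).
swap_active() {
    awk 'NR > 1 { n++ } END { exit !(n > 0) }' "${1:-/proc/swaps}"
}

# Succeeds only if the secret filesystem is unmounted and swap is off.
verify_clean() {
    ! is_mounted "$POOL_DIR" "${1:-/proc/mounts}" &&
    ! swap_active "${2:-/proc/swaps}"
}
```

After sourcing the file, `setup work` prints the setup sequence, and `verify_clean` returns non-zero while the pool directory is still mounted or any swap area is active.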