For a portable QubesOS installation on a External USB 1TB highspeed (1000MBps write speed/1050MBps read speed) SSD, with a requirement to have two Luks encrypted partitions (QOS+Storage), what is the best configuration?
With my current internal 256GB Nvme QOS install, I only have 80GB free space, so am being cautious with the USB install. I want to store the backups right in the storage partition for both the USB install as well as the internal install. If Qubes crashes irretrievably, I must be able to install and recover in less time.
I am looking for mainly these things here:
Can I install on one partition of the HDD while the other partition is used for storage?
If yes, can/should one or both partitions be Luks encrypted before the install?
If there is a need to extend the size of the install partition (hypothetically speaking) at a later date, will it be possible to increase the Luks encrypted install partition size by shrinking the Luks encrypted storage partition?
Please donât give the security risk disclaimer; this portable will only be used on my uncompromised machines in different cities, and I understand the risks. Traveling light, is the goal.
If you choose to install qubes on external drive, you should prepare a uefi recovery system (or qubes os installation medium) to recover uefi entry in case its wiped.
I didnât get what you mean by best configuration.
I donât like the Idea, what if the problem is in your drive.
But since you have 2 system, that would be okay.
Yes
If you donât have nothing to hide, encryption not needed.
Itâs possible, simply encrypt your new partition, add pv, then configure crypttab.
Thank you. "best configuration" relates to the questionsâŚsorry if it was unclear. If there was no flexibility, then I would have had to fix the size of the installation partition right at the beginning anticipating my use of it. From your reply, I donât. I can fix it at 300-350GB until requirement changes.
"qubes crashes"
Drive problem will be like fate. lol. Although I donât prefer to leave it to it, there is ALWAYS an inevitable point of no return.
But, from my âaboutâ 14 -15 installs so far, crashes have been mostly because of some kernel upgrade, driver issues etc. Since I was in trying mode, I just reinstalled each time, and âfortunately without/possibly because of noâ loss of any data. And I believe, each time the problem could have been probably solved. Recently I have been stubborn against the problems - tinkering with files, even grub.cfg which is not to be modified, and with good results.
Only twice have I got Ext4 errors, that is likely due to disk errors.
"nothing to hide"
Everybody who wear clothes have something to hide. lol.
That apart, the encryption is to prevent infection of files, if ever, from the only fact that it was an open unencrypted drive, even from a seemingly uncompromised machine. Just a paranoid precaution.
Thanks again, I will mark this as the solution.
Sorry, I couldnât figure out how to use the Block quote properly.
The settings take up the mount points for /, /boot/efi, /boot and swap. As soon as I reach the ext4 300GiB vm-pool entry, it demands a mount point. When I choose /var or /home to set it temporarily, it just freezes. I need to segregate the remaining volume into vm-pool and an extra storage partition as mentioned in the OP.
What should I do now?
Try partitioning from an alternative OS and directly select the partitions? How do I create the Volume groups then?
Thanks.
Edit:
Just figured out. Blivet Gui.
Issue:
No options for setting mount point for root/swap
Also, options like LVM thin provisioning, standard partition etc are not the same. In Blivet device types are âPartition, LVM2 Volume Group, Btrfs Volumeâ only.
Setting mount point is available only for Btrfs volume and not for LVM2 Volume Group.
Blivet throws error for not setting mount points for root and swap, but doesnât provide option to set it.
What am I missing? Should I go through commandline?
@51lieal, thanks I went through it. I will try it at some point, but I donât want the boot to be encrypted at the moment.
Just the same default configuration of QubesOS, with the extra portion of the disk to be used as storage/backup.
I donât want to tinker too much into encryption now since I am testing this outâŚdonât want to spend time debugging issues.
I am thinkin that I will just format the disk into two partitions: one for qubes (352GB) and the remaining for storage, then install with default paramaters in the qubes partition, luks encrypt the storage partition later.
oh i forgot one thing, it use flashdrive for boot and efi partition.
your layout would be :
/dev/nvme0n1p1 for /boot/efi
/dev/nvme0n1p2 for /boot
/dev/nvme0n1p3 for lvm (root and vm)
I am using a highspeed SSD
/dev/sda1 for /boot/efi
/dev/sda2 for /boot
/dev/sda3 for lvm (root and vm-pool)
/dev/sda4 storage
So I should be encrypting both sda3 and sda4. I need luks2 encryption.
And after installation will the gui be demanding password for both partitions separately?