Qubes OS Install on a 1TB SSD USB. Best configuration for two separate partitions (installation + Storage)?

dracoren · September 20, 2022, 8:47am

For a portable QubesOS installation on a External USB 1TB highspeed (1000MBps write speed/1050MBps read speed) SSD, with a requirement to have two Luks encrypted partitions (QOS+Storage), what is the best configuration?

With my current internal 256GB Nvme QOS install, I only have 80GB free space, so am being cautious with the USB install. I want to store the backups right in the storage partition for both the USB install as well as the internal install. If Qubes crashes irretrievably, I must be able to install and recover in less time.

I am looking for mainly these things here:

Can I install on one partition of the HDD while the other partition is used for storage?
If yes, can/should one or both partitions be Luks encrypted before the install?
If there is a need to extend the size of the install partition (hypothetically speaking) at a later date, will it be possible to increase the Luks encrypted install partition size by shrinking the Luks encrypted storage partition?

Please don’t give the security risk disclaimer; this portable will only be used on my uncompromised machines in different cities, and I understand the risks. Traveling light, is the goal.

Thank you.

51lieal · September 20, 2022, 1:57pm

If you choose to install qubes on external drive, you should prepare a uefi recovery system (or qubes os installation medium) to recover uefi entry in case its wiped.

I didn’t get what you mean by best configuration.

I don’t like the Idea, what if the problem is in your drive.
But since you have 2 system, that would be okay.

Yes

If you don’t have nothing to hide, encryption not needed.

It’s possible, simply encrypt your new partition, add pv, then configure crypttab.

dracoren · September 20, 2022, 2:23pm

Thank you.
"best configuration" relates to the questions…sorry if it was unclear. If there was no flexibility, then I would have had to fix the size of the installation partition right at the beginning anticipating my use of it. From your reply, I don’t. I can fix it at 300-350GB until requirement changes.

"qubes crashes"
Drive problem will be like fate. lol. Although I don’t prefer to leave it to it, there is ALWAYS an inevitable point of no return.
But, from my ‘about’ 14 -15 installs so far, crashes have been mostly because of some kernel upgrade, driver issues etc. Since I was in trying mode, I just reinstalled each time, and ‘fortunately without/possibly because of no’ loss of any data. And I believe, each time the problem could have been probably solved. Recently I have been stubborn against the problems - tinkering with files, even grub.cfg which is not to be modified, and with good results.
Only twice have I got Ext4 errors, that is likely due to disk errors.

"nothing to hide"
Everybody who wear clothes have something to hide. lol.
That apart, the encryption is to prevent infection of files, if ever, from the only fact that it was an open unencrypted drive, even from a seemingly uncompromised machine. Just a paranoid precaution.

Thanks again, I will mark this as the solution.
Sorry, I couldn’t figure out how to use the Block quote properly.

dracoren · September 21, 2022, 10:36am

I tried to do a custom install to achieve the following configuration

The settings take up the mount points for /, /boot/efi, /boot and swap. As soon as I reach the ext4 300GiB vm-pool entry, it demands a mount point. When I choose /var or /home to set it temporarily, it just freezes. I need to segregate the remaining volume into vm-pool and an extra storage partition as mentioned in the OP.

What should I do now?
Try partitioning from an alternative OS and directly select the partitions? How do I create the Volume groups then?
Thanks.

Edit:
Just figured out. Blivet Gui.

Issue:
No options for setting mount point for root/swap
Also, options like LVM thin provisioning, standard partition etc are not the same. In Blivet device types are “Partition, LVM2 Volume Group, Btrfs Volume” only.
Setting mount point is available only for Btrfs volume and not for LVM2 Volume Group.
Blivet throws error for not setting mount points for root and swap, but doesn’t provide option to set it.
What am I missing? Should I go through commandline?

51lieal · September 21, 2022, 12:26pm

Take a look at my guide in here ignore the detach header things.

dracoren · September 21, 2022, 1:20pm

@51lieal, thanks I went through it. I will try it at some point, but I don’t want the boot to be encrypted at the moment.
Just the same default configuration of QubesOS, with the extra portion of the disk to be used as storage/backup.
I don’t want to tinker too much into encryption now since I am testing this out…don’t want to spend time debugging issues.

I am thinkin that I will just format the disk into two partitions: one for qubes (352GB) and the remaining for storage, then install with default paramaters in the qubes partition, luks encrypt the storage partition later.

51lieal · September 21, 2022, 1:24pm

just ignore this

---# header partition
n
3
(enter)
(enter)
(enter)

w
Y

then adjust partition size with yours and you have the same configuration with the default.

don’t follow anything after this

After completion, switch back to shell with ctrl + alt + f2

dracoren · September 21, 2022, 1:26pm

Great! Thanks.
I will check it out now, and confirm.

51lieal · September 21, 2022, 1:31pm

oh i forgot one thing, it use flashdrive for boot and efi partition.
your layout would be :
/dev/nvme0n1p1 for /boot/efi
/dev/nvme0n1p2 for /boot
/dev/nvme0n1p3 for lvm (root and vm)

dracoren · September 21, 2022, 2:48pm

I am using a highspeed SSD
/dev/sda1 for /boot/efi
/dev/sda2 for /boot
/dev/sda3 for lvm (root and vm-pool)
/dev/sda4 storage

So I should be encrypting both sda3 and sda4. I need luks2 encryption.
And after installation will the gui be demanding password for both partitions separately?