Love this for the hardened security and forensics properties. But there's a lot going on. Could you explain to a novice the exact steps they need to take, one by one, to gain all the forensic benefits of this?
Step 1. Copy the script to dom0 and then restart.
Step 2. This is the most confusing to me. I restart and click overlay-live mode. Now what can I expect? Do all my qubes gain the ephemeral protection by default, both app VMs and standalone qubes? If not, why not? And does ephemeral mean that any data that was accessed a few minutes ago no longer exists if the live system is accessed and forensically examined? How does a user know what data is still forensically obtainable within a live running system and what isn't at any given moment, for super critical data? Is there a way users can be notified whether a qube has ephemeral protection or not, in case they mess it up by renaming it or never set it up right from the start? Something like the notification that a live session is running, but for ephemeral encryption as well, for the qubes that have it; if it isn't there, then they know something may be wrong. Also, if it is true that not all qubes are protected against forensics during a live running system, does that mean all the other qubes a user has are just like using a live USB stick, where data is only gone on shutdown/reboot?
Also, there seem to be two concepts here: ephemeral DVMs and RAM DVMs.
The initial post mentions there are two ephemeral DVMs. Why are only two ephemeral DVMs created specifically? And are RAM DVMs just basic ones that lose data only on reboot, and are all the current qubes a user has RAM DVMs by default when launched in the live GRUB modes?
Also, I noticed pools. "this pool resides entirely in dom0's ram". Why does the pool the live qubes are running in matter? And is it using dom0's memory? Is it not dangerous to have untrusted live qubes using the same memory space as dom0?! Are the ephemeral DVMs and all the current qubes on a user's system before using this script in a different pool?
Also, what is this mention of root vs. volatile that comes up now and then? If a qube is in live mode, home data does not persist across a reboot, correct?
Thank you for making all this and responding to users and refining the post again and again to truly make it better and better. Incredible work.