Fully ephemeral encrypted and RAM appVMs / DVMs without live dom0.
If you don't want to install dom0 live modes and only need ephemeral encrypted appVMs / DVMs in the default persistent dom0, or if you want to add ephemeral encryption to your existing appVMs:
- run in dom0 terminal:
    qvm-pool set vm-pool -o ephemeral_volatile=True
    qvm-volume config default-dvm:root rw False
    qvm-volume config whonix-workstation-18-dvm:root rw False
(PS: run the same qvm-volume command for your other appVMs, replacing the appVM name)
- add these commands to /rw/config/rc.local in the appVM / DVM.
For whonix-workstation-18-dvm and other Whonix / Kicksecure based appVMs / DVMs:
    # wait up to 15 s for the volatile volume (/dev/xvdc) to appear and be mounted
    # (a POSIX counter loop: {1..15} only works in bash, and Debian's /bin/sh is dash)
    mkdir -p /volatile
    i=0
    while [ "$i" -lt 15 ]; do
        if [ -b /dev/xvdc ] && mountpoint -q /volatile 2>/dev/null; then
            break
        fi
        sleep 1
        i=$((i + 1))
    done
    if ! mountpoint -q /volatile 2>/dev/null; then
        mount /dev/xvdc /volatile || echo "Volatile mount failed"
    fi
    #
    # replace $dir with a copy of it that lives on the volatile volume
    remount_dir() {
        local dir="$1"
        local volatile_dir="/volatile$dir"
        mkdir -p "$volatile_dir"
        # seed the volatile copy from the persistent one only while it is still empty
        [ -z "$(ls -A "$volatile_dir" 2>/dev/null)" ] && cp -a "/rw$dir/." "$volatile_dir/" 2>/dev/null || true
        umount -l "$dir" 2>/dev/null || true
        mount --bind "$volatile_dir" "$dir" || echo "Bind $dir failed"
    }
    #
    mkdir -p /volatile/home
    cp -a /rw/home/. /volatile/home/ 2>/dev/null || true
    umount -l /home 2>/dev/null || true
    mount --bind /volatile/home /home
    remount_dir "/var/spool/cron"
    remount_dir "/usr/local"
    remount_dir "/var/lib/systemcheck"
    remount_dir "/var/lib/canary"
    remount_dir "/var/cache/setup-dist"
    remount_dir "/var/lib/sdwdate"
    remount_dir "/var/lib/dummy-dependency"
    remount_dir "/var/cache/anon-base-files"
    remount_dir "/var/lib/whonix"
    # make the file manager open the (now volatile) home directory
    USER_NAME="user"
    USER_HOME="/home/$USER_NAME"
    LOCAL_APP_DIR="$USER_HOME/.local/share/applications"
    SYSTEM_DESKTOP="/usr/share/applications/pcmanfm-qt.desktop"
    USER_DESKTOP="$LOCAL_APP_DIR/pcmanfm-qt.desktop"
    mkdir -p "$LOCAL_APP_DIR"
    if [ -r "$SYSTEM_DESKTOP" ]; then
        if [ ! -e "$USER_DESKTOP" ]; then
            cp "$SYSTEM_DESKTOP" "$USER_DESKTOP"
        fi
        sed -i "s|^Exec=.*|Exec=pcmanfm-qt $USER_HOME|" "$USER_DESKTOP"
    fi
    # same for the terminal: start it inside the home directory
    QTERMINAL_USER="$LOCAL_APP_DIR/qterminal.desktop"
    if [ -r "/usr/share/applications/qterminal.desktop" ]; then
        cp "/usr/share/applications/qterminal.desktop" "$QTERMINAL_USER"
        # KEY POINT: bash -c with cd! (only the first Exec= line is rewritten)
        sed -i "0,/^Exec=/s|^Exec=.*|Exec=bash -c 'cd /home/user \&\& exec qterminal'|" "$QTERMINAL_USER"
    fi
    # give the rest of the boot a minute before /rw itself is hidden
    sleep 60
    remount_dir "/rw"
For default-dvm and other Debian / Fedora based appVMs / DVMs:
    mkdir -p /volatile
    mount /dev/xvdc /volatile 2>/dev/null || true
    # replace $dir with a copy of it that lives on the volatile volume
    remount_dir() {
        local dir="$1"
        local volatile_dir="/volatile$dir"
        mkdir -p "$volatile_dir"
        # seed the volatile copy from the persistent one only while it is still empty
        [ -z "$(ls -A "$volatile_dir" 2>/dev/null)" ] && cp -a "/rw$dir/." "$volatile_dir/" 2>/dev/null || true
        umount -l "$dir" 2>/dev/null || true
        mount --bind "$volatile_dir" "$dir" || true
    }
    mkdir -p /volatile/home
    cp -a /rw/home/. /volatile/home/ 2>/dev/null || true
    umount -l /home 2>/dev/null || true
    mount --bind /volatile/home /home
    remount_dir /var/spool/cron
    remount_dir /usr/local
    # give the rest of the boot a minute before /rw itself is hidden
    sleep 60
    remount_dir /rw
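Added here as a verification helper, not part of the original post: after either rc.local variant has run, this checks that the redirected directories are really backed by the device mounted at /volatile by reading /proc/self/mountinfo, and names any directory that is still on a persistent volume. The mountinfo text in the block is a constructed sample; the device names /dev/xvdb (private) and /dev/xvdc (volatile) follow the usual Qubes naming.

```shell
#!/bin/sh
# Added check (not from the original post): verify that each redirected
# directory is backed by the device mounted at /volatile. In mountinfo,
# field 5 is the mount point; after the "-" separator come fstype and the
# source device. The last matching line wins, as later mounts shadow earlier ones.

# mount_source MOUNTINFO MOUNTPOINT : print the source device (empty if none)
mount_source() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { dev = $(i + 2) } }
        END { print dev }'
}

# unprotected_dirs MOUNTINFO DIR... : print every DIR whose mount does not
# come from the /volatile device; return 1 if there is any such DIR.
unprotected_dirs() {
    mi=$1; shift
    vol_dev=$(mount_source "$mi" /volatile)
    if [ -z "$vol_dev" ]; then
        printf '%s\n' "$@"   # /volatile itself is missing: nothing is protected
        return 1
    fi
    bad=0
    for d in "$@"; do
        [ "$(mount_source "$mi" "$d")" = "$vol_dev" ] || { printf '%s\n' "$d"; bad=1; }
    done
    return $bad
}

# Constructed sample: /home and /var/spool/cron were redirected, but /usr/local
# still sits on the persistent private volume and /rw was never remounted.
SAMPLE_MOUNTINFO='22 1 202:2 / / rw,relatime - ext4 /dev/xvda3 rw
40 22 202:16 / /rw rw,relatime - ext4 /dev/xvdb rw
42 22 202:16 /usrlocal /usr/local rw,relatime - ext4 /dev/xvdb rw
50 22 202:32 / /volatile rw,relatime - ext4 /dev/xvdc rw
51 22 202:32 /home /home rw,relatime - ext4 /dev/xvdc rw
52 22 202:32 /var/spool/cron /var/spool/cron rw,relatime - ext4 /dev/xvdc rw'

# On a running VM use: unprotected_dirs "$(cat /proc/self/mountinfo)" /home /usr/local /rw ...
if unprotected_dirs "$SAMPLE_MOUNTINFO" /home /usr/local /var/spool/cron /rw; then
    echo "all listed directories are backed by /volatile"
else
    echo "the directories above are still persistent"
fi
```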
- create a systemd service in dom0 that re-applies the root rw False settings at system startup:
    sudo nano /etc/systemd/system/rw.service
add this unit:
    [Unit]
    Description=root rw False
    After=qubesd.service
    Requires=qubesd.service
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/bin/qvm-volume config default-dvm:root rw False
    ExecStart=/usr/bin/qvm-volume config whonix-workstation-18-dvm:root rw False
    [Install]
    WantedBy=multi-user.target
save and exit (Ctrl + O, Ctrl + X)
(add similar ExecStart lines for your other appVMs)
run in dom0 terminal:
    sudo systemctl daemon-reload
    sudo systemctl enable rw.service
Done.
If you don't want to install dom0 live modes and only need RAM appVMs / DVMs:
- Change dom0_mem=max: in /etc/default/grub, for example to 10G. Run in dom0 terminal:
    sudo nano /etc/default/grub
change dom0_mem=max: -> dom0_mem=max:10240M, then save and exit (Ctrl + O, Ctrl + X)
- Create a new pool in dom0 RAM (the default varlibqubes pool is not anti-forensic in a persistent dom0). Run in dom0 terminal:
    sudo mkdir -p /mnt/ram-pool
    sudo mount -t tmpfs -o size=10G tmpfs /mnt/ram-pool
    qvm-pool add rampool file --option revisions_to_keep=1 --option dir_path=/mnt/ram-pool
    qvm-pool set rampool -o ephemeral_volatile=True
(a tmpfs mount does not survive a dom0 reboot, so it has to be mounted again before a VM from this pool is started)
- Then, in Qube Manager create a new appVM and select rampool as the Storage pool in the Advanced Options.
Done.
The default persistent dom0 will still retain metadata about DVM launches!
See the qubes-issues ticket "Reduce leakage of disposable VM content and history into dom0 filesystem" (QubesOS/qubes-issues #4972 on GitHub).