Fully ephemeral encrypted appVMs / DVMs without live dom0.
If you don't want to install a live dom0 mode and only need ephemeral encrypted appVMs / DVMs under the default persistent dom0:
- run in the dom0 terminal:
```sh
qvm-pool set vm-pool -o ephemeral_volatile=True
qvm-volume config default-dvm:root rw False
qvm-volume config whonix-workstation-18-dvm:root rw False
```
PS: and the same qvm-volume config ...:root rw False command for other appVMs.
- add these commands to /rw/config/rc.local in the appVM / DVM template
for default-dvm and other Debian / Fedora based appVMs:
```sh
# rc.local runs as root under /bin/sh (dash on Debian), so plain POSIX syntax is used:
# seq replaces the bash-only {1..15} brace expansion, which dash does not expand.
timedatectl set-timezone Etc/UTC
# Wait up to 15 s for the volatile volume (xvdc) to appear, or for /volatile to be mounted already.
for i in $(seq 1 15); do
    if [ -b /dev/xvdc ] || mountpoint -q /volatile; then
        break
    fi
    sleep 1
done
mkdir -p /volatile
mount /dev/xvdc /volatile 2>/dev/null || true
# Replace $dir with a bind mount of /volatile$dir, seeded once from /rw$dir if it is still empty.
remount_dir() {
    local dir=$1
    local volatile_dir=/volatile$dir
    mkdir -p "$volatile_dir"
    [ -z "$(ls -A "$volatile_dir" 2>/dev/null)" ] && cp -a "/rw$dir/." "$volatile_dir/" 2>/dev/null || true
    umount -l "$dir" 2>/dev/null || true
    mount --bind "$volatile_dir" "$dir" || true
}
# /home is seeded from /rw/home, then bind-mounted from the volatile volume.
mkdir -p /volatile/home
cp -a /rw/home/. /volatile/home/ 2>/dev/null || true
umount -l /home 2>/dev/null || true
mount --bind /volatile/home /home
remount_dir /var/spool/cron
remount_dir /usr/local
# Give the rest of startup a minute, then hide the persistent /rw volume behind a bind mount from /volatile/rw.
sleep 60
remount_dir /rw
```
for whonix-workstation-18-dvm and other Whonix / Kicksecure based appVMs / DVMs:
```sh
# rc.local runs as root under /bin/sh (dash), so plain POSIX syntax is used:
# seq replaces the bash-only {1..15} brace expansion, which dash does not expand.
# Wait up to 15 s for the volatile volume (xvdc) to appear, or for /volatile to be mounted already.
for i in $(seq 1 15); do
    if [ -b /dev/xvdc ] || mountpoint -q /volatile; then
        break
    fi
    sleep 1
done
mkdir -p /volatile
mount /dev/xvdc /volatile 2>/dev/null || true
# Replace $dir with a bind mount of /volatile$dir, seeded once from /rw$dir if it is still empty.
remount_dir() {
    local dir=$1
    local volatile_dir=/volatile$dir
    mkdir -p "$volatile_dir"
    [ -z "$(ls -A "$volatile_dir" 2>/dev/null)" ] && cp -a "/rw$dir/." "$volatile_dir/" 2>/dev/null || true
    umount -l "$dir" 2>/dev/null || true
    mount --bind "$volatile_dir" "$dir" || true
}
# /home is seeded from /rw/home, then bind-mounted from the volatile volume.
mkdir -p /volatile/home
cp -a /rw/home/. /volatile/home/ 2>/dev/null || true
umount -l /home 2>/dev/null || true
mount --bind /volatile/home /home
remount_dir /var/spool/cron
remount_dir /usr/local
# Whonix / Kicksecure state directories that are written at boot and must not land on the persistent volume.
remount_dir /var/lib/systemcheck
remount_dir /var/lib/canary
remount_dir /var/cache/setup-dist
remount_dir /var/lib/sdwdate
remount_dir /var/lib/dummy-dependency
remount_dir /var/cache/anon-base-files
remount_dir /var/lib/whonix
# Local copies of the file manager and terminal launchers that start in /home/user.
LOCAL_APP_DIR="/home/user/.local/share/applications"
USER_HOME="/home/user"
mkdir -p "$LOCAL_APP_DIR"
if [ -r /usr/share/applications/pcmanfm-qt.desktop ]; then
    cp /usr/share/applications/pcmanfm-qt.desktop "$LOCAL_APP_DIR/pcmanfm-qt.desktop"
    sed -i "s|^Exec=.*|Exec=pcmanfm-qt $USER_HOME|" "$LOCAL_APP_DIR/pcmanfm-qt.desktop"
fi
if [ -r /usr/share/applications/qterminal.desktop ]; then
    cp /usr/share/applications/qterminal.desktop "$LOCAL_APP_DIR/qterminal.desktop"
    # "&" is special in a sed replacement (it stands for the matched text), so it is escaped as "\&".
    sed -i 's|^Exec=.*|Exec=bash -c "cd /home/user \&\& exec qterminal"|' "$LOCAL_APP_DIR/qterminal.desktop"
fi
# Give the rest of startup a minute, then hide the persistent /rw volume behind a bind mount from /volatile/rw.
sleep 60
remount_dir /rw
```
- create a systemd service in dom0 that re-applies the root rw False commands at system startup:
```sh
sudo nano /etc/systemd/system/rw.service
```
add these lines:
```ini
[Unit]
Description=root rw False
After=qubesd.service
Requires=qubesd.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/qvm-volume config default-dvm:root rw False
ExecStart=/usr/bin/qvm-volume config whonix-workstation-18-dvm:root rw False

[Install]
WantedBy=multi-user.target
```
Ctrl + O, Ctrl + X
(add similar ExecStart lines for other appVMs)
run in the dom0 terminal:
```sh
sudo systemctl daemon-reload
sudo systemctl enable rw.service
```
Done.
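To confirm inside a running appVM / DVM that the rc.local script above really took effect, here is an added check (not part of the original post): a POSIX shell function that reads a /proc/self/mountinfo listing and verifies that each given directory is a bind mount backed by /dev/xvdc (the volatile volume) rather than by /dev/xvdb (the persistent private volume). The mountinfo sample below is constructed, and the device numbers and the function name are assumptions.

```sh
#!/bin/sh
# Added check, not from the original post. In /proc/self/mountinfo a bind mount
# of /volatile/home onto /home has field 4 (root) = /home, field 5 (mountpoint) =
# /home and, two fields after the "-" separator, the source device /dev/xvdc.
check_volatile_mounts() {
    mountinfo=$1; shift     # file in mountinfo format, e.g. /proc/self/mountinfo
    status=0
    for dir in "$@"; do
        # Topmost (last listed) mount entry for this mountpoint; print its source device.
        src=$(awk -v mp="$dir" '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 2); break } }' "$mountinfo" | tail -n 1)
        if [ "$src" = "/dev/xvdc" ]; then
            echo "ok   $dir <- $src"
        else
            echo "FAIL $dir <- ${src:-not a separate mount point}"
            status=1
        fi
    done
    return $status
}

# Constructed sample (assumed device numbers): an appVM after the script
# bind-mounted /home and /usr/local from /volatile, but where /var/spool/cron
# was never remounted and /rw still sits on the persistent private volume.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 1 202:3 / / ro,relatime - ext4 /dev/xvda3 ro,discard
45 22 202:16 / /rw rw,relatime - ext4 /dev/xvdb rw,discard
60 22 202:32 / /volatile rw,relatime - ext4 /dev/xvdc rw
61 22 202:32 /home /home rw,relatime - ext4 /dev/xvdc rw
62 22 202:32 /usr/local /usr/local rw,relatime - ext4 /dev/xvdc rw
EOF

check_volatile_mounts "$SAMPLE_MOUNTINFO" /home /usr/local /var/spool/cron /rw \
    || echo "at least one directory still lives on persistent storage"
```

On a real VM, run it as root with /proc/self/mountinfo as the first argument and the directories your rc.local remounts as the rest.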
But the default persistent dom0 will still retain metadata about ephemeral DVM launches!
See Reduce leakage of disposable VM content and history into dom0 filesystem (QubesOS/qubes-issues issue #4972 on GitHub).
Therefore a forensic specialist will be able to detect numerous metadata entries and artifacts about the launch of ephemeral appVMs / DVMs, but will not be able to recover your session inside the appVM / DVM, or its private data, cache, passwords or other sensitive information.