By the way, I recommend using Kicksecure and Whonix appVMs for ephemeral encryption of a private volume with /rw isolation. I also recommend reviewing this guide before using my guide Anonymize hostname hardened template automatic installation of browser