QubesOS on a USB flash drive good practice?


I would like to have my QubesOS on a 1TB USB Flash Drive so I can move it from place to place and boot on different computers.
All my internal disks are fully encrypted.

Now I am considering this solution because I would have to allow the boot from USB in my BIOS security options.
As for now, someone who has physical access to my hardware has to bypass the BIOS password to be able to boot on a USB Live and try anything… By allowing boot from USB I am removing one security measure.

Should I be concerned? All my internal disks are fully encrypted.

Thank you,

Even if you ignore the security concerns, it will be slow. Very, very slow.

Well, the SanDisk USB 3.2 has pretty decent performance (420Mb/s).
I don’t think I need much more, or am I wrong?

Well, if it really brings that performance, then you are right. It should be OK.

Regarding security, I would configure my BIOS to require a password for every boot and/or for modifying the boot order.

The other concern about using ‘other machines’ is that those may be infected with persistent malware. Those can infect your USB drive too, and this way they can compromise your Qubes installation…

Do you have EFI/boot partitions on a USB drive that you insert to boot from your internal disk? But then you’d already have allowed boot from USB in BIOS. Or your disks are not fully encrypted and you have EFI/boot partitions that could be tampered with.

There are just too many things that a skilled and prepared attacker can do with physical access to your PC. So just a BIOS password will stop only some random unskilled/unprepared attacker. Whether you need to protect yourself from a skilled/prepared attacker depends on your threat model.

The main concern would be inserting untrusted USB devices in the same USB controller that your USB drive with Qubes is connected to.

Indeed! With this in mind, I will give up the idea of a bootable USB drive!

I’ve done this when testing out different Qubes installs; it works okay on a high-end USB drive. Wasn’t too slow, but starting/stopping VMs took quite some time.
You either need to forgo a sys-usb or have multiple USB controllers in your system.

If you want a secure OS on a flash drive, consider Tails OS.


Which allows one to install some other software on the flash drive to use with Tails. But that non-standard software might cause some security hazards.

I know that each install of Qubes, as it is installed bare metal, is only for that one model of computer.

I have thought that one might try to run Qubes from an external drive through a faster port than USB. I am not sure if one can get those ports to boot up. And once again has some unique security concerns with hardware not normally used for such. That is - Not Tested.

Possible? Probably.
Good practice? No.

TAILS seems like a solid option if you’re looking for semi-persistence and Tor.