Security of storing LUKS password inside dom0 in plain text

I want to use the standard LUKS password of my Qubes install also for the Qubes Backup and store it in plaintext inside dom0.

The Kicksecure wiki has some good security advice:

But I am still really not sure if this is okay to do.

Does this compromise my security in some way?
I mean the encryption key for the LUKS partition is in RAM anyway?
Or does this really open some new attack vectors?

1 Like

Not really. The passphrase used to unlock the LUKS device is only used to unlock the key used by LUKS. This is why you can have multiple passphrases to unlock your LUKS device; if the passphrase were the key, you would not be able to have multiple passphrases, and changing the passphrase would require re-encrypting the whole disk :slight_smile:

The LUKS key is in memory, not your passphrase.

Normally, dom0 should stay unaffected by qubes activities. I think it is safe to store your passphrase on dom0 as long as you did not allow a qube to reach dom0 through a weird custom qrexec script (users can be creative!) and that only you can access the machine physically when it’s unlocked.

This is not really good, but I can’t say it’s bad; you should see how convenient the other options are for you and whether it’s fine per your threat model.

That’s what I meant. Is it not called the encryption key? Should I have said master key?

BTW, how secure is it to leave Qubes in xscreensaver unattended?

I think the best way to do backups is just to use the same passphrase as the whole Qubes partition, create a new LUKS partition on the backup drive, and create backups there unencrypted. I think this wouldn’t reduce security at all?

1 Like

It depends on your threat model.

This is not a very useful reply for newbies. Which example threat models are affected by leaving the machine locked?

I can think of someone catching you while your machine is running unlocked; then they will be able to decrypt all your backups with that passphrase.

How do you all store/manage your many device/backup passphrases? Not just Qubes, but in general.
Do you reuse your normal LUKS keys?

Hi @Mirai, you seem to be a little confused about how LUKS actually works, and that is causing you to misassociate some concepts as being identical.

When you create a LUKS partition, the algorithm generates a “ridiculously” long prime number. This number then becomes your LUKS key.

But wait... just how long are we talking, actually? What’s the largest possible number?

6,703,903,964,971,298,549,787,012,499,102,923,063,739,682,910,296,196,688,861,780,721,860,882,015,036,773,488,400,937,149,083,451,713,845,015,929,093,243,025,426,876,941,405,973,284,973,216,824,503,042,047 :sunglasses:

This is what is stored in RAM, and is used to encrypt every write to your LUKS partition, and to decrypt every time you read from your LUKS partition.

This is not your LUKS passphrase (the thing the user types in to “unlock” the drive).


Here’s a good analogy.

Let’s say you have a storage cupboard with a mechanical key lock on it. (For the purposes of this analogy, just forget about lock-picking for now :laughing:)

You want to be able to allow multiple people to open that storage cupboard, and you want each of them to be able to access all of the compartments inside. OK, so just give them each a copy of the physical key, and problem solved, right?

Well, if you did that, every time you wanted to revoke someone’s access to the storage cupboard, you’d have to get a new mechanical lock, distribute a new set of keys to everyone, etc., etc. A lot of headaches…

So, imagine putting a single physical key inside a safe. The lock on the safe is a keypad.

You can have multiple number combinations open the safe to get the physical key, but your number combination will not open the storage cupboard on its own. :slight_smile:

That physical key stays the same for the life of the storage cupboard, or until it is compromised, whichever comes first.

Storage cupboard = LUKS partition
Physical key = LUKS key
Keypad combination = LUKS passphrase

You are going to get the response “It depends” a lot on this forum unless you specifically define your circumstances (which you are, of course, under no obligation to disclose :slight_smile:).

That is because without knowing your specific circumstances, there are way too many variables to consider to be able to give you advice that we would consider to be even remotely useful to you. And we don’t want to give you advice that doesn’t help you…

Hope this helps :slight_smile:

2 Likes
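The master-key/passphrase split described in the replies above (the passphrase only unwraps the key, several passphrases can unwrap the same key, and changing a passphrase never re-encrypts the data), as an added toy model in Python that is not code from this thread or from LUKS itself. It assumes a simplified keyslot (PBKDF2-derived key XORed over the master key plus an HMAC check tag) and an HMAC-based keystream for the data; real LUKS uses its own anti-forensic keyslot format and the kernel's dm-crypt.

```python
import os, hmac, hashlib
# Added toy model of the LUKS key hierarchy (not LUKS's real on-disk format):
# a random master key encrypts data; each keyslot wraps it under one passphrase.

def _derive(passphrase, salt):
    # Slow KDF: the per-guess cost an attacker pays if the passphrase leaks.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(master_key):  # lets unlock() tell a correct unwrap from garbage
    return hmac.new(master_key, b"keyslot-check", hashlib.sha256).digest()

class ToyVolume:
    def __init__(self, passphrase):
        master_key = os.urandom(32)  # generated once; only this is needed in RAM
        self.slots = []              # header: (salt, wrapped master key, tag)
        self._add_slot(master_key, passphrase)
    def _add_slot(self, master_key, passphrase):
        salt = os.urandom(16)
        self.slots.append((salt, _xor(master_key, _derive(passphrase, salt)), _tag(master_key)))
    def unlock(self, passphrase):
        # Returns (slot index, master key) or None; the passphrase is never the key.
        for i, (salt, wrapped, tag) in enumerate(self.slots):
            mk = _xor(wrapped, _derive(passphrase, salt))
            if hmac.compare_digest(_tag(mk), tag):
                return i, mk
        return None
    def add_passphrase(self, existing, new, replace=False):
        # Wraps the same master key in a new slot; replace=True drops the old
        # slot instead, i.e. a passphrase change with no data re-encryption.
        found = self.unlock(existing)
        if found is None:
            return False
        if replace:
            del self.slots[found[0]]
        self._add_slot(found[1], new)
        return True

def encrypt(master_key, data):  # nonce || data XOR keystream(master key)
    nonce = os.urandom(12)
    return nonce + _xor(data, _keystream(master_key, nonce, len(data)))
def decrypt(master_key, blob):
    return _xor(blob[12:], _keystream(master_key, blob[:12], len(blob) - 12))
```

Data written before a passphrase change still decrypts with the master key recovered through the new passphrase, which is exactly why a copied passphrase (from a file in dom0 or from a backup) is worth the same as any other keyslot that opens the volume.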