Hello community,
The situation:
I have a large amount of data today in one of my offline AppVMs (500 GB).
The idea:
Move all the data to an encrypted (VeraCrypt or Cryptomator) external NVMe storage.
Attach the external drive to the notebook on every startup (I have no problem if access is slower via USB 3.0).
The “problem”
If I attach the USB NVMe to the notebook every time, the connection is assigned to the sys-usb machine. Other USB drives will also be assigned to this one. I want to avoid the situation where my “secure” drive is attached to the same machine as the “unsecure” USB sticks.
Would it be OK to clone sys-usb and somehow allow my USB NVMe to connect ONLY to the separate sys-usb2, in order to isolate it from other USB devices?
Maybe it is possible to assign one of the 2 USB ports of my T470 to a specific sys-usb ONLY?
With this approach I would always attach my drive to the notebook after startup (directly connected via the separate sys-usb → then the AppVM where I want to work with my data).
Has anyone tried this approach? Are there any big vulnerabilities that have to be considered? (I would attach this USB drive directly to one of the 2 USB ports of my T470. The other port is connected to a USB hub with other USB devices.)
Why this approach?
I like the way Tails OS is designed. Use the HW only for OS purposes and keep your data on separate USB storage (this also makes me more independent of the OS I use).
If I do not need to access my data in the Qubes session today, I can start the notebook without the NVMe attached (I know, a similar approach is to just not let the AppVM start when using QOS). Just a different approach. The main point is how to attach a “trusted and secure” USB device to Qubes and keep it separate from others.
I am just trying different approaches; there is no special purpose behind this. I also want to avoid copying all my content (from backup storage) to the notebook every time after a re-install.
Best regards