I want to use partitions instead of LVM for my secondary block device because it will only be used as storage, not for creating qubes, and I won’t have more than 4 partitions and I know the size of each partition. There will be only a couple hundred GB unused which I will use to resize the other partitions in the future (years from now) as necessary.
I want LUKS on each partition even though it’s not really important to encrypt this data, I think it’s worth it because “why not?”.
I have read how to do this on a Linux distro, but I’m not sure how to do it the best (secure) way in Qubes OS, because it’s very different from other Linux distros: Qubes OS has Xen and VM compartmentalization and everything, which makes it more complicated.
- First I have to create the partition with parted. That’s easy.
- Then it’s time to encrypt with luks, that’s easy too.
- Now is when I am not sure what to do. In a Linux distro you would now luksOpen the partition to get it mapped. After that you can create the ext4 filesystem. But how do you do this in Qubes OS? Should I get it mapped in dom0 with luksOpen and continue to create the filesystem from dom0? Or should I first attach the partition to a qube and then luksOpen and create the fs? If it’s the latter (attach to a qube), then should it be the qube I intend to use this storage partition for? And after I have luksOpened the partition inside the qube, do I still need to also mount the partition as described in How to use block storage devices | Qubes OS after creating the filesystem?
I try to avoid doing things in dom0 whenever possible, so the latter option is better to me. If you only use one qube with this partition, I don’t see any reason not to do everything inside that qube?
I will use 1 partition for qube1, then another partition for qube2.
I have a lot of ideas/guesses about how it’s done, but this is advanced stuff, so I also have a lot of uncertainty about what the best way to do all this is.
The How to use block storage devices | Qubes OS guide says it’s best for security to only attach the partition to the qube. But how do I do that when I haven’t created any partitions yet? Either I have to do it in dom0, or I have to do as you said and attach the entire device to a qube and do everything there. Maybe I can use a disposable minimal qube for that, and after partitioning, encryption and filesystem creation for each partition I can detach them from the disposable and then attach each partition to the different qubes that I intend to use them in as encrypted storage. Does that sound good?
I just realized that I don’t know if you are talking about an internal or external drive. In the first case, I’m not sure how it will work.
Seems quite good. You can use your disposable only to partition, and do the rest in each destination qube.
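An added example, not taken from the thread or from the Qubes documentation, that lays out the sequence discussed above as a small POSIX shell script: dom0 only attaches and detaches block devices, the disposable only partitions, and each destination qube does its own luksFormat, open, mkfs and mount. All names are constructed: the SSD is assumed to show up in dom0 as /dev/nvme1n1, the disposable is called disp-part, the destination qubes qube1 and qube2, and an attached device appears inside a qube as /dev/xvdi (the usual name for the first attached block device). Commands are printed rather than executed unless DRY_RUN=0, so the whole sequence can be reviewed before it touches a real disk.

```shell
#!/bin/sh
# Added example (not the thread's or the Qubes project's own code).
# Assumed/constructed names: dom0 disk nvme1n1, disposable "disp-part",
# destination qubes "qube1"/"qube2", attached device /dev/xvdi in a qube.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 runs it for real.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# --- dom0 ----------------------------------------------------------------
# Hand the whole disk to the disposable, for partitioning only.
dom0_attach_whole_disk() {
    disk="$1"; dispvm="$2"
    run qvm-block attach "$dispvm" "dom0:$disk"
}

# Take the disk back once the partition table is written.
dom0_detach_whole_disk() {
    disk="$1"; dispvm="$2"
    run qvm-block detach "$dispvm" "dom0:$disk"
}

# Attach a single partition (e.g. nvme1n1p1) to the qube that will own it,
# so that qube never sees the other partitions.
dom0_attach_partition() {
    part="$1"; qube="$2"
    run qvm-block attach "$qube" "dom0:$part"
}

# --- inside the disposable, as root -------------------------------------
# GPT label plus two fixed-size partitions; sizes are constructed examples.
disposable_partition() {
    dev="$1"
    run parted -s "$dev" mklabel gpt
    run parted -s "$dev" mkpart qube1 1MiB 500GiB
    run parted -s "$dev" mkpart qube2 500GiB 1000GiB
}

# --- inside the destination qube, as root -------------------------------
# Encrypt the attached partition, open the mapping, and put the filesystem
# on the mapper device. The mount target is /dev/mapper/<name>, never the
# raw /dev/xvdi, which is the answer to "do I still need to mount it".
qube_setup_luks() {
    dev="$1"; name="$2"; mnt="$3"
    run cryptsetup luksFormat --type luks2 "$dev"
    run cryptsetup open "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# Dispatch so the same file can be called from dom0, the disposable or the
# qube with the function name as first argument, e.g.
#   sh setup.sh dom0_attach_whole_disk nvme1n1 disp-part      (dom0)
#   sh setup.sh disposable_partition /dev/xvdi                (disposable)
#   sh setup.sh dom0_detach_whole_disk nvme1n1 disp-part      (dom0)
#   sh setup.sh dom0_attach_partition nvme1n1p1 qube1         (dom0)
#   sh setup.sh qube_setup_luks /dev/xvdi data1 /mnt/data1    (qube1)
if [ "$#" -gt 0 ]; then
    "$@"
fi
```

Running the qube-side step with DRY_RUN=1 first shows that only the mapper device is ever formatted or mounted; once the printed sequence looks right, the same call with DRY_RUN=0 performs it. Keep the disposable's share of the work to partitioning alone, as suggested above, so the LUKS keys are only ever typed into the qube that owns the partition.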
That is a good modification to only create the partitions in the disposable.
What is it that makes you uncertain about whether it’s an internal block device? Because it is internal.
Is it about it being PCIe or USB? It is PCIe in my case, or at least that’s what the specifications of the SSD say. Otherwise I’m not sure what kind of difference there would be between external and internal.
I’m just not sure about how the attachment will work, that’s all.