Hello. I use LUKS encryption.
I want to store all my virtual machines in a container using Veracrypt or Zulucrypt.
My question: Is it possible to get rid of traces of the existence of my virtual machines when the container is encrypted?
Hello. I use LUKS encryption.
Hi @qn00r3, welcome to the Community! Could you clarify what you mean by “store all my virtual machines in a container”? How are you using the containers? Are you running them in dom0 or in VMs? In the latter case, this questions is probably not Qubes-specific, and you should be able to find some information on Veracrypt/Zulucrypt forums.
Also, maybe this issue is relevant:
Hello. I continue to study Qubes OS. Right now I have a few thoughts in my head about implementing containers.
How I imagine it:
- Install Veracrypt/Zulucrypt in dom0.
- Allocate 500 gigabytes of free space on your SSD disk, create a container of 500 gigabytes in size.
- Create new virtual machines and save them in an encrypted container.
Thus, until the password for the container (where my virtual machines are stored) is entered, Qubes OS should not know about the existence of virtual machines in the encrypted container.
At the moment I don’t know if it’s possible to implement everything that I wrote above. I continue to study Qubes OS.
Question: Is it technically possible to implement what I wrote?
If this is possible, which way should I look? What can I read that could help me?
At the moment I found an article that in my opinion can help me, this is:
At the moment, on my second computer I am using Windows OS, I allocated 500 gigabytes of free space and created an encrypted container.
I installed Virtual Box Portable on an encrypted container, and all my virtual machines are stored in the encrypted container, Windows OS does not know about the existence of my virtual machines.
Windows OS does not know that I have Virtual Box installed on my computer.
I want to do the same with Qubes OS. That’s why I came looking for help. Thank you for your time.
Hi. (I wrote the Split Veracrypt online book you linked to. OK it’s not an online book but it was pretty long.)
Based on your description I don’t see how Windows can not know about your Virtual Box installation–you’re running it from a windows session, right? Now it may not be visible to someone looking at your system (even someone who can poke around in the menys) until you decrypt the container it’s on, but I am sure it has left traces in your windows registry.
The good news is you’re in the right place to do it better. There’s no reason you can’t keep your containers inside another container if using veracrypt. (I never did work out how to put virtual machines in an encrypted container, but I believe it’s possible–I’d have to look more at pools and the like.)
If you don’t want dom0 to know about any of this I would not install veracrypt on dom0. I would instead install it on a VM (as I described in the post you linked). (That’s good policy anyway–avoid if at all possible installing things on dom0.) Even then it will still probably show up in dom0 menus and so forth unless you install the command-line version of veracrypt.
I’m not completely sure what you want, but based on what you said (and my hopefully-not-too-far-off-the-mark interpretation of it), I’d think about a VM whose sole function is to mount and decrypt the big container (the one that contains everything else). I’d make that a minimal template with veracrypt (command line) installed. You can write a bash script to mount and decrypt the container (and of course veracrypt will mount the decrypted version of it as well). (The bash script will have to prompt for the password, PIM, etc.) You can then detach and attach the little containers within the big containers to wherever you want them to go–e.g., to a dedicated VM that has libreoffice installed on it. This is the point at which my split veracrypt would step in, decrypting those containers and connecting them to the clients. I don’t know how this would relate to actually storing VMs in the big container though; perhaps it wouldn’t work at all for that in which case please disregard my suggestion.
All these days I read the forum, documentation, re-read and re-read what @SteveC and @fsflover wrote to me
All this is hard for me, I’m not a Linux master, but I understand something. My native language is not English, which adds to the difficulty in learning information.
What conclusion have I come to?
I see that all the people who are in one way or another connected with the development of the Qubes OS are very categorical about encrypted virtual machines, one can only guess what the reason for this is.
But I myself see little point in this, I prefer the idea of an encrypted container and storing all virtual machines on an encrypted container (possibly because I used something similar on Windows for a long time), but then it makes sense to hide all traces on OS Qubes, but as I understand it is not that simple based on this answer:
Comment: One way to do it might be to store them on a hidden encrypted volume, but all traces of their existence outside of the hidden volume would have to be eliminated, which would be very difficult.
Explanation: An error occurred: Sorry, new users can only put 2 links in a post.
At the moment I am considering 2 options in which I can encrypt my data and use the Qubes OS:
2.1. Use an external encrypted SSD disk that I will connect inside a specific virtual machine (most likely a one-time use one), install portable applications on this disk that store data (FTP/SSH/VNC and others). Inspired by this post:
2.2. Implement secondary storage as described in the documentation secondary storage.
I still can’t imagine how everything will work with this option, this comment worries me:
In fact, when I first learned about the existence of the Qubes OS, I was very inspired and bought a new laptop for this operating system, but with each new day, plunging deeper and deeper into the documentation and forum, fear and depression began to permeate me.
For a very long time I could not bring myself to write a message on the forum, apparently I was stalling for time, thinking that I did not understand something or, on the contrary, I understood that this was not at all what it seemed at first glance.
But now I have calmed down, I have the options that I described above, and I will see how they look in implementation.
For my tasks I need:
- Using a browser.
- Using FTP, SSH, VNC, RDP.
- Using various messengers.
- Using an email client.
- Using an IDE for programming.
- Using of programs for reverse engineering.
- Using a graphic editor to process photographs.
- Using crypto wallets.
Perhaps I can use portable versions of some programs that will store confidential data and I can install these programs on an external encrypted drive.
If anyone has any ideas for implementing encryption for my purposes, I would be happy to hear from you.
Thank you for your time.