I’d like to use an m-sata disk on the mini-pci-x bus as my backup disk. I’m assuming the drive is compromised so I’d like for it to have its own sys-pci qube to keep it away from dom 0.
I tried to assign the pci bus and when starting the qube I get the error “Start failed : Internal Error. Non-endpoint PCI devices cannot be assigned to guests.”
As far as I know my PCI bus has no devices, except that storage drive.
Edit: Still trying to figure out the PCI problem above, but this part of the question is solved; leaving it for others.
My chosen solution is manual backups to external drives using rsync, further explored here: sys-PCI storage qube? Error: Non-endpoint PCI devices... And security decrease or increase with appvm secondary storage? - #3 by GateOfRanre
Mostly for timely backup management and restore in the event of dom 0 compromise, I’ve realized it is probably better to keep qubes-os on its own drive or partition, and appvms on their own partition / drive. And rather than using qube backup to help me back up my data qube, I’ll connect a drive weekly to that qube and do a folder to folder backup on a separate drive. Or use rsync once I figure it out to just sync the folders with an external drive.
The problem is I cannot leave my computer on for more than 12 hours. A full qubes backup takes longer than this, but copying folder to folder takes much less.
However I’m curious to know if dom 0 can see its LUKS boot passphrase? If not, then probably adding a secondary storage might be a security decrease if I have to unlock the drive using the same passphrase while logged into qubes. Or if dom 0 is compromised then it would now know my encryption passphrase of the data drive, which would become a target for AEM cloning or theft.
If it’s the case of dom 0 not knowing its passphrase, then it would likely be more secure to just keep my appvms on the same drive and use rsync to a secondary drive if it supports the ability to just mirror partitions, or the linux pools or virtual drives that qubes makes automatically, hopefully syncing in encrypted form without needing me to ever type in a passphrase while booted into qubes is possible?