I have been reading on the forum and I have seen that some other users need something like this but I could not find some clear instructions on how to do this.
There are several reasons why such setup might be useful:
- Setting up a VM that can run only if a USB is attached to the machine will allow the user of the system to bring his laptop in a riskier environment (for example where there is a risk of someone taking the laptop away from him/her while it is unlocked). Simply bringing the laptop but not the USB, this way the sensitive data in the VM running in the USB is protected.
- It could potentially allow for plausible deniability, something that several users asked for. If the VM is running inside of a hidden container and we can set up a vm running in the outer container (maybe with the same name?). Then there is no way to prove the data that the opponent is looking for is even there. This could help in several scenarios but to make one example the user puts a decoy crypto wallet in the outer layer with some crypto and then puts the most in the hidden container. If asked for what is this the user will show only the outer layer and give up only part of his riches.
- We might be able to move a vm from one system to another or even use this as a backup system. An example might be running a vanilla Qubes installation and have all of your VMs into an external SSD. You could use the VMs on any machine that has Qubes OS installed. (You guys will tell me if this makes any sense or is even possible)
My goal is to be able to have a VM running inside of a Veracrypt container that is within a partition of an external disk.
Ideally I would decrypt the veracrypt container using a RAM based qube as in this post Really disposable (RAM based) qubes
I can make the qube always get the same name.
How would I go about doing this?
Thanks for your input, please consider that I am quite a noob and that I am not the only one using Qubes OS. It would be amazing to put together a clear way of doing this so also others could use it.
Disclaimer: I have never used VeraCrypt.
[…] Then there is no way to prove the data that the opponent is looking for is even there.
There could be hints about it though. Running a qube leaves traces in system logs too (in dom0), and the qube name is also in the list of qubes (also persistent info in dom0). So, if you have a qube named my-secrets-for-hacking-the-government, that can be a lead.
Consider also: VeraCrypt - Free Open source disk encryption with strong security for the Paranoid
Thanks, that is great knowledge. Do you think what I want to achieve is too complex?
That depends on what your actual threat model, i.e. what are you trying to protect, from whom, what is the actual risk, etc.
I need to make sure that a VM can be plausibly deniable from government and non government thugs and at the same time persistent.
Without getting into talking of how hard of a duress situation I could get in I see that was discussed a lot before. That would be up to me to judge if ever needed.
You can hide and/or destroy data but I don’t know if you can hide your own knowledge of its existence from thugs ready to duress you. If it comes to that, one becomes one’s own point of failure, which is beyond computers and cryptography.
How can you hide this data on a persistent qube?
If it is just data (e.g. documents), I wouldn’t use a VM but some external storage medium not containing any chips (e.g. magnetic tape, DVD) and keep it in a different physical location (or more than one).
Yes this is the obvious solution and I am already doing this.
What I cannot figure out is how to hide persistent messaging applications, stuff like Signal, Element, Telegram etc…
Thanks for clarifying the XY problem.
When it comes to communication, things are even more complicated. Even if your system is stateless, if you have identified yourself to the other parties, your security is entirely in their hands (as you can’t secure all end points). So, securing your own system might turn out to be an unnecessary exercise.
In case you are anonymous, the likelihood that someone would share something so precious that it is worth hiding is very low anyway. So, again - consider the actual need for this.
If even after all that you see a need to keep a persistent communication history, you can simply mount an encrypted USB drive inside a disposable, using it as (a subdir of) your home dir. Do your messaging, shutdown the disposable, unplug, done. Also, don’t tell anyone about this public thread
Thanks for the opsec advise. It might be useful for someone else reading this.
I am tech illiterate compared to pros like you not dumb =).