Which of these templates is more secure from a disk encryption standpoint? Whonix workstation with
no network access or a hardened Gentoo template (like ClipOS) with no network access?
Can you clarify what your threat model is? Which attack are you trying to prevent?
compromised dom0 with xen-blkback disk r/w access.
Nothing will save you from a compromised dom0. It has full access to everything. However it’s extremely hard to compromise. How would it be done?
Could it be done via encryption libraries within dom0? Because encryption/decryption is still done in dom0 unless the splt-dmcrypt shell script is applied (this should really be a saltstack script).
You have to trust that all code in dom0 is not malicious: Security-critical code | Qubes OS
There is a big community constantly verifying this code, and you can help too.
If it’s buggy though, it’s not that dangerous: Security-critical code | Qubes OS
Encryption library doesn’t parse your data; it treats it just as zeroes and ones, so it doesn’t matter if some of it could be malicious (just like with the copy-paste content and moving files across VMs).
this is dm-crypt you are talking about right?
Yes:
By default, Qubes OS uses LUKS/dm-crypt to encrypt everything except the
/bootpartition.
From the Wikipedia:
The dm-crypt device mapper target resides entirely in kernel space, and is only concerned with encryption of the block device – it does not interpret any data itself.