The purpose of keeping the LUKS header and the boot partition on a separate external disk is deniable encryption: https://en.wikipedia.org/wiki/Deniable_encryption The internal disk carries no partition table, no LUKS header and no filesystem signature, so it looks like an unpartitioned disk full of random data, the same as a disk that has been wiped with random data. Without the external disk there is not even a key slot to attack.
Boot the Qubes OS installer and, once the graphical screen appears, switch to a shell on another TTY by pressing Ctrl+Alt+F2.
Assumptions used below:
/dev/sda - disk where you want to install Qubes OS (it will hold the encrypted volume, without a header)
/dev/sdb - USB disk where you want to put the Qubes OS boot partitions (/boot and /boot/efi)
Find out the right disk names on your machine by running this command in the Qubes OS installer shell and checking the output:
fdisk -l
In this shell run these commands:
dd if=/dev/zero of=header.img bs=16M count=1
cryptsetup luksFormat /dev/sda -c aes-xts-plain64 -h sha512 -s 512 -y -i 10000 --use-random --force-password --header header.img
cryptsetup open --header header.img /dev/sda luks
mkfs.btrfs --csum xxhash -L qubes_dom0 -d single /dev/mapper/luks
Return to the Qubes OS installer GUI by pressing Ctrl+Alt+F6. Configure the installation as normal except for Installation Destination: https://www.qubes-os.org/doc/installation-guide/#installation-summary
At the Installation Destination screen click "Refresh..." in the bottom right corner, press "Disk rescan" in the window that opens, then OK, so the installer sees the Btrfs volume created above.
Under Device Selection choose both disks: /dev/sda (Qubes OS installation destination) and /dev/sdb (boot partition destination).
Under Storage Configuration select "Advanced Custom (Blivet-GUI)". Press Done.
In the "BLIVET GUI PARTITIONING" screen select the "sdb" disk. Delete the old partitions on it if needed.
Add a new partition using the "+" button:
Device type: Partition
Size: 512 MiB
Filesystem: EFI System
Mountpoint: /boot/efi
Press the OK button.
Add a new partition using the "+" button:
Device type: Partition
Size: 1 GiB
Filesystem: ext4
Mountpoint: /boot
Press the OK button.
In the "BLIVET GUI PARTITIONING" screen select the "qubes_dom0" Btrfs volume. Add a new subvolume using the "+" button:
Name: root
Mountpoint: /
Press the OK button.
Press Done in "BLIVET GUI PARTITIONING", then "Accept Changes" in the "SUMMARY OF CHANGES" window. Press "Begin Installation".
After the installation is completed, do not press "Reboot System". Switch to the shell on another TTY by pressing Ctrl+Alt+F2 and run these commands in the installer shell (header.img so far exists only in the installer's in-memory filesystem; the first command copies it into the installed system):
cp header.img /mnt/sysroot/root/
cd /mnt/sysroot
chroot /mnt/sysroot
btrfs subvolume create /swap
btrfs filesystem mkswapfile --size=4g --uuid clear /swap/swapfile
Edit the /etc/fstab file using nano or any other text editor:
nano /etc/fstab
Add the noauto option to the /boot and /boot/efi mounts, so dom0 does not mount them at boot (the USB disk is only needed until the initramfs has unlocked the root volume; later it is used from sys-usb), and add a line for the swap file created above. The entries should look like this:
UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /boot ext4 defaults,discard,noauto 1 2
UUID=XXXX-XXXX /boot/efi vfat umask=0077,shortname=winnt,discard,noauto 0 2
/swap/swapfile none swap defaults,discard=once 0 0
Save the /etc/fstab file.
Edit the /etc/default/grub file using nano or any other text editor:
nano /etc/default/grub
Remove the rd.luks.uuid=XXXXX option from the GRUB_CMDLINE_LINUX variable (the disk carries no LUKS header, so the volume cannot be located by UUID; it is named in /etc/crypttab instead) and add the rd.driver.pre=btrfs option. It should look like this:
GRUB_CMDLINE_LINUX="rd.driver.pre=btrfs plymouth.ignore-serial-consoles 6.7.7-1.qubes.fc37.x86_64 x86_64 rhgb quiet"
Save the /etc/default/grub file.
Create a new /etc/dracut.conf.d/crypt.conf file using nano or any other text editor:
nano /etc/dracut.conf.d/crypt.conf
with this content:
add_dracutmodules+=" crypt "
install_items+=" /root/header.img "
Save the /etc/dracut.conf.d/crypt.conf file. This embeds the header into every initramfs written to the USB /boot partition, which is where the initramfs needs it to unlock the root volume. Keep a backup of header.img somewhere safe: if the USB disk is lost or damaged, the header is the only way to ever unlock the data on /dev/sda.
Find out the ID of your Qubes OS destination disk /dev/sda:
ls -la /dev/disk/by-id/ | grep /sda
The output looks like this:
lrwxrwxrwx 1 root root 9 May 10 20:15 ata-YOUR_DISK_ID -> ../../sda
ata-YOUR_DISK_ID is your disk ID. Using this path instead of /dev/sda keeps the crypttab entry valid if the kernel enumerates the disks in a different order, for example when the USB disk is detected first.
Append the disk ID to the /etc/crypttab file so you don't have to type it by hand (check afterwards that exactly one line was appended):
ls /dev/disk/by-id/ | grep ANY_UNIQUE_PART_OF_YOUR_DISK_ID >> /etc/crypttab
Edit the /etc/crypttab file using nano or any other text editor:
nano /etc/crypttab
Turn the appended line into this entry:
luks /dev/disk/by-id/ata-YOUR_DISK_ID none header=/root/header.img,force,discard
Save the /etc/crypttab file.
Run these commands, still inside the chroot (the final exit leaves the chroot; after that you can return to the installer GUI and reboot):
grub2-mkconfig -o /boot/grub2/grub.cfg
dracut -f --regenerate-all
exit
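The hand edits above (fstab, /etc/default/grub, the dracut drop-in, crypttab) are easy to get subtly wrong, and the mistake only shows up as an unbootable system. The following script is an added example, not part of this guide or of Qubes OS: it applies the same edits with awk, checks the crypttab entry, and, after grub2-mkconfig and dracut have run, verifies that the disk carries no LUKS signature, that header.img is a valid header, that every initramfs on /boot embeds it and that grub.cfg no longer references a LUKS UUID. The variable names ENCRYPTED_DISK and HEADER_IMG and the subcommands apply and verify are this example's own. It also carries a strip_discard helper for the TRIM trade-off discussed at the end of the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: applies the post-install
# edits (fstab, /etc/default/grub, dracut.conf.d) in a repeatable way inside
# the chroot and sanity-checks the result before the first reboot.
# Hypothetical names, adjust to your setup: ENCRYPTED_DISK is the disk
# holding the headerless LUKS volume, HEADER_IMG the detached header copy.
set -eu

ENCRYPTED_DISK="${ENCRYPTED_DISK:-/dev/sda}"
HEADER_IMG="${HEADER_IMG:-/root/header.img}"

# Add "noauto" to the /boot and /boot/efi entries (idempotent, edits in place).
fstab_add_noauto() {
    awk '$1 !~ /^#/ && ($2 == "/boot" || $2 == "/boot/efi") && $4 !~ /(^|,)noauto(,|$)/ {
             $4 = $4 ",noauto"
         }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Rewrite GRUB_CMDLINE_LINUX (assumed double-quoted): drop every
# rd.luks.uuid=... token (a headerless disk has no UUID to find) and prepend
# rd.driver.pre=btrfs if it is missing. Other lines are left untouched.
grub_fix_cmdline() {
    awk '/^GRUB_CMDLINE_LINUX=/ {
             line = $0
             sub(/^GRUB_CMDLINE_LINUX="/, "", line); sub(/"$/, "", line)
             n = split(line, tok, " "); out = ""; have = 0
             for (i = 1; i <= n; i++) {
                 if (tok[i] ~ /^rd\.luks\.uuid=/) continue
                 if (tok[i] == "rd.driver.pre=btrfs") have = 1
                 out = out (out == "" ? "" : " ") tok[i]
             }
             if (!have) out = "rd.driver.pre=btrfs" (out == "" ? "" : " ") out
             print "GRUB_CMDLINE_LINUX=\"" out "\""; next
         }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write the dracut drop-in that pulls the crypt module and the header image
# into every initramfs: write_dracut_conf <conf file> <header path>
write_dracut_conf() {
    printf 'add_dracutmodules+=" crypt "\ninstall_items+=" %s "\n' "$2" > "$1"
}

# Succeed only if crypttab has a "luks" entry that uses a stable
# /dev/disk/by-id path and points at the detached header.
crypttab_check() {
    awk -v hdr="$2" '
        $1 == "luks" && $2 ~ /^\/dev\/disk\/by-id\// && $4 ~ ("(^|,)header=" hdr "(,|$)") { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Remove discard/discard=... from the option field (field 4 in both fstab and
# crypttab) for the TRIM trade-off described at the end of the guide. An
# option list that becomes empty is written as "defaults".
strip_discard() {
    awk '$1 !~ /^#/ && NF >= 4 {
             n = split($4, o, ","); out = ""
             for (i = 1; i <= n; i++) {
                 if (o[i] ~ /^discard(=.*)?$/) continue
                 out = out (out == "" ? "" : ",") o[i]
             }
             $4 = (out == "" ? "defaults" : out)
         }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# After grub2-mkconfig and dracut: the disk must carry no LUKS signature, the
# header image must be a valid header, every initramfs must embed it, and
# grub.cfg must not try to locate the volume by UUID.
verify_install() {
    if cryptsetup isLuks "$ENCRYPTED_DISK"; then
        echo "LUKS header found on $ENCRYPTED_DISK: not a detached-header setup" >&2; return 1
    fi
    cryptsetup luksDump "$HEADER_IMG" > /dev/null || return 1
    for img in /boot/initramfs-*.img; do
        lsinitrd "$img" | grep -q 'root/header.img' || { echo "$img lacks header.img" >&2; return 1; }
    done
    ! grep -q 'rd\.luks\.uuid=' /boot/grub2/grub.cfg
}

case "${1:-}" in
    apply)
        fstab_add_noauto /etc/fstab
        grub_fix_cmdline /etc/default/grub
        write_dracut_conf /etc/dracut.conf.d/crypt.conf "$HEADER_IMG"
        crypttab_check /etc/crypttab "$HEADER_IMG" || { echo "no usable entry in /etc/crypttab" >&2; exit 1; }
        grub2-mkconfig -o /boot/grub2/grub.cfg
        dracut -f --regenerate-all
        ;;
    verify) verify_install ;;
esac
```

Run it inside the chroot after /etc/crypttab has been written, as sh detached-header-postinstall.sh apply (the file name is hypothetical), then sh detached-header-postinstall.sh verify. cryptsetup isLuks failing on the disk is the expected result here: that absence of a header is the whole point of the setup.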
Since /boot and /boot/efi are on the USB disk, that disk must be attached to dom0 during dom0 updates so the kernel, initramfs and GRUB files there get updated. If /boot is not mounted at that moment, the update writes the new kernel and initramfs into the /boot directory of the encrypted root instead, and the USB disk keeps booting the old ones. A disposable sys-usb is the better choice for this setup. To update dom0:
Disconnect all your USB devices.
Restart sys-usb to clear its state.
Connect the USB disk with the Qubes OS /boot partitions.
Run this command in dom0 to mount /boot and /boot/efi, assuming /dev/sda is the name of the USB disk inside sys-usb:
qvm-block attach dom0 sys-usb:sda1 && qvm-block attach dom0 sys-usb:sda2 && sudo mount /boot && sudo mount /boot/efi
Run the dom0 update. When it has finished, unmount and detach in reverse order:
sudo umount /boot/efi /boot && qvm-block d dom0 sys-usb:sda1 && qvm-block d dom0 sys-usb:sda2
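The update procedure above as an added example wrapper, not part of this guide or of Qubes OS: it attaches the two USB partitions, refuses to run the update unless the USB partition is really mounted on /boot, and detaches again from an EXIT trap, so a failed or interrupted update does not leave the disk attached to dom0. sys-usb and the device name sda are taken from the guide's own example; the subcommand run and the variables holding the commands are this example's assumptions, the latter so the control flow can be exercised outside a Qubes system.

```shell
#!/bin/sh
# Added example, not part of the original guide: a dom0 update wrapper that
# attaches the USB /boot disk for the duration of the update only and always
# detaches it again, even when the update fails.
# Hypothetical names, adjust to your setup: the USB disk appears in $USB_QUBE
# as $USB_DISK; its partitions 1 and 2 hold /boot/efi and /boot (the order does
# not matter, fstab mounts them by UUID). The commands are taken from variables
# so they can be replaced by test doubles.
set -eu

USB_QUBE="${USB_QUBE:-sys-usb}"
USB_DISK="${USB_DISK:-sda}"
QVM_BLOCK="${QVM_BLOCK:-qvm-block}"
MOUNT="${MOUNT:-sudo mount}"
UMOUNT="${UMOUNT:-sudo umount}"
MOUNTPOINT="${MOUNTPOINT:-mountpoint -q}"
UPDATE="${UPDATE:-sudo qubes-dom0-update}"

# Attach both partitions to dom0, then mount /boot before /boot/efi (the
# second mount point lives inside the first).
boot_attach() {
    $QVM_BLOCK attach dom0 "$USB_QUBE:${USB_DISK}1"
    $QVM_BLOCK attach dom0 "$USB_QUBE:${USB_DISK}2"
    $MOUNT /boot
    $MOUNT /boot/efi
}

# Undo boot_attach in reverse order. It runs from an EXIT trap, possibly after
# a partial attach, so every step is attempted regardless of earlier failures.
boot_detach() {
    $UMOUNT /boot/efi || true
    $UMOUNT /boot || true
    $QVM_BLOCK detach dom0 "$USB_QUBE:${USB_DISK}2" || true
    $QVM_BLOCK detach dom0 "$USB_QUBE:${USB_DISK}1" || true
}

# The body is a subshell so the EXIT trap fires when the function returns,
# whichever way it returns; "exit" here leaves only the subshell.
dom0_update() (
    trap boot_detach EXIT
    boot_attach || exit 1
    # Refuse to update unless the USB partition is really mounted on /boot:
    # otherwise the new kernel and initramfs would be written to the /boot
    # directory of the encrypted root, which the USB disk never boots from.
    $MOUNTPOINT /boot || { echo "/boot is not a mount point, aborting" >&2; exit 1; }
    $UPDATE "$@"
)

# Usage from a dom0 terminal, after restarting sys-usb and plugging in the
# USB disk:  sh dom0-update-with-boot.sh run   (extra arguments go to the updater)
case "${1:-}" in
    run) shift; dom0_update "$@" ;;
esac
```

The mountpoint check is what protects against the failure mode described above: if qvm-block attach succeeded but the mount did not (wrong partition, fstab UUID mismatch), the update still runs into a plain directory on the encrypted root, and the check makes that a hard error instead of a silent one.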
TRIM is enabled by default: https://forum.qubes-os.org/t/disk-trimming/19054 With discard enabled, the SSD learns which sectors are unused, and trimmed sectors often read back as zeros, so the pattern of used and unused space becomes visible and the disk no longer looks like one filled with random data. That breaks the plausible deniability: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD) If that matters to you, remove the discard option from the /etc/crypttab entry (dm-crypt then drops all discards before they reach the disk, whatever fstab or fstrim request) and from /etc/fstab, at the cost of SSD performance over time.