Install Qubes OS with boot partition and a detached LUKS header on USB revisions

Revision #4

Edited on
2024-11-14
Edited by user
apparatus
```
mount -t proc /proc proc/
mount -t sysfs /sys sys/
mount --rbind /dev dev/
```
Append the disk ID to the `/etc/crypttab` file to not type it by hand there:
```
ls /dev/disk/by-id/ | grep ANY_UNIQUE_PART_OF_YOUR_DISK_ID >> /etc/crypttab
```

Revision #3

Edited on
2024-10-10
Edited by user
apparatus
The purpose of having a detached LUKS header and boot partition on a separate external disk is to achieve deniable encryption:
https://en.wikipedia.org/wiki/Deniable_encryption
The encrypted disk will look like an unused/empty unpartitioned disk.

At this point you can disconnect the USB disk with Qubes OS /boot partition from your machine and continue to use sys-usb with other USB devices as normal.

# NOTE

Since TRIM is enabled by default:
https://forum.qubes-os.org/t/disk-trimming/19054
This could indicate that this disk is not unused and this could break the plausible deniability:
https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD)
So you may want to disable TRIM, but this will reduce the disk performance.

Revision #2

Edited on
2024-06-27
Edited by user
apparatus
```
add_dracutmodules+=" crypt
install_items+=" /root/header.img
add_dracutmodules+=" crypt "
install_items+=" /root/header.img "
```
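
The TRIM note in revision #3 can be checked against `/etc/crypttab`. The following is an added example, not part of the original post: a small shell function that reports, for each crypttab entry, whether the `discard` option is set and whether a detached `header=` is configured. The sample entries and disk IDs are constructed placeholders; it inspects only crypttab options, not other places where discards may be enabled.

```shell
#!/bin/sh
# audit_crypttab FILE
# Prints one line per mapping in a crypttab-format file:
#   <name> discard=<yes|no> header=<detached|attached>
# crypttab fields: name, device, keyfile, comma-separated options.
audit_crypttab() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            discard = "no"; header = "attached"
            n = split($4, opts, ",")         # 4th field holds the options
            for (i = 1; i <= n; i++) {
                if (opts[i] == "discard")  discard = "yes"   # TRIM passed to the disk
                if (opts[i] ~ /^header=/)  header = "detached"
            }
            print $1, "discard=" discard, "header=" header
        }
    ' "$1"
}

# Constructed sample input (placeholder names and disk IDs, not from the guide).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
luks-example /dev/disk/by-id/EXAMPLE-DISK-ID none header=/root/header.img,discard
luks-other   /dev/disk/by-id/EXAMPLE-DISK-2  none header=/root/header.img
EOF

audit_crypttab "$sample"
rm -f "$sample"
```

An entry reported as `discard=yes header=detached` is the combination the note warns about: the header is off-disk, but TRIM activity can still show that the disk is in use.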