Merge branch 'Galland-patch-3'

configuration/secondary-storage.md

@@ -20,7 +20,7 @@ Qubes 4.0 is more flexible than earlier versions about placing different VMs on
 For example, you can keep templates on one disk and AppVMs on another, without messy symlinks.
 
 These steps assume you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and [thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation) (not thin volume) for your HDD.
-See also [this example](https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks) if you would like to create an encrypted LVM pool (but note you can use a single logical volume if preferred, and to use the `-T` option on `lvcreate` to specify it is thin).
+See also [this example](https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks) if you would like to create an encrypted LVM pool (but note you can use a single logical volume if preferred, and to use the `-T` option on `lvcreate` to specify it is thin). You can find the commands for this example applied to Qubes at the bottom of this R4.0 section.
 
 First, collect some information in a dom0 terminal:
 
@@ -50,6 +50,45 @@ For example:
 
 In theory, you can still use file-based disk images ("file" pool driver), but it lacks some features such as you won't be able to do backups without shutting down the qube.
 
+#### Example HDD setup ####
+
+Assuming the secondary hard disk is at /dev/sdb (it will be completely erased), you can set it up for encryption by doing in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot):
+
+    sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb
+    sudo blkid /dev/sdb
+    
+Note the device's UUID (in this example "b209..."), we will use it as its luks name for auto-mounting at boot, by doing:
+
+    sudo nano /etc/crypttab
+
+And adding this line (change both "b209..." for your device's UUID from blkid) to crypttab:
+
+    luks-b20975aa-8318-433d-8508-6c23982c6cde UUID=b20975aa-8318-433d-8508-6c23982c6cde none
+
+Reboot the computer so the new luks device appears at /dev/mapper/luks-b209... and we can then create its pool, by doing this on a dom0 terminal (substitute the b209... UUIDs with yours):
+
+First create the physical volume
+
+    sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde 
+    
+Then create the LVM volume group, we will use for example "qubes" as the <vg_name>:
+
+    sudo vgcreate qubes /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde 
+
+And then use "poolhd0" as the <thin_pool_name> (LVM thin pool name):
+
+    sudo lvcreate -T -n poolhd0 -l +100%FREE qubes
+   
+Finally we will tell Qubes to add a new pool on the just created thin pool
+
+    qvm-pool --add poolhd0_qubes lvm_thin -o volume_group=qubes,thin_pool=poolhd0,revisions_to_keep=2
+
+By default VMs will be created on the main Qubes disk (i.e. a small SSD), to create them on this secondary HDD do the following on a dom0 terminal:
+
+    qvm-create -P poolhd0_qubes --label red unstrusted-hdd
+
+
+
 ### R3.2 ###
 
 In dom0: