Default disk images folder in another (encrypted) partition


I decided I’d dump VirtualBox-Whonix for KVM-Whonix, so I was following the tutorial to perform a clean install when I saw it is highly recommended for the Whonix disks to reside in /var/lib/libvirt/images. That’s a problem for me because I want the disks to be on a Veracrypt-encrypted partition on my HDD, dedicated to Whonix, so that the VMs are visible and accessible only when the partition is mounted/decrypted.

Is creating a symlink, a mountpoint in ~/libvirt pointing to my encrypted partition, a good idea? (I don’t even know what I’m talking about here.) Could Whonix then be run, and in a safe way?
Would XML files, AppArmor and SELinux be okay with that?

There’s that thread, but it confuses me about the thing being feasible and secure or not: “Cannot access storage file” using Veracrypt?

I’m on Ubuntu MATE if that matters.


Good day,

rather than using a link, I’d recommend simply encrypting the entire folder. That should work with no problems.

Have a nice day,



AppArmor protection is a reason to leave the default disk location alone, and also, for better protection, you should do LUKS full disk encryption instead of containers.


Hi and thanks for your answers.
The thing which makes me go with Veracrypt is the ability to hide volumes inside containers. The encryption methods you’re pointing me to might be good and efficient but that’s not what I’m looking for.

So having the same path as default, but not pointing to the same physical location is not a good idea regarding AppArmor then… If this is it then I’ll take your word for it, and thus think I’ll stay on VirtualBox then.


The “hidden volumes” feature and the supposed deniability it gives you is of marginal value IRL. You are either in a jurisdiction that protects against self-incrimination and you can refuse to hand over the password, or you are unfortunate enough to live in a cesspool where refusing to cooperate can get you imprisoned, tortured, killed, in which case you’ve already lost and hidden volumes won’t save you.