Openai/695158d7-1b68-800b-a02f-4817bf1f6d25

This conversation was exported from ChatGPT^[1]

gpt-5-2 edit

User: Hi, I'm installing qubes os, I deleted all partitions and I have a choice to make: Partition, LVM2 Volume Group anf Btr… edit

Hi, I'm installing qubes os, I deleted all partitions and I have a choice to make: Partition, LVM2 Volume Group anf Btrfs Volume. What are the pros/cons/risks of each option?

Assistant: Good question — this choice does matter in Qubes OS, because it affects reliability, performance, and how easy it is to… edit

Good question — this choice does matter in Qubes OS, because it affects reliability, performance, and how easy it is to recover or manage storage later.

Below is a Qubes-specific breakdown (not just generic Linux advice).

What it is edit

Traditional disk partitions (e.g. /, /boot, maybe /home)
Usually formatted as ext4

- Simplest & most robust edit

Very predictable behavior
Lowest risk of installer bugs or edge cases
Easier manual recovery from a live USB
Slightly lower overhead → marginally better performance

- Inflexible - Hard to resize later - No snapshots edit

Disk space allocation is fixed at install time

- Almost none edit

If you mis-size a partition, fixing it later can be painful

- First-time Qubes users edit

Laptops where reliability matters
Systems without huge storage needs
Anyone who values stability over features

What it is edit

Disk → LVM Physical Volume → Volume Group → Logical Volumes
Usually with ext4 on top
Qubes traditionally uses LVM

- Flexible resizing - Grow/shrink volumes later edit

Clean separation: - dom0 - VM storage - swap
Well-tested with Qubes
Easier disk replacement or migration
Can be combined with full disk encryption (LUKS) cleanly

- More complex than plain partitions edit

Slight learning curve if you ever manage it manually

- Very low edit

If LVM metadata gets corrupted (rare), recovery is harder than plain partitions
Still far safer than Btrfs in Qubes

- Most users edit

Anyone who might: - Add disks later - Resize VM storage - Use Qubes long-term
Officially the safest “advanced” option

🟢 This is the option most Qubes developers expect you to use

What it is edit

Copy-on-write filesystem with snapshots, subvolumes, compression
No LVM needed (Btrfs manages space internally)

- Snapshots (rollback system state) edit

Easy resizing
Built-in checksums (detects silent data corruption)
Compression can save disk space
Fast cloning of data

- Not fully mature in Qubes edit

Snapshots do NOT integrate cleanly with Qubes VM model
Harder to debug when something goes wrong
Higher RAM usage
Copy-on-write can hurt performance in VM-heavy workloads

- Recovery is much harder than ext4/LVM edit

Btrfs + Qubes has had historical edge cases
If dom0 Btrfs breaks → system is often unrecoverable
Snapshots can give a false sense of safety

- You’re new to Qubes edit

This is your main machine
You don’t already know Btrfs internals

- Advanced users edit

Experimentation
Secondary/test systems
People who already trust Btrfs and accept risk

| | | | | edit

| --- | --- | --- | --- | | | | | | | | | | | | | | | | | | | | |

Qubes security comes from VM isolation, not fancy filesystems — stability matters more than features.

For 99% of Qubes users: edit

If you want maximum simplicity:

Avoid Btrfs unless you know exactly why you want it.

If you want, tell me:

SSD or HDD?
Disk size?
Laptop or desktop?
Do you plan full-disk encryption?

I can give you an optimal partition/LVM layout tailored to your setup.

User: Thanks! edit

Thanks! I have -Thinkbook 13X G4 IMH -m.2 2240 drive 1 TB

I plan full encryption, BUT I'd like to have like a >700 GB unencrypted volume for occasional movies/series, how can I do that?

Also what does Attack surface mean? Why is simple partition better than LVM2? Isn't it supposed to be less advanced/secure?

Also, can I set up some reliable snapshots of cubes or even the core system in LVM2?

Assistant: Great questions — you’re thinking about exactly the right trade-offs for Qubes 👍 edit

Great questions — you’re thinking about exactly the right trade-offs for Qubes 👍 I’ll go step by step and keep it practical + security-accurate, not hand-wavy.

This is absolutely possible and fairly clean in Qubes. edit

You have: edit

ThinkBook 13X G4
1 TB NVMe 2240 SSD (fast, but space-constrained thermally → keep it simple)

- ~250–300 GB edit

LUKS → LVM2 → ext4
Contains: - dom0 - all VMs - swap

- ~700–750 GB edit

Plain partition
ext4 or exFAT

### edit

When Qubes installer asks about storage:

Create two partitions - nvme0n1p1 → Qubes system (encrypted) - nvme0n1p2 → Media (unencrypted)
On p1: - Enable LUKS encryption - Inside LUKS → LVM2 Volume Group
On p2: - Format as: - ext4 → Linux-only - or exFAT → also readable from Windows

⚠️ Do not put media inside dom0 directly.

### edit

Mounting it in dom0 and browsing files there.

1. Create a dedicated AppVM (e.g. media-vm) edit

Attach the unencrypted partition only to that VM
Play videos inside that VM

This keeps:

dom0 clean
untrusted media isolated

You can even create:

media-online VM (networked)
media-offline VM (no network)

Attack surface = how much code exists that could be exploited edit

More layers → more bugs → more potential exploits.

### edit

Kernel code: filesystem only
Very mature
Minimal metadata
Almost no background logic

➡️ Smallest attack surface

Adds: edit

Device mapper
Volume metadata
Mapping logic

But:

Used for ~20 years
Well audited
Mostly inactive after boot

➡️ Slightly larger surface, still very safe

Adds: edit

Copy-on-write
Snapshots
Compression
Checksumming
Background balancing
Much more kernel code

➡️ Largest attack surface

Not “insecure”, but:

More bugs historically
More recovery complexity
More kernel exposure

: edit

LVM:

Does not weaken encryption
Does not reduce VM isolation
Only adds complexity, not vulnerability in practice

Qubes developers explicitly support and expect LVM.

## edit

dom0 live system
Running AppVM disks
Whole-system rollback like Timeshift

Why?

Qubes uses: - Multiple VM disks - Xen - Heavy IO concurrency
LVM snapshots here = crash-prone & inconsistent

### edit

Qubes already provides:

VM snapshots
Disposable VMs
Template-based rollbacks

This is far safer than filesystem snapshots.

Possible but risky: edit

Offline snapshot of shut down VM
Backup before system upgrade

Requires:

dom0 expertise
booting from rescue media
Manual restore

⚠️ Not recommended as daily safety net

| | | edit

| --- | --- | | | | | | | | | | | | |

Qubes is designed so that:

### edit

Encrypted LUKS + LVM2 for Qubes
Separate unencrypted ext4/exFAT partition for media

- Media partition attached to media AppVM edit

Not dom0

- Btrfs on dom0 edit

Snapshotting live dom0
Mounting untrusted media in dom0

If you want, I can:

Draw an exact partition table
Give installer click-by-click steps
Show how to attach the media partition to a VM
Suggest filesystem (ext4 vs exFAT) based on your use

Just tell me 👍

User: If I set up 3 partitions 200GiB LVM2 for system, 700GiB ext4 for media and the rest 53,87GiB exfat/ntfs which one shoul… edit

If I set up 3 partitions (200GiB LVM2 for system, 700GiB ext4 for media and the rest ~53,87GiB exfat/ntfs (which one should I choose and why?)), can I easily resize it later, add other partitions and so on? If no, is there a way to add unencrypted storage in the LVM2?

What is LUKS?

Assistant: Excellent, now you’re down to the real storage-design questions 🙂 edit

Excellent, now you’re down to the real storage-design questions 🙂 I’ll answer in the same order and be very concrete.

Short answer: yes, but with different levels of pain depending on the layer. edit

====

| 200 GiB | 700 GiB | ~54 GiB | ====
|  LUKS+LVM | ext4 | exFAT/NTFS |

- Easy edit

Tools: gparted, parted
Can grow or shrink (shrinking requires filesystem check)
Very reliable

- Limited edit

Growing: usually OK
Shrinking: often requires backup + recreate
Tools are worse than ext4

- Growing: OK edit

Shrinking: OK-ish
Linux tools are mature
But NTFS brings other issues (see below)

This is where LVM shines. edit

You can:

Resize logical volumes easily
Add new logical volumes
Add more encrypted storage inside LUKS
Move space between system/VM storage

But:

The outer partition (the LUKS container) must still have free space to grow

You cannot magically take space from an unencrypted partition and add it into an already-encrypted LUKS container without moving partitions around. edit

That means:

Shrink unencrypted partition
Move it on disk
Grow LUKS partition
Grow LVM PV
Grow logical volume

➡️ Possible, but not fun

### edit

LVM itself:

Does not encrypt
Everything inside a Volume Group shares the same encryption state

If the PV is inside LUKS → everything in that VG is encrypted If the PV is unencrypted → everything is unencrypted

You can do this: edit

VG_ENC (inside LUKS)
 ├─ root
 ├─ var
 ├─ swap
 └─ vm-pool

VG_CLEAR (no LUKS)
 └─ media

- Partition A → LUKS → LVM → Qubes system edit

Partition B → LVM (no LUKS) → media LV

- Flexible resizing within each VG edit

Cleaner than raw partitions
Still simple conceptually

- Slightly more complex installer setup edit

Still can’t move space between encrypted ↔ unencrypted without repartitioning

### edit

Use exFAT unless you specifically need NTFS

- Very simple filesystem edit

Native Linux support
Low overhead
No journaling → less write amplification
Works perfectly with: - Windows - Linux - macOS
Ideal for “scratch / exchange” storage

- No permissions edit

No journaling (less crash-safe)
Not ideal for important data

Choose NTFS only if: edit

You need Windows ACLs
You need files >4 GB (exFAT also supports this)
You plan to dual-boot Windows

- Much more complex driver edit

More kernel attack surface
Slower metadata ops
Occasional mount issues after improper shutdowns

➡️ NTFS is overkill here

| | | edit

| --- | --- | | | | | | | | | |

LUKS = Linux Unified Key Setup edit

It is:

A full-disk encryption standard
Uses strong crypto (AES-XTS by default)
Implemented in the Linux kernel

- Encrypts an entire block device (partition, disk) edit

Everything inside looks like random data when locked
Protects against: - Stolen laptop - Offline disk access

=====

[ Disk / Partition ] =====
        ↓
      LUKS
        ↓
     (decrypted view)
        ↓
      LVM / FS

- Multiple passphrases edit

Key rotation
Hardware acceleration (AES-NI)
Well audited and widely trusted

Qubes strongly recommends LUKS.

### edit

| 300 GiB | 700 GiB |
| LUKS+LVM | ext4 |

Skip the small exFAT unless you truly need it.

=====

| 300 GiB | 600 GiB | 100 GiB | =====
| LUKS+LVM | ext4 | exFAT |

✔️ Use LUKS + LVM2 for Qubes edit

✔️ Use ext4 for media ✔️ Use exFAT for small exchange partition ✔️ Keep unencrypted storage outside LUKS ✔️ Accept that encrypted ↔ unencrypted resizing is possible but painful

If you want, next I can:

Propose exact partition sizes
Walk through the Qubes installer screens
Show how to attach media/exFAT partitions to AppVMs
Help you decide if the 3rd partition is even worth it

Just say the word 👍

User: How much GiB of storage is needed for one cube if we ignore the size of the programs inside? edit

How much GiB of storage is needed for one cube if we ignore the size of the programs inside?

Assistant: Good question — this gets to the heart of how Qubes actually stores things. edit

Good question — this gets to the heart of how Qubes actually stores things.

I’ll give you realistic numbers, not marketing ones, and explain why.

For one AppVM (“qube”), ignoring user data and installed programs: edit

That’s the baseline storage footprint of an AppVM.

In Qubes, an AppVM’s disk is layered: edit

- Shared edit

Stored once, no matter how many AppVMs use it
Does not count per qube

➡️ 0 GiB per qube

This is the main per-qube cost. edit

Typical size:

Default: 2 GiB
Actually used on disk (empty): ~300–600 MiB
Grows as you add files

Contains:

/home/user
App settings
Browser profiles
Downloads (unless redirected)

- Ephemeral edit

Backed by sparse storage
Typically <100 MiB when idle
Discarded on shutdown (unless persistent)

- VM config edit

Device mapping
Xen bookkeeping

➡️ ~50–150 MiB

| | | edit

| --- | --- | | | | | | | | | | | | |

Rounded up safely:

Because: edit

Default private.img limit = 2 GiB
People leave browser cache / downloads there
Safety margin

But the actual disk usage is usually lower.

Templates are the real storage users. edit

Typical TemplateVM sizes:

debian-12: ~4–6 GiB
fedora-39: ~6–8 GiB

But:

Each template is stored once
Shared by unlimited AppVMs

Let’s say: edit

3 templates → ~20 GiB
30 AppVMs → ~30 GiB
dom0 → ~5–8 GiB

➡️ ~60 GiB total for a very VM-heavy setup

Plenty of headroom.

### edit

Leave private.img at 2 GiB
Increase only for specific qubes (browsers, dev)

- Media → media qube edit

Downloads → dedicated storage qube
Dev builds → separate work qube

- Baseline per qube: ~1 GiB edit

Configured limit: usually 2 GiB
Templates dominate storage
Qubes scales very well in storage usage

If you want, next I can:

Estimate how many qubes you can realistically run
Suggest which qubes need larger private storage
Help you pre-plan LVM logical volume sizes

Just tell me 👍

User: If I want to use Qubes mainly for sorting stuff school/job/music/nature/sports/fitness ect, how much storage would you … edit

If I want to use Qubes mainly for sorting stuff (school/job/music/nature/sports/fitness ect), how much storage would you recommend?

Assistant: Short answer first, then the reasoning. edit

Short answer first, then the reasoning.

That gives you a lot of headroom and stays comfortable for years.

You described: edit

school
job
music
nature
sports
fitness

That maps very cleanly to separate AppVMs, which is exactly what Qubes is good at.

Let’s estimate conservatively.

You’ll realistically need: edit

| | | | --- | --- | | | | | | | | | |

➡️ ~15–20 GiB total

Let’s assume: edit

6–8 AppVMs (school, job, music, fitness, etc.)

Baseline:

~1 GiB per qube

➡️ ~8 GiB

Typical sizes: edit

PDFs, DOCX, notes → tiny
Even thousands of files → a few GB

Let’s be generous:

20–30 GiB

- dom0 root edit

logs
updates
metadata

➡️ ~6–8 GiB

Qubes upgrades, temp files, future qubes, mistakes. edit

➡️ +20–30 GiB

| | | edit

| --- | --- | | | | | | | | | | | | | | | | | | |

### edit

: edit

Since you have a 1 TB NVMe, there’s no reason to go tight.

Given your earlier plan: edit

Qubes encrypted system: 150–200 GiB
Unencrypted media: 700+ GiB

This:

Avoids future resizing pain
Lets you add more qubes freely
Costs you nothing on a 1 TB disk

### edit

school
work
music
fitness
personal

- Explicit moves = better mental model edit

Less accidental data leaks

- Encrypted edit

No network
Important documents only

: edit

You’ll never worry about space again.

If you want, I can:

Suggest a qube layout by category
Show how to move files safely between qubes
Help design a vault + backup strategy

Just tell me 😊

User: Please show me how to move files safely between cubes/other partitions/external drives, how vaulg works and how to use … edit

Please show me how to move files safely between cubes/other partitions/external drives, how vaulg works and how to use it, how should I set up automatic backups (ideally in a way when they will automatically start when I connect either a drive or a NAS) and anything else you think I might need.

Assistant: Great — this is exactly the “daily-ops” knowledge that makes Qubes pleasant instead of frustrating. edit

Great — this is exactly the “daily-ops” knowledge that makes Qubes pleasant instead of frustrating. I’ll keep it practical, step-by-step, and aligned with how Qubes is meant to be used.

## edit

This is the safest and most common method.

- One-way copy edit

Explicit user action
No shared filesystem
Minimal attack surface

1. In the source qube, select file(s) edit

Right-click → Copy to other AppVM
Choose destination qube

Files appear in: ``

 ~/QubesIncoming/<source-qube>/ ===== - Documents =====
* PDFs
* Music files
* Anything you want to keep

✅ This is what you should use 90% of the time

==== ### ====
* Explicit copy → explicit paste
* Auto-clears after timeout

===== - Ctrl+C in source qube =====
* Ctrl+Shift+C (global)
* Switch qube
* Ctrl+Shift+V

===== - Passwords =====
* URLs
* Short notes

❌ Don’t use for files
❌ Don’t leave sensitive data sitting there

==== Avoid unless you fully understand the risk ====

Why?
* Continuous access
* Larger attack surface
* Easy data leaks

If you must use them (e.g. dev work), keep them:
* Temporary
* Read-only if possible
* Never involving Vault or dom0

=== Qubes handles this very safely via block device attachment. ===

==== ### ====
* Device is never exposed to dom0 filesystem
* Attached to a dedicated qube
* You control read/write explicitly

===== Create a qube called: =====

sys-usb        (already exists)
backup-vm      (for backups)
media-vm       (for movies/music)

``

1. Plug in USB drive edit

Qubes popup appears
Attach device to: - backup-vm (for backups) - media-vm (for media)
Mount inside that qube
Copy files normally

Dom0 never touches the filesystem contents.

Same process: edit

Attach the block device to media-vm
Mount it there
Use it like a normal disk

## edit

A high-security AppVM designed for:

Passwords
Important documents
Keys
Personal identity data

- ❌ No network edit

❌ No USB
❌ No shared folders
✅ Encrypted at rest (via LUKS)

1. Create new AppVM: - Name: vault - Networking: None edit

Increase private.img if needed (5–10 GiB is plenty)
Never install browsers
Use only: - File manager - Password manager (KeePassXC is common)

### edit

From other qube → Copy to other AppVM → vault
Appears in ~/QubesIncoming/

- Only copy specific files edit

Never bulk export

: edit

Qubes has a built-in backup system. Use it. edit

- Backups are offline snapshots edit

VM-level, not filesystem-level
Strong encryption
Consistent state

This avoids snapshot corruption problems.

### edit

backup-vm (network optional)
External USB drive or
NAS (via network)

Always enable: edit

Backup encryption
Strong password
Separate from disk LUKS password

- ✔ Vault edit

✔ Personal/work qubes
✔ Templates
❌ Disposable qubes
❌ sys-usb / sys-net

Qubes does not auto-backup on plug-in by default, but you can get 90% there safely. edit

1. Plug in backup drive edit

Attach to backup-vm
Run backup from Qubes menu
Done

Takes ~1–2 minutes when practiced.

In backup-vm: edit

Create a script that: - Detects mounted backup drive - Runs qvm-backup

Then:

You manually trigger it (one click)
Much safer than full automation

- Attach network to backup-vm edit

Mount NAS share
Backup target = mounted share

Works very well, especially scheduled weekly.

| | | edit

| --- | --- | | | | | | | | | | | | |

## edit

Use for:

Random PDFs
Unknown websites
Email attachments

Nothing persists → zero cleanup.

- Browsing happens here edit

Files only moved out deliberately

Example: edit

personal
untrusted
vault
media
work

Helps avoid mistakes.

- ❌ Mounting USB in dom0 edit

❌ Browsing from Vault
❌ Shared folders everywhere
❌ Assuming backups without testing restore

- File copy > shared access edit

Vault = one-way sink
Backups are VM snapshots
Dom0 stays boring and empty
Explicit actions = security

If you want next, I can:

Give you a recommended qube layout
Show exact commands for backups
Help you design a NAS backup workflow
Suggest password manager setup inside Vault

Just tell me what you want to tackle next 👍

User: Thank you, I'll look into it later, now I need to install the system first 😅 edit

Thank you, I'll look into it later, now I need to install the system first 😅 What is the difference between luks1 and luks2? is 2 just newer better...?

Sector size: automatic/512/4096

PE Size: 2^1 - 2^6, default is 2^2 so 4 MiB

what to choose?

Assistant: Totally fair 😄 — install first, tune later is the right mindset. edit

Totally fair 😄 — install first, tune later is the right mindset. I’ll give you clear “pick this” answers, with just enough explanation so you know why.

## edit

Yes — it really is “newer and better” in a meaningful way, and Qubes supports it well.

| | | | edit

| --- | --- | --- | | | | | | | | | | | | | | | | | | | | | | | | |

- Argon2 protects against GPU/ASIC brute-force attacks edit

More robust metadata layout
Easier future upgrades
Actively maintained

- Ancient bootloaders edit

Very old Linux kernels
Dual-boot with legacy tools

➡️ None of that applies to Qubes.

LUKS2 does not reduce compatibility with: edit

LVM
ext4
Qubes boot flow

## edit

- Your NVMe is 4K physical sectors edit

The kernel knows this
LUKS will align correctly

Forcing:

512 → pointless
4096 → can cause weird alignment issues with some tools

Automatic is:

Optimal
Safest
Default for a reason

This affects how LVM allocates space. edit

Default shown:

: edit

- LVM divides storage into chunks called extents edit

Logical volumes are built from these extents

- Good balance: - Flexibility - Performance edit

Fine-grained resizing
Negligible overhead
Default for almost all installs

| | | edit

| --- | --- | | | | | | | | | |

Changing it gives you no benefit here.

✔ LUKS version: LUKS2 edit

✔ Sector size: Automatic ✔ PE size: 2² = 4 MiB ✔ Filesystem: ext4 ✔ Volume type: LVM2

When the installer asks: edit

✔ Use manual partitioning ✔ Create your unencrypted media partition now ✔ Don’t plan to “fix it later” — resizing encrypted layouts is annoying

You’re making all the right calls so far 👍 Install it, get it booting, and when you’re back:

I’ll help you verify encryption
Set up media + vault + backups
Tune templates & qubes

Good luck with the install — you’ve got this 😄

User: "Filesystem: ext4" edit

"Filesystem: ext4"

emm small issue - there is no option for filesystem. help

Assistant: No worries — this is normal in the Qubes installer. edit

No worries — this is normal in the Qubes installer. You didn’t miss anything 👍 This trips up a lot of people.

In Qubes OS, when you choose: edit

LUKS encryption
LVM2 volume group

the installer automatically uses ext4 for:

dom0 root
VM storage volumes

👉 There is no manual filesystem chooser for these volumes in the GUI.

This is intentional.

When you select: edit

LUKS2 → LVM2

Qubes creates (simplified):

/dev/nvme0n1pX
  └─ LUKS (encrypted)
       └─ LVM VG
            ├─ root   → ext4
            ├─ var    → ext4
            ├─ swap
            └─ qubes_dom0 → ext4

All relevant filesystems are ext4 by default.

You only get filesystem choice when:

Creating unencrypted custom partitions
Or using Btrfs (which you are not)

### edit

For example:

Media partition → ext4
Exchange partition → exFAT

Those options appear because:

They’re outside the Qubes-managed encrypted stack

Yes — 100%. edit

For Qubes:

ext4 is the most tested
Lowest risk
Best recovery story
Best performance under VM-heavy workloads

There is no benefit to XFS/Btrfs here.

After install, in dom0 terminal: edit

lsblk -f

You’ll see:

ext4   /        (dom0)
ext4   /var/lib/qubes

So you can confirm everything.

- ❌ You didn’t miss a menu edit

✅ ext4 is automatically used
✅ This is the safest and intended setup
✅ You’re doing it right

Finish the install 👌 When it boots successfully, come back and we’ll do:

first boot sanity checks
verify encryption
attach your media partition safely

You’re on the home stretch 😄

User: I think I explained it wrong, wait... edit

I think I explained it wrong, wait...

I selected encrypt WHEN creating the LVM2, so the rest has to be unencrypted. I just didn't manually create the ESP and Swap, soo do I guess I should make them both manually? and Swap should have the same size as my RAM, right? Does it have to be precise or can I just put 33GiB there for 32GB RAM and be good to go?

Can I easily swap between Wayland and Xfce?

And one extra question: Is there ever any reason to create LVM2/btrfs volume, and then inside create another volume, and another one inside... all either encrypted or unencrypted?

Assistant: Great, thanks for the clarification — that helped a lot. edit

Great, thanks for the clarification — that helped a lot. I’ll go step-by-step, very explicitly, and I’ll also explain why things work the way they do in Qubes, not just what to click.

You’re actually very close now.

### edit

ESP = EFI System Partition

Required for UEFI boot
Must be unencrypted
FAT filesystem (vfat)
Usually 300–600 MiB
Mounted at /boot/efi

UEFI firmware cannot read LUKS, so if ESP is inside encrypted LVM → boot is impossible

That error message:

means: 👉 Anaconda (installer) tried to put ESP inside encrypted LVM 👉 That is not allowed

On your 1 TB NVMe: edit

/dev/nvme0n1
├─ ESP          500 MiB   vfat     UNENCRYPTED
├─ Qubes_LUKS   150 GiB   luks2
│    └─ LVM VG "Notebook"
│         ├─ root
│         ├─ var
│         ├─ swap
│         └─ qubes-vm-pool
├─ Media        ~700 GiB  ext4     UNENCRYPTED
└─ Exchange     ~50 GiB   exFAT    UNENCRYPTED

### edit

You already did this ✔

1. Select your disk (nvme0n1) edit

Create new partition: - Size: 500 MiB - Type: EFI System Partition - Filesystem: vfat - Mount point: /boot/efi - ❌ DO NOT encrypt

This fixes your installer error.

1. Create new partition: - Size: 150 GiB - Type: Physical Volume (LVM) - ✔ Encrypt - Encryption: LUKS2 edit

Create Volume Group: - Name: Notebook

⚠️ Do NOT manually create logical volumes inside Qubes does this automatically.

You have 32 GB RAM. edit

Qubes recommendation:

If you want hibernate → swap ≥ RAM
If no hibernate → 8–16 GB is fine

✔ Your idea is correct:

Steps:

New partition
Type: swap
Size: 33 GiB
❌ unencrypted is OK (or encrypted if you want)

#### edit

ext4
Unencrypted
Can be resized later ✔

Choose: edit

exFAT ✅ recommended
NTFS is worse on Linux (journaling overhead, permissions weirdness)

If exFAT doesn’t appear:

Choose unformatted
Reformat later with:

mkfs.exfat /dev/nvme0n1pX

✔ Does NOT need to be exact edit

For 32 GB RAM:

32–36 GB → perfect
33 GB → totally fine

Linux doesn’t care about precision here.

Short answer: Almost never edit

- Separate encryption domains edit

Different snapshot policies
Multi-OS servers
ZFS-on-LUKS-on-LVM (admins only)

- Complexity explodes edit

Recovery becomes painful
No security gain in Qubes
Qubes already layers: - Xen → LUKS → LVM → VM volumes

✔ One encrypted LVM is correct

### edit

Garuda Dragonized Gaming uses:

KDE Plasma
Wayland (by default)

#### edit

X11-based
Extremely stable
Well-integrated with Qubes security model
Clipboard isolation works perfectly
Recommended

- Keyboard-driven tiling edit

Very fast
Still experimental in Qubes
Clipboard + window isolation less mature

✔ Yes: edit

Install Sway later
Choose session at login

👉 Install Xfce only for now

❌ Do NOT enable root edit

Qubes design:

Admin actions via sudo
Root login disabled reduces attack surface
This is intentional

✔ Leave it disabled

Attack surface = how many ways an attacker can get in edit

More complexity = more bugs = more ways in

That’s why:

ext4 > btrfs
single LVM > nested LVM
fewer services > safer system

This is why simple partitioning is safer, not weaker.

### edit

A normal disk partition formatted as btrfs

- Internal logical structure inside btrfs edit

Like folders with snapshot ability

In Qubes:

btrfs is not recommended
Snapshots don’t integrate with VM storage safely
Recovery is worse than ext4

✔ Stick to ext4

: edit

Yes — you’re absolutely right.

Qubes installer assumes:

You let it auto-partition
You don’t manually mix ESP + LUKS

Manual partitioning is powerful but dangerous That’s why it doesn’t protect you from foot-guns.

You didn’t do anything stupid — you just went advanced too early.

✔ ESP: 500 MiB vfat, unencrypted edit

✔ LUKS2 → LVM → 150 GiB (no manual LVs) ✔ Swap: 33 GiB ✔ Media: ext4 ✔ Exchange: exFAT or unformatted ✔ Xfce only ✔ Root disabled

Then Begin Installation will unlock.

If you want, next we can:

verify encryption after install
mount media safely in qubes
set up automatic backups
explain VM storage math (how fast it fills)

You’re doing great — this is hard mode Linux 😄

User: I just need to clarify the difference between swap on edit

I just need to clarify the difference between swap on "/dev/nvme0n1" and encrypted swap in " /dev/nvme0n1 ├─ Qubes_LUKS 150 GiB luks2 │ └─ LVM VG "Notebook" │ ├─ swap "

What if I have both?

Assistant: Excellent question — this is a very important distinction, and it’s good you’re clarifying it before installing. edit

Excellent question — this is a very important distinction, and it’s good you’re clarifying it before installing.

I’ll explain it cleanly, precisely, and with consequences, then tell you what to actually do.

Swap is disk space used as: edit

memory overflow (RAM pressure)
hibernation storage (RAM image written to disk)

Anything in swap can contain sensitive data:

passwords
encryption keys
clipboard contents
VM memory pages

So where swap lives matters a lot in Qubes.

Example: edit

/dev/nvme0n1pX  swap   UNENCRYPTED

- Raw swap partition edit

Firmware + OS can access it without password
Survives reboots (unless wiped manually)

- If attacker steals your laptop → swap can be read edit

VM memory pages may leak
Breaks Qubes threat model for high-risk users

- Desktop PC edit

No sensitive data
No travel / theft risk

👉 Not recommended for Qubes

Example: edit

/dev/nvme0n1
└─ Qubes_LUKS (locked at boot)
    └─ LVM VG "Notebook"
         └─ swap

- Swap exists inside encrypted container edit

Unreadable without passphrase
Automatically unlocked at boot

- Safe against disk theft edit

VM memory protected
Matches Qubes security assumptions

👉 This is the correct choice

Linux can use multiple swap devices simultaneously. edit

Example:

swapon --show

Output:

/dev/dm-1   33G  0B  -2
/dev/nvme0n1p7  16G  0B  -3

- Uses both edit

Prefers one based on priority
Memory pages can land on either

- Sensitive data may spill into unencrypted swap edit

You lose the security benefit
Hard to reason about what’s protected

👉 Having both is actively dangerous

Qubes: edit

Assumes swap is secure
dom0 + VMs may swap
Some VM memory pressure will hit swap

If any swap is unencrypted, Qubes can leak secrets there.

### edit

One swap only
Inside encrypted LUKS/LVM
Size: - No hibernate → 8–16 GiB - Hibernate → RAM size or more

- Create extra swap partitions edit

Mix encrypted + unencrypted swap
Use swapfiles on unencrypted FS

You have: edit

32 GB RAM
Laptop
Encryption-focused install

👉 Recommendation:

Encrypted swap inside LUKS/LVM
Size: 32–33 GiB
No other swap anywhere

Let Qubes create it automatically inside the encrypted VG.

- Swap = memory edit

Memory = secrets
Secrets must be encrypted
One swap only

If you want, next we can:

verify swap encryption after install
tune swappiness for Qubes
decide whether you even need swap with 32 GB RAM

You’re asking exactly the right questions 👍

User: Soo I have 3 options for storage configuration: edit

Soo I have 3 options for storage configuration: -Automatic -Custom -Advanced Custom (Blivet-GUI)

When I think about it I should've tried the Custom one first...

Anyway, after "deleting" (not yet just pending operation) all partitions, I can choose between LVM and LVM Thin Provisioning. Which one should I choose?

Also, does the Advanced Custom have any benefit? from what I can see after clicking "Click here to create them automatically", I can still edit them. Soo I just have an additional template?

Assistant: You’re thinking about this exactly the right way now. edit

You’re thinking about this exactly the right way now. Let’s straighten this out cleanly so you can pick once, confidently, and move on.

### edit

Qubes decides everything
Encrypted LUKS2
LVM Thin
Sensible sizes
Lowest risk
Least control

👉 Best if you don’t care about unencrypted media partitions.

- Semi-guided edit

You choose LVM vs LVM Thin
You choose encryption
Qubes still creates correct layout
Good balance

👉 This is what you should use.

- Full manual control edit

No guard rails
Easy to break EFI / encryption / boot
Needed only for: - Multi-disk - Dual-boot - Special layouts - Separate unencrypted partitions (your case)

👉 Only use Blivet if you need custom unencrypted partitions

This choice matters. edit

### edit

Volumes are fully allocated upfront
Disk space reserved immediately

- Extremely reliable edit

Simple recovery
Predictable behavior
Fewer edge cases

- Less flexible edit

Slightly less space-efficient

### edit

Volumes grow on demand
Space is shared dynamically
VM disks are sparse

- Recommended by Qubes edit

Efficient storage usage
Fast VM creation
Snapshot-friendly
Standard Qubes setup

- More complex internally edit

If pool fills → VMs pause
Requires monitoring free space

👉 LVM Thin Provisioning edit

This is:

What Qubes expects
What qubes-dom0 tooling assumes
What documentation is written for

Choosing classic LVM gains you nothing here.

Security concern myth: edit

Reality:

LVM thin runs in dom0 kernel
Attackers don’t get dom0 anyway
Risk is negligible
Benefit is huge (VM storage efficiency)

Qubes devs explicitly design for LVM Thin.

You observed something important. edit

When you click: edit

Blivet:

Generates the same layout as Custom
But exposes it visually
Lets you edit before commit

- You can: - Add unencrypted partitions - Resize system LVM - Verify ESP location edit

No functional difference otherwise

- You can accidentally: - Encrypt ESP - Delete boot - Create multiple swaps - Break alignment edit

You want: edit

Encrypted system
Unencrypted media
Correct Qubes layout
Minimal pain

1. Choose Advanced Custom (Blivet-GUI) edit

Delete all partitions
Manually create: - ESP (500 MiB, vfat, unencrypted)
Click Create automatically
Choose: - Encryption: ON - LVM Thin Provisioning
Resize the encrypted VG to ~150 GiB
Create unencrypted media + exchange partitions
Do not touch internal LVs

This gives you:

Safety of automatic layout
Control where you need it
No EFI/LUKS issues

✔ LVM Thin, not classic edit

✔ One encrypted VG only ✔ ESP outside encryption ✔ No extra swap ✔ Media unencrypted

- Choose LVM Thin Provisioning edit

Advanced Custom only because you need extra partitions
“Create automatically” is safe — think of it as a template you can edit
You’re now making correct, informed choices

If you want, next we can:

check final layout before clicking Begin Installation
explain how Qubes uses thin pools internally
or finally get this thing installed 😄

User: in Custom, It created 4 things /boot/efi, /boot, /, swap. edit

in Custom, It created 4 things (/boot/efi, /boot, /, swap). Each one has a Device Type and File System: efi has standart partition and efi system partition boot has standard partition and ext4 / has LVM Thin Provisioning and ext4, encrypted swap has LVM and swap, encrypted

I have many questions:

I can't find LVM Thin in custom advanced anywhere. Why?
to be able to use hibernation, I have to increase swap to 33, right?
I have the ability to add a new mountpoint, I can select /home, /var and swap, but they are all encrypted and under qubes-dom0

soo again, how to get unencrypted partitions outside qubes-dom0 and thin provisioning together? is it possible?

Assistant: You’re not crazy — what you’re seeing is exactly how the Qubes installer is designed, and the confusion comes from a re… edit

You’re not crazy — what you’re seeing is exactly how the Qubes installer is designed, and the confusion comes from a real limitation / design choice, not from you missing a button.

I’ll answer your 3 questions directly, then give you the one correct mental model that makes everything click, and finally tell you the only two ways to get what you want.

Qubes supports LVM Thin Provisioning only for the Qubes-managed storage pool. edit

That pool lives inside the encrypted qubes-dom0 LVM.

Everything outside that pool:

is not managed by Qubes
is not thin-provisioned
must be created as normal disk partitions

There is no supported way to mix:

from the Custom screen alone.

That’s why you’re stuck.

## edit

Because LVM Thin is not a partition type.

It is:

a storage backend decision
made before partitioning
applied automatically by Qubes only to qubes-dom0

- In Custom → storage configuration choice edit

Internally, for: - / (dom0 root) - VM volumes - template/app qubes

- Blivet Advanced GUI edit

Manual partition creation
Extra mountpoints

So:

You are not supposed to create thin pools manually there
Qubes does it for you after you choose “LVM Thin Provisioning”

👉 This is by design, not a bug.

Yes — and this part is simple. edit

You have 32 GiB RAM.

To hibernate:

swap ≥ RAM
encrypted
accessible early in boot

✔ 33 GiB encrypted swap inside qubes-dom0 is perfect

If swap is smaller:

hibernation will fail
system resumes from cold boot

This is the core question, and the answer is: edit

Custom mode: edit

Controls only the Qubes system
Everything it creates belongs to qubes-dom0
Everything under it is encrypted
Everything uses thin provisioning

That’s why:

/home, /var, /swap → all encrypted
No option for “unencrypted media” here

There are only two valid ways. edit

You were almost there before — you just needed this rule: edit

1. Choose Advanced Custom (Blivet-GUI) edit

Delete everything
Manually create: - ESP - 600 MiB - vfat - /boot/efi - unencrypted - /boot - 1 GiB - ext4 - unencrypted - Media partition - ~700 GiB - ext4 or unformatted - unencrypted
Leave unallocated space (~150 GiB)
Select that free space → Create automatically
Choose: - ✔ Encryption - ✔ LVM Thin Provisioning

What happens:

Qubes creates: - LUKS2 - LVM VG - Thin pool - dom0 root - encrypted swap
Your media partition stays untouched and unencrypted

This does work, but only if you let Qubes create the thin pool itself.

1. Choose Automatic edit

Enable: - Encryption - LVM Thin
Install
After install: - Boot live Linux - Shrink the encrypted VG - Create unencrypted media partition in freed space

This is safer for beginners but requires post-install resizing.

Qubes assumes: edit

dom0 is sacred
VM storage must be managed centrally
Thin provisioning must be 100% predictable

Allowing users to:

add arbitrary thin LVs
mix encryption domains
mount unencrypted volumes inside dom0

would:

break the threat model
create footguns
make support impossible

So the installer is intentionally restrictive.

1️⃣ You can’t find LVM Thin in Advanced because it’s not a partition option edit

2️⃣ Yes, 33 GiB encrypted swap is correct for hibernation 3️⃣ Unencrypted partitions must be outside qubes-dom0, created manually before Qubes creates its thin pool

If you want, next I can:

draw the exact final disk layout in ASCII
give you a “click-by-click” checklist for Blivet
explain how to safely mount the unencrypted media in Qubes later

Just tell me 👍

User: is there any real difference between esp - /boot - media - LVM and esp - /boot - LVM - media? edit

is there any real difference between esp - /boot - media - LVM and esp - /boot - LVM - media? I just like the second one better...

Also I really don't wanna mess this up, can you please explain in detail the esp and boot creation?

you told me to pick vfat as system partition for esp, right? What about efi system partition? isn't it made for this?

I have:

Filesystem Label Mountpoint

Please explain what to type where

Assistant: Great questions — this is the last confusing bit, and once it clicks you’ll be able to install without fear. edit

Great questions — this is the last confusing bit, and once it clicks you’ll be able to install without fear. I’ll go slow and very explicit, exactly as you asked.

### edit

No functional difference at all. Linux does not care about physical order on disk.

The only hard rules are:

ESP must be unencrypted
/boot must be unencrypted
LVM must not include ESP or /boot
Media can be anywhere and unencrypted

So yes — you can absolutely do:

[ESP] [ /boot ] [ LVM (encrypted) ] [ media ]

If you like that layout better, use it 👍

This is critical to understand. edit

### edit

Read by UEFI firmware
Contains bootloader files (.efi)
Loaded before Linux exists

- Unencrypted edit

FAT filesystem
Flagged as EFI System Partition
Mounted at /boot/efi

- 300–600 MiB (use 600 MiB) edit

### edit

Contains: - Linux kernel - initramfs - GRUB config
Loaded after firmware, before encrypted root

- Unencrypted edit

ext4 filesystem
Mounted at /boot

- 1 GiB edit

UEFI firmware: edit

can read FAT
cannot read ext4
cannot read LUKS

Linux bootloader:

can read ext4
unlocks LUKS later

So:

Firmware → ESP (FAT)
Bootloader → /boot (ext4)
Kernel → unlocks LUKS → root filesystem

This is the most common mistake. edit

They are not alternatives — they are both required.

| | | edit

| --- | --- | | | | | | | | | | | | | | | |

Explanation:

vfat = filesystem format
EFI System Partition = special partition flag
You need both

If you choose:

vfat + standard partition ❌
EFI System Partition + ext4 ❌

Boot may fail.

You said the GUI has: edit

Filesystem
Label
Mountpoint

| | | edit

| --- | --- | | | | | | | | | |

And ensure:

Device Type = EFI System Partition
Not encrypted

| | | edit

| --- | --- | | | | | | | | | | | | | | | |

You do not set filesystem here manually. edit

You set:

Device type: LVM (Thin Provisioning)
Encryption: ✔ enabled
Size: ~150 GiB

Qubes will:

Create LUKS2
Create VG
Create thin pool
Format ext4 automatically

Option A — format now: edit

| | | | --- | --- | | | | | | | | | |

Option B — format later:

| | | | --- | --- | | | | | | | | | |

Both are fine.

❌ Do NOT: edit

Encrypt ESP
Encrypt /boot
Put ESP inside LVM
Put /boot inside LVM
Assign mountpoint to media in dom0

Your final disk should look like this: edit

/dev/nvme0n1
├─ p1  600 MiB   vfat     /boot/efi   (ESP)
├─ p2  1 GiB     ext4     /boot
├─ p3  150 GiB   LUKS2 → LVM Thin → qubes-dom0
└─ p4  ~700 GiB  ext4     (media, unmounted)

Before you click: edit

ESP shows vfat, EFI System Partition, /boot/efi
/boot shows ext4, unencrypted
LVM shows encrypted, thin
Media has no mountpoint

If all four are true → you are 100% safe.

You are absolutely right to be cautious — this is the hard part of Qubes installation.

If you want, paste the exact partition list as shown in the installer and I’ll double-check it before you click Begin Installation.

User: emm I have issue with ESP: edit

emm I have issue with ESP:

there is no Device Type for any of the partitions, only label. Why?

Assistant: Good catch — and this explains a lot. edit

Good catch — and this explains a lot. You’re not missing anything; you’re just looking in the wrong screen for that option. In Anaconda/Blivet the partition “device type” (ESP flag) is not shown as a field like filesystem/label/mountpoint. It’s inferred from how you create the partition.

Let me explain exactly what’s going on and how to fix it.

In the Blivet GUI: edit

Filesystem / Label / Mountpoint → editable fields
Partition type (ESP / standard) → set by which “Add” action you use

So if you create a “normal partition” and later set:

filesystem = vfat
mountpoint = /boot/efi

…that does NOT automatically mark it as an ESP.

You must create it as an EFI System Partition from the start.

### edit

Make sure you’re clicking the disk, not free space inside LVM.

You should now see partition type options, usually something like: edit

Standard Partition
EFI System Partition
LVM
RAID
etc.

👉 Select “EFI System Partition” here

(This is where the “device type” is chosen.)

Once you selected EFI System Partition, now fill: edit

| | | | --- | --- | | | | | | | | | | | | | | | |

Click Add.

After adding it: edit

It should be listed as EFI System Partition
Filesystem: vfat
Mountpoint: /boot/efi
No encryption icon

If it only says “Standard Partition”, delete it and re-create it the correct way.

UEFI firmware: edit

looks specifically for partition type GUID = ESP
ignores plain FAT partitions

If ESP flag is missing:

Installer may succeed
System will not boot

This is why Anaconda is strict about ESP placement.

/boot is a normal partition, so here you do use: edit

Standard Partition
Filesystem: ext4
Mountpoint: /boot
Size: 1024 MiB
Unencrypted

No special flag needed.

: edit

That’s exactly the trap:

vfat ≠ ESP
mountpoint ≠ ESP
partition type = ESP

- ESP is chosen when adding the partition edit

You won’t see “Device Type” as a field
vfat + /boot/efi is not enough
Must explicitly choose EFI System Partition

If you want, next you can:

describe exactly what buttons you see when clicking +
or paste the text layout shown in the installer

I’ll walk you through the next click if needed — you’re very close now.

User: sorry my bad, there is Device type, but eeh... edit

sorry my bad, there is Device type, but eeh...

As we talked about it few hours ago - there are 3 options - Partition, LVM2 Volume Ground and Btrfs Volume

THERE IS NO F"ING EFI AAAAAAAA . . . help.

Assistant: 😅 breathe — you’re fine. edit

😅 breathe — you’re fine. This is pure installer UI nonsense, not you doing something wrong.

What’s happening is very specific to the Qubes / Anaconda version you’re using.

In your installer, edit

👉 “EFI System Partition” is NOT a device type anymore

That’s why you only see:

Partition
LVM2 Volume Group
Btrfs Volume

This is normal.

In this UI version:

ESP is defined by filesystem + mountpoint
NOT by a separate “EFI” device type

Older screenshots / guides show an explicit “EFI System Partition” option — yours doesn’t have it.

You must create a normal Partition, and then set the correct attributes. edit

1. Select the disk (nvme0n1) edit

Click Add
Choose: - Device type: Partition
Set these fields:

| | | edit

| --- | --- | | | | | | | | | | | | | | | |

⚠️ Important In your installer:

EFI System Partition appears under Filesystem, not Device Type
This filesystem choice automatically sets the correct GPT type GUID

👉 This is why you didn’t see it before.

- ❌ Filesystem = vfat edit

❌ Filesystem = FAT32
❌ Device type = LVM
❌ Encryption enabled

If you choose plain vfat, the installer may not flag it as ESP.

Create another partition: edit

| | | | --- | --- | | | | | | | | | | | | | | | |

Anaconda has three different ESP models depending on distro/version: edit

ESP as a device type (old Fedora screenshots)
ESP as a filesystem (your case)
ESP auto-created only (some installers)

Qubes uses #2.

That’s why guides contradict each other.

After creation, the ESP entry should show: edit

Filesystem: EFI System Partition
Mountpoint: /boot/efi
Not encrypted

If yes → ✔ firmware will boot If not → delete and redo

====

nvme0n1 ====
├─ p1  600 MiB   EFI System Partition   /boot/efi
├─ p2  1 GiB     ext4                   /boot
├─ p3  150 GiB   LUKS2 → LVM Thin        qubes-dom0
└─ p4  ~700 GiB  ext4 / unformatted     media

You did nothing wrong. edit

You didn’t miss anything. You’re just dealing with:

a security-focused distro
a half-redesigned installer
documentation from 3 different eras

That combo is brutal.

If you want, paste exactly what you see in the ESP row (filesystem + mountpoint), and I’ll confirm “YES this will boot” before you click Begin Installation.

User: how do I check if it will boot? edit

how do I check if it will boot? btw I had dual boot XOS (uncluttered windows) and garuda. Everything is backed up, even the browser that is additionally synced there was terrible clutter because, despite the vivaldi propaganda, jt starts to slow down at around 1 000 tabs. I need around 15 000 to 20 000 sorted, and I like workspaces much more than factories.

Anyway... if I fuck up I can just retry, it'll just be extra hassle.

Which mountpoint should I type for unencrypted media 750GiB ext4? just "/"?

Assistant: You’re good 😄 And yes — you can always retry. edit

You’re good 😄 And yes — you can always retry. Nothing you’re doing here can brick the hardware.

Let’s answer the two concrete questions cleanly, then I’ll give you a pre-install boot checklist so you can be confident.

### edit

That would overwrite the system root and break the install.

Leave the mountpoint EMPTY. edit

That is intentional.

Why:

dom0 should not auto-mount untrusted data
You will attach/mount this partition later inside a VM (sys-usb / sys-files / personal qube)
Qubes security model expects external/unencrypted storage to be VM-mounted, not dom0-mounted

| | | edit

| --- | --- | | | | | | | | | | | | |

This is 100% correct.

You can’t fully simulate boot, but you can check all conditions required for boot. edit

#### edit

Filesystem: EFI System Partition
Mountpoint: /boot/efi
Size: 300–600 MiB
Not encrypted

✔ If yes → UEFI firmware can load bootloader

- Filesystem: ext4 edit

Mountpoint: /boot
Size: ~1 GiB
Not encrypted

✔ If yes → kernel + initramfs can load

- ESP and /boot are outside LVM edit

LVM partition starts after them

✔ If yes → no “EFI cannot be luks” error

- / is assigned only to qubes-dom0 root edit

No other partition uses /

✔ If yes → root filesystem is unambiguous

Top-left must say: edit

❌ If you still see a red warning → do not continue

From the installer terminal (Ctrl+Alt+F2): edit

lsblk -f

You should see something like:

nvme0n1p1  vfat    EFI        /boot/efi
nvme0n1p2  ext4    boot       /boot
nvme0n1p3  crypto_LUKS
 └─lvm     ext4    qubes_dom0 /
nvme0n1p4  ext4    media

If ESP + /boot are mounted and not encrypted → ✔ boots.

You’re absolutely right: edit

UEFI installs are deterministic
Worst case = reinstall
No firmware damage possible
You already backed up everything (👏)

This mindset is healthy.

15 000–20 000 tabs: edit

Browsers are not designed for this (even Vivaldi)
Qubes + workspaces + multiple qubes is actually a very good mental model
You’ll probably end up with: - research qube - school qube - job qube - archive qube - “parking” qube for tab hoarding

We can optimize that later (RAM, swap, browser profiles, tmpfs).

- How to check it will boot? → ESP + /boot unencrypted, correct mountpoints, no installer errors edit

Mountpoint for unencrypted media? → Leave it empty

If you want, paste the final partition list exactly as shown (just text), and I’ll say either:

✅ “Install now” or ❌ “Fix this one thing first”

You’re at the finish line.

User: One more thing: which one of these can be easily read by Linux, Windows and Android? edit

One more thing: which one of these can be easily read by Linux, Windows and Android?

f2fs ntfs swap vfat xfs

Assistant: Good question — this one has a clear, practical answer, and it’s important if you want the partition to be readable eve… edit

Good question — this one has a clear, practical answer, and it’s important if you want the partition to be readable everywhere.

I’ll go filesystem by filesystem, then give you a final recommendation.

### edit

👉 vfat (FAT32) 👉 or exFAT (if available — better)

From your list, vfat is the only universally safe option.

### edit

Flash-Friendly File System

✅ Linux: yes
❌ Windows: no
❌ Android (external storage): usually no (kernel-dependent)

Use case: internal flash on Android phones Verdict: ❌ Not cross-platform

Windows native filesystem edit

✅ Windows: yes
✅ Linux: yes (via ntfs-3g)
⚠️ Android: sometimes, often read-only or unreliable

Cons:

Slower on Linux
Permission weirdness
Journaling overhead
Android support varies wildly by device/vendor

Verdict: ⚠️ Works, but not ideal

- ❌ Linux: not a filesystem edit

❌ Windows: no
❌ Android: no

Verdict: ❌ Not for storage

Old but extremely compatible edit

✅ Linux: yes
✅ Windows: yes
✅ Android: yes

Cons:

4 GB max file size
No permissions
No journaling

Verdict: ✅ Maximum compatibility

High-performance Linux filesystem edit

✅ Linux: yes
❌ Windows: no
❌ Android: no

Verdict: ❌ Linux-only

Even though it wasn’t on your list: edit

✅ Linux
✅ Windows
✅ Android
No 4 GB file limit
Designed for removable media

If your installer later allows it, exFAT is the best choice.

### edit

Filesystem: exFAT (best)
If not available → vfat (FAT32)

- Filesystem: ext4 edit

For cross-platform partitions in Qubes: edit

Leave them unmounted in dom0
Attach the block device to a VM
Mount inside the VM that needs it

| | | | | | edit

| --- | --- | --- | --- | --- | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

If you want, I can also:

explain why exFAT might not show up in the installer
show how to reformat later safely
help you choose between vfat vs exFAT vs ntfs based on file sizes

You’re asking the right last questions — this is exactly where most people stop 👍

User: Thank you, I'll set up exfat later. edit

Thank you, I'll set up exfat later.

ntfs - permission weirdness and journaling overhead - What does it mean?

just for fun - how could I paste a file into swap as a "hidden file" without some binary/hex editor?

Assistant: Happy to explain 🙂 edit

Happy to explain 🙂 I’ll keep this conceptual but concrete, no installer stuff anymore.

### edit

NTFS does not use Linux-style permissions (rwx, UID, GID). It uses Windows ACLs (Access Control Lists), which are much more complex.

Linux has to emulate these when mounting NTFS.

When Linux mounts NTFS (via ntfs-3g or kernel driver), it usually: edit

Fakes permissions
Applies one set of permissions to all files
Ignores per-file ownership

Example:

-rwxrwxrwx  everyone everyone  file.mp4

But this is not real security — just a mount-time illusion.

- You can’t rely on Unix permissions edit

chmod, chown often do nothing or behave strangely
Some apps break assumptions (especially sandboxed ones)
Qubes isolation logic prefers predictable permissions

That’s the permission weirdness.

### edit

A journaling filesystem logs changes before committing them.

Purpose:

Crash recovery
Consistency guarantees

NTFS journaling is: edit

Always on
Designed for Windows I/O patterns
Heavier than Linux ext4 defaults

- Extra writes (bad for SSD endurance) edit

Slower metadata operations
Higher CPU usage
Worse performance for many small files

On Windows → optimized On Linux → tolerated, not ideal

- ext4: native, optimized, predictable edit

exFAT: simple, no journaling, low overhead

Short answer: edit

👉 Not in any meaningful or reliable way

Long answer (the fun part):

Swap: edit

Has no directory structure
No filenames
No metadata
Just raw memory pages dumped to disk

So there is no such thing as a “hidden file” in swap.

### edit

You can:

Load a file into RAM
Lock memory pressure
Let the kernel swap it out

Example (conceptual):

cat secret.txt > /dev/null &
stress --vm 1 --vm-bytes 99%

Now parts of secret.txt may end up in swap.

But:

You don’t control where
It may be fragmented
It may be overwritten anytime
You can’t reliably recover it

This is more of a forensics accident than storage.

You could: edit

Disable swap
Write directly to /dev/nvme0n1pX (swap partition)
Re-enable swap

Example:

swapoff /dev/nvme0n1pX
dd if=secret.txt of=/dev/nvme0n1pX bs=4K seek=12345
swapon /dev/nvme0n1pX

Why this is terrible:

Kernel will overwrite it
No persistence
High chance of corruption
Extremely detectable
One reboot = gone

This is basically abusing disk blocks, not hiding data.

(For learning, not recommending.) edit

Use LUKS hidden volume (plausible deniability)
Or steganography inside filesystems
Or sparse files with unusual extents
Or encrypted containers inside unencrypted FS

Swap is one of the worst places to hide anything.

This is why Qubes insists: edit

Encrypted swap
Controlled VM memory
Minimal dom0 exposure

Because swap leaks are real, but they are:

accidental
unreliable
forensic artifacts, not storage

### edit

Permission weirdness = ACL mismatch + fake Unix perms
Journaling overhead = extra writes + slower Linux performance

- Not a filesystem edit

No filenames
No reliable storage
Anything written there is temporary garbage

: edit

If you want a similarly fun deep dive next time:

how deleted files still exist on ext4
how SSDs break forensic assumptions
how Qubes memory isolation really works

Just say the word 😄

gpt-5-t-mini edit

User: Thanks for the tips! edit

Thanks for the tips! But there are still some issues...

When I tried to install it using ventoy, I couldn't pick "Installation Source" despite there being an option for ISO file, and when I tried it using Rufus in dd mode, when I clicked something like "test and install qubes" the test failed despite being successful before. So I got the idea to install it using 2 flash drives - Ventoy to boot the installer and Rufus to select as source, but people on reddit told me to just continue with installing without the tests. Well, when clicking that, I still see tests (it looks like appearing command lines with green text at the beginnig, like OK or PASSED, idk what). Now, what is the difference between those two modes?

I got this comment: "The image you provided has it failing the test, so trying without the test will hopefully get you farther, or at least give a more helpful error message. I don't see much use in trying with 2 usb drives. As for ventoy, looking at the github issue for it, it hasn't been fully diagnosed why it doesn't work. But I don't believe it's a high priority, so I don't believe the devs are actively trying to figure out why it doesn't work." and yes secure boot is off and yes virtualization is enabled. Soo what should I do, should I simply ignore it and hope nothing bad happens? My thinkbook isn't on the list of supported devices.

When creating partition, I don't see an option for exfat. I see: -btrfs (I guess there is a difference between btrfs partition and volume? please explain) -EFI System Partition (some Windows stuff?) -ext2 -ext3 -ext4 -f2fs -physical volume (LVM) -ntfs -swap (soo extended ram?) -vfat -xfs -unformated

What should I do? I guess I can reformat it later, right? Should I try to use ZFS, which I heard is good for servers (so good for media storage?). Please explain to me strenghts, weaknesses and usage of each file system mentioned and if I should just choose ext4 and reformat it later.

Under the BLIVET GUI PARTITIONING (thanks god for gui), there are 2 groups now: Disks (my only m.2 2240 drive) and LVM (I called Notebook, size 150GiB). I can create partitions inside the Notebook LVM. Should I? Or is it automatic.

Should I enable root account? it's disabled by default

Under SOFTWARE SELECTION, there are 3 Additional software for Selected Enviroment (only 1 - Qubes OS with Xfce) -Qubes UI (Audio/Gui) - only one that is on by default -Desktop accessibility -Sway Window Manager (supplemental package)

Should I turn them all on?

After setting it all up, I can't even click "Begin Installation", because Installation Destination tells me "Error checking storage configuration". I set up 150GiB LVM2 as you said and left the rest empty, also I left the LVM empty with no partitions. After clicking Installation Destination, and clicking on the error for details, it tells me: "Failed to find a suitable stage1 device: EFI System Partition cannot be of type luks.

Please explain everything in obsessive detail cause idk what I'm doing.

Assistant: Nice — you’re deep in the weeds now, good stuff. edit

Nice — you’re deep in the weeds now, good stuff. I’ll answer each of your numbered points clearly and in practical order, with exact actions you can take right now (no fluff).

If anything below looks unfamiliar, follow the “Recommended quick fixes” at the end of each section.

### edit

Ventoy: a multiboot USB loader that runs ISOs directly from the USB. It sometimes interacts oddly with hybrid ISOs or with the installer’s expectations (loopback, squashfs), so some distros or installers don’t behave perfectly on Ventoy.
Rufus — DD mode: writes the ISO bit-for-bit as a raw image. This is the most reliable way to make a bootable USB for Linux ISOs.
“Test and install” in the Qubes (Anaconda) installer runs media checks / sanity checks (checksum, integrity of live image, maybe firmware checks). If these tests fail it will either stop or print warnings. A failure can be: - real (corrupt ISO / bad write) - caused by the way USB was written (Ventoy can trigger false failures) - caused by a quirk of your hardware or boot mode

1. Verify the ISO first on your host machine: ```bash sha256sum Qubes-R4.1-x86_64.iso` ` `Compare with the SHA256 on the Qubes website. If the checksum matches, the ISO is OK.` edit

Create the USB with a different, very reliable tool: - Preferred: balenaEtcher (GUI, cross-platform) — writes correctly for almost all distros. - Or: use dd (Linux/macOS) or Rufus in DD/“dd” mode (Windows). - Avoid Ventoy for the initial install attempt if you’re seeing test failures.

Boot the installer in the same mode you’ll install (UEFI vs legacy). Check you booted in UEFI by opening the live environment terminal and running: `bash [ -d /sys/firmware/efi ] && echo "UEFI boot" || echo "Legacy/BIOS boot" `` Qubes expects UEFI for most modern installations.
If a write-method still causes the “test” to fail but the ISO checksum was OK, try another USB stick or another writer (balenaEtcher or dd). If the test still fails after a proper write and checksum match, post the exact test output (copy-paste) — that gives a clue. But typically: use dd/balenaEtcher and proceed.

Quick fix: Verify ISO SHA256 → write ISO with balenaEtcher or dd → boot in UEFI → try install. Don’t use Ventoy for first attempt.

You listed: btrfs, EFI System Partition, ext2, ext3, ext4, f2fs, physical volume (LVM), ntfs, swap, vfat, xfs, unformatted. edit

- EFI System Partition → Use vfat (FAT32), size ~512 MiB, flagged as EFI System Partition. This must be unencrypted. edit

Qubes system (inside LUKS+LVM) → LUKS container → LVM → ext4 volumes will be created automatically by the installer (you do not need to pick ext4).
Large unencrypted media partition (Linux-only) → ext4 (fast, reliable).
Small exchange partition for Windows/macOS → exFAT (supports large files and cross-OS). If the installer GUI does not offer exFAT, make it unformatted now and format it later from a Linux environment or in your media VM.
NTFS → only if you must share with Windows and need Windows ACLs. Otherwise avoid.
btrfs → advanced features (snapshots, checksums), but not recommended for dom0 / Qubes system. You can use btrfs for a media partition if you want snapshots, but ZFS/btrfs add complexity and more potential for tricky recovery.
ZFS → not listed in the installer (often not available); ZFS is excellent for servers (data integrity, snapshots), but it is RAM-hungry and unusual on a laptop — not recommended for Qubes dom0 or for your media partition on a laptop.

- ext4: mature, reliable, fast, low memory — default choice for Linux-only media and what Qubes expects for system volumes. edit

vfat (FAT32): required for EFI boot. Also used for very small cross-platform partitions. No permissions, no journaling.
exFAT: cross-platform, large file support, no POSIX permissions. Good for sharing movies with Windows/macOS.
ntfs: Windows-native; use if you need Windows features. Linux support is solid but heavier.
btrfs: snapshots, checksums; more complex, riskier recovery, not recommended for dom0.
f2fs: filesystem optimized for flash; specialty use.
xfs: good for big-file servers; not necessary for laptop media, and less flexible for shrinking.
ext2/ext3: legacy (ext2 no journaling; ext3 is older journaling); not recommended over ext4.
swap: swap partition (pagefile). Qubes installer will create swap inside LVM usually.

The installer GUI may not list exFAT. Do this: create the partition as unformatted or as ext4 temporarily and reformat later inside a media-vm with mkfs.exfat (install exfatprogs) or on another machine. edit

Quick fix: Use EFI (vfat) 512 MiB for ESP, physical volume (LVM) for the Qubes LUKS container, and unformatted or ext4 for your media partition if you plan to reformat later to exFAT.

### edit

Disk = physical device (your M.2).
Partition = a region on the disk (e.g., /dev/nvme0n1p1).
Physical Volume (PV) = partition or whole disk that LVM uses.
Volume Group (VG) = collection of PVs (a pool).
Logical Volume (LV) = “virtual partition” carved out of a VG (you create file systems on LVs).

In the BLIVET GUI you’re seeing a VG named Notebook (that’s fine). You do not create partitions inside the VG — instead you create logical volumes inside the VG, or let the installer do it automatically.

- Create a partition on the disk to be used as the LUKS container or PV (e.g., /dev/nvme0n1p2), mark it for LUKS encryption. edit

After LUKS is set on that partition, inside it create an LVM PV, then a VG, and then LVs: the installer normally does this for you automatically (root, swap, vm-pool).
Do not try to create classic MBR-style partitions inside the LVM — that’s not how LVM works.

If BLIVET is showing an LVM and letting you create LVs, you can:

Let it create the LVs automatically (recommended)
Or create LVs manually: root, swap, qubes pool etc. But be careful and copy a recommended layout.

Quick fix: Let the installer auto-create the LVs inside your LUKS→LVM PV. If you must do it manually, create LVs, not partitions, inside the VG.

No — keep root disabled (default). Qubes expects dom0 root to be locked and you to use sudo from your normal dom0 user when necessary. Enabling root is an unnecessary increase in attack surface / risk. edit

If you really want to enable it later:

sudo passwd root

But don’t unless you know why.

Quick fix: leave root disabled.

- Qubes UI (Audio/GUI) — keep on (default). Needed. edit

Desktop accessibility — enable only if you need screen reader/assistive tech.
Sway Window Manager — choose only if you prefer a tiling Wayland sway session and you know how to use it. If you’re new to Qubes/Xfce, leave it off.

Quick fix: stick with defaults for a first install (only Qubes UI).

This is the key error. The installer is telling you the EFI System Partition (ESP) is currently set to be inside LUKS (encrypted), or you flagged the ESP to be encrypted — that’s invalid. The firmware (UEFI) needs an unencrypted FAT32 partition to read the bootloader. edit

You must create a separate unencrypted EFI partition (FAT32, ~512 MiB) and not put it inside LUKS. Example partition scheme: edit

Partition 1 — EFI System Partition - Size: 512 MiB - Type: EFI System Partition - Filesystem: vfat/FAT32 - Do not encrypt this.
Partition 2 — LUKS container for Qubes - Size: 150 GiB (or your chosen system size) - Type: physical volume (LVM) or leave as partition that you will encrypt - Enable LUKS encryption on this partition (the installer will wrap it and then create LVM inside it).
Partition 3 — Unencrypted media - Size: ~700 GiB - Filesystem: ext4 OR leave unformatted and format later (exFAT if you need Windows compatibility) - Not encrypted.
(Optional) Partition 4 — small exchange - Size: ~54 GiB - Filesystem: exFAT (if available) or unformatted and format later.

Important: Ensure the ESP is flagged properly and that when you choose LUKS for the main system you do not select the ESP to be inside LUKS. The GUI sometimes lets you accidentally apply LUKS to the whole disk; instead assign LUKS only to the partition you intend for the system.

Boot the installer live and open a terminal: edit

lsblk -f

Check which partitions exist and whether any FAT32 partition is present for EFI. Also check you booted in UEFI.

If you accidentally encrypted the whole disk (including ESP), you need to: edit

Recreate partitions: make a small unencrypted FAT32 ESP first, then the LUKS partition after it. This may require wiping/repartitioning the disk.

Quick fix: Create a 512 MiB vfat EFI partition (unformatted as EFI System Partition in GUI), then a separate LUKS partition for Qubes. Don’t wrap the EFI partition in LUKS.

After install, attach the media partition to a media-vm and run: edit

# install tools in the media-vm if missing
sudo dnf install exfatprogs      # Fedora-based template
=== or on Debian-based TemplateVM: ===
sudo apt install exfatprogs

=== format the block device (example /dev/nvme0n1p3) ===
sudo mkfs.exfat /dev/nvme0n1p3

Or use mkfs.ntfs for NTFS, mkfs.ext4 for ext4.

- /dev/nvme0n1p1 — EFI | 512 MiB | vfat | EFI System Partition (unmounted by LUKS) edit

/dev/nvme0n1p2 — System | 150 GiB | set to be encrypted (LUKS) → inside LUKS create LVM → LVs (auto: root, swap, vm-pool)
/dev/nvme0n1p3 — Media | 700 GiB | unformatted (or ext4) → format later as ext4 or exFAT inside media-vm
/dev/nvme0n1p4 — Optional exchange | ~54 GiB | unformatted (format later to exFAT/NTFS if needed)

Make sure the EFI partition is not encrypted.

1. ISO SHA256 verified. edit

USB written with balenaEtcher or dd.
Booted in UEFI (not legacy).
EFI partition exists (vfat, 512 MiB, unencrypted).
Main system partition is marked for LUKS and inside it LVM will be created.
Media partition left unencrypted/unformatted or ext4 as you prefer.
Don’t enable root; keep software defaults.
If you get “Error checking storage configuration” again, review the installer log (there’s a button to show details) and confirm the ESP is not LUKS.

If you want, I can:

Walk you through writing the ISO step-by-step for your OS (Windows or Linux) — exact commands for dd / Rufus / Etcher.
If you copy the exact installer test error output (the text it shows when tests fail), paste it here and I’ll diagnose it specifically.
Or I can create a short checklist you can follow at the installer screen (one-liner commands you can copy into a terminal in the live environment).

Which would you like next — (A) exact USB write commands for your OS, or (B) help parsing the installer test failure output?

User: "use efi for esp" - what is esp? edit

"use efi for esp" - what is esp?

What is the difference between Tiling Wayland and Xfce? Which one does Garuda Dragonized Gaming Edition use? (I'm coming from that distro) and what are the pros/cons of both?

Do you think the LUKS error is caused because I checked "encrypt" for the system partition? If yes, shouldn't the devs, like, fix it so newbies don't have to deal with it? Afaik Qubes is supposed to be for security so it's assumed you wanna encrypt your stuff.

Is there a difference between btrfs partition and volume (idk which volume there was just volume)? if yes, which one? I can create both of them in the same space (directly on the drive) as normal partitions.

Thanks for all the help!

Assistant: Nice — great follow-ups. edit

Nice — great follow-ups. I’ll go point-by-point, keep it practical, and call out the exact things you should do right now. I’ll start with the short answers, then give the deeper explanation.

ESP = EFI System Partition. edit

It’s a small unencrypted FAT32 partition the UEFI firmware reads to find and load your bootloader (GRUB/shim/whatever). It must be unencrypted and flagged as an EFI System Partition.

(So: create a ~512 MiB vfat/FAT32 partition, mark it as EFI System Partition, do not put it inside LUKS.)

- Tiling Wayland (e.g. Sway) = a tiling window manager running on Wayland. Keyboard-driven, tiles windows automatically, very efficient workflow, minimal UI chrome, modern compositor features (Wayland). Pros: power-user productivity, low overhead, modern Wayland features. Cons: steeper learning curve, some apps/GUI tools expect floating windows, Wayland + NVIDIA can be flaky at times. edit

Xfce = a traditional desktop environment (panel, menu, settings) that runs on X11 (mostly). Pros: simple, familiar, stable, easy to configure. Cons: less modern compositor features, not tiling by default (but you can add tilers), looks older.

Which does Garuda Dr460nized use? Garuda’s “Dr460nized / Dr46onized / Dr460nized Gaming” is a KDE Plasma variant (not Xfce or Sway by default). It ships Plasma (customized) and historically uses X11 by default but users can enable a Wayland Plasma session; the gaming variant is mostly configuration / packages on top of KDE/Plasma. Garuda Linux Forum^[2]

If you’re coming from Garuda Dr460nized (KDE), then moving to Xfce in Qubes is a different workflow — Xfce is simpler and more predictable for Qubes; Sway (Wayland tiling) is available as an optional install but only pick it if you’re comfortable with tiling WMs and aware of Wayland/NVIDIA quirks. Garuda Linux Forum^[3]

Yes — but specifically: the error you saw (EFI System Partition cannot be of type luks) means the installer found your EFI partition flagged as being inside (or treated as) an encrypted volume. The firmware needs to read the ESP before any decryption, so ESP cannot be LUKS-encrypted. edit

Why it happens:

If you accidentally selected the whole disk for encryption (instead of a single partition), the installer may try to wrap the ESP too.
The GUI sometimes lets you assign encryption at the disk-level or apply LUKS to the wrong partition.

Fix (concrete steps):

In manual partitioning create a separate partition for ESP first: /dev/nvme0n1p1 → 512 MiB → vfat → flag: EFI System Partition (leave unencrypted).
Make a separate partition for the system and enable LUKS only on that partition (not the whole disk).
Media/exchange partitions are separate and unencrypted (or formatted later).

Why devs don’t silently encrypt ESP:

The firmware must read ESP without decryption; automatic encryption of ESP would prevent boot. It’s the firmware constraint, not an installer oversight. The installer could warn more helpfully, but the underlying rule is firm: ESP must be accessible to the firmware unencrypted.

Short: there’s no “two filesystems in the same partition” magical thing — you can only have one filesystem occupying a partition. But the terms you see are talking about two different layered concepts: edit

btrfs partition (what you pick in the partition editor): you create a partition on disk and format it with the btrfs filesystem. That means the whole partition is a btrfs filesystem.
btrfs volume / subvolume (internal to btrfs): inside a btrfs filesystem you create subvolumes (sometimes shown as “volumes” in GUIs). Subvolumes act like independent mountable roots but they live inside the single btrfs filesystem (they are not separate partitions). btrfs also supports multiple devices combined into a btrfs pool, RAID levels, etc.

So:

If the GUI shows both options for the same slice of disk, it likely means (a) create a partition and (b) create a btrfs filesystem on it and then optionally create subvolumes inside it. You cannot have a separate ext4 and btrfs both on the same partition — you must pick one filesystem per partition.

If you want LVM + encryption, that’s a different model: LVM gives you logical volumes (LVs) that look like separate block devices and you can format each LV with ext4 / btrfs etc. btrfs subvolumes are more akin to directories with special semantics, not block-device LVs.

- Don’t use btrfs for dom0/system — Qubes devs advise against Btrfs for dom0 (historical stability and recovery reasons). Use LUKS+LVM with ext4 for the system. edit

Media partition: ext4 is the simplest and most trouble-free on Linux.
exFAT if you need cross-platform (Windows/macOS) compatibility. If you want snapshots for media, btrfs can provide them, but they add complexity and possible recovery headaches on a laptop — only choose btrfs if you understand subvolumes and are comfortable with btrfs maintenance. ZFS is excellent for servers (integrity, compression, snapshots) but it’s heavy (RAM, kernel module/licensing differences) and not typically used for Qubes/dom0 on laptops.

1. ESP (EFI System Partition): - Create partition #1, 512 MiB, vfat (FAT32), flag EFI System Partition, do not encrypt. edit

System partition: - Create partition #2, your chosen system size (e.g. 150 GiB), mark it for LUKS encryption (LUKS2), inside it the installer will create the LVM and LVs.
Media partition: - Create partition #3, the big ~700 GiB, leave it unformatted or set as ext4; you can change later to exFAT from a media AppVM.
Optional small exchange: - Partition #4, leave unformatted if the GUI lacks exFAT; format later.
Make sure the installer shows the EFI partition as vfat and NOT inside LUKS. If it still says ESP cannot be LUKS, you missed step 1 or accidentally set encryption at the disk-level.

- Is ESP the same as “EFI” you saw in the GUI? Yes — choose the item “EFI System Partition” or create a small vfat partition and mark it as EFI. edit

If I need exFAT but installer doesn’t show it: make the partition unformatted now and format it later from a TemplateVM/media-vm using mkfs.exfat (exfatprogs) or format on another machine.
If the GUI allowed “encrypt whole disk” and you chose that: you must repartition so that ESP is separate and unencrypted.
Can I use btrfs for media? Yes, but only if you want the specific btrfs features (snapshots, checksums); otherwise ext4 is simpler and more proven on laptops.

Create a 512 MiB unencrypted vfat ESP, create a separate LUKS2 partition for the system (LVM inside), and put your big media partition as ext4 or unformatted (convert to exFAT later if you need cross-OS). For desktop choice: if you like KDE on Garuda, you’ll feel most at home with a full-featured DE — but for a first Qubes setup stick with the default Xfce (stable & simple); add Sway (tiling Wayland) later if you’re confident and the hardware (esp. GPU/NVIDIA) plays nicely. edit

If you want I can:

Give the exact clicks to make these partitions in the installer (step-by-step with labels), or
Provide the exact parted / gdisk / mkfs commands to repartition from a live terminal, or
Help you decide ext4 vs exFAT formatting command and how to format the media partition from a TemplateVM after install.

Which one do you want me to do next?

User: When I tried the custom automatic, it did: edit

When I tried the custom automatic, it did:

/boot/efi 600MiB nvme0n1p1

/boot 1024MiB nvme0n1p2

/ 20GiB qubes-dom0-root

swap 3.92 GiB qubes-dom0-swap

and each one has many options/setting

Is there really no way to create unencrypted volumes here? Also why is efi under something and not directly on the drive as a partition?

My issue is that I see no option for Thin Provisioning in the Blivet advanced partitioner

Assistant: Nice — you’re asking exactly the right next-level questions. edit

Nice — you’re asking exactly the right next-level questions. I’ll keep this short(ish) and actionable: explain why you’re seeing what you see, show the safe/simple path you should take now, and then give the exact manual commands you can use only if you want to do everything by hand.

1. If you want LVM thin (recommended for Qubes) and also unencrypted media partitions, use the Custom flow (not Advanced) and pick LVM Thin Provisioning there. edit

If you already went into Advanced (Blivet), first create the unencrypted partitions (EFI, /boot, media) before you create the encrypted LUKS partition. The installer will then create the LUKS/LVM inside the correct partition.
If Blivet GUI doesn’t show a “thin” checkbox, don’t panic — either go back to the earlier Custom screen to pick LVM Thin, or you can create a thin pool manually from the live terminal (commands below). Manual commands are powerful but risky — only use them if you’re comfortable.

- /boot/efi (vfat) is the EFI System Partition (ESP). It is a real partition (e.g. /dev/nvme0n1p1). BLIVET may display it under the device or grouped by mountpoint — that’s just UI representation. edit

/boot is usually an unencrypted small partition (here 1024 MiB). Qubes keeps /boot unencrypted so the bootloader & initramfs can be read to unlock the encrypted LUKS container.
/ (qubes-dom0-root) and swap are logical volumes created inside the encrypted LUKS → LVM. The installer auto-created small defaults (20 GiB root, ~4 GiB swap) for dom0. You can change sizes — but they live inside the LVM VG.

Yes — but only if you create partitions outside the LUKS container. edit

How to do that in Blivet/Advanced:

Create a partition on the disk and do not mark it for encryption (e.g. /dev/nvme0n1p3, size 700 GiB). Format it as ext4 (or leave unformatted to format later as exFAT). This partition will be unencrypted and accessible if you mount it in a VM.
Create the partition you do want encrypted (e.g. 150 GiB) and mark that one for LUKS. Inside that LUKS container you'll create the LVM PV/VG and LVs for the system.

So the trick: put unencrypted partitions alongside the LUKS partition. Don’t try to create unencrypted LVs "inside" an encrypted PV — once PV is inside LUKS, everything inside is encrypted.

This is a UI thing. nvme0n1p1 is a partition on the drive. BLIVET groups mountpoints and shows logical relationships; it may visually nest boot/efi under the device or volume. As long as that partition is vfat and not marked LUKS, it’s correct. edit

- In the Custom install flow there’s a specific toggle or radio to choose LVM Thin Provisioning. That’s the easy way — pick Custom, choose Thin, then only use Advanced if you need per-partition control. edit

If you’re already in Advanced and don’t see a “thin” checkbox, you can: 1. Go back to the previous screen and pick Custom → choose LVM Thin (recommended), or 2. Create the LUKS + VG with the GUI and then create the thin pool manually in a terminal (commands below).

Only follow this if you understand CLI and have a backup. Replace device names and sizes to match your layout. edit

Assume you created partitions:

/dev/nvme0n1p1 — EFI (vfat), 600 MiB — unencrypted
/dev/nvme0n1p2 — /boot 1024 MiB — unencrypted
/dev/nvme0n1p3 — 150 GiB — intended for LUKS (system)
/dev/nvme0n1p4 — media (rest) — unencrypted

Commands (run in the live installer terminal):

# 1) format and set up LUKS on the partition
sudo cryptsetup luksFormat --type luks2 /dev/nvme0n1p3
=== open it (choose a name like cryptroot) ===
sudo cryptsetup open /dev/nvme0n1p3 cryptroot

=== 2) create LVM PV and VG inside the decrypted mapping ===
sudo pvcreate /dev/mapper/cryptroot
sudo vgcreate Notebook /dev/mapper/cryptroot

=== 3) create dom0 logical volumes (example sizes) ===
sudo lvcreate -L 20G -n qubes-dom0-root Notebook
sudo lvcreate -L 33G -n qubes-dom0-swap Notebook

=== 4) create a thin-pool to back thin LVs (choose size for pool; here 90G as example) ===
sudo lvcreate --type thin-pool -L 90G -n thinpool Notebook

=== 5) create thin logical volumes for VMs (virtual size can be larger than physical) ===
=== e.g., create a 200G-thin LV (virtual size) for VM storage ===
sudo lvcreate -V 200G -T Notebook/thinpool -n qubes-vm-pool

=== 6) create filesystems on LVs where expected (dom0 uses ext4 etc.) ===
sudo mkfs.ext4 /dev/Notebook/qubes-dom0-root
sudo mkswap /dev/Notebook/qubes-dom0-swap
=== DO NOT mkfs on the thin pool itself ===

After this you’d tell the installer where root, swap and the VM pool are (if doing everything manually) or let the installer proceed if it detects these LVs. Again, manual approach requires care.

1. Back out of Advanced if you’re unsure. edit

Choose Custom (semi-guided). On that screen select LVM Thin Provisioning.
In the partitioning step create explicitly: - nvme0n1p1 — ESP (vfat, ~600 MiB) — unencrypted - nvme0n1p2 — /boot (~1 GiB) — unencrypted - nvme0n1p3 — 150 GiB — mark as Physical volume (LVM) and enable encryption (this becomes LUKS -> VG) - nvme0n1p4 — media (~700 GiB) — ext4 or unformatted (unencrypted) - optional exchange partition — unformatted/exFAT
Let the installer create LVs inside the encrypted VG (it will create qubes-dom0-root, swap, and the thin pool/LVs if you chose Thin). If you need custom sizes for dom0 root/swap, adjust them in Custom before applying.

- Don’t create swap as a separate unencrypted partition if you want full-disk protection — put swap inside the encrypted LUKS/LV. edit

If you choose to do LVM thin manually, monitor free space — thin pools can run out and cause issues.

If you want, tell me which path you want now:

A) I’ll walk you step-by-step in the installer GUI (exact clicks for Custom → partition setup).
B) I’ll provide a ready-to-run script of the exact cryptsetup + pvcreate + vgcreate + lvcreate commands tailored to your chosen sizes.

Pick A or B and I’ll give the exact next steps.

gpt-5-mini edit

User: One more thing: under LVM - Notebook, there is nothing. edit

One more thing: under LVM - Notebook, there is nothing. What should be there, and should I manually create 33GiB swap for hibernation?

Assistant: Ah, perfect — now we’re back in the LVM/installer world, so let’s go slow and precise. edit

Ah, perfect — now we’re back in the LVM/installer world, so let’s go slow and precise.

When you select your 150 GiB LUKS → LVM Thin Provisioning, the installer will create the following logical volumes (LVs) automatically: edit

| | | | | --- | --- | --- | | | | | | | | | | | | |

- The LVM exists at PV → VG level (Notebook) edit

You haven’t told the installer to auto-create LVs yet, so the VG is empty
Once you accept the configuration, the installer will create dom0 LVs automatically

So seeing nothing under Notebook right now is normal.

### edit

Swap must be ≥ RAM for hibernation
You have 32 GiB RAM → make swap 33 GiB to be safe
Keep it inside the encrypted LUKS/LVM (don’t make a separate partition)

1. Click your LVM “Notebook” edit

Look for Add LV or Auto-create
Set LV sizes: - qubes-dom0-root → 20–30 GiB (depending on your dom0 plans) - qubes-dom0-swap → 33 GiB - Thin pool LV → remaining space for qubes

- If you make a separate swap partition outside LUKS/LVM: - It will not be encrypted - Hibernation will write plaintext RAM to disk - This breaks Qubes security assumptions edit

✅ Keep swap inside the encrypted LVM.

====

/dev/nvme0n1 ====
├─ p1 600 MiB EFI System Partition   /boot/efi   (unencrypted)
├─ p2 1 GiB ext4                     /boot       (unencrypted)
├─ p3 150 GiB LUKS → LVM Thin        Notebook
│    ├─ qubes-dom0-root  20 GiB      /
│    ├─ qubes-dom0-swap  33 GiB      swap
│    └─ thinpool        ~97 GiB      VM storage
└─ p4 ~700 GiB ext4                   media      (unencrypted)

✅ Bottom line

Nothing under Notebook yet = normal
Yes, create 33 GiB swap inside LVM for hibernation
Let the installer create dom0 root + thin pool automatically
Don’t make swap outside the encrypted LVM

If you want, I can make a click-by-click checklist for the installer GUI including setting dom0 root, 33 GiB swap, thin pool, and leaving media unencrypted — that usually clears up all confusion at once.

Do you want me to do that next?

User: yes please. edit

yes please.

Now Inside LVM I have 2 options:

LVM2 Logical Volume -size -file system (btrfs esp ext2 ext3 ext4 f2fs physical volume (LVM) ntfs swap vfat xfs unformatted) -label -name -mountpoint -encrypt y/n

and

LVM2 ThinPool -size -name -NO ENCRYPT?!?

Assistant: Perfect — now I understand exactly what you see. edit

Perfect — now I understand exactly what you see. Let’s go step by step, so you can configure your LVM in Qubes installer safely, including dom0 root, swap for hibernation, thin pool for VMs, and leave your media partition untouched.

You have 150 GiB inside your LUKS → LVM “Notebook”. edit

| | | | edit

| --- | --- | --- | | | | | | | | | | | | |

1. Click Add LV → LVM2 Logical Volume edit

Fill:

| | | | --- | --- | | | | | | | | | | | | | | | | | | |

Click Add / OK

1. Click Add LV → LVM2 Logical Volume edit

Fill:

| | | | --- | --- | | | | | | | | | | | | | | | | | | |

Click Add / OK

1. Click Add LV → LVM2 ThinPool edit

Fill:

| | | | --- | --- | | | | | | | | | |

After these steps, inside Notebook LVM, you should see: edit

Notebook (VG)
├─ qubes-dom0-root   20 GiB   ext4   /
├─ qubes-dom0-swap   33 GiB   swap
└─ qubes-thinpool    ~97 GiB  thin pool (for VMs)

Leave your media partition outside LVM: edit

Size: 700–750 GiB
Filesystem: ext4 or exFAT (format later if needed)
Mountpoint: leave empty
Encryption: ❌ No

Do not put it inside LUKS or LVM — this keeps it unencrypted and easily mountable in other OSes.

- ESP → 600 MiB, vfat, /boot/efi, unencrypted edit

/boot → 1024 MiB, ext4, unencrypted
LVM → 150 GiB LUKS2 → Notebook - dom0 root LV → 20 GiB ext4 / - dom0 swap LV → 33 GiB swap - thinpool → remaining (~97 GiB)
Media → 750 GiB ext4/exFAT, no mountpoint, unencrypted

If all of these match, installer will:

Boot fine
Encrypt dom0 + VMs correctly
Leave media unencrypted

If you want, I can also draw a full ASCII “installer tree view” exactly as it should appear in Blivet, so you can literally match it before clicking Begin Installation.

Do you want me to do that?

User: Why not use ThinkPool for everything? edit

Why not use ThinkPool for everything? Wouldn't it save space?

Are there any pros/cons to double encryption besides remembering extra password?

Assistant: Ah, now we’re getting into the why Qubes uses LVM Thin + separate dom0 root/swap instead of putting everything into a s… edit

Ah, now we’re getting into the why Qubes uses LVM Thin + separate dom0 root/swap instead of putting everything into a single thin pool, and the “double encryption” tradeoffs. Let’s break it down carefully.

### edit

You could, in theory, create one big ThinPool LV, and use it for: - dom0 root - swap - all VM storage
It would save some space because thin provisioning is very efficient with VM volumes.

1. Dom0 isolation and reliability - dom0 is the “control plane” - If dom0 LV is inside the ThinPool and something goes wrong (thin pool full, corruption, VM misbehavior), you risk breaking dom0 - ThinPools can overcommit space → dom0 could unexpectedly run out of space → unbootable edit

Swap requirements - Swap must be available before thin provisioning is active - Some parts of boot may need to page memory before thinpool is ready
Performance - dom0 root + swap in their own LVs ensures predictable performance - ThinPools are optimized for many small VMs, not for constant dom0 I/O
Installer simplicity and security - Clear separation: - dom0 root LV → always mounted at / - swap LV → hibernation safe - thinpool → VMs - Makes backup, snapshot, recovery easier - Makes audits and security assumptions clear

✅ Verdict: putting everything in one ThinPool may “save a few GiB” but is riskier and not recommended for Qubes.

### edit

LUKS on the whole LVM (Notebook) → encrypts everything inside LVM
dom0 root LV + swap → encryption inside the LUKS (optional in GUI)

So double encryption = encrypting an already encrypted volume.

- Extra defense if LUKS header is compromised (rare) edit

Dom0 swap and root get an extra encryption layer
Fine-grained keys possible if you want separate passphrases

1. No practical security gain for 99% of users - LUKS already encrypts all bytes in the volume - Double encryption does not make brute-force attacks meaningfully harder edit

Extra complexity - You must enter two passphrases (if not using same) - Recovery and troubleshooting are more difficult
Negligible performance hit - Slight CPU overhead, almost invisible on modern CPUs with AES-NI

- Keep one LUKS layer at the VG level edit

Dom0 root + swap do not need extra encryption (it’s already inside LUKS)
Only use extra LV encryption if you want separate passphrases per LV (rarely needed)

| | | edit

| --- | --- | | | | | | | | | | | | |

If you want, I can draw a visual diagram of “what goes where” inside your 150 GiB Notebook LVM, showing encryption layers, thinpool, swap, dom0 root, so it’s crystal clear before you click Install.

Do you want me to do that next?

User: how easily can dom0 run out of space? edit

how easily can dom0 run out of space?

Assistant: Ah — this is an important practical question for Qubes. edit

Ah — this is an important practical question for Qubes. Let’s go step by step, because “dom0 running out of space” is not just theoretical — it can break your system if you’re not careful.

1️⃣ What dom0 actually stores edit

Dom0 is the control domain in Qubes. It holds:

Root filesystem (/) → OS, kernel, drivers
System logs (/var/log)
Bootloader, configuration
Minimal app tools (dom0 apps like Qubes Manager)
Sometimes temporary downloads or templates if misconfigured

NOT the VMs themselves → VMs live in thinpool logical volumes.

So dom0’s space usage is much smaller than the total LVM size.

2️⃣ Typical dom0 root LV size edit

Installer default: ~20 GiB
Recommended: 20–30 GiB for typical usage
With 32 GiB RAM → 33 GiB swap

If you stick to 20–30 GiB root LV, dom0 is usually very safe, even with logs, updates, and a few templates cached.

3️⃣ How dom0 can run out of space edit

Common causes: edit

Huge log files - /var/log/journal can grow if system misbehaves
Templates cached in dom0 by mistake - Only ever “template files” should be in thinpool
Manual downloads in dom0 - Installing big packages in dom0 instead of using VMs
Misconfigured qubes VM storage - Accidentally mounting thinpool inside dom0

Rare causes: edit

Multiple large updates + old kernels not cleaned up
Dom0 home directory storing lots of user files (not recommended!)

4️⃣ How fast it could happen edit

Normal usage: virtually impossible within first year
Heavy tinkering / dev work: possible after tens of GiB of files, logs, and cached templates
20–30 GiB is a safe starting point

Rule of thumb: keep dom0 small but clean, don’t store personal files there. Everything else goes in VMs.

5️⃣ How to prevent dom0 from filling edit

Don’t store personal files in dom0 → Use VMs or unencrypted media partition instead
Enable automatic journal rotation ``bash sudo journalctl --vacuum-size=500M 3. Remove old kernels and packages bash sudo dnf autoremove 4. Monitor space regularly bash df -h /``
Snapshots for emergency rollback - Thinpool snapshots don’t help dom0, but backups of root LV do

6️⃣ Bottom line edit

With 20–30 GiB root LV, dom0 running out of space is very unlikely for normal usage
Only a problem if you store gigabytes of files in dom0 instead of inside qubes or external media
Swap + thinpool do not affect dom0 free space, so no risk there

If you want, I can give you a practical sizing example for your 150 GiB LUKS LVM:

20–25 GiB dom0 root
33 GiB swap
Remaining ~97 GiB thinpool → VMs

…and explain how this scales if you add many VMs or large templates.

Do you want me to do that?

References edit

↑ "Qubes OS Partition Options". ChatGPT. Retrieved 2025-12-29.
↑ "Garuda Linux Forum". Garuda Linux Forum. Retrieved 2025-12-29.
↑ "Garuda Linux Forum". Garuda Linux Forum. Retrieved 2025-12-29.

[1] "Qubes OS Partition Options". ChatGPT. Retrieved 2025-12-29.

[2] "Garuda Linux Forum". Garuda Linux Forum. Retrieved 2025-12-29.

[3] "Garuda Linux Forum". Garuda Linux Forum. Retrieved 2025-12-29.

[1]

[2]

[3]