Little too technical #1

Open
cm157 opened this issue Jun 4, 2021 · 3 comments

cm157 commented Jun 4, 2021

I apologize for asking stupid questions. I see you have explained what this does, it's just I don't understand. I am looking for a way to make sure when a VM is not running it is at rest in an encrypted state. Is that what this does?

@3hhh 3hhh added the question Further information is requested label Jun 4, 2021
Owner

3hhh commented Jun 4, 2021

No.

Let's say you have encrypted containers (encrypted files with other files inside) inside a VM (usually sys-usb on some USB drive). Then qcrypt can attach those to other VMs and decrypt them in there.
qcryptd just monitors whether e.g. a new drive was plugged in and automates all that.

Anyway, when you shut down your laptop, all data at rest is encrypted by the Qubes OS default full disk encryption.

Per-VM encryption is tracked in QubesOS/qubes-issues#1293, but you already found that. Anyway, pool encryption is already possible in 4.1 via QubesOS/qubes-core-admin#354 and you can create one pool per VM if you want. However, usage is rather complex (see examples in the code).

Author

cm157 commented Jun 4, 2021

> No.
>
> Let's say you have encrypted containers (encrypted files with other files inside) inside a VM (usually sys-usb on some USB drive). Then qcrypt can attach those to other VMs and decrypt them in there.
>
> qcryptd just monitors whether e.g. a new drive was plugged in and automates all that.

OK, so an analogy would be: if I have my files in a TrueCrypt-type container on a USB drive, I plug it in and then qcrypt detects it's been plugged in and launches a VM that mounts the container?

Owner

3hhh commented Jun 5, 2021

> OK, so an analogy would be: if I have my files in a TrueCrypt-type container on a USB drive, I plug it in and then qcrypt detects it's been plugged in and launches a VM that mounts the container?

Roughly, yes.

More precisely, qcryptd will not launch any target VM, but wait for you to launch it and attach the container afterwards. Usually people don't want to launch 10 VMs when they attach their USB stick with 10 containers... ;-)
