Any suggestion to organize this mess?

I use the same laptop for everything.
Would anyone like to suggest how I should organize my qubes, TemplateVMs and sys-net?

Besides a sys-net for each internet device, I’d never use anything important online via an internal non-ethernet interface. But I guess you don’t have one since you don’t mention it… Well, then I’d never have one without it.
Ethernet is not necessarily more secure than wifi (I’d like to think it is, but there are a lot of discussions with pros and cons for each; I just took my side), but compared to USB wifi, almost for sure.

I understand your point and it makes sense.
Here’s an update.

What’s your opinion now?

1 Like

I have an App-Update-Home qube to update the /home/user/.vsoss and other applications that use the home directory as storage.

Once you update the vscode extensions, copy the files to the other VMs.

1 Like

Even if not a Qubes starter, it is clear to me that you comprehend the Qubes OS concept as it is meant to be understood,
and I am sure that in the next iterations you’ll perfect the reflection of your threat model through your qubes.

For example, how to perfect your security by using minimal templates and disposables and by further segmenting them, thus reducing the attack surface for each use case: for example, why would you need multimedia packages, or even simple GUI text editors, in your vault or your sys-nets? Why would you need iwlwifi firmware in your sys-net-ethernet template, etc.…

The same for privacy and anonymity layers afterward…

2 Likes

That was one of the very first things that struck me as odd about my shiny new qubes os installation (a year ago).

A qube like Vault had LibreOffice and Firefox installed… yet had no network access (not necessarily ridiculous for LibreOffice, but almost certainly so for Firefox). On the other hand, every other qube had KeePassXC on it even though it was only useful on Vault.

This was of course because they all were based on the same TemplateVM.

Yes… I know they did it that way to keep the size of the ISO down. The alternative at the other end is minimal templates, but that takes a lot of specialized knowledge (it’s all findable here, but still, it’s specialized).

The low-rent way to cut down on some of this is to clone your Debian 11 (or Fedora whatever-it-is-this-week) template, once for each AppVM, and base each AppVM on one of the clones.

Then go into the clones and uninstall anything that appears in the menu (you’ll want to keep the terminal and maybe the file manager) that’s useless for that template’s AppVM. (In the case of vault, that should be everything except KeePass, the terminal and maybe the file manager.) The reason I say “that appears in the menu” is that if you wipe out (say) LibreOffice, you’re unlikely to find out that something depended on it, because it’s an end-user application: it depends on things, other things don’t depend on it. Also, those end-user applications tend to be large executables with a large attack surface; lots of “bang” for your “uninstalling” buck.

That’s not quite as secure as starting from minimal templates, but it’s easy and probably gives at least half as much added benefit as minimal templates do.

1 Like
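The clone-then-purge routine from the post above, written out as a dom0 shell helper. This is an added example, not code from the thread or from the Qubes project; it assumes a source template named by `SRC` (default `debian-11`), that the AppVMs already exist, and that `DRY_RUN=1` (the default) prints the `qvm-*` commands instead of running them so the plan can be reviewed first. The per-qube package lists are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): clone one template per AppVM, purge the
# end-user packages that AppVM does not need, and re-point the AppVM at the clone.
# Assumptions: SRC names an existing Debian template; DRY_RUN=1 only prints the
# qvm-* commands, so the plan can be rehearsed outside dom0 before running it.
set -eu

SRC="${SRC:-debian-11}"
DRY_RUN="${DRY_RUN:-1}"

# run: execute the command, or just print it when rehearsing.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# specialise_template QUBE PKG...: clone SRC to "SRC-QUBE", purge PKG... inside
# the clone as root, shut it down cleanly, then base QUBE on the clone.
specialise_template() {
    qube="$1"; shift
    tpl="$SRC-$qube"
    run qvm-clone "$SRC" "$tpl"
    # -u root: run as root in the template; -p: pass stdio through so apt's
    # output (and any dependency warnings) is visible in dom0.
    run qvm-run -p -u root "$tpl" "apt-get purge -y $* && apt-get autoremove -y"
    run qvm-shutdown --wait "$tpl"
    run qvm-prefs "$qube" template "$tpl"
}

# vault keeps KeePassXC and the terminal; the menu-visible rest goes.
specialise_template vault firefox-esr libreoffice thunderbird
# a networked browsing qube has no use for the password manager or office suite.
specialise_template personal keepassxc libreoffice thunderbird
```

Set `DRY_RUN=0` only after checking the printed plan; the purge list is what each package's menu entry says it is, not what `apt` reports as a reverse dependency.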

That’s interesting, @dro212 !
Could you provide more details, step by step, of how you did it, and examples?

Thanks, @tempmail !
About my example, above, do you have any suggestion of change? Do you recommend something?

1 Like

I like the idea of cloning Debian and uninstalling a few things.
Thanks, pal!

@n0thum4n

Depending on your threat model, you may not want to have Python site packages and vscode extensions exposed to the internet. Make a “Home Update VM” where you can update these packages, since they are typically stored in the home directory.

Once updated, copy them to your production VM.

Alternatively you may be able to redirect the site packages to use a root location.

1 Like

Not specifically. I’d suggest two things:

  1. Compare positions and relations of your VMs with the official one. It might help you to visually realize your ideas even faster:
    https://www.qubes-os.org/attachment/site/qubes-trust-level-architecture.png

  2. Don’t rush to set everything up at once. Download one bare minimal template. Wait for the first use case. Browsing, probably. Clone the minimal template and try to install all the additional packages needed for it (be sure whether you’d like audio enabled in the browser, for example). Practice until you succeed. Once you succeed, repeat it for the next use case when needed, not before. After the second successful setup, you’ll realize you’d want all minimals. Here’s my 2c for the browsing Brave template (after that, create a dvm-template based on it and start using disposables based on that dvm-template):
    Your experiences with Qubes as daily driver? - #9 by tempmail

1 Like