I don’t trust current geopolitical situation in general and I want to be well prepared for time, when software and speech freedom were significantly limited. What I want to achieve is to be prepared for hard times in the future, which we cannot predict of course, not to protect myself against advanced attacks because my threat model requires it, I’m not journalist, activist, whistleblower etc. I live in civilized EU country also.
Do you think that keeping Qubes OS installed on the separate disk apart from main Linux distro is a good idea? If the answer for that question is no, what do you think instead about installing Tails on some pendrive and upgrading it regularly and having Tails for bad times? What do you think about both?
My next motivation to install Qubes OS is just to learn cybersecurity, how Qubes OS works and testing or just isolating untrusted stuff in VMs.
In General I would install Qubes for every aspect even when living in a “Freedom of Speech” Country. And I mean you can learn a lot but be aware that Qubes has a steep learning curve, you need to use it and actually learn by yourself and look things up, but afterwards the reward couldn’t be bigger.
Is it fine in your opinion, and Qubes community to have both Qubes and other favorite Linux distror installed on the same PC? Is the question I ask here opinion-based or does it have objective answer?
I don’t understand phrase “take care off”. I’m not English native.
I googled a bit and understand what do you mean. Since I don’t have threat model requiring what we talk about I can do it.
Thank you for advice, I think the Qubes OS will be my second favorite distro apart from Arch Linux. I’m interested in system administration, programming and cybersecurity.
I started using qubes for a narrow use case and then expanded as i liked its functionality more.
Id encourage you to just try it first and don’t worry about optimizing your setup. You will learn things and probably end up reinstalling the setup anyway.
The main issue for newbies is not just navigating qubes but keeping it working. At least twice a year, i have an issue that requires a fair bit of research and workarounds to fix
Your arch boot partition will be able to see your qubes boot partition (and your arch luks will also when unlocked). So you end up having to “trust” arch for your qubes as well.
Less of a concern for arch vs a windows ssd but threat model dependent
The reason for most people is just to have full control over their internet persona. And on the other side for most people it’s just the paranoia that drives them.
I for one do not know what you consider to be a civilized country. The countries you may consider to be civilized may differ from those of another. Not trying to be smug or pedantic. It’s a genuine question. Also, do keep in mind that even countries often deemed civilized by many, conduct illegal surveillance, contrary to their own laws.
Let me give you a quick example since you mentioned the EU. Several years ago, the European Data Protection Supervisor found that Europol had been illegally collecting and retaining large volumes of personal data on individuals with no established link to criminal activity. Rather than enforcing deletion of the data, the EU responded by amending the Europol Regulation in 2022 with transitional provisions that effectively retroactively legalized the previously illegal practices.
As for your question, you do not necessarily need to be a “high value target” in order to be targeted as if you were. You need only be related or connected with someone who is. Sometimes even with multiple degrees of separation.
To cut it short: Qubes helps keep your digital life secure, and in my opinion does it best than any other OS. It does suffer from hardware compatibility issues, many (perhaps most) computers will not be fully compatible. So do keep that in mind.
The first step to security is to have no illusions.
Qubes OS is great for data security but no technology per se can ensure social security (even in the so called civilized countries).
Do you think that keeping Qubes OS installed on the separate disk apart from main Linux distro is a good idea?
Only if you just want to play with Qubes until you get used to it.
If the answer for that question is no, what do you think instead about installing Tails on some pendrive and upgrading it regularly and having Tails for bad times?
I don’t know what bad times means, it is not a clear threat model. You can run Tails in a qube.
To give you a first impression of the differences between the usage of Tails and Qubes, I created (using the AI tool NotebookLM) an image showing the main aspects of Tails, Whonix, and Qubes:
Security and privacy is not a product that you can just pull out of the box and get it. Those are more like a process you must follow to get them.
Booth Qubes OS and Tails are just a tool. having them in a box for ‘bad times’ will not save you - and/or not give you security and privacy, because:
you are very likely not familiar with them. You get experience only by using those tools…
your ‘behaviour’ is very likely not compatible with such tools. And no tools can save you from your own ignorance…
^^ This is however the right approach. And that’s what you need to start with. However, there are lot of pitfall among that route you should avoid.
The biggest mistake that many committing, that they have have not defined their own threat model. Without such, there is no point talking about security or privacy, as no tool - or even process - would save you from ‘everything’.
So my advice is:
Define your goals, and more importantly what exactly you want to avoid and be protected from - that helps you not lost in the rabbit hole.
Then, you can choose the tool(s) that helps you achieve that.
Then you must learn those selected tools… as no tool is ever useful if it’s user is not familiar with it.
Qubes can, and should, be used by people who are in western firsrt world democracies. Look at America the people there forgot that freedom isn’t free and now are now losing it. Standing up for your right to privacy, security, and freedom means you have to take action to protect it. One way of doing that is by using Qubes OS and other privacy tools to ensure that you protect thoses freedoms.
I think that having Tails on a drive as a just in case is a good idea, but the only way to be sure it has not been comprimised is to keep it on your person at all times. For example keeping it on your keychain, wallet, purse, etc.
Qubes OS should be kept physically seprate from another system. Ideally on seprate hardware as well, but that can be a lot for some users.
If you are using Qubes to learn about cybersecurity in the context of learning how to protect yourself while online then you are in the right place. Please read the Qubes docs to learn best practices.
Please be careful with testing things that you are unsure of because while Qubes does reduce your attack surface it is not magic and if you are not using Qubes the right way either by mistake or for some reason you will have a larger attack surface. There could be a zero day in the Xen hypervisor and the kernal and you just so happened to install a program that you think is safe to run in a qube but it escapes from the VM and can now live forever in dom0 and do whatever it wants.
If you’re at all interested in learning about cybersecurity it’s a great OS to do that in. I would personally recommend not over-thinking it too much in the beginning or being super concerned with defining your threat model. Basically anything you do with Qubes that you’d normally do with Arch will have improved security.
Like others mention learning how to do convert your regular workflows into a qube compatible workflow is a great start and gives you a lot of things for free.
If you are choosing between dual booting arch and Qubes or just using arch I’d definitely suggest using both, but the worry with dual booting is 2-fold:
You might not use it since you’re comfortable with arch already
Arch technically has boot control and you’re implicitly trusting your arch installation even when running qubes. Not ideal for the long term.
However I think it’s a totally legitimate way to get started if you try to primarily use qubes and use arch as a backup when something does not work on qubes and you need to jump into arch to quickly get it working.
Hopefully you’ve eventually fully converted and things that are now hard in arch are easy in qubes and you find yourself never booting arch anymore. At that point you can remove the arch boot.
I don’t think using tails or whonix without having a clear threat model makes a lot of sense, they are specialized tools for specialized occasions. QubesOS is a general workstation OS where you can do basically everything you’d normally want to do. Not so for tails. You can get the benefits of whonix inside of Qubes.
