QubesOS 4.2.4
Goal
Automatically shut down sensitive Qubes I always forget to shutdown when I close my laptop (password managers, sys-net, vault, sys-usb, etc). I like the idea of ensuring specific Qubes have been shutdown in case of theft or not knowing whether my laptop will resume in a friendly or hostile environment.
Configuration
Mostly takes place from dom0
- Tag VMs to shutdown upon suspend with a tag of your choice
qvm-tags <VM NAME> a shutdown-on-suspend - Edit the 52qubes-pause-vms script
sudo vi /usr/lib64/pm-utils/sleep.d/52qubes-pause-vms - Add the following commands to the suspend section (above the existing
qubesd-querycommand), matching the tag you set earlier# Cycle through all Qubes with the shutdown-on-suspend tag for QUBE in $(qvm-ls --tags shutdown-upon-suspend | awk 'NR>1 {print $1}'); do # Trigger parallel shutdown commands in the background qvm-shutdown --wait --force $QUBE & # Close the for loop done # Wait until all shutdown commands complete wait
Bonus
Install the qubes-app-shutdown-idle package inside of your TemplateVM or StandaloneVM and change the TIMEOUT_SECONDS value in /lib/python*/site-packages/qubesidle/idleness_monitor.py or /usr/lib/python3/dist-packages/qubesidle/idleness_monitor.py to something shorter (like 20 seconds) and check the Shutdown when idle for more than 15 minutes box in the Qube Manager Settings to have your Qubes automatically shut down once you close the app window.
Troubleshooting
- Make sure the target Qubes are running then trigger a suspend by running
systemctl suspendand note how long it takes for the computer to go to suspend. If it suspends quickly, there’s a chance it isn’t working. - Check logs via
journalctl -b suspend
Feedback
Always open to it. This community has been so helpful to me–I wanted to share a guide that I hope may help someone else.