Blog post - using Qubes and Salt at a large media organisation

Hello,

Shameless plug here for a blog post about how we’ve been using Qubes at the Guardian. The motivation behind it was to hopefully help others get started with salt stack configuration - it took me a lot of time and a lot of trawling these forums to get to the setup discussed in the article.

Any questions (or corrections!) very welcome - would be interested to hear from anyone else deploying Qubes at scale. We have around 5 machines at the moment being used by fairly technical users - but might end up with a point where we have some very much non-technical users trying to use Qubes workstations. We’ve found lots of menu customisation, desktop icons and nautilus right click menus have been useful to avoid users having to open a terminal. Very much looking forwards to the new menu in Qubes 4.2 once we’ve upgraded!

16 Likes

SecureDrop workstation developer here (new on the job, previously on Dangerzone) but a long time Qubes user / community member.

Really nice to see a bit of the “behind the scenes” at The Guardian and most importantly even, as a Qubes-pioneer newsroom, showing others how Qubes can be used in a journalism context.

There aren’t a lot of orgs out there explaining how they use Qubes, so this is really critical for showing adoption potential! Thank you so much!

I’ve been on 4.2 for a bit and I can’t wait for The Guardian to have it too. Visually, with that new menu and updater it’s like night and day.

2 Likes

Great to see some behind-the-scenes work. I know the SD and FPF folks are excited for the public release of SDW, which has been working great since I began testing last year.

3 Likes

Oh that’s exciting about updater improvements! I was mainly aware of the new menu bar. Looking forwards to SecureDrop Workstation 1.0!

1 Like

Thank you for the great writeup, @pmcmahon!

A minor comment on configuring disp vms: you can do this through Salt as well.

create-guardian-template-disp:
  qvm.vm:
    - name: guardian-template-disp
    - present:
      - template: guardian-template
      - label: black
      - class: AppVM
    - prefs:
      - template: guardian-template
      # mark this qube as a template for disposable VMs
      - template_for_dispvms: True
      # empty string means no network qube is attached
      - netvm: ""

Just add
- default_dispvm: ""
to the prefs section.

2 Likes

Discussion on Hacker News: Working with Qubes OS at the Guardian | Hacker News

1 Like

Some strong opinions there about what the Guardian should be doing with its threat model, but the bigger picture is you’re saving me lots of time with a clearly written how-to that covers several things on my roadmap. Thanks!

1 Like

Glad to hear it! Would recommend the feedback linked to right at the bottom of the article (this) - some stuff in there I wish we did the first time.

1 Like