Compartmentalization, "am I doing it right?"

So I don’t depend so much on the stock fedora and debian vms. I clone them, then install the apps I need on the clones, then make appvms to run those apps. I like this instead of installing all the apps I need on only two templates. But I’ve seen I’m up to maybe 50 or so templates. Is this overkill or is this what I should be doing for maximal security? The space isn’t really the problem. And I haven’t had many performance issues either.

Whether it’s overkill depends on your needs and threat model. I’ve seen quite a few other people here using very many cloned customized templates. This should indeed provide more compartmentalization. Consider also using minimal templates for even more compartmentalization.

2 Likes

Yes, I’ve just recently discovered minimal templates. It has helped with boosting performance. I also assume that being minimal, with fewer packages installed, or only what’s needed, also reduces attack surface. Since I’m in the process of rebuilding my system, I’ll try to introduce more minimal templates. If others are doing the same with many cloned and compartmented templates, then I’ll continue my assumption that I got the gist of qubes.

2 Likes

See also:

1 Like

Minimal template + dispvm is enough for me. Having too many templates makes me uncomfortable.

I suppose it would be best to have each domain for a specific purpose (e-mail, browsing, etc.) and only have the necessary tools for the job installed, and nothing else. That would also involve using other measures to make sure the domain can only do what it is supposed to be doing (firewall). So for example, the e-mail domain only needs to access the provider’s imap/smtp etc. That’s a lot of work! I’ve spent a lot of time reversing network connections of some IM client or whatever.

I’m not there yet, at least not fully. I don’t like maintaining lots of templates, but that’s mainly because I’m using the “bloated” default fedora-33 and its clones for everything. It’s a lot of updating to be done daily.

My rule of thumb is that if I need some shady/proprietary software that cannot be installed on a normal appvm, then I clone a template for it. But I’ll look for alternatives first, for example flatpak --user. I have lots of appvms but they are all based on only a few templates. That’s not optimal because these appvms can do loads of other things as well as their actual purpose.

Once debian-11 is released, I’ll probably move towards that. I’d love to have CentOS templates, but CentOS Stream is not much different from Fedora in this respect. (BTW - what will happen to the centos-8 template in 2022?)