I’m looking to minimize the number of services I have to check regularly, without making compartmentalization useless.
A basic pattern would be copying emails from several qubes to a shared read-only vault with a reader installed. Any solution should use only local services without an internet connection, and the reader shouldn’t be in dom0.
The end state would be a single reader application with one click between different accounts.
For writing, opening different qubes+applications is not an issue. I don’t want real-time updating, either - a manual sync several times a day would be enough.
Some of the services I use make this difficult, e.g. not supporting exporting or shared clients. These are already a problem without trying to compartmentalize, so I can live with ignoring these and just combining the ones I can. Ideally I’d view content from multiple email, discourse, and matrix accounts in one application.
If this wouldn’t work with your threat model or would undermine what you get from Qubes’ design, please explain what you’d be concerned about.
What do people do? Partial solutions, solutions in a different OS, and closed-source solutions could all be useful.
Multiple clients in separate workspaces or windows does give me the one-click between different accounts. It’s heavier on resources than a single pane of glass, which isn’t so bad, but the process of starting/stopping is the real headache for “just checking” several times a day. I suppose a cheap solution is just to script multiple qvm-runs in dom0. That closes the main issue, but I’d be interested in alternatives.
I also have a correlation concern, and I’m not seeing any great solutions. I could update multiple services in the same small windows, probably in consistent patterns over time, or I could have multiple always-on clients that can be correlated during shutdowns and network drops.
Okay, my suggestion is to create a read-only VM without network access, export the content from each VM to a text document, then send those files to the read-only VM using the inter-qube file move and copy system:
This is quite difficult to achieve without reducing the security offered
by Qubes - I’ll come on to that.
Here is one approach for email that might work for you. It’s based on split-mutt
The idea here is that you separate email collection, reading, writing,
and sending in to different stages handled by different qubes. Only the
mail store is based on a permanent qube - the rest are handled in
disposables.
I think my note should be enough for you to put that in place.
In your case you will want to configure a number of different disposables
to handle the mail acquisition from different sources.
The mail store is, of course, offline.
The general principle here is that of using a backend shared qube
and of syncing the data between other qubes and the store. You can
extend that to transfer of any data in to a store.
What you do with that data is up to you - my preference is just to use
the store as a store. As an example, I use a shared qube for document
and media storage, and all files are actually opened in a named
disposable. The shared qube has no network access and no
readers/viewers installed, and is configured to open files in that named
disposable. An example is packaged for easy install here
Of course, this goes against the basis of compartmentalization, and you
will have to take specific steps to ensure that you do not compromise
that. You can set policies using qrexec arguments to limit data flows
between different qubes, and to keep the risk low. Distinct use of Qubes
firewall should also help to reduce risk. None of this will be easy, but
it is possible.
You mention correlations. It is possible to limit use of qubes to
specific times, to give some degree of separation between identities.
Another vital thing to do will be to use separate varieties of
sys-net, preferably based on different templates, and using different
NICs. Use some power backup to ensure that at least one of your
identities stays working in the event of a power outage: your vanilla
qubes should drop off when the main power/network drops.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Much appreciated, that looks like it should take me quite a long way. I stopped using mutt originally (ages ago) because I couldn’t see how to format text properly, but that’ll be a me problem and I liked using it otherwise (and Thunderbird’s not my cup of tea), so I’ll revisit.
Beyond email, I was initially thinking of something like an RSS reader for forums. Anyone know if there’s a similar standard that handles forums/chat well? Again, read-only is all I’m looking for.
Discourse has options for sending you emails based on your preferences. Mailing list mode will send you every post from categories you have followed/tracked, while summaries are dependent on your activity and preferred frequency.