Dangerzone for Qubes (alpha version) Available (Qubes Trusted PDF cousin)

Hi all! (Taking off my forum moderator hat for a moment)

As some of you may know, I’m one of the developers of Dangerzone, the cross-platform Qubes Trusted PDF cousin, originally developed by Micah Lee and taken under Freedom of the Press Foundation (FPF) since 2022. We recently started working on Dangerzone’s Qubes integration and I wanted to share some updates and welcome testers for our alpha version.

For some background, Dangerzone essentially reimplements Qubes Trusted PDF but cross-platform, using containers. It does however have some features beyond Qubes Trusted PDF, particularly OCR support (to make the final doc searchable), PDF compression, offline conversion by default and supporting multiple file types (images and documents).

The alpha Qubes support is already out, which means that Dangerzone can work in Qubes natively, using disposable qubes instead of containers for conversions. There are two caveats, though:

  • it requires manual installation from source, and configuring a diposable qube (subject to change)
  • we have not yet implemented security “guard rails”, so please use only with documents you trust :warning:

Want to help testing?

Follow these instructions. If you encounter problems, report them on our bug tracker and give us feedback here or on our Github Forum.

Next Steps

Now we’re working on the beta version which will make Dangerzone available as a package and close some of the implementation gaps, particularly making sure we handle errors correctly and adding timeouts.

Then, we’ll work towards the stable version. This will be focused on thinking more systematically about the multi-VM architecture of Dangerzone, in particular how we can make it easier to install and maintain. I have shared some thoughts on this already on the forum but more is to come.

SecureDrop Workstation Integration

An additional goal is to integrate Dangerzone with FPF’s Qubes-based SecureDrop Workstation to add document santization to journalists’ workflow when exporting files to less safe systems in the newsroom. Dangerzone will keep being a standalone project but just have this extra integration.

21 Likes

This is great. It was always a bummer for me to lose the OCR on the pdf docs after I sanitize them in qubes.

6 Likes

Hi, I checked out github. As it appears you have an integration for fedora templates. Are you planning one for debian templates as well?

1 Like

This would be just great!

But, can you please explain how you provided this in a safely manner, something like Joanna explained Qubes Trusted PDF here

I’ve overrided this by keeping both .trusted and .untrusted files. When I need security, I use former, when I need conveience, I use the latter one in offline dispvm. Yes, I know, overhead, but that’s the price I’m (now was?) ready to pay for it. :laughing:

3 Likes

On Qubes it has pretty much the same security properties. Just more formats and OCR.

But on non-Qubes systems recently gVisor was added Safe Ride into the Dangerzone: Reducing attack surface with gVisor to be able to get a bit closer to the isolation VMs provide. It is not the same, of course.

1 Like

Hi @deeplow and all!

Is this project still being actively developed? If so, I’d be happy to put in the effort and make myself available as a tester (Qubes 4.3.0).

I think the approach behind Dangerzone is excellent.

2 Likes

Yes, check out git log history

5 Likes

The description provided on GitHub describes the installation for Fedora 42, but, if modified appropriately, it will work for Fedora 43, too.

Currently, there is no version of Dangerzone for Debian templates.

1 Like

Are you sure? There is a debian based installation so why not install it and use a debian template?

It’s just setting a repo and install dangerzone from there.

I’ll give it a try both ways (fedora & debian) but am too busy right now to even start it…

1 Like

There are two different versions of Dangerzone:

  • The dangerzone repository is available for several operating systems, including Windows and Debian. It achieves the protection of the dangerous first part of the processing by putting this into a Docker container.

  • The dangerzone-qubes repository is a special version that can be installed only in a Fedora template running under Qubes. This version has far better protection of the first processing phase by putting that into a disposable qube.

As Docker is running completely within the same system as any other software used there, its protection is much weaker than the Qubes approach. If malware in a document may break out of the Docker container, there is a risk of infecting the whole system (or at least, under Qubes, the whole qube), whereas breaking out of a disposable VM has just the effect of destroying that VM.

6 Likes

You’re right! I tried an install in a debian based template, this is just fine. But the dispvm on that template is not able to give a “cleaned” PDF back automatically.

So what you can achieve with debian is only partly the functionality as “the one and only” fedora based installation.

2 Likes

Ok, dangerzone is now working nicely.

What about picture files? Is there a similar tool?

1 Like

dangerzone-qubes accepts already .jpg and .png files, converts them into .pdf, and even texts shown in the original pictures can be extracted from the generated files. (Tested in R4.3 with a Fedora 43 template).

4 Likes

Interesting! I checked it shortly after install and it didnt’t work with JPG.

Right now it worked. Was probably in a different AppVM where dangerzone wasn’t installed.

Thanks for clarification!

3 Likes

Thanks for the interest a @lars-qubes! And thanks for chiming in @GWeck. I am no longer a Dangerzone developer, but I believe @GWeck’s answers are accurate.

If you have a GitHub account, please feel free to report any issues you find for the Qubes version.

4 Likes