Default app vms/qubes

Sorry for the newbie question, but while I had used Qubes 3.2 in the past, it was a long while ago, and I’m sure a lot has changed by 4.2.

I have recently installed 4.2, and am trying to understand how these default apps differ: personal, work, vault, untrusted. Besides the color, I mean.

I am also trying to decide if I need a disposable vm, or if I can make untrusted disposable. Any help would be appreciated.

App qubes configured to prioritize security by compartmentalizing tasks and types of data: work, personal, untrusted, and vault. (There is nothing special about these qubes. If you were to create a black qube and name it vault, it would be the same as the pre-configured vault qube. They’re just suggestions to get you started.)

Also a newbie here.

Don’t know regarding previous versions, but personal, work, vault and untrusted are simple qubes. They differ by their intentions and qube’s settings as a result.

personal and work qubes differ by the intention that you, as the Qubes user, imply.
Same goes for the untrusted one.
vault simply doesn’t have networking.

From the docs:

Example usage: “In Qubes OS, you do your banking in your ‘banking’ qube and your web surfing in your ‘untrusted’ qube. That way, if your ‘untrusted’ qube is compromised, your banking activities will remain secure.”

Makes sense. I wish untrusted was a disposable qube.

I’m setting up firewall rules for work and personal. I’ll probably rename them to something more specific to my usage where personal is local lan only, and work is internet only. Maybe private and public or isolated and open.

You already can start a Firefox in a new disposable VM using the Menu button.

Understood. I just feel that if I am accessing untrusted sites, opening untrusted files, I want the qube I do it in to be disposable.

That’s the point, you can spin whatever qubes you like, however you want and as much as you like.
But you’re not there yet.
Don’t rush it and RTFM 🙂

I understand. I ended up deleting untrusted and recreating it as a disposable qube, with no access to the local lan.

I definitely will be reading the manual many times. I wish it was available as an ebook I could put on my kindle! With all the links, it is hard to know when I’ll have read it all.

I suspect I’ll reinstall Qubes from scratch also, just to make some changes once I know enough. Yes, I know I can probably make most of them after the fact (except possibly full disk encryption), but I’d like to start fresh anyway.

Pro Tip: if you do end up liking some of your changes, but want to perform a fresh install anyway, the Qubes Backup tool is a built-in way to back up entire qubes and restore them on your fresh install. There is a dedicated page in the official docs.

One thing worth noting: if you back up dom0, only the contents of your user’s home directory are backed up.

That’s the exact point in this case to not go this way.
He’s a newbie, he will break things and make some of them work not as intended.
That’s the whole point of re-installing the system.

Since I don’t have a lot invested in the current install, I’m not too worried about breaking things or reinstalling. A year from now would be a different story.

I favor a reinstall so that I can document my favorite “recipe” in case I decide to set up a second computer.

I’m sure I’ll have questions. For example:

  • is there an easy way to copy a firewall config from one qube to another?
  • what’s the best practice for setting up NFS mounts in a qube?

Thanks for all the help and advice. Hopefully I’ll get to the point someday where I can help the next generation of newbies.

I was thinking of setting up a dom0 script that takes the qube name and sets up the system firewall rules for the qube. That’s probably the easiest.

I’ll look more into those links about NFS mounts. Mostly it will be to mount music and e-books read-only. I may use a directory on the NAS to back up important files in my home directory also. Generally I have a /volume/user/computer/… structure so I can back up any user on any computer - I may need to consider how to extend that to include the qube name also.
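
The dom0 script idea from the post above, as an added example that is not from the thread or from the Qubes project: it takes a qube name and a profile and replaces that qube's firewall with ordered `qvm-firewall` rules for the two cases discussed earlier (local LAN only, internet only). The `LAN` subnet, the profile names and the `FW` override are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to be run in dom0.
# LAN is an assumed home subnet; set FW="echo qvm-firewall" for a dry run.
LAN=${LAN:-192.168.1.0/24}
FW=${FW:-qvm-firewall}

# Print the ordered rules for a profile, one per line (first match wins).
profile_rules() {
    case $1 in
        lan-only)
            echo "action=accept dsthost=$LAN"
            echo "action=drop" ;;
        internet-only)
            # Allow DNS first so the LAN drop can never block name resolution.
            echo "action=accept specialtarget=dns"
            echo "action=drop dsthost=$LAN"
            echo "action=accept" ;;
        *) return 1 ;;
    esac
}

# Replace the qube's firewall rules with those of the given profile.
apply_profile() {
    qube=$1 profile=$2
    rules=$(profile_rules "$profile") || { echo "unknown profile: $profile" >&2; return 2; }
    # Refuse empty names and anything that could be read as an option.
    case $qube in ''|-*|*[!A-Za-z0-9_-]*) echo "bad qube name" >&2; return 2 ;; esac
    $FW "$qube" reset || return 1
    # Assumption: after reset the only rule is the default accept-all at index 0.
    $FW "$qube" del --rule-no 0 || return 1
    echo "$rules" | while read -r rule; do
        # $rule is split on purpose: each key=value becomes one argument.
        $FW "$qube" add $rule || exit 1
    done || return 1
    $FW "$qube" list
}

if [ "$#" -eq 2 ]; then apply_profile "$1" "$2"; fi
```

Run it once with `FW="echo qvm-firewall"` to print the commands before applying them, then confirm the result with `qvm-firewall <qube> list`.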