Do you have a template for each pseudonym/activity, or a template for each application?

For example, if I have a pseudonym John, and I need three apps:

  1. A browser (Brave, Trivalent, whatever)
  2. SimpleX
  3. Thunderbird

Would you:

  1. create a template named, say, whonix-workstation-17-john, and install the three programs in there (I know whonix-ws already has thunderbird), then create one qube named “john” that uses this one template.

  2. or have a template for each program, ws-17-brave, ws-17-simplex, ws-17-thunderbird, and then create 3 qubes for each program: john-brave, john-simplex, john-thunderbird.

The benefit I see of the latter option is, if I later want to have another pseudonym that also uses SimpleX (and I also still want to follow this practice of using a qube for one single app), then I can just reuse the existing ws-17-simplex template, instead of reinstalling SimpleX many times.

Thoughts?

1 Like

1 is sufficient.

1 Like

I’m using a VM for each task / Project / Activity / Outcome.
Each to their profiles, passwords, cookies, storage location.
Each Firefox with maxim extensions for privacy and security.

Containers, sandboxes, privacy, security… stand to be corrected!?

2 Likes

Templates are just a software base. You make a separate one when you need to install a 3rd-party repo, because it could mess up your template and mess up other VMs based on that template.

VMs depend on your needs.

I have a separate VM for e-mail (3 e-mail apps in one VM), a separate VM for YT, a separate VM for all banking, a separate disposable for shopping, a separate disposable for web searching, a separate VM for forums (QubesOS, GrapheneOS, GitHub), a separate VM for developing (VSCodium and git), separate sys-vpns for any VM that I use with a VPN, a separate VM for connecting to the NAS and so on…

1 Like

I have a template for each application (AppVM), and separate app qubes for each program. Something like:

john-brave (based on ws-17-brave)

john-simplex (based on ws-17-simplex)

john-thunderbird (based on ws-17-thunderbird)


mary-simplex (reusing ws-17-simplex template)

mary-brave (reusing ws-17-brave template)

I think it aligns with Qubes OS security principles: security through compartmentalization and efficiency through template reuse.


I think the incorrect usage is:

john-brave and john-simplex based on the same “general purpose” template, running applications simultaneously, compromising isolation.


Also, we need to think about disposable qubes, because they minimize template creation. So we need to consider using disposable qubes for single-use activities, but not for persistent pseudonym identities; in this case we could achieve more efficiency through template reuse (but avoiding running applications simultaneously).

Note: disposable qubes could be named disposables or unnamed disposables (also known as regular disposables). The first kind is used for services and the second is used for single-use activities, more adapted to running multiple applications simultaneously (disp1234, disp4321, disp1432… based on the same template but running in different instances).

I’m not 100% sure about running multiple applications “together” in unnamed disposables.


Also consider shutting down all distrusted qubes while using trusted ones, because sys-firewall is potentially insecure, and keep in mind that performing a data transfer from less trusted to more trusted qubes is always potentially insecure.


Going deep.

@parmesanseriously you must be aware of this:

References:

How does Qubes OS provide security? - Qubes OS FAQ

Templates - Inheritance and persistence - Qubes OS Documentation

Data leaks - The Role of the Firewall - Qubes OS Documentation

How to copy and move files - Qubes OS Documentation

2 Likes
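
The per-app layout described in the post above, as an added example that is not part of the original thread: a dry-run shell function that prints the dom0 commands for a list of persona:app pairs and plans each app template only once. The `sys-whonix` net qube and the `red` label are assumptions; template and qube names follow the thread.

```shell
#!/bin/sh
# Added example: dry-run planner for the "one template per app" layout.
# It only prints commands; review them, then run them in dom0 yourself.

BASE="whonix-workstation-17"   # base template named in the thread
PREFIX="ws-17"                 # per-app template prefix used in the thread
NETVM="sys-whonix"             # assumption: the Whonix gateway qube
LABEL="red"                    # assumption: any valid Qubes label works

# plan_layout "persona:app persona:app ..."
# Prints one qvm-clone per distinct app (template reuse) and one
# app qube per persona/app pair (compartmentalization).
plan_layout() {
    seen=""
    for pair in $1; do
        case "$pair" in
            *:*) ;;
            *) echo "bad pair (want persona:app): $pair" >&2; return 1 ;;
        esac
        persona=${pair%%:*}
        app=${pair#*:}
        tpl="$PREFIX-$app"
        case " $seen " in
            *" $app "*) ;;  # template already planned: reuse it
            *)
                seen="$seen $app"
                echo "qvm-clone $BASE $tpl"
                echo "# start $tpl, install only $app there, shut it down"
                ;;
        esac
        echo "qvm-create --class AppVM --template $tpl --label $LABEL $persona-$app"
        echo "qvm-prefs $persona-$app netvm $NETVM"
    done
}

# Constructed sample input: the John and Mary qubes from the post.
plan_layout "john:brave john:simplex john:thunderbird mary:simplex mary:brave"
```

The sample call plans three template clones and five app qubes, so Mary's qubes cost no extra template installs or updates.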

Templates aren’t running. You run a template when installing a new app or updating the template. Other than that, templates never run.

2 Likes

@parmesanseriously

The question is what do separate templates protect from.

“But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.”

So, at least in regards to Fedora, in Qubes there is the assumption that the installation process is trusted. If we assume the same applies to official templates as well (which makes sense), then installing a package from the official distro of the template is trusted. Using the installed software is a different story.

Considering you don’t run the software in the template, the separation of templates can protect from e.g. a security flaw of SimpleX exploiting a vulnerability in Thunderbird and acting through that. To my mind, this approach makes sense only if minimal templates are used. There is no minimal Whonix template though:

In any case, separating templates is not a tool to protect from identity-correlation, as user data is in the AppVMs, so template-X-john doesn’t make much sense.

2 Likes

Unless you install some external app outside of default repo.
I’ve used a separate template for RPM-Fusion, for example.

2 Likes

@KitsuneNoBaka

“Unless you install some external app outside of default repo.”

I said “installing a package from the official distro of the template” which implies official repos. Anything external is obviously not the official distro.

1 Like

Sorry; I know the purpose of templates in Qubes. My question was a bit more about how people organize their qubes.

Assuming that the software installed is trusted, I just would like to know if people here usually create one template for a pseudonym/activity, or for each application. Seems like there are pros and cons to both options.

2 Likes

For what it’s worth I use multiple templates cloned from minimal
templates to provide specific services.
I sometimes use different templates for personas.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

2 Likes

@parmesanseriously

“Assuming that the software installed is trusted”

I don’t see why you assume that.

1 Like

Well, true. I guess that’d mean choice number 2 (one template for each app) is a better option in your eyes?

Inherently, that would mean you’d have a qube for each app, and that makes me curious: do people here usually have qubes for each application, even though the persona/identity between these qubes are the same?

I guess, in John’s example, if the SimpleX qube gets compromised, the attacker wouldn’t be able to see, say, John’s browsing history (because it lives in a separate qube just for the browser). That’s a benefit, too.

2 Likes

Does it really matter to have a template for each persona if the CPU ID can potentially be identified?

1 Like

Do you really think that the cpuid is enough to link personas?

1 Like

Yes, with some additional metadata. I don’t know if it’s just fear that the government wants to put in us to control us, but in today’s times of massive data collection, AI power, sophisticated hacking tools and no warrants, it’s possible. Ordinary citizens (like me) simply have to trust security, as they do not have the technical knowledge and resources to actually verify it. But I believe that our collective effort for privacy is heading in the right direction, at the cost of a lot of collateral damage.


Privacy International v. Federal Bureau of Investigation (1:18-cv-01488)

“Government hacking poses increasingly urgent privacy and security risks because sophisticated hacking tools are becoming more widely available and increasingly easy to deploy.”

https://storage.courtlistener.com/recap/gov.uscourts.nywd.121072/gov.uscourts.nywd.121072.1.0.pdf

Carpenter v. United States (2018)

Carpenter v. United States - Wikipedia

Prior to Carpenter, government entities could obtain cellphone location records from service providers by claiming the information was required as part of an investigation, without a warrant, but the ruling changed this procedure.

https://constitutioncenter.org/the-constitution/supreme-court-case-library/carpenter-v-united-states

"Excerpt: Dissent, Justice Samuel Alito
The Fourth Amendment restricts the conduct of the Federal Government and the States; it does not apply to private actors. But today, some of the greatest threats to individual privacy may come from powerful private companies that collect and sometimes misuse vast quantities of data about the lives of ordinary Americans. If today’s decision encourages the public to think that this Court can protect them from this looming threat to their privacy, the decision will mislead as well as disrupt. "

1 Like

The metadata is far more likely to catch you than the cpuid, and user
error far more likely to link personae than cpuid.
Leaking cpuid is an overstated risk, and of less importance than being a
Qubes user, and that is hard to hide.

2 Likes

@parmesanseriously

“Well, true. I guess that’d mean choice number 2 (one template for each app) is a better option in your eyes?”

It depends.

Example 1:

It hardly makes sense to put vim in one app and less in another for security reasons.

Example 2:

App (X): a mail client
App (Y): a chat client
Data (D): "My name is John and I communicate with Peter "

Both X and Y process D. Is it a concern that theoretically X may exploit a vulnerability in Y to exfiltrate D, considering X has that same data?

“Inherently, that would mean you’d have a qube for each app, and that makes me curious: do people here usually have qubes for each application, even though the persona/identity between these qubes are the same?”

Sometimes it could be worth it. You have to evaluate what you are protecting.

Example 3:

You are the same person e.g. on Facebook and in the e-bank. No need to share your banking info with Facebook, so separate AppVMs but one template with a browser is enough.

Example 4:

Sensitive medical data (e.g. blood test results). You would like to have this in a minimal offline qube, perhaps even additionally encrypted. In real life, however, labs and clinics process all your personal data on Windows and upload it unencrypted to a “secure cloud”, and that data is communicated through the doctor’s Viber and Gmail running on his iPhone.

“I guess, in John’s example, if the SimpleX qube gets compromised, the attacker wouldn’t be able to see, say, John’s browsing history (because it lives in a separate qube just for the browser). That’s a benefit, too.”

Could be…

2 Likes

Thank you all for some thought-provoking posts.

I think @qubist has a good idea - there is a lot to be learned from examples.

Here are some counter-cases I sort-of rely on…
… I think you will see that they mean I do not 100% consider that

A first example:

Here it is true that the fact of communication may be shared between the clients. I consider that it is very valuable to separate the channels of communication. If they are separated at both ends, when I receive an unexpected email, I can use chat to ask Peter about it. Otherwise, I must find a 3rd channel…

In general, after seeing the intricate hiding used for the xz backdoor, I try to separate as much as possible. Imagine an exfiltration payload, hidden so cleverly, that was only activated on VMs running in a Qubes environment… what would be the chance of it being spotted as early as xz was. (This may be pure tinfoil-hattery, but this LWN article on xz is worth reading. It was clever stuff.)

True again, and my banking qubes are firewalled to the bare minimum of connectivity. BUT every few weeks I make a dated clone of the fully updated browser template, and disable updates on the clone. After a few weeks, I switch to using the dated template for banking. My hope is that this will give a window for someone else to discover a problem with upstream, like a dev who got their signing key stolen during the weekend. In effect, my banking qube is a late adopter of recent updates. Am I the only one to do this? Am I hopelessly paranoid?

1 Like

I organize my Qubes using standalone VMs for different profiles or activities, starting with minimal templates.

For example, if I have a pseudonym like “John” and need a few specific apps, I would create a standalone VM called something like john, based on a minimal template. I’d then install only the necessary apps (like Brave, SimpleX, Thunderbird) in that standalone VM, so everything related to John is contained within its own isolated environment.

This approach has the benefit of keeping things clean and organized. If I later need another pseudonym, I could easily create a new standalone VM for it (e.g., alice), based on the same minimal template, and install the apps needed for that profile. The apps themselves would be isolated to their respective VMs, but I can still reuse the base template (e.g., whonix-workstation-17 or debian-11-minimal) without unnecessary duplication.

To summarize: I prefer the single qube per profile approach because it keeps the system simple and efficient, while also maintaining strong separation between activities. Plus, I only need to install each app once and can reuse the same template for different qubes as needed.

Hope this helps!

2 Likes