Extra templateVM for email / vault?


does it make sense to build an extra templateVM for (for example) emailVM or vaultVM?

Or is it no real problem, if I surf with untrustedVM, get mails with emailVM, which have all the same templateVM as vault, personal and so on?

Best regards

1 Like

If you run all in an untrusted VM, this shouldn’t be much different to the behaviour some/most of us did 10 or 15 years ago.
Qubes was build for such paranoid ones of us, who driving every little thing in an own AppVM.

In other words: if you’re feeling fine in surfing + getting mails in the same VM - no problem. But thats a thing, you also can do on any other OS.
For your other question: it never is a real problem, having different qubes (for vault, mails, surfing and work) from the same templateVM.
The thing behind is - you’re using all on different AppVMs and this is much saver. That these AppVMs were children of their parent/templateVMs, doesn’t matter in this case - the childs won’t harm each other.

1 Like

I don’t want to run everythin in an untrusted VM. The question is about splitting not only the VMs, but ALSO the templateVMs. For example:

emailVM - templateVM-email
untrusted - templateVM-untrusted
personal - templateVM
vault - templateVM
shopping - templateVM

Or just having it all email / untrusted / personal /vault / shopping related to ONE templateVM

So, do an appVM can break through via the templateVM to another appVM or can these children really don’t harm each other? :slight_smile:

1 Like

Some people definitely do that for a better compartmentalization. Also, consider minimal templates, too.

1 Like

TemplateVM provides the root partition to the AppVM. Every reboot AppVM sees that the root partition is reset. So even if it tries to modify it, it will only be seen by this VM and only until reboot. Other AppVMs will not notice that. So no, the children cannot harm each other. More information: Templates | Qubes OS.

1 Like

ah, ok, thank you!
So the only security advantage to make nearly one templateVM for each appVM (maby better 3 districts which one template for different VMs: very safe / safe / not safe) is not to break the appVM itself, by opening for example PDF in the emailVM, isn’t it?

I considered the minimal templates for the sys-net and sys-firewall. But for that I must understand, what do I need for these Qubes and what is in the minimal template. But maby I will understand it there: Minimal templates | Qubes OS

Maby it would be “nice to have” feature, if the Qubes team can make such special templates for special porposes. For example just a template, that can manage sys-net and sys-firewall and NOTHING more. Or a template, that just can manage to get emails via thunderbird and nothing more… and so on. Just some standard cases. That would push the usability for non skilled users.

1 Like

Another advantage is that the less software you have installed, the less attack surface you have in general. Yet another advantage is that if your template is somehow compromised/broken, it will affect less AppVMs (ideally, only one). Compartmentalization to the limit!

This is an advanced feature that only experienced users would benefit from. At the same time it could confuse new users. Qubes already has a steep learning curve and a lot of VMs by default. Advanced users can install the minimal templates following the guide you linked (and ask for help here!).

ok… and what is the (security) difference, if I make just stanaloneVMs for nearly everything instead of making templateVMs and appVMs for each “task”? Is the benefit especially in separation from the root partition which is in the templateVM?

ok, sounds comprehensible

Yes, the reset of root partition is the main advantage in security. This brings more security through isolation. Software in the AppVM will not be able to change the root partition. It also bring a lot of convenience with updates, software installations, less disk space, lower number of VMs.

See also:

ok, sounds great! I use Qubes already for many years, but as a not very advanced user it has tons of things to learn :smiley:

So, will try to “build” templates for each purposes and kill all standalones (except windows)