Hardening Qubes OS?

I was wondering whether anyone has any tips on how to further ‘harden’ Qubes OS. I am currently running all my sys-* as disposable vm’s. These sys* vm’s are all based on fedora-33-minimal. I also use 1 appvm/standalone per program. Any further tips would be appreciated!

I think beyond Qubes-specific measures, like using sys-disps, using minimal VMs, restarting VMs frequently, segregating VMs with different trust levels, and updating, everything else is plain Linux hardening (assuming a pure-Linux system).

I wouldn’t mind seeing a Qubes-centered Linux hardening guide here and don’t think it should be considered an ‘All around Qubes’ topic since Linux is so core to the overall system. Maybe start with a ‘tips and tricks’ thread that can then be compiled into a guide.


Not technically trained; consume advice with salt.

A few interesting hardening tips here: "Now You're Thinking with Qubes".

Using different operating systems may also improve your security through isolation (depending on your threat model). Qubes provides quite a few different OSs: Documentation | Qubes OS and minimal templates: Documentation | Qubes OS.

See also:

tip: use the in-forum search Search results for 'harden' - Qubes OS Forum