How does Qubes update securely if connected to compromised network?

I keep reading that qubes assumes that your network has been compromised, but how does qubes assure that it can update securely in these connections?

I am someone who is required to be constantly travelling for work, and secure connections aren’t always possible.

Second question, assuming that qubes can assure updating is secure on potentially compromised connections, does that also apply to qubes? I.e you can safely browse on your appvms, log in to services and not worry too much?, Or is it simply disp only and no logging In to accounts & services?

Hello and welcome. These are 4 questions actually, so it’s better to open separate topic for each.

Here’s the answer to the original question from the subject

You can safely update using a compromised connection because you have the Qubes public key, when you receive an update it’s signed/encrypted with the Qubes private key. Any official Qubes updates can be decrypted using the Qubes public key, if this fails you know the file is modified or corrupted.

This only applies to files you receive from Qubes and can’t be applied to data in general.

You can use Tor/Whoinx to connect to the internet using a compromised connection, and it also uses public/private key encryption, but this is something separate from the Qubes update process.

1 Like

Update packages are cryptographically signed and aren’t installed unless the signature is successfully authenticated, so it doesn’t matter how compromised the network is. Imagine it like an armored truck transporting money through a bad neighborhood. (Except it’s feasible to break into an armored truck by brute force, whereas brute forcing strong cryptography is generally impractical.)

Dom0 also has additional protections:

1 Like