How to check Qubes authenticity without the iso?

I have access to my bare metal install of QubesOS machine and ROOT

  1. what is the CLI command to verify that I really am on Qubes 4.2
    (I am sure I am but want to see it in the output to be sure)

  2. what is the CLI command to run a check on an already installed QubesOS to know if it is authentic (with the hash I presume).
    can this be done offline, as I currently lack network connectivity and internet access for the laptop at this time
    (so I can’t follow the GIT instructions I saw btw, at least not right now during getting everything resetup).

  3. what is the link to where Qubes project website has that hash to compare it with?

• I tried searching online and in the Forum here for “Verify Qubes” and the results mostly were about verifying a USB iso file which I don’t have as this is a pre-install of QubesOS that shipped with the laptop from Star Labs; thus I must not be entering good enough search queries as I am not finding what I am looking for so I made this topic.

• Plus, I am in a predicament where many instructions I did find like GIT repos assume you have internet connectivity for the laptop — I am currently setting this up offline before risking having anything leak onto the internet as I am being CyberStalked so I need to set this up as hardened as possible before I place it online (I also need to still setup my new network too). Thus, I need instructions that DO NOT assume I have internet connectivity!

(yes I have cellular data on my phone, and no I will not use it as a hotspot as my attacker has capabilities to exploit cellular networks and phones but so far the new carrier and non-Google phone has kept me safe right now yet I dare not risk devices and keeping my new phone isolated)

Thank you

this can’t exist because if the system is compromised, it could fake the command to say it’s authentic

You need to bootstrap the trust at some point, if you can’t trust the machine you are using, you can’t trust the files you download, so you can’t trust ISO to install your machine again.

By default, Qubes OS is hardened. The “best” an attacker could achieve could be to attack the sys-net qube which is only responsible for network. In your case, you should add a VPN or Tor so if a man in the middle targets you, they will see nothing except encrypted data or tor, and no way to manipulate the content. Basically, they can’t do anything against you except blocking the traffic if it’s in their reach, but nothing more.

1 Like

There is none, and, if you think about it, there could not be. What happens if you ask a corrupt agency to investigate itself? They will say, “We have conducted a thorough investigation and have found no evidence of wrongdoing.” We must assume the same in the case of a compromised computer. If you enter some command into its terminal asking it to verify its own goodness, it will assure you that it is quite good indeed.

Isn’t this the same question as (1)?

Maybe what you meant instead is that you want to re-verify your installation media after writing.

The links are on the downloads page alongside each Qubes OS release. The link title for each is “Cryptographic hash values.” Each is a PGP clearsigned file, which you should authenticate by following these instructions.

1 Like

cat /etc/qubes-release

1 Like

Oh … didn’t think about this.

As for bootstrapping the trust. I was trusting Star Labs until

  1. They shipped extremely out of date UEFI boots older than they been in business
  2. A Qubes Forum poster informed me Star Labs has a MasterKey of which Star Labs NEVER mentioned let alone gave instructions for, they only ever gave instructions on the KeySlot passphrases AFTER I bugged them about
  3. They haven’t responded in 3 business days, to a new customer (me)

They had my trust and that trust has now quickly eroded and I now am starting to regret doing business with them but didn’t have the $ for a Libre or Purism laptop. It is a shame Poor people always have to sacrifice their privacy and even security … I wasn’t poor again until everything was stolen so this makes me extra bitter going through this entire ordeal having been excited about Star Labs only to be let down.

Yes, these are my next To Do’s after I finish with the 2 Qubes laptops I got from Star Labs.

I have 2 hardware firewalls to set up, as well as a kill switch hardware based VPN and I will learn how to utilize the Whonix to connect to TOR as well. All that is on my list To Do.


Thank you for explaining btw

I didn’t exactly think this through, yes I understand now

Also thank you for the resource links I will be going through them soon


A masterkey for what? Your encrypted disk? :thinking:

If you are using a Starbook that is now certified Qubes OS, that seems quite bad from them

1 Like

Now verified the version, at least this is up to date

THANK YOU so much :pray:t3:

1 Like

Correct, the FDE for the entire disk

They NEVER even mentioned it, I only learned about it from someone replying to my AES topic thread brb grabbing the references as well as screenshotting the ONLY email Star Labs sent which NEVER mentioned the MasterKey let alone gave those instructions


sm95’s clued me in on the KeySlots NOT being the same as FDE — prior I was clueless

1st Star Labs NEVER sent instructions until I asked and those instructions were only about user password changing and Key Slot password changing and deleting

NEVER did Star Labs mention the FDE so I assumed the FDE had to be the Key Slots but @sm95 informed me these are two different things

Star Lab email is as follows:

from what I’ve read, they didn’t hide anything.

They used a passphrase to unlock your LUKS device like anyone would do when creating a LUKS volume.

But LUKS framework allows multiple passphrases / hardware token to unlock a single volume, and obviously this couldn’t work if they worked independently. These passphrases / hardware token (like an USB stick prepared for that) unlock the real key (the master key). This doesn’t mean StarLab dumped it. I don’t know if this key can be changed without recreating the volume.


So this is part of the process for shipping Qubes pre-installed, thus I should not be alarmed?

This makes me feel better.

So the assumption is Star Labs would dump the “Masterkey”, but they have to do it as they are the ones who had the iso image and initially setup my laptop

Okay I think I understand and am not freaking out anymore

I think in this situation, you can trust your current system, but if you don’t trust StarLabs for having good practices about your LUKS masterkey, you have 2 options: (see How to change LUKS device master key, cipher, hash, key-size in Linux | GoLinuxCloud)

  • download a Qubes OS 4.2 iso, verify its integrity, reinstall
  • try the cryptsetup-reencrypt tool mentioned in the link above that can change the master key, make sure to make a Qubes OS installer disk before + backups in case you screw everything because you will lose all the data if you make a mistake (or if the guide made a mistake) :sweat_smile:
1 Like

Due to currently lacking internet connectivity for my gear (except my phone) right now

I will be taking a risky dive into,

I understand the risk, luckily this is a new build so nothing is on it except the OS.

Just make sure to be able to reinstall in case something is wrong :wink:

1 Like

IMHO, your preoccupation with LUKS is completely misplaced. The vendor had direct access to your hardware. They assembled it. They had countless better opportunities to do something malicious that you would never be able to detect. This is like finding out your reality is a simulation, and your main concern is that the whoever’s running the simulation might have stolen the (virtual) money out of your (virtual) safe. It is simply the wrong thing to be concerned about. If you don’t trust your hardware, you can’t trust anything that runs on it.

1 Like

Well it isn’t just about Star Labs,
my shipment was stuck in US Customs for 3 days as it was “randomly” picked

So I do wonder if the extremely outdated UEFI was Star Labs (likely yes) or if it was put on there during its pit stop inside of US Customs. Ironically, I am not trying to evade the government — but at the same time I don’t want anyone touching my shipment being that I need to know that Star Labs and Qubes has done the best they can so I can be confident not to be found and attacked by my Cyber Stalker Black Hat hacker again.

But yes, I see your point here …

I see you’ve rolled back (a little) on your initial claims against Star
Labs - I think you owe them an apology.

@adw has rightly pointed out that if you dont trust Star Labs and the
hardware, then your effort at cryptsetup-reencrypt is just theatre. It
can do nothing to deal with the issue you think you face. Nothing


I have already in a previous post rolled back most

But it is sketch that Star Labs sent me a build with extremely outdated UEFI versions from the 2000s not sure why they did that, so most of it is rolled back but I am still frustrated and a little sketched out that they would place an EXTREMELY outdated BIOS on a brand new build, and they have almost no customer support as all they did was dump me on Qubes to ask questions even though Star Labs was paid while Qubes was not. Don’t you see this an issue I do. I haven’t even bugged them that much, but since emailing them asking why they placed an outdated UEFI version instead of the most up to date version it has been now 4 business days and absolutely no reply email from them. Disappointed

I also already clarified I started with trust but now becoming a customer I am losing faith in them, they may not be doing anything on purpose but Star Labs will ship new builds with outdated firmware UEFI/BIOS, and not mention the FDE only the Key Slot LUKS.

Take it for what you will but these are going from 5 star rating to lower in my book

I expected better being they are technically in a similar consumer market for security and privacy, at least they put “security tape” on their shipment albeit sort of moot compared to the shipment options both Libre and Purism offers (both of which as stared before I cannot afford so I settled for Star Labs and even then I wanted the Star Fighter but again had to settle for the Star Book due to the limited budget on loaned $ I am working with since having all my own $ stolen).