How to check Qubes authenticity without the iso?

I have access to my bare metal install of QubesOS machine and ROOT

  1. what is the CLI command to verify that I really am on Qubes 4.2
    (I am sure I am but want to see it in the output to be sure)

  2. what is the CLI command to run a check on an already installed QubesOS to know if it is authentic (with the hash I presume).
    And
    can this be done offline, as I currently lack network connectivity and internet access for the laptop at this time
    (so I can’t follow the GIT instructions I saw btw, at least not right now during getting everything resetup).

  3. what is the link to where Qubes project website has that hash to compare it with?

• I tried searching online and in the Forum here for “Verify Qubes” and the results mostly were about verifying a USB iso file which I don’t have as this is a pre-install of QubesOS that shipped with the laptop from Star Labs; thus I must not be entering good enough search queries as I am not finding what I am looking for so I made this topic.

• Plus, I am in a predicament where many instructions I did find like GIT repos assume you have internet connectivity for the laptop — I am currently setting this up offline before risking having anything leak onto the internet as I am being CyberStalked so I need to set this up as hardened as possible before I place it online (I also need to still setup my new network too). Thus, I need instructions that DO NOT assume I have internet connectivity!

(yes I have cellular data on my phone, and no I will not use it as a hotspot as my attacker has capabilities to exploit cellular networks and phones but so far the new carrier and non-Google phone has kept me safe right now yet I dare not risk devices and keeping my new phone isolated)

Thank you

This can’t exist because if the system is compromised, it could fake the command to say it’s authentic.

You need to bootstrap the trust at some point, if you can’t trust the machine you are using, you can’t trust the files you download, so you can’t trust ISO to install your machine again.

By default, Qubes OS is hardened. The “best” an attacker could achieve could be to attack the sys-net qube which is only responsible for network. In your case, you should add a VPN or Tor so if a man in the middle targets you, they will see nothing except encrypted data or Tor, and no way to manipulate the content. Basically, they can’t do anything against you except blocking the traffic if it’s in their reach, but nothing more.

1 Like

There is none, and, if you think about it, there could not be. What happens if you ask a corrupt agency to investigate itself? They will say, “We have conducted a thorough investigation and have found no evidence of wrongdoing.” We must assume the same in the case of a compromised computer. If you enter some command into its terminal asking it to verify its own goodness, it will assure you that it is quite good indeed.

Isn’t this the same question as (1)?

Maybe what you meant instead is that you want to re-verify your installation media after writing.

The links are on the downloads page alongside each Qubes OS release. The link title for each is “Cryptographic hash values.” Each is a PGP clearsigned file, which you should authenticate by following these instructions.

1 Like

cat /etc/qubes-release

1 Like

Oh … didn’t think about this.

As for bootstrapping the trust. I was trusting Star Labs until

  1. They shipped extremely out of date UEFI boots older than they have been in business
  2. A Qubes Forum poster informed me Star Labs has a MasterKey of which Star Labs NEVER mentioned let alone gave instructions for, they only ever gave instructions on the KeySlot passphrases AFTER I bugged them about
  3. They haven’t responded in 3 business days, to a new customer (me)

They had my trust and that trust has now quickly eroded and I now am starting to regret doing business with them but didn’t have the $ for a Libre or Purism laptop. It is a shame Poor people always have to sacrifice their privacy and even security … I wasn’t poor again until everything was stolen so this makes me extra bitter going through this entire ordeal having been excited about Star Labs only to be let down.

Yes, these are my next To Do’s after I finish with the 2 Qubes laptops I got from Star Labs.

I have 2 hardware firewalls to set up, as well as a kill switch hardware based VPN and I will learn how to utilize the Whonix to connect to TOR as well. All that is on my list To Do.

:slight_smile:

Thank you for explaining btw

I didn’t exactly think this through, yes I understand now

Also thank you for the resource links I will be going through them soon

:slight_smile:

A masterkey for what? Your encrypted disk? :thinking:

If you are using a Starbook that is now certified Qubes OS, that seems quite bad from them

1 Like

Now verified the version, at least this is up to date

THANK YOU so much :pray:t3:

1 Like

Correct, the FDE for the entire disk

They NEVER even mentioned it, I only learned about it from someone replying to my AES topic thread brb grabbing the references as well as screenshotting the ONLY email Star Labs sent which NEVER mentioned the MasterKey let alone gave those instructions

brb

sm95’s clued me in on the KeySlots NOT being the same as FDE — prior I was clueless

1st Star Labs NEVER sent instructions until I asked and those instructions were only about user password changing and Key Slot password changing and deleting

NEVER did Star Labs mention the FDE so I assumed the FDE had to be the Key Slots but @sm95 informed me these are two different things

Star Lab email is as follows:





From what I’ve read, they didn’t hide anything.

They used a passphrase to unlock your LUKS device like anyone would do when creating a LUKS volume.

But the LUKS framework allows multiple passphrases / hardware tokens to unlock a single volume, and obviously this couldn’t work if they worked independently. These passphrases / hardware tokens (like a USB stick prepared for that) unlock the real key (the master key). This doesn’t mean Star Labs dumped it. I don’t know if this key can be changed without recreating the volume.

2 Likes
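
Added example (not part of any post in this thread, and not LUKS’s real on-disk format): a simplified Python model of the key-slot arrangement described in the reply above, showing that changing a passphrase rewrites a slot but leaves the master key unchanged, while re-encryption replaces the master key itself. `ToyVolume`, its methods and the passphrases are hypothetical; XOR and SHA-256 stand in for the real slot cipher and master-key digest.

```python
import hashlib
import hmac
import os

def wrap(master_key, passphrase, salt):
    # Passphrase -> key-encryption key (real LUKS: PBKDF2 or Argon2id), then
    # XOR as a stand-in for the cipher that wraps the master key in a slot.
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=32)
    return bytes(a ^ b for a, b in zip(master_key, kek))  # XOR: wrap == unwrap

class ToyVolume:
    """Simplified LUKS header: every key slot wraps the same master key."""
    def __init__(self, passphrase):
        self.reset(os.urandom(32), passphrase)

    def reset(self, master_key, passphrase):
        self.digest = hashlib.sha256(master_key).digest()  # recognises a correct unlock
        self.slots = {}
        self.add_slot(0, passphrase, master_key)

    def add_slot(self, index, passphrase, master_key):
        salt = os.urandom(16)
        self.slots[index] = (salt, wrap(master_key, passphrase, salt))

    def matches(self, key):
        return hmac.compare_digest(hashlib.sha256(key).digest(), self.digest)

    def unlock(self, passphrase):
        for index, (salt, wrapped) in self.slots.items():
            key = wrap(wrapped, passphrase, salt)
            if self.matches(key):
                return index, key
        raise ValueError("no key slot opens with this passphrase")

    def change_passphrase(self, old, new):
        index, key = self.unlock(old)
        self.add_slot(index, new, key)   # slot rewritten, master key untouched

    def reencrypt(self, passphrase):
        self.unlock(passphrase)
        # New master key; a real disk rewrites every sector under it.
        self.reset(os.urandom(32), passphrase)  # other slots are dropped in this model

def demo():
    vol = ToyVolume("vendor-setup")              # constructed passphrases
    recorded = vol.unlock("vendor-setup")[1]     # master key as it was at setup time
    vol.change_passphrase("vendor-setup", "owner-new")
    unchanged = vol.unlock("owner-new")[1] == recorded
    vol.reencrypt("owner-new")
    return unchanged, vol.matches(recorded)
```

`demo()` returns `(True, False)`: the master key survives the passphrase change, and only re-encryption makes the setup-time key stop matching the volume.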

So this is part of the process for shipping Qubes pre-installed, thus I should not be alarmed?

This makes me feel better.

So the assumption is Star Labs would dump the “Masterkey”, but they have to do it as they are the ones who had the iso image and initially setup my laptop

Okay I think I understand and am not freaking out anymore

I think in this situation, you can trust your current system, but if you don’t trust StarLabs for having good practices about your LUKS masterkey, you have 2 options: (see How to change LUKS device master key, cipher, hash, key-size in Linux | GoLinuxCloud)

  • download a Qubes OS 4.2 iso, verify its integrity, reinstall
  • try the cryptsetup-reencrypt tool mentioned in the link above that can change the master key, make sure to make a Qubes OS installer disk before + backups in case you screw everything because you will lose all the data if you make a mistake (or if the guide made a mistake) :sweat_smile:
1 Like

Due to currently lacking internet connectivity for my gear (except my phone) right now

I will be taking a risky dive into,

I understand the risk, luckily this is a new build so nothing is on it except the OS.

Just make sure to be able to reinstall in case something is wrong :wink:

1 Like

IMHO, your preoccupation with LUKS is completely misplaced. The vendor had direct access to your hardware. They assembled it. They had countless better opportunities to do something malicious that you would never be able to detect. This is like finding out your reality is a simulation, and your main concern is that whoever’s running the simulation might have stolen the (virtual) money out of your (virtual) safe. It is simply the wrong thing to be concerned about. If you don’t trust your hardware, you can’t trust anything that runs on it.

1 Like

Well it isn’t just about Star Labs,
my shipment was stuck in US Customs for 3 days as it was “randomly” picked

So I do wonder if the extremely outdated UEFI was Star Labs (likely yes) or if it was put on there during its pit stop inside of US Customs. Ironically, I am not trying to evade the government — but at the same time I don’t want anyone touching my shipment being that I need to know that Star Labs and Qubes have done the best they can so I can be confident not to be found and attacked by my Cyber Stalker Black Hat hacker again.

But yes, I see your point here …

I see you’ve rolled back (a little) on your initial claims against Star
Labs - I think you owe them an apology.

@adw has rightly pointed out that if you don’t trust Star Labs and the
hardware, then your effort at cryptsetup-reencrypt is just theatre. It
can do nothing to deal with the issue you think you face. Nothing
can.

2 Likes

I have already in a previous post rolled back most

But it is sketch that Star Labs sent me a build with extremely outdated UEFI versions from the 2000s not sure why they did that, so most of it is rolled back but I am still frustrated and a little sketched out that they would place an EXTREMELY outdated BIOS on a brand new build, and they have almost no customer support as all they did was dump me on Qubes to ask questions even though Star Labs was paid while Qubes was not. Don’t you see this as an issue? I do. I haven’t even bugged them that much, but since emailing them asking why they placed an outdated UEFI version instead of the most up to date version it has been now 4 business days and absolutely no reply email from them. Disappointed

I also already clarified I started with trust but now becoming a customer I am losing faith in them, they may not be doing anything on purpose but Star Labs will ship new builds with outdated firmware UEFI/BIOS, and not mention the FDE only the Key Slot LUKS.

Take it for what you will but these are going from 5 star rating to lower in my book

I expected better being they are technically in a similar consumer market for security and privacy, at least they put “security tape” on their shipment albeit sort of moot compared to the shipment options both Libre and Purism offers (both of which as stated before I cannot afford so I settled for Star Labs and even then I wanted the Star Fighter but again had to settle for the Star Book due to the limited budget on loaned $ I am working with since having all my own $ stolen).