I am preparing to take the jump into Qubes OS, by trying to configure a NitroPC2, which is on the certified hardware list.
The documentation clearly says you should take the integrated default graphics card, and you should take TianoCore.
But other than that, I was hoping to get some advice on the rest of the configuration.
CPU: i5 or i7
RAM: how much?
Memory: how much memory do you recommend in each of the 2 SSD and SATA slots? I would like to set up some type of internal data backup system. Currently I have less than 500 GB of data (PDF files, Excel files, pictures etc).
Case sealing: what are the disadvantages? Cooling and access to the hardware perhaps? I don’t have an extreme threat model, I just think Qubes would fit my requirement for compartmentalization very well.
Budget: I “maxed out” all options in the configuration and it was still acceptable, assuming it will serve me for hopefully years to come
Use case: a lot of office type work, consulting, accounting (specific accounting and ERP software), analysing data sets, video and photo editing, web browsing, …
i7 if you have the budget, the more CPU power the better.
Depends how many qubes you have. It’s also possible to upgrade this later. Depending on budget, take 32 or 64 GB, but it really depends on what you need.
Take one big storage in a single slot, this leaves the second slot for a further upgrade. If you do not have more than 500 GB, buy 1 TB or 2 TB depending on budget. Being tight on storage is always really annoying.
It’s just to have proof that the system was not opened during shipping; maybe it could also be used once you own it to check it was not opened. I don’t think it’s useful for most users; if you wonder why it’s useful, you certainly don’t need it.
Qubes OS is not really great for this task because of the lack of GPU acceleration.
Thank you very very much. As for the sealing, I guess that’s useful for identifying evil maid attacks and such, but in the end, is it not also a matter of trust that the sealing is not simulated by an adversary? I guess no sealing at all would make it even easier… So I mainly wonder about the disadvantages, as the advantages are clear. Does it possibly create ventilation issues or make it more difficult to add extra memory later?
As for Qubes OS ultimately being a good fit, I suppose there is only one way to find out. In any case, the Qubes OS hardware certification criteria still seem valuable, even if you end up going with another Linux distribution. That’s how I have been thinking about it.
I would personally probably still go with a variant that has an NVIDIA dGPU. In your workflow, image/video editing will most probably need a dGPU passed through to a VM, otherwise the performance will be horrible. While that config is not certified and it’s a risk, for me personally a lack of dGPU would be a big no-no.
While a dedicated GPU can be used this way, the setup is really not straightforward, unfortunately. This is not a plug and play situation, and Qubes OS does not have any specific tool to make this easy to my knowledge.
This only shows that the device was not opened, but all your peripherals could be tampered with.
If hardware is not explicitly Qubes-certified, there’s always the risk that parts of it (e.g. just the dGPU) or all of it may not work. I think it should work, but I cannot promise anything here. If it does work, an HCL contribution would be greatly appreciated.
Note: Only the “Dasharo TianoCore UEFI without Measured Boot, without Nitrokey” firmware option is certified. The “HEADS with Measured Boot, requires Nitrokey!” firmware option is not certified.
I am also trying to figure out the difference between the NovaCustom V56 and the NitroPad V56. They look physically identical. So I wonder what’s the difference and which is more secure. I searched the topic but couldn’t find it.
I’d put max specs within my budget. I used Qubes on an old machine and switched to a newer one, and the usability difference is huge. Probably not much use for more than 64GB for the average user, but I routinely go over 32GB in regular use, so take that for what you will.
Nitrokey Case Seal: Buyer Beware
I at one point bought the NitroPC with case sealed, and it was a (negligently, IMO) useless seal. They were just standard commercial stickers with the brand logo and were supposed to leave residue (like the word “opened”) when peeled. Not only could I find a substantially similar (if not the exact same) product online in 5 minutes, but the seals had peeled themselves off in the heat of shipping, and I could reapply and remove them several times without a trace with relative ease.
I returned it promptly, and that was a relatively painless process though. Just beware that they may not take physical security too seriously, depending on whether or not they changed practices since that incident.
As far as the V56 goes, it’s the same exact computer with (mostly) the same firmware. The only real difference is who sells it.
Speaking of physical security, you made me reflect on the fact that a laptop seems to have clear physical security advantages. For instance, you could have a small safe at your desk, when you leave your desk you can put the laptop in the safe to make tampering harder.
You could also lock down the entire room if it’s a desktop, but in case your family or maid are adversaries in disguise or get tricked by adversaries, it may be an added value to have the computer in a safe. Kind of overpreparing here, but it does seem logical.