Just joined yesterday, had install Qubes, now what?

I do have a couple of years with Linux. I am using Mint now.
I am a noob with Qubes. I can understand its philosophy.
However I have no idea how to use it wisely.

So after installation what updates or other installations should I do?
Is there a step-by-step list somewhere of what to do after installation?
Reading through many of the posts just confuses me, they are too advanced.

Kudos to the developers.

4 Likes

You should put your threat model on a paper and then read for example this:

and from there follow the links on that page. The biggest security mistakes are made at the beginning, remember.

5 Likes

Critically think about what you are trying to achieve first before moving forward with any roadmap.

6 Likes

Hi @Torpedo

Most times I agree with everything @FranklyFlawless says, so you could do this:

…but (the subversive viewpoint) you could just start by having a play around, to get your head around the whole concept of Qubes.

Play with disposables, surf some websites, and see all the cookies, everything it downloaded, and everything else just disappear, when you shutdown, or kill, the qube.

Try some “copy/move to vm”, to see how to save the stuff you want from those disposables.

Look at the other qubes already set up, if you did a default install. Take care not to shutdown sys-usb, if you’ve got usb keyboard, but you can pretty much start and shutdown all the others. Work and Personal are “app qubes” where data and everything is persistent.

Run Qubes-manager - no need to change anything to start.
Check out how sys-firewall and sys-net chain together for regular networking of many other qubes… but not ‘vault’. See how the Whonix qubes work together for networking, if privacy and Tor is important to you.

Try cloning some qubes, create and remove some. Notice that a qube doesn’t use much space. Why is that?

Remove networking from one, to make your own vault… with a different name of course.

Have a look in “Settings” for one of your qubes.
There’s a lot in there… you can break stuff with those settings, so do it now, before you put your valuable data or passwords in. Or at leasr start trying to understand how it all works. Why do some qubes have things in the right hand column under “Devices”, what are all the other tabs about?

And while you’re playing, have a think about what you want and need to do, and what data and activities you need to keep safe or private, or separate from each other. That is what will maybe turn into your “threat model”, and then you can work out how to divide things up, and maybe have more of an idea what folk are talking about in all these posts.

Have fun, and break stuff now, while you still have that installation key, so you can just wipe it all and start again. It will all help when you come to do what @FranklyFlawless and @corporateblush suggest.

We’ve got some “beginner’s mistakes” posts around here, I think. Quite a few folk say “I made 50 qubes and templates, and it was too many”. Some spend ages making complicated setups of networking. Some people need all that, but simple is good too.

And don’t forget to check out qubes-backup, and restore. You know why!

…and last of all: don’t be afraid to ask any questions here. Sometimes a thread gets a bit flamy, but it’s really quite friendly.

6 Likes

You can update using the Qubes Update too. You can install software in the templates just like you would do in Mint.

Is there a step-by-step list somewhere of what to do after installation?

No. Just create and use VMs depending on your needs.

6 Likes

Is there a step-by-step list somewhere of what to do after installation?

The “Qubes game” is driven by the desire to make the applications you use more and more secure, and, optionally, more private or even anonymous to use. At least for me, “using” Qubes is a somewhat never ending journey. You always find some new funky thing to try out to make your setup even better. This is generally how IT security (and privacy / anonymity) works - its a process, not a solution.

You identify which applications you use and for what. Emails → thunderbird, Browser → surfing the web, banking, forums, bla… Gaming. And so on. Thne you compartmentalize those - the default installation gives you the most simple approach to this (private, work, untrusted, sys-usb, sys-net and sys-firewall).

So the first step would be to map out what apps you use and install those in those default VMs I would say, then migrate any existing data you have there. After this you are already quite much reasonably secure.

Then understand how backups work, and do backups.

After this you start tinkering with additional security, like for example setting up a VM for a VPN.

Then you look at sys-firewall and you may think “well thats a bit heavy”. So you can look at solutions like the mirage firewall.

Then you look at sys-net and may think “well thats pretty network-manager”, so you might look at solutions like sys-net with OpenBSD.

Then you might look at your private Qube and think “well thunderbird just had a billion remote code exec CVEs published, that should probably not sit next to my private banking browser”, and you move thunderbird into a custom “mail” VM.

And then you continue this forever :wink:

4 Likes

Tips to get you started.

Keep the original templates unmodified except for updates. Clone them to the templates you use, and thats where you add packages, make changes etc. The updater caches packages so you can have multiple similar templates without wasting bandwidth. If you mess up a template, its easy to just clone it and start over. For some appvms, theres no reason not to use the default template. The vault should only run keepassxc and maybe hold keys for split gpg / ssh. Sys stuff should use minimal templates, or the defaults.

For dispvms, I suggest a debian template. Fedora no longer has ublock origin in its repos. Debian also lets you configure firefox with a policy file, which is good if you don’t want your isp to know you keep running firefox for the first time. Fedora overrides this with their blog page. Fedora is fine for other appvms, and theres no harm in keeping a dispvm template of that too.

Remember to sanitize files like pdfs by making trusted versions. In the file manager, you can right click and convert to trusted.

Haven’t heard anyone else talk about this, but web browsers are the scary apps. They’re practically network operating systems running entirely in userspace. For most domains, I keep a separate browser vm, and still do most browsing in dispvms. For example, a work appvm, and work-browser appvm. If your a student, you might even have different appvms for classes, but that would be more organizational.

Compartmentalization isn’t just about security. You can also use it for organization. Projects, groups of projects, whatever.

Keeping your passwords in a separate vault is one of the most underrated features of compartmentalized oses like qubes. Most OSes have something to try to protect password entry, but its better to prevent the problem.

Its not explicitly stated, but you can use the whonix dvm. Just start it as terminal instead of the browser, then run torbrowser from its command line if thats what you want to do. Starting it with the browser will just kill the dvm if it has to update.

2 Likes

It’s not the defaults, but one can use a caching proxy.

Do not use minimal template.

2 Likes

Assuming you don’t know yet what kind of qube arrangement you want, these steps will get you from vanilla install to a simple setup you can further adjust to your needs:

  1. Check out quality of life improvements, you’ll probably want to pick things from there as you go
  2. Set up an audio qube
  3. Secret separation (split ssh and split gpg) if you need it
  4. Probably some form of GPU passthrough, assuming you have an IOMMU or SR-IOV machine
  5. Have fun!

p.s. these are what I think of as most common task-agnostic things people do with their setups, there are no rules, all steps are optional

2 Likes
2 Likes

Yeah, if you don’t really, really need something else, stick with the most defaults you can. If minimal gave that much extra security, then minimal would be default, and the other would be “fully loaded” or something.

The worst thing for security is giving up Qubes because you made life too hard for yourself. Save that for later, when you’ve got to grips with the basics.

2 Likes

Thanks to all for the replies. I must do a lot of reading now.
As far as a threat model goes I want to have a secure system to do investments and banking. I suppose that I could use another o/s, but this one captures my curosity. My family has been hacked … how, who knows. But we were able to handle the problem. Seems like nothing is secure or private any more. Oh well!

3 Likes

Thanks, following that lead to https://qubes.3isec.org/tasks.html which looks great out of the box setup.

2 Likes

Your question is answered here. :grinning:

1 Like

my best suggestion would be:

  1. split up all your apps into individual VMs and choose VM types that leave as little permanent storage as possible. If you do banking in a browser, use a dispvm for that. You have to log in each time (browser doesnt remember your password), but thats a small price (time) to pay
  2. upgrade everything always often.
  3. understand the gui firewall and restrict all VMs to only talk to the services they are supposed to.

If your are being targeted exclusively remotely and somebody accessing your laptop while its turned on and unlocked is not an issue, then you should be pretty safe with that setup in qubes.
OpenBSD would be the only alternative OS that comes to mind, but to configure that similarly secure as the list I stated above you need way more technical knowledge.

Oh and 4) of course do not use this laptop for anything other than what you really need for work. Ideally split browsing the web and everything you can, including even this forum, to another machine.
This should keep you “reasonably secure” :wink:

2 Likes
  • Some banks -at least round here- require a whole 2FA procedure to register a browser for use. Sometimes a visit to the bank is needed. dispVMs are really inconvenient for that.
  • Separating different banks is good, though, and so is firewalling to remove the unnecessary calls to FaceBook, Twitter, etc, but it takes some time to set up.
  • Email and communication with the banks is another whole thing…

But it sounds like Torpedo needs some time to get familiar with Qubes - maybe we should let them do that.

2 Likes
  • Some banks -at least round here- require a whole 2FA procedure to register a browser for use. Sometimes a visit to the bank is needed. dispVMs are really inconvenient for that.

You can create a named disposable VM for that, login with the AppVM once and then use it as named DispVM. To attach your 2FA device, attach it to usb and click in this usb attach thingy to attach it to the VM.

An insecure door is convinient (fast to open), a bunker door is inconvinient (takes more time to open) but its more secure. Security is commonly a trade of time for more security.

  • Separating different banks is good, though, and so is firewalling to remove the unnecessary calls to FaceBook, Twitter, etc, but it takes some time to set up.

Yeah true. You could use something like OpenSnitch for this (or give me a bit more time to release Qubes-Snitch lol).

  • Email and communication with the banks is another whole thing…

Email is a bit of an entry way (I’m looking at you thunderbird, and your millions of recent CVEs lol). I wouldnt trust it, I’d recommend moving that to another machine if you are paranoid. Or at least to another Qube / an AppVM probably.

Ah just noticed it wasnt the op that wrote it, but none the less.

2 Likes

When the bank insists your 2FA device to use ebanking is exclusively your mobile phone device/mbanking app, then that is the real pain in the arse. Use Second space for it exclusively then…

3 Likes

omfg tell me about it.
The other day I googled how to run android in Qubes… There are ways, but supposedly all of them are caught by those crappy banking apps…
Has anyone managed to run android in a Qubes VM that worked for a banking app?

2 Likes

:slight_smile:

Yes, I think I tried that route, but they really just wanted me to look like a regular user. It’s no wonder the banks are so worried about fraud.

At least now, most of my banks don’t require me to use both factors on every device :person_facepalming:

Let’s hope our Tornado realises they’re in the right place if they want to progressively get their affairs as thoroughly protected as is reasonably possible.

Maybe we should move to a new thread, and let them have some space…

2 Likes