I do have a couple of years with Linux. I am using Mint now.
I am a noob with Qubes. I can understand its philosophy.
However I have no idea how to use it wisely.
So after installation what updates or other installations should I do?
Is there a step-by-step list somewhere of what to do after installation?
Reading through many of the posts just confuses me, they are too advanced.
Most times I agree with everything @FranklyFlawless says, so you could do this:
âŚbut (the subversive viewpoint) you could just start by having a play around, to get your head around the whole concept of Qubes.
Play with disposables, surf some websites, and see all the cookies, everything it downloaded, and everything else just disappear, when you shutdown, or kill, the qube.
Try some âcopy/move to vmâ, to see how to save the stuff you want from those disposables.
Look at the other qubes already set up, if you did a default install. Take care not to shutdown sys-usb, if youâve got usb keyboard, but you can pretty much start and shutdown all the others. Work and Personal are âapp qubesâ where data and everything is persistent.
Run Qubes-manager - no need to change anything to start.
Check out how sys-firewall and sys-net chain together for regular networking of many other qubes⌠but not âvaultâ. See how the Whonix qubes work together for networking, if privacy and Tor is important to you.
Try cloning some qubes, create and remove some. Notice that a qube doesnât use much space. Why is that?
Remove networking from one, to make your own vault⌠with a different name of course.
Have a look in âSettingsâ for one of your qubes.
Thereâs a lot in there⌠you can break stuff with those settings, so do it now, before you put your valuable data or passwords in. Or at leasr start trying to understand how it all works. Why do some qubes have things in the right hand column under âDevicesâ, what are all the other tabs about?
And while youâre playing, have a think about what you want and need to do, and what data and activities you need to keep safe or private, or separate from each other. That is what will maybe turn into your âthreat modelâ, and then you can work out how to divide things up, and maybe have more of an idea what folk are talking about in all these posts.
Have fun, and break stuff now, while you still have that installation key, so you can just wipe it all and start again. It will all help when you come to do what @FranklyFlawless and @corporateblush suggest.
Weâve got some âbeginnerâs mistakesâ posts around here, I think. Quite a few folk say âI made 50 qubes and templates, and it was too manyâ. Some spend ages making complicated setups of networking. Some people need all that, but simple is good too.
And donât forget to check out qubes-backup, and restore. You know why!
âŚand last of all: donât be afraid to ask any questions here. Sometimes a thread gets a bit flamy, but itâs really quite friendly.
Is there a step-by-step list somewhere of what to do after installation?
The âQubes gameâ is driven by the desire to make the applications you use more and more secure, and, optionally, more private or even anonymous to use. At least for me, âusingâ Qubes is a somewhat never ending journey. You always find some new funky thing to try out to make your setup even better. This is generally how IT security (and privacy / anonymity) works - its a process, not a solution.
You identify which applications you use and for what. Emails â thunderbird, Browser â surfing the web, banking, forums, bla⌠Gaming. And so on. Thne you compartmentalize those - the default installation gives you the most simple approach to this (private, work, untrusted, sys-usb, sys-net and sys-firewall).
So the first step would be to map out what apps you use and install those in those default VMs I would say, then migrate any existing data you have there. After this you are already quite much reasonably secure.
Then understand how backups work, and do backups.
After this you start tinkering with additional security, like for example setting up a VM for a VPN.
Then you look at sys-firewall and you may think âwell thats a bit heavyâ. So you can look at solutions like the mirage firewall.
Then you look at sys-net and may think âwell thats pretty network-managerâ, so you might look at solutions like sys-net with OpenBSD.
Then you might look at your private Qube and think âwell thunderbird just had a billion remote code exec CVEs published, that should probably not sit next to my private banking browserâ, and you move thunderbird into a custom âmailâ VM.
Keep the original templates unmodified except for updates. Clone them to the templates you use, and thats where you add packages, make changes etc. The updater caches packages so you can have multiple similar templates without wasting bandwidth. If you mess up a template, its easy to just clone it and start over. For some appvms, theres no reason not to use the default template. The vault should only run keepassxc and maybe hold keys for split gpg / ssh. Sys stuff should use minimal templates, or the defaults.
For dispvms, I suggest a debian template. Fedora no longer has ublock origin in its repos. Debian also lets you configure firefox with a policy file, which is good if you donât want your isp to know you keep running firefox for the first time. Fedora overrides this with their blog page. Fedora is fine for other appvms, and theres no harm in keeping a dispvm template of that too.
Remember to sanitize files like pdfs by making trusted versions. In the file manager, you can right click and convert to trusted.
Havenât heard anyone else talk about this, but web browsers are the scary apps. Theyâre practically network operating systems running entirely in userspace. For most domains, I keep a separate browser vm, and still do most browsing in dispvms. For example, a work appvm, and work-browser appvm. If your a student, you might even have different appvms for classes, but that would be more organizational.
Compartmentalization isnât just about security. You can also use it for organization. Projects, groups of projects, whatever.
Keeping your passwords in a separate vault is one of the most underrated features of compartmentalized oses like qubes. Most OSes have something to try to protect password entry, but its better to prevent the problem.
Its not explicitly stated, but you can use the whonix dvm. Just start it as terminal instead of the browser, then run torbrowser from its command line if thats what you want to do. Starting it with the browser will just kill the dvm if it has to update.
Assuming you donât know yet what kind of qube arrangement you want, these steps will get you from vanilla install to a simple setup you can further adjust to your needs:
Yeah, if you donât really, really need something else, stick with the most defaults you can. If minimal gave that much extra security, then minimal would be default, and the other would be âfully loadedâ or something.
The worst thing for security is giving up Qubes because you made life too hard for yourself. Save that for later, when youâve got to grips with the basics.
Thanks to all for the replies. I must do a lot of reading now.
As far as a threat model goes I want to have a secure system to do investments and banking. I suppose that I could use another o/s, but this one captures my curosity. My family has been hacked ⌠how, who knows. But we were able to handle the problem. Seems like nothing is secure or private any more. Oh well!
split up all your apps into individual VMs and choose VM types that leave as little permanent storage as possible. If you do banking in a browser, use a dispvm for that. You have to log in each time (browser doesnt remember your password), but thats a small price (time) to pay
upgrade everything always often.
understand the gui firewall and restrict all VMs to only talk to the services they are supposed to.
If your are being targeted exclusively remotely and somebody accessing your laptop while its turned on and unlocked is not an issue, then you should be pretty safe with that setup in qubes.
OpenBSD would be the only alternative OS that comes to mind, but to configure that similarly secure as the list I stated above you need way more technical knowledge.
Oh and 4) of course do not use this laptop for anything other than what you really need for work. Ideally split browsing the web and everything you can, including even this forum, to another machine.
This should keep you âreasonably secureâ
Some banks -at least round here- require a whole 2FA procedure to register a browser for use. Sometimes a visit to the bank is needed. dispVMs are really inconvenient for that.
Separating different banks is good, though, and so is firewalling to remove the unnecessary calls to FaceBook, Twitter, etc, but it takes some time to set up.
Email and communication with the banks is another whole thingâŚ
But it sounds like Torpedo needs some time to get familiar with Qubes - maybe we should let them do that.
Some banks -at least round here- require a whole 2FA procedure to register a browser for use. Sometimes a visit to the bank is needed. dispVMs are really inconvenient for that.
You can create a named disposable VM for that, login with the AppVM once and then use it as named DispVM. To attach your 2FA device, attach it to usb and click in this usb attach thingy to attach it to the VM.
An insecure door is convinient (fast to open), a bunker door is inconvinient (takes more time to open) but its more secure. Security is commonly a trade of time for more security.
Separating different banks is good, though, and so is firewalling to remove the unnecessary calls to FaceBook, Twitter, etc, but it takes some time to set up.
Yeah true. You could use something like OpenSnitch for this (or give me a bit more time to release Qubes-Snitch lol).
Email and communication with the banks is another whole thingâŚ
Email is a bit of an entry way (Iâm looking at you thunderbird, and your millions of recent CVEs lol). I wouldnt trust it, Iâd recommend moving that to another machine if you are paranoid. Or at least to another Qube / an AppVM probably.
Ah just noticed it wasnt the op that wrote it, but none the less.
When the bank insists your 2FA device to use ebanking is exclusively your mobile phone device/mbanking app, then that is the real pain in the arse. Use Second space for it exclusively thenâŚ
omfg tell me about it.
The other day I googled how to run android in Qubes⌠There are ways, but supposedly all of them are caught by those crappy banking appsâŚ
Has anyone managed to run android in a Qubes VM that worked for a banking app?
Yes, I think I tried that route, but they really just wanted me to look like a regular user. Itâs no wonder the banks are so worried about fraud.
At least now, most of my banks donât require me to use both factors on every device
Letâs hope our Tornado realises theyâre in the right place if they want to progressively get their affairs as thoroughly protected as is reasonably possible.
Maybe we should move to a new thread, and let them have some spaceâŚ