Most secure solution(s) for wireless capabilities with Qubes

Dear community,

I would like to use Qubes on a mini-PC and I am searching for the best solutions to have wireless without sacrificing security.
Wireless would be essentially for connecting to routers, monitors and keyboards.

I read that one solution would be to use a wifi dongle (usb/wifi dongle for example) which I would connect to my Qubes PC therefore not compromising the basic principles of Qubes.

Is this the best solution? What about internet, do you necessarily connect to your router via (ethernet/fiber) cable?

Thanks

From my point of view, as far as we do not use open source hardware, there’s still risk there.
Qubes works by isolating each component or software; by using a wifi dongle (usb), you won’t isolate usb (or at least 1 usb ctrl) and internet.

Yeah, if I were you, I would try and NOT use wireless when it comes to your private network (wifi is risky and bluetooth can be even worse).

What I would recommend is buying a mini-PC with NO wifi card.
Plug your mini-PC to your router with cable.
Connect your keyboard and monitor via cable as well.

→ whenever you don’t use the internet (unplug your ethernet cable for extra assurance).
→ try not to have your mini-PC running 24/7, reboot regularly
→ make sure software is updated

See also: OPSEC considerations when using wifi

> Wireless would be essentially for connecting to routers, monitors and keyboards.
>
> I read that one solution would be to use a wifi dongle (usb/wifi dongle for example) which I would connect to my Qubes PC therefore not compromising the basic principles of Qubes.

I want to be sure I am not misreading your intent, and I probably am. The direction of the connection with the keyboard and monitors is what I am unsure of, but just in case…

Are you saying you want a remote connection in through Wifi, using another system’s remote keyboard and remote monitor to login and use this Qubes PC remotely? If so, that in itself would break the Qubes/dom0 isolation paradigm by opening up dom0 to direct attack from the outside through that wifi dongle. Dom0 by design has no network for a reason.

What about a KVM switch to connect to it? That would give both keyboard and monitor access without opening the control of Qubes/dom0 up to every Tom, Dick, and Harry on the Internet.

Or is this a private LAN network with no Internet access and sitting in a shielded room? If dom0 isolation matters then KVM would be better as long as the cable run length is within its limits.

If cable length is an issue then at least use an ipsec VPN-only connection on that if which disallows all non-vpn connections and only permits known machines with the right keys.

Sorry if I misunderstood your actual situation.

Thank you (all) for your answer(s).

I have been doing quite a lot of research since my post.

My intent was indeed for a keyboard (mouse is optional) to connect wirelessly (wifi, bluetooth whatever) to my miniPC.
Then why not also have a monitor connect to miniPC via wifi/bluetooth.
And finally miniPC connect to my home router wirelessly to access the internet.

I was preparing myself for some skeptical answers but since I am new to Qubes and security to some extent, I was blown away by the amount of hardware/software vulnerabilities we have to face.

Today, I basically learned that Hdmi is vulnerable, Vga is vulnerable, even using USB for anything is terrible. :frowning:

I am totally lost as to find out the best solution to plug a keyboard and monitor to my miniPC in a secure manner as it does not have ps/2 and it seems that people in this forum argue that even usb-to-ps/2 is not secure.

FYI, my “adversary” as folks seem to say is a hacker who was eavesdropping on my computer for months/years I don’t know. He voluntarily made himself known to me by typing stuff (like my name) on my terminal and then modified my root file (probably others to mask traces) and have not heard of him since.
Really creepy but let’s say my threat model is to avoid this, not being searched by government…
I am also voluntarily leaving out the possibility of an attacker getting physical access to my machine.

So basically I am learning how to secure my network on the one hand, while on the other I am trying to find out what’s best in terms of computer security.

How do you connect to your monitor and keyboard in a relatively secure manner? Does an ethernet-to-ps/2 exist?

PS: examples of mini-PCs I am looking at:

  • librem mini
  • nitroPC from Nitrokey

I’m only going to mention this once & answer no further questions regarding it. What you may be wanting is a form of “extension.” I know of a company that made a PS/2/VGA extension which technically utilized cat5 (don’t confuse this with true ethernet, same wire cabling, different acting components on either end so don’t plug these into a switch or hub) to provide distance between devices & PCs. I know of a company & will not do more than mention their name - there are likely many such companies & the value of their products with respect to security may be anywhere from useful to useless. Raritan is one such company.

browser, August 28:

> Thank you (all) for your answer(s).
>
> I have been doing quite a lot of research since my post.
>
> My intent was indeed for a keyboard (mouse is optional) to connect wirelessly (wifi, bluetooth whatever) to my miniPC.
> Then why not also have a monitor connect to miniPC via wifi/bluetooth.
> And finally miniPC connect to my home router wirelessly to access the internet.

Thank you for that clarification.

> FYI, my “adversary” as folks seem to say is a hacker who was eavesdropping on my computer for months/years I don’t know. He voluntarily made himself known to me by typing stuff (like my name) on my terminal and then modified my root file (probably others to mask traces) and have not heard of him since.
> Really creepy but let’s say my threat model is to avoid this, not being searched by government…
> I am also voluntarily leaving out the possibility of an attacker getting physical access to my machine.

You definitely need to secure your network. To do the above he is either in your network or has installed software on your system. Either way Qubes will help if you don’t connect your dom0 to any network. Use direct cables if at all possible.

Are you using an old cable modem? Many routers have security problems that can be patched, if they are still supported. If it’s not supported see if there is open source software for your model router because that will always stay up to date with regularly released patches. If you “own” your router (not the vendor’s appliance software) you would have complete control of what goes in or out of your network.

This network stuff is not Qubes specific, but if you email me off list maybe I can help you figure some of this out. I can set up a Teams meeting and we can talk through some of your hacker issues.

> How do you connect to your monitor and keyboard in a relatively secure manner? Does an ethernet-to-ps/2 exist?

For the keyboard and mouse you might try an IR connection if you are alone in your own space. IR is line of sight and does not penetrate walls like wifi or bluetooth, so the hacker would not intercept keystrokes from next door like they could with wifi or bluetooth. To intercept IR the person would likely need to be in the room with you if the blinds/curtains are drawn tight. That IR would however be some kind of USB dongle, but it might fix your hacker problem.

Is there a reason for the monitor needing to be remote? Point to point cabling is always the most secure. Just how far of a distance are we talking about?

If this person has physical access then you want to look at the anti-evil-maid configuration to prevent them from modifying your boot partition and installing anything that way. Use the sys-usb vm for all USB devices and turn off any USB connected directly to dom0.