New to Qubes - Crypto - Yubikey - Librem Mini/14

Hello there,

I’ve been looking at almost every YT video about Qubes OS and I find it very interesting. My main use would be to trade/protect my crypto. I have another PC that I usually use for work/gaming.

I’ve tried to install Qubes OS via VM on my normal PC, but I can’t get the internet to work. From my understanding, Qubes requires a specific type of hardware. Therefore I am looking at a new PC from Purism. I’ll have some questions before ordering one.

Purism Questions:

  1. I don’t like to use a laptop, so how does the Mini compare to the Librem 14? Negative/positive sides?

  2. Is 32GB of RAM enough or should I go with 64GB?

  3. How necessary would a 2nd SSD be for backup?

  4. I would like to use the same monitor, keyboard and mouse. Are there any negative sides to using a KVM switch between my main PC and the Librem Mini?

Crypto and Qubes questions:

  1. Would the 24 word seed phrase be secure in the vault?

  2. Is it possible to install Binance and other crypto wallets on Qubes?

  3. Would a Yubikey work in Qubes OS?

General Qubes Questions

  1. Would consider myself kinda tech savvy, but with little to no Linux experience. How difficult is it to master Qubes OS for my use?

  2. Are there other mini PCs that work well with Qubes or is the Librem Mini the best alternative?

  3. Where is the best place to start learning to get more comfortable with Qubes/Linux?

  4. Anything I should know before ordering a Librem Mini and starting with Qubes?


Thanks a lot :)

[quote]I’ve tried to install Qubes OS via VM on my normal PC, but I can’t get the internet to work.
[/quote]

Qubes OS has been found to work in a VM for some people, but it is not recommended to do so for non-testing purposes.

[quote]From my understanding, Qubes requires a specific type of hardware.
[/quote]

Qubes OS does have some specific hardware requirements, which can be found in the System requirements | Qubes OS doc. The most important parts are a 64-bit Intel or AMD processor with VT-x and VT-d or the AMD equivalent (you can find this out for Intel processors at Intel® Product Specifications), 16 GB of RAM, and a 128 GB SSD.

[quote]I don’t like to use a laptop, so how does the Mini compare to the Librem 14? Negative/positive sides?
[/quote]

[quote]Are there other mini PCs that work well with Qubes or is the Librem Mini the best alternative?
[/quote]

Qubes OS does not require specific laptops or computers in general. You can check the Hardware compatibility list (HCL) | Qubes OS for laptops or desktops that other users have found to work or not work. The most important aspects to look at there are the HVM and IOMMU columns.

[quote]Is 32GB of RAM enough or should I go with 64GB?
[/quote]

16 GB of RAM is recommended and is probably enough for over 95% of Qubes OS users.

[quote]I would like to use the same monitor, keyboard and mouse. Are there any negative sides to using a KVM switch between my main PC and the Librem Mini?
[/quote]

Using a KVM switch should work perfectly fine, just be aware that using a USB keyboard may require additional setup to get working properly and additional security considerations.

[quote]Would the 24 word seed phrase be secure in the vault?
[/quote]

The vault is simply an AppVM that is set up so it does not receive any networking. You can consider how secure that would be for you.

[quote]Is it possible to install Binance and other crypto wallets on Qubes?
[/quote]

Software installation in Qubes OS is done much the same way as a normal GNU/Linux distro with the exception that software installed by a package manager is done in the TemplateVM. You can see the full instructions here How to install software | Qubes OS. If the software isn’t in the package manager, you can likely still install it by following the Linux installation instructions from the developers’ website.

[quote]Would consider myself kinda tech savvy, but with little to no Linux experience. How difficult is it to master Qubes OS for my use?
[/quote]

Qubes OS functions much the same way as any other GNU/Linux distribution with a few exceptions, such as: copying text and files between qubes, installing software, updating packages, using USB devices, and setting up VMs in general. You can check out the ‘How-to guides’ section of the Documentation | Qubes OS for in-depth explanations of how to do each of those tasks.

[quote]Where is the best place to start learning to get more comfortable with Qubes/Linux?
[/quote]

For me, the Documentation | Qubes OS is extremely helpful and goes into more depth and explanation than any of the videos that I’ve found. Other than that, I would say the best way to learn is just by using Qubes OS and asking questions on this forum if you run into any problems.

[quote]Anything I should know before ordering a Librem Mini and starting with Qubes?
[/quote]

Just know that the hardware requirements are not as extremely specific as they sound. As long as it has a 64-bit CPU with Intel VT-x and VT-d or the AMD equivalent, 16 GB of RAM, and a 128 GB SSD, it has a good chance of working. However, Lenovo or Purism generally work the best and are less likely to have hardware problems. The Purism Librem Mini is listed in the Hardware compatibility list (HCL) | Qubes OS and works well.

Alternatively, I did a quick lookup and found a refurbished Lenovo tiny PC that meets all the recommended requirements and should work without any problems. https://www.newegg.com/lenovo-m92-tiny-student-home-office/p/1VK-0003-1DUM4
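The CPU requirements listed in the reply above (64-bit, VT-x or the AMD equivalent, VT-d or the AMD equivalent) can be checked from an ordinary Linux live session on a candidate machine. The script below is an added example, not part of the thread; its sample files are constructed, and on a real machine the two inputs would be `/proc/cpuinfo` and a file holding saved `dmesg` output.

```shell
#!/bin/sh
# Added example (not from the thread): checks saved /proc/cpuinfo and kernel-log
# text for the CPU features the post lists. All sample data below is constructed.

# has_flag FILE FLAG: true if FLAG is a whole word on a "flags" line.
has_flag() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw -- "$2"
}

# qubes_cpu_check CPUINFO KLOG: prints a verdict per requirement and
# returns 0 only when all three are present.
qubes_cpu_check() {
    rc=0
    if has_flag "$1" lm; then echo "64-bit: yes"; else echo "64-bit: no"; rc=1; fi
    # vmx = Intel VT-x, svm = AMD-V
    if has_flag "$1" vmx || has_flag "$1" svm; then
        echo "VT-x/AMD-V: yes"
    else
        echo "VT-x/AMD-V: no"; rc=1
    fi
    # The kernel prefixes Intel VT-d messages with DMAR and AMD ones with AMD-Vi.
    if grep -Eq 'DMAR|AMD-Vi' "$2"; then
        echo "VT-d/AMD-Vi: yes"
    else
        echo "VT-d/AMD-Vi: no"; rc=1
    fi
    return "$rc"
}

# Constructed samples: one CPU with everything, one lacking vmx and an IOMMU.
SAMPLES=$(mktemp -d)
printf 'model name\t: Constructed CPU A\nflags\t\t: fpu lm lahf_lm vmx ept\n' > "$SAMPLES/cpu_ok"
printf '[    0.01] ACPI: DMAR 0x0000 (constructed)\n[    0.20] DMAR: IOMMU enabled\n' > "$SAMPLES/log_ok"
printf 'model name\t: Constructed CPU B\nflags\t\t: fpu lm lahf_lm\n' > "$SAMPLES/cpu_bad"
printf '[    0.01] ACPI: FACP 0x0000 (constructed)\n' > "$SAMPLES/log_bad"

for s in ok bad; do
    echo "== sample $s =="
    qubes_cpu_check "$SAMPLES/cpu_$s" "$SAMPLES/log_$s" || echo "-> does not meet the listed CPU requirements"
done
```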

I strongly disagree here. Unless you are using all minimal templates (which is an advanced feature), at some point you will not have enough memory for more or less normal use. I recommend at least buying a computer that you can upgrade later (both Librem Mini and 14 can be upgraded).

According to this list, it’s not that simple at all.

For detailed comparison between Mini and Librem 14, you probably should go to Purism forums. Apart from that, USB keyboard is not recommended: Device handling security | Qubes OS.

You can also make a backup to a USB stick or hard drive, so it depends on your needs.

Yes: Device handling security | Qubes OS

If you are asking about storing your passphrase in an offline VM, then read this: Data leaks | Qubes OS.

Any software working on Linux should in general work on Qubes.

Accessing a Puri.sm Librem Key

It depends on your needs. If you only use web browsers, it will be easy. If you need to use VPNs and crypto wallets, it will be harder. You can always ask on this forum.

If it’s not in the HCL, then it’s probably not tested. Mini is there.

Consider a laptop instead to avoid security problems with a USB keyboard as I explained above.

Qubes documentation is generally well written but not always easy to read. I hope someone else can point to a good Linux learning guide.

[quote]16 GB of RAM is recommended and is probably enough for over 95% of Qubes OS users.
[/quote]

[quote]I strongly disagree here. Unless you are using all minimal templates (which is an advanced feature), at some point you will not have enough memory for more or less normal use.
[/quote]

Are you using the shutdown-idle script? How many concurrent qubes would you define as normal use? Do you assign more than 2GB memory to your qubes – why?

[quote]I recommend at least buying a computer that you can upgrade later
[/quote]

That’s always a good idea obviously.

It was probably an overstatement to say that’d work for 95% of Qubes OS users. I don’t know how much RAM the average Qubes user uses, I just know that 16 GB seems to be plenty for me and I use about 7 qubes on average, not including service qubes. But 16 GB should still be plenty for a beginner to Qubes. Nevertheless, getting something where you can upgrade the RAM later on is definitely a good idea.

The Mini has slightly inferior specs to the L14. It has a quad-core Comet Lake i7-10510U compared to the L14’s 6-core i7-10710U. The Mini is half the price though, since Purism literally just rebrands a Mini PC, flashes custom firmware, then ships. The L14 was a lot more involved than that.

Librem 14 has Open Source EC firmware. The L14 has two hardware write protection switches installed on the mainboard with the future possibility of write protecting the EC & BIOS flash chips (this hasn’t been fully implemented yet).

I went with 64GB because I don’t like to worry much about RAM assignment.

Internal or external? I don’t see much benefit in internal backups in case you lost the device, or if it got stolen.

None I can think of. I use a TE smart KVM switch between my Laptop & Desktop running Qubes. With my USB keyboard, mouse, & single 4K monitor, it runs perfectly fine. This is the KVM switch I personally use. It’s bolted to the back edge of my desk.

[quote]Would the 24 word seed phrase be secure in the vault?
[/quote]
KeePassXC in an offline Vault should suffice.

Absolutely.

Absolutely. You can use qubes-u2f proxy too. That way you don’t have to pass the USB device to the VM. I used qubes-u2f with my Yubikey to authenticate my forum account.

Qubes should require a little Linux related experience beforehand IMO. But I think most trouble comes from adjusting to a new workflow in order to use Qubes as it was intended: to partition your Digital Life into different security domains.

YouTube & the Qubes OS docs: Documentation | Qubes OS

As well as just experience.

Let’s say that work-related stuff is heavy enough to require maybe 5 GB of RAM (doesn’t seem far-fetched to me). Let’s say that modern browsing requires at least 2 GB per qube running Firefox, to be on the safe side. Now, imagine that every link is opened with a DisposableVM. Now, 5 links are enough to get over 16 GB RAM. I did not even mention any other stuff running like Whonix, sys-* and so on.

I don’t even understand why the above does not happen with others…

Yes, works and it is the perfect match with KeePassXC

Maybe this is interesting for you.


Yes (nothing is 100% but you are very secure)

When you are done with the docs you will see that you (have to) fully trust dom0. That also means that your (default; no networking) vault AppVM is almost as trusted as dom0 itself. I mean, you could theoretically store your secrets in plain text since only you / dom0 should have access to it. “…if your app qubes are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an app qube. Not impossible (due to existence of covert channels between VMs on x86 architecture), but difficult and slow.”

For your secrets I would suggest you set a long LUKS disk password, use the default vault AppVM (networking OFF), KeePassXC with a strong password and Yubikey Challenge-Response. Additionally, you can set OTP within KeePassXC, in an extra AppVM, on your Yubikey or on an OTP app you trust (i.e. installed on GrapheneOS)


Have you ever investigated the actual memory consumption of your qubes using e.g. top in various situations, or are those numbers more or less guesses?

I’ve never tried this with “full” templates, but system qubes don’t need more than 400MB for sure. Most application qubes run fine with 800-1000MB even when editing large presentations, documents etc. A Firefox instance works just fine with 1-2GB especially if you don’t use many tabs. My (work) Windows runs all applications I need including IDE or even video editing fine with 4GB (maybe not at the same time).

Not trying to convince you, just want to understand what’s so different in your workflow. Obviously if one can have 32GB or more that’s awesome!


I didn’t know this existed till someone randomly mentioned it after years

Thanks a lot for good answers! Finding it very interesting to start learning Linux and Qubes :).

Then 32GB or 64GB it is :).

  1. Would 250 GB of storage be enough? Would only use Qubes as an OS to secure my crypto. I might try to get better at security with learning Kali sometime :).

My plan was to buy the Librem Mini, but from my understanding now, is the Librem 14 a much better choice when it comes to security?

Weird question, but how would you guys rate it on a scale of 1 - 10?

Windows - 1

Qubes OS with Librem Mini - 7?

Qubes OS with Librem 14 - 9?

Or am I totally wrong here? ;p

Thanks again :)

Librem mini and Librem 14 aren’t that different from a security perspective (though I don’t know if the Librem mini has a TPM chip).

– EDIT:
Ok, seems like there are a few rather minute differences that might have a great impact on security.

  • no TPM
  • USB keyboard instead of built-in

USB keyboard is not a good thing for Qubes security, so they are different. Especially if there is only one USB controller as in L Mini and L14.


From my recent experiences: don’t just get an SSD – make sure it is a high performance, professional grade SSD.

I’ve used a Samsung 870 QVO and recently replaced it with a 860 PRO. The difference exceeds my wildest expectations. Especially when doing backup/restore.

dAPP websites, a bunch of tradingview charts, tg and discord and some simultaneous surfing on the untrusted appVM and 32GB is not enough unless you keep closing those tabs and work with bookmarks.
In the end it all depends on how many things you want to have running simultaneously and if you are willing to shut down appVMs and focus on just a few browser tabs.

I’m using Librem Mini and it does not have a TPM chip.
