The way I see it there are three main “levels” of compartmentalization:
(I am assuming you know how to clone a template, and how to make a template the template for an existing AppVM. If not, both are trivial skills.)
1) Leave things as they are set up on first installation of Qubes. You’ll end up installing all of your software on ONE template, which will mean your vault, personal, work, etc. qubes will all have access to the same software suite. And if I recall correctly, even something like sys-net will have access to these things because it uses the same template.
2a) The next step up is somewhat easy and gives you most of the benefits Sven was talking about (as quoted by fslover). After install, clone the debian-11 or fedora-3x template (I don’t recall the fedora version number that is current, sorry). Make THAT new template the template for all of your domains (work, personal, etc) but not of things like sys-net and sys-firewall. That way at least your working qubes are the only things that see all that software. (This way your original template is left “clean” of any modifications you might make to it.)
2b) Instead of just making one clone, make a separate template for each of those working qubes. This can make sense if the apps you want to install differ greatly for each qube. Alternatively, if they’re similar, make ONE clone, install everything on it, then make clones of it, one for each working qube.
If you go with 2b you can…at some future date…compartmentalize a bit. Or not. It’s truly up to you. I personally find myself doing compartmentalization as time goes on (and even making more and more things disposable–but I actually keep my data elsewhere so that’s feasible in many cases where it wouldn’t be for most people), but that’s me not you.
3) Whole hog–it’s a lot more work, and a lot more to learn, but that’s to build templates from scratch even for the system qubes like sys-net and sys-wifi. Start with debian-11-minimal, which has a lot less stuff on it than debian-11, and clone it and install only what a particular qube needs. For instance, more than likely (your situation may differ of course) only the vault qube needs keepass; this way only the vault qube will have it; it will never have been put on the template now being used by (say) sys-net.
A case study here is the fact that my system is on two networks, a wifi one (for the internet) and an ethernet one (local). I don’t want those two networks touching, so I have two different qubes doing the job of sys-net. The template for one includes wifi drivers, the template for the other includes ethernet drivers. That way if somehow by mistake I assign both devices to the same qube, that qube literally won’t know what to do with the device it’s not supposed to have.
But again, that takes a lot of knowledge, in fact, if you take this on you have a new hobby.
2a and 2b is something someone should be able to take on relatively quickly, and gives you most of the benefit of 3 for 1/20th the effort. But even leaving it as-is (option 1) is vastly better than almost everything else out there.
If you happen to be looking at a fresh installation, I’d at least clone the debian or fedora template to something else as a clean backup copy regardless of which choice is made.
[Edit to add: I make a distinction between “working” or “app” qubes and “system” or “infrastructure” qubes. The first is where you’d be working with GIMP or LibreOffice or a browser. The second group is things like sys-net, sys-firewall, and so on; qubes you don’t do any work on, but provide support services. What I was trying to get at with options 2a and 2b were to leave the provided template alone for system qubes, and make a clone of the template and modify it for the working qubes–as many or as few different ways as you like.
I just realized there’s an option 2c as well…which is to make separate copies of the system qube templates and uninstall software not needed in them (such as keepass). Obviously you only want to uninstall something you’re sure you won’t need. (And of course you have to know it’s there but useless before you can even think to do this.) But that’s still easier than building from scratch (option 3).
If at some point you do decide to go with Option 3 there are threads out there (usually titled something like “Debian 11 minimal install” or “Debian 11 minimal templates”) to help you get started. Threads like that are how I got started, in fact.
end edit]
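The option 2a procedure above (keep a clean copy of the stock template, clone it for software, and point only the working qubes at the clone) written out as dom0 commands; this is an added example, not code from the post's author. It assumes the names debian-11, debian-11-work, debian-11-clean, work and personal, prints the commands instead of running them unless APPLY=1 is set, and refuses to retemplate sys-* qubes so the stock template stays under the infrastructure qubes.

```shell
#!/bin/sh
# Added example, not from the original post: option 2a as dom0 commands.
# Assumed names: stock template "debian-11", working clone "debian-11-work",
# backup clone "debian-11-clean", app qubes "work" and "personal".
# The plan is printed, not executed, unless APPLY=1 is set (dom0 only).

# Infrastructure qubes the post says should keep the stock template.
SYSTEM_QUBES="sys-net sys-firewall sys-usb sys-wifi"

# is_system_qube NAME: succeeds if NAME is a system/infrastructure qube.
is_system_qube() {
    for s in $SYSTEM_QUBES; do
        [ "$1" = "$s" ] && return 0
    done
    case "$1" in sys-*) return 0 ;; esac
    return 1
}

# plan_retemplate STOCK CLONE QUBE...: prints, one per line, the qvm-clone
# and qvm-prefs commands for a clean backup clone, a working clone, and a
# template switch for each app qube. A system qube in the list is skipped
# with a note on stderr and makes the function return 1, so the stock
# template is never swapped out under sys-net and friends by accident.
plan_retemplate() {
    stock=$1; clone=$2; shift 2
    rc=0
    echo "qvm-clone $stock ${stock}-clean"   # untouched copy of the stock template
    echo "qvm-clone $stock $clone"           # the template that will get the software
    for q in "$@"; do
        if is_system_qube "$q"; then
            echo "skipping $q: system qube, leave it on $stock" >&2
            rc=1
            continue
        fi
        echo "qvm-prefs $q template $clone"
    done
    return $rc
}

if [ "${APPLY:-0}" = 1 ]; then
    plan_retemplate debian-11 debian-11-work work personal | sh
else
    plan_retemplate debian-11 debian-11-work work personal
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 in dom0 to apply it; option 2b is the same plan with one clone name per working qube.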