"Now You're Thinking with Qubes"

I love this idea of “Now You’re Thinking with Qubes”. Looking forward to hearing what other creative uses of Qubes there are! Maybe we can then make a memorable picture out of them like that one!

I have played around a bit more but still with lots more stuff to try. I’ll share here some creative usages I’ve seen, some that I’ve tried and some I’ve only thought about.

Open Qube as Disposable

Not something I’ve done, but I got a hint from the docs on this:

[…] a DisposableVM could be created based on the AppVM (thereby making the AppVM a DisposableVM Template) so that the data can be analyzed by an untrusted program without jeopardizing the integrity of the original data.

“Qube in a Jar”

For working on investigations (where the process is always the same) one can have a salt formula to generate with saltstack an AppVM fresh for every new investigation and after it is done, safely back it up in cold, encrypted storage. (totally stole this idea from this presentation)

“Phoenix” Qubes

(aka. Stateless Qubes Configuration) In theory you could completely eliminate any state (persistence) from your Qubes setup and regenerate it all from a saltstack configuration you created (kind of what people already do with their dotfiles – not really, but similar enough). Then, if you ever lost your computer, you would only need to git clone your saltstack config and deploy it. See securedrop-workstation for inspiration

Split Qubes

Not really anything new but I find the Split-* configurations quite ingenious. So I think they belong here.

Some examples: Split GPG, Split SSH, Split Browser, Split dm-crypt

Testing Infrastructure (ansible molecule deploy)

When working on DevOps a lot of stuff is done in ansible and you can use qubes to automatically provision that testing infrastructure just like you would do with vagrant.
Take some inspiration from securedrop (in particular “Deploying SecureDrop staging instance on Qubes”).

The initial setup is quite painful, but after that all you have to do to test your infrastructure is:

molecule create -s qubes-staging
molecule converge -s qubes-staging
molecule test -s qubes-staging

And then see the magic happen – Various qubes being orchestratedly created, tested and finally destroyed.

Open in Disposable Qube / Convert to Trusted

Also widely incorporated into the Qubes ecosystem, but also worth mentioning as Qubes-foo:

Highly valuable for manipulating untrusted documents.

Tor Over VPN (vice-versa)

Not really that out of the box, but it’s something that is only easily doable in Qubes (after reading the security implications).

Even though you lose out on a bit of anonymity, this allows you to bypass a lot of webpages that block Tor and it even works for audio conversations over Tor (through BigBlueButton, for example).

Pause All VMs for Secure Operation

(Haven’t seen this implemented yet – as far as I know)
We know that hardware-based attacks like Spectre or Meltdown can read memory portions in other VMs.

But imagine for example that while opening your password manager on your vault qube it pauses all other VMs, then you enter the passphrase (it’s now in memory), copies the password to the qubes-clipboard, removes your master passphrase from memory and then resumes everything else. (stole this idea from here and

This needs some more thinking since there may be timing-sensitive operations running on other qubes, but I believe this could easily be implemented via a Qubes RPC to dom0.

Export Qube to USB (bootable)

I’ve never seen anyone mention this, but it would be pretty incredible if someone could make a Qube bootable outside of Qubes OS. One would export it to a USB stick, plug it into a computer and it would boot with whatever distro and programs you had on there.

Use-case: Sometimes a journalist needs to do some on the field investigative work and it may be too risky to take the qubes laptop. So what if we could send a qube to a usb and make it a regular bootable operating system?

This way the journalist could take just that USB to the field and when she is back she could just restore that new version onto its original qube (basically just copying the files back).

Bonus: Being able to easily create Linux bootable USB already configured (with the state of the AppVM). Maybe some people would want to share this with non-qubes users, for them to have a fully setup environment.

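One way to implement the dom0 RPC that the "Pause All VMs for Secure Operation" idea describes, as an added example that is not part of the original post or of Qubes OS itself. The service name custom.PauseOthers, the file paths, the state file and the KEEP_RUNNING list are assumptions; qvm-ls, qvm-pause, qvm-unpause and the QREXEC_* variables are the standard dom0 tools and qrexec environment.

```shell
#!/bin/sh
# Added example: dom0 qrexec service, hypothetical name custom.PauseOthers
# (assumed path /etc/qubes-rpc/custom.PauseOthers, executable).
# Assumed policy lines, Qubes 4.1+ format, in /etc/qubes/policy.d/30-user.policy:
#   custom.PauseOthers  +pause   vault   @adminvm  allow
#   custom.PauseOthers  +resume  vault   @adminvm  allow
#   custom.PauseOthers  *        @anyvm  @anyvm    deny
# Called from the vault qube: qrexec-client-vm dom0 custom.PauseOthers+pause

STATE_FILE="${STATE_FILE:-/run/pause-others.list}"  # qubes paused by this service
KEEP_RUNNING="${KEEP_RUNNING:-sys-usb}"  # assumption: a USB keyboard is attached here

# Read qube names on stdin; print every name except dom0, the caller,
# and the space-separated names in KEEP_RUNNING.
select_targets() {
    caller=$1
    while IFS= read -r name; do
        case "$name" in ''|dom0|"$caller") continue ;; esac
        case " $KEEP_RUNNING " in *" $name "*) continue ;; esac
        printf '%s\n' "$name"
    done
}

# Pause only qubes that are currently running and remember them, so that
# resume does not wake qubes the user had paused before.
pause_others() {
    if [ -e "$STATE_FILE" ]; then
        echo "already paused, resume first" >&2
        return 1
    fi
    qvm-ls --running --raw-list | select_targets "$1" > "$STATE_FILE"
    while IFS= read -r name; do
        qvm-pause "$name" || echo "could not pause $name" >&2
    done < "$STATE_FILE"
}

resume_others() {
    [ -e "$STATE_FILE" ] || return 0
    while IFS= read -r name; do
        qvm-unpause "$name" || echo "could not unpause $name" >&2
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# qrexec exports the caller and the "+argument" part of the service name.
case "${QREXEC_SERVICE_ARGUMENT:-}" in
    pause)  pause_others "${QREXEC_REMOTE_DOMAIN:?}" ;;
    resume) resume_others ;;
esac
```

If the resume call never arrives (for example the vault qube is shut down first), the recorded qubes stay paused until `qvm-unpause` is run on them from a dom0 terminal.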