What packages do I need to install in either minimal (fed or deb) to serve as the underlying template for SYS-USB’s DVM template?
I have written out all the other steps below. I need a big brain to fill in the blanks for steps 1 & 2 (please also tell me how you obtained this knowledge so I can study it).
Expectations for the response are below. You can take this post and make a guide of it I do not care if not I will do it. Up to you.
Also, you don’t have to add to the FAQ. I will follow up with you if I need clarification but if you think of a good FAQ please contribute. Additionally check my work in steps 3, 4, and 5 especially any parts that could brick a qube. If good give me the thumbs up.
Hi Networknoob,
Here is the list of packages you need to install for using X:
eject-(this for ejecting the cockpit prior to impact and is mandatory)
qubes-usb-proxy -(this is for …)
blablabla- (this is for … )
Read the above and then decide what you need and do not need based on your setup(e.g., not using bluetooth, skip blueman installation etc).
Here is how you would install and set up all of these packages in a minimal template:
Step 1
a.Install BLANK (Name of Minimal) Minimal BLANK (NAME OF VERSION)
(if you suggest a version that is newer or older ensure you mention it’s compatibility with other versions)
b. Optional- Clone the template (in case you want to clone the minimal for making other minimal’s)
#######
Step 2
#######
a. Open terminal inside BLANK (Name of Minimal) Minimal BLANK (NAME OF VERSION)
b. Run these commands in this exact order
c. Sudo apt install …
etc…
etc…
etc…
etc…
Shutdown -h now…
alternate of step 2 (only if using bash script)
a. Open terminal inside BLANK (Name of Minimal) Minimal BLANK (NAME OF VERSION)
b. Run these commands in this exact order
c. Nano ~/relevant-file-name.sh
‘’‘Insert Code Block’‘’
press ctrl + x and then y to save script
d. Make it executable
chmod + ~/relevant-file-name.sh
e. execute it (or don’t but give the information, also don’t say something like run as root just give them the information to do it)
sudo ~/relevant-file-name.sh
f. shutdown -h now
DONE!
#############
Step 3
#############
a. Create an App VM Called
Default-USB
^ select minimal template you just installed things in. e.g.,BLANK (Name of Minimal)
b. select none for network. select checkbox to launch settings>okay
c. click advance>check disposable template box in advanced > press apply.
d. select Default Disposable Template > Default-USB (if not in the drop down you forgot to press apply above^)
DONE!
##########################################
Step 4 *Optional (required for keyboard or mouse users)
##########################################
Navigate to a DOM0 terminal to make a bash script (don’t be intimidated it’s very simple)
a. open a terminal window
nano ~/testing-sys-minimal
b. Warning! This next step is dangerous (like flashing a bios during a thunderstorm) TYPE THESE IN CAREFULLY to avoid locking yourself out
#!/usr/bin/bash
qvm-shutdown sys-usb --wait
qvm-prefs sys-usb template Default-USB
qvm-start sys-usb
sleep 180
qvm-shutdown sys-usb --wait
qvm-prefs sys-usb template default-dvm
qvm-start sys-usb`
ctrl + X and save
c. while still in dom0 terminal make it executable
chmod +x ~/testing-sys-minimal
d. run the test
~/testing-sys-minimal
e. did your keyboard and mouse work? Make sure you checked during that 3 minute period
##############################
Step 5
##############################
a. go back to dom0 terminal to edit the bash script we just made and comment out the lines that switch your minimal off
b. nano ~/testing-sys-minimal
c. WARNING! This next step is dangerous (like flashing a bios during a thunderstorm) TYPE THESE IN CAREFULLY to avoid locking yourself out
#!/usr/bin/bash
qvm-shutdown sys-usb --wait
qvm-prefs sys-usb template Default-USB
qvm-start sys-usb
#sleep 180
#qvm-shutdown sys-usb --wait
#qvm-prefs sys-usb template default-dvm
#qvm-start sys-usb`
d. run the script again to finalize the switch
~/testing-sys-minimal
e. Clean up (if you don’t need the script anymore or don’t want to accidentally run it)
sudo rm -rf ~/testing-sys-minimal
f. YOUR DONE 
###############################
Optional Information on Steps 4 & 5
###############################
(TLDR: We are running the above commands to test out that everything works correctly for 180 seconds and then switching back to the original setup as a fail safe.)
Why do I HAVE TO DO THIS!?
This is currently the only way to switch sys-usb safely if you use a keyboard or mouse. Consider upgrading your device to one with ps/2 port to avoid this hassle in the future.
Putting things inside DOM0 that I do not understand makes me uneasy. is this safe?
Yes!! You just have to be careful not to type things incorrectly. So double check your script. Instead of assuming everyone will know (or making them dig for it) or writing guides tailored towards “advanced users” please read an explanation of what the dom0 commands are doing below to get you more comfortable with it.
Step 4 & 5 recap.
qvm-shutdown sys-usb --wait
^ This will shutdown your usb but it must wait for the proceeding command first. This is because when you switch a template that switch does not get applied until the qube is shutdown and then started again.
qvm-prefs sys-usb template Default-USB
^ this switches the setting for your sys-usb to the fancy new minimal one with a smaller attack service(example: do you need a browser in your usb qube? Probably not).
qvm-start sys-usb
^ this starts up our fancy test!!
sleep 180
^this gives us a whole 3 minutes to see if things are working correctly. Go test things out and make sure it works (don’t panic if it doesn’t it will switch back in a moment, barring any power interruptions).
qvm-shutdown sys-usb --wait
^ same thing as earlier
qvm-prefs sys-usb template default-dvm
^ Now we are going back to your original sys-usb template (if you used default-dvm as your original if not put the name of the one you had been using) that we know works.
qvm-start sys-usb
^Like nothing ever happened we are back to the original and ready to make changes depending on the test.
BUT WAIT!? Can’t I use the template switcher instead of potentially fat fingering something above and bricking qubes?
-NO!! But maybe a qubes team member will read this and add a feature that would automatically revert any changes made if no keyboard or mouse input is detected after a specified timeout period if the user elects to change the underlying template of sys-usb(and uses a usb keyboard or mouse). Additionally, it could incorporate a prompt that requires the user to input a specific word into a designated text box post switch. If the user fails to enter the word and confirm by pressing “OK” within the allotted time, the system should revert to the previous state. after two minutes etc. Wouldn’t that be swell 
!?
Further FAQs and edge cases:
Can I use this for Sys-Net and Sys-Firewall?
You can but just make sure you add the packages they need to the template.
Should I use this for Sys-Net and Sys-Firewall?
Up to you. The benefit you get is less updating but in return for that convenience you get a slight increase in attack surface. Whereas if you repeat the steps above for each sys and give it it’s own template and dvm template you will need to update them individually via the Dom updater.
What are the benefits of this solution?
Reducing attack surface by removing unnecessary applications from a Qube more prone to compromise(they mention this in official docs somewhere i forget where).
Is this overkill?
If it takes 5 minutes to do then no it’s a nice quick win.
Are steps 4 & 5 in the GUI yet so I can avoid a typo lockout?
As of Sept 10th, 2025 no. Maybe putting something with a timer like this decreases security or increase maintenance, or is a trade off not acceptable enough for the UX improvement. Also many may stick to the defaults and its only a niche group who choose to opt for the minimal templates. Furthermore, step 4 and 5 can be completely avoided if you use a ps/2 port (which is the best solution for security). Feel free to comment, IT’S IN THE GUI NOW so a user can ctrl + f to check if they added it and OP has not gotten around to updating this.
What if I want to switch it back?
Keep your old template and repeat step 4. Otherwise go through the steps again.
What if I just want to reinstall the template and not switch?
You also must follow these steps if you use a non ps/2 mouse or keyboard user 
. Otherwise, you can just reinstall using the gui.
But I want to do this type of minimal (fedora version 6899) will this work???
I’m unsure. Please test it out and comment below if your version worked to aid the community.
Does this guide apply to xx.x version of qubes?
Yes, as of September 10th, 2025 this guide applies to all stable versions of qubes (please comment the word outdated guide in a comment so a user can ctrl + f the thread to check if this is stale and you have not had a chance to update this timestamp in awhile).
Will continue to add good FAQs as they come in above so people do not have to sort/hunt through a rabbit hole of comments trying to sort out how this guide might apply to an edge case).
Additional meanderings (will remove later)
The target audience of this post is “Beginner”. It is meant to be a good first segue into the subject matter of minimal templates (which is gated for advanced users). From here, the goal is to make an intermediate level (please DM me for thoughts on an intermediate project with a minimal, I’m thinking something with VPNs that is a very hot topic here, maybe taking one of solene’s posts and making it for minimals only etc. Just make sure it has a net benefit of improving ones security posture, privacy is great too but only if it improves security). Finally the user needs to get comfortable with the command line. Especially in dom0. Any instructions involving commands inside of dom0 should be overly detailed and informative. If not, the user will shy away from it if they are not confident they can execute it correctly.
