Polls: Do you use AEM, Whonix, VPNs, Split GPG, etc. in Qubes?

Do you use Anti Evil Maid (AEM) in Qubes?
  • Yes
  • No
  • Other (explain in comments)

0 voters

Do you use Whonix in Qubes?
  • Yes
  • No
  • Other (explain in comments)

0 voters

Do you use a VPN with Qubes?
  • Yes
  • No
  • Other (explain in comments)

0 voters

Do you use Split GPG in Qubes?
  • Yes
  • No
  • Other (explain in comments)

0 voters

Do you use the integrated Qubes backup system (qvm-backup or GUI)?
  • Yes
  • No
  • Other (explain in comments)

0 voters

Do you use a security key with Qubes (e.g., YubiKey, U2F key)?
  • Yes
  • No
  • Other (explain in comments)

0 voters

Do you yourself use Salt (SaltStack) in Qubes (e.g., custom configs)?
  • Yes
  • No
  • Other (explain in comments)

0 voters

4 Likes

I don’t have enough knowledge of Salt, so I don’t use any customs yet. But definitely want to decipher this in future.

2 Likes

I would love to be able to use salt but it seems a bit too complicated to me

1 Like

Is there a good pointer to understand SaltStack?
Like:

  • What is the problem?
  • Detailed and understandable explanation on how the problem is solved with SaltStack in Qubes

Thanks!

2 Likes
1 Like

Personally, I’d be interested in the usage of split-SSH?
A bit more advanced than split-GPG but also benefits from the same “split-approach”.

Is there a good pointer to understand SaltStack?
Like:

  • What is the problem?
  • Detailed and understandable explanation on how the problem is solved with SaltStack in Qubes

Thanks!

There’s a high level view at Salt (management software) | Qubes OS
I have some notes from training course which take you step by step
through using salt in Qubes, with many examples - GitHub - unman/notes

The Birds eye view:
What is the problem? How to configure your system, both templates and qubes.
Salt enables you to automate the process of creating templates and
qubes, and configure them as you will.
If you record your configuration in salt you can simply recreate part
or all of that system on another Qubes install.
Salt can be complicated, but it can also be extremely simple.

You could do this, (and some people do), by using batch files, which run
qvm commands in dom0. One way in which salt simplifies the process is
because it makes it easy to take different actions depending on the OS
used in the template.

2 Likes

AEM

Other: Coreboot/HEADS/Nitrokey, ME neutered and disabled

Whonix

No, for several reasons:

  1. I distrust and no longer use or support the Whonix project.

  2. Using the TOR network has become increasingly difficult (captcha’s, tor exit nodes blocked) and using it made me feel icky: I support the TOR project and see the need for it clearly, but I don’t care for the criminals (ab)using it.

  3. The thread scenario I used TOR for can be easily mitigated using a commercial VPN hosted in the EU (hide traffic from US ISP, Employer, Hotel or other Guest WiFi; avoid profiling and targeting of my specific end point with e.g. poisened updates).

VPN, Split GPG, integrated backup, security key

Yes, daily and extensively

Salt

Other: I am still using bash scripts for this purpose, because they do all I need at the moment and hence I feel little pressure to migrate.

However, more broadly I wish to learn Salt and use it to provide qube configurations for others (e.g. debian-minimal based ungoogled-chromium, thunderbird/split-GPG, signal, teams, VisualCode qubes etc.)

1 Like

Maybe this poll needs to be pinned.

We need another poll asking whether you would use those things if the UX was more straightforward. I would answer “yes” to many. (Whonix is already perfect)

Also, one could add other options like “Open (links, files) in Disposable qube”, “Disposable sys-*”, “Split-Browser” and so on.

I generally included only more official and/or officially-documented features in this poll.

I don’t believe it needs to be pinned. It’s not an official survey or anything. I generally believe pins should be used sparingly and that threads should be allowed to live or die on their own merits.

Feel free to make another thread, if you like. That sounds like it would be a considerably more complicated poll, whereas this one is designed to be very simple and straightforward.

I think disposables are close enough to the “core” to be like support for multiple templates, which I also didn’t ask about, because I assume almost all Qubes users use them and that the poll results wouldn’t be very interesting. Regarding unofficial things like “Split-Browser,” see above.

There’s value in a poll being relatively simple and focused. Making a poll too long and trying to include everything can be counterproductive. Besides, it’s mostly just for interest’s sake.

I don’t see how “Open links in disposable VM” is the “core” as well as minimal templates (in both you typically need command-line configuration for that to be useful). Otherwise, I see your point.

Open links in disposable VM

I’d like to see a qubes replacement for xdg-open that would let you open links in the qube of your choice, just like how qvm-copy works.

I run the Zoom app in a dedicated qube and any time I get a link to a meeting I have to manually copy it from the qube running the app where I received it and paste it in a browser running in the zoom qube to join. It’s quite inconvenient.

You do not need a replacement for that. You can use the original xdg-open with a “custom browser”, which just calls qvm-open-in-vm. Something like this: How do I change my default browser? - Ask Ubuntu. This is what I do to open all email links in a disposable VM.

1 Like

Here’s another method for opening email links in disposables:

https://www.qubes-os.org/doc/how-to-use-disposables/#opening-a-link-in-a-disposable-based-on-a-non-default-disposable-template-from-a-qube

1 Like

But will this work upon a simple mouse click on the link? This is just a terminal command, which I mentioned too. I combined it with the “custom browser” allowing to avoid constant use of the terminal.

You’d have to make a simple (one-line) script that uses a command like this, then set your email client to use that script for hyperlinks. It’s very similar to the option you suggested, but you don’t have to use xdg-open or set it as the default browser for the entire qube.

1 Like

I use Heads to validate the boot files/firmware.

No, but: Until I saw this question I wasn’t aware this feature existed.

I have been using VPN since 2017. I subscribed numbers of VPN but a week ago I saw a new thing which is unique for me that PureVPN passed KPMG audit. Either it is real certification or not but it was a bold step from that. KPMG Validates PureVPN No-Log Claims | PureVPN - PureVPN Blog