Sure, it’s actually quite simple.
- I cloned my fedora template and named it something like “fedora-insecure” (you could choose any other template you like).
- Install the respective driver for your printer in this template. See the Qubes documentation for the reasoning behind this. With one of my printers this works like a charm. With another one I still have inexplicable problems.
- Create a DisposableVM template from the “fedora-insecure” template. If you need instructions on this see https://www.qubes-os.org/doc/disposablevm-customization/.
- Optional but very much recommended: restrict the firewall settings of this new DisposableVM template to the IP address of your printer only. If you have detailed knowledge about your printer you could even further restrict the firewall to allow only the ports required for the actual printing. (Qubes docs on firewalling)
This is basically it. You could now further tweak your settings for disposableVMs to improve your workflow.
For example, it could be useful to set this VM as the default disposable VM for some appVMs. Then a simple “right click on document -> Open in DisposableVM” would open a printable instance of this document.
I went another route. I edited the Qubes RPC policy file `/etc/qubes-rpc/policy/qubes.OpenInVM` in dom0 and changed the first line from `$anyvm $dispvm allow` to `$anyvm $dispvm ask` (you could also just delete this line because the remaining line `$anyvm $anyvm ask` has the same effect).
This way, every time I choose “Open in DisposableVM” from a context menu in any VM, dom0 shows a pop-up asking for the target VM in which I want to open the document. I can then decide if I want to print (opening the file in the DisposableVM for printing) or if I just want to securely view a document (opening it in a DisposableVM which is offline). I could even open a file in a non-disposable appVM this way.
Minor drawbacks:
- Do not close the document right after you hit the print button. Closing the document will shut down the VM instance and most likely kill the print job before it has finished. I usually leave the document window open for a few minutes or until I have grabbed my copy out of the printer.
- If you want to print multiple documents, it is quite memory consuming to open them all in dedicated disposable VMs. Using the Qubes-RPC modification I described, it is possible to open further documents in the same DisposableVM as the first one by specifying its name. Since these names are all just randomly generated numbers, I recommend choosing a color for your printing dispVM which is distinct from your other dispVMs.
There is stuff like “named dispVMs” which I haven’t yet dived into. Probably, my approach could still be tweaked a bit for better usability.
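
The policy edit described in the post, as an added example that is not part of the original post or of Qubes itself: a simplified first-match model of the `qubes.OpenInVM` policy file showing why changing the first line to `ask` and deleting it give the same decision. It assumes that `$anyvm` matches any target except dom0 (including `$dispvm`) and that a call matching no line is denied; the qube names `work` and `personal` are constructed.

```python
"""Simplified first-match model of a Qubes 4.0-style qrexec policy file."""

# Constructed policy texts: the file as the post describes it, then both edits.
ORIGINAL = "$anyvm $dispvm allow\n$anyvm $anyvm ask\n"
EDITED = "$anyvm $dispvm ask\n$anyvm $anyvm ask\n"
DELETED = "$anyvm $anyvm ask\n"

ACTIONS = ("allow", "deny", "ask")


def parse_policy(text):
    """Return a list of (source, target, action) rules in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'source target action'")
        action = fields[2].split(",")[0]  # ignore ',param=value' suffixes
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((fields[0], fields[1], action))
    return rules


def token_matches(token, value):
    """Assumption: $anyvm matches everything except dom0; others match exactly."""
    if token == "$anyvm":
        return value != "dom0"
    return token == value


def evaluate(rules, source, target):
    """First matching line decides; no match means deny."""
    for src, dst, action in rules:
        if token_matches(src, source) and token_matches(dst, target):
            return action
    return "deny"


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("edited", EDITED), ("deleted", DELETED)):
        rules = parse_policy(text)
        print(name, evaluate(rules, "work", "$dispvm"), evaluate(rules, "work", "personal"))
```
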