Qube Organization

After reading the article on ideas concerning how to organize one’s qubes, it caused me to question my existing setup.

When I first started with Qubes last year, I really took things to the max by trying to have a separate qubes for different uses and some select websites in addition to general purpose qubes.

This setup quickly became for cumbersome to keep track of and I now have a setup where I have three qubes: one whonix qube for anonymous internet activity, one networked qube for clearnet activity, and one offline qube for anything that doesn’t require an internet conection. This makes things SOOOO much simpler and takes less time to setup.

But maybe there are perspectives I’ve not considered. What advantage is there in having a qube dedicated to a particular website or having a separate qube for your password vault.

I used to have a separate password vault qube myself, but I eventually merged it with my general purpose offline qube because I figured: why bother if they’re both offline? If any of my offline qubes are compromised, that probably means my dom0 has been compromised, which means all my offline qubes are compromised. Maybe my understanding is flawed?

Is there any significant benefit to having separate qubes for visiting different websites if you’re not having the browser store your login credentials? I have my browser clear the cookies, data, history…everything from each session upon exit and if I want to visit a potentially shady website, I’ll just use a disposable. If anyone does use separate qubes for internet activity, please explain your reasoning.

EDIT: Btw, I’m not considering the use of work-related qubes. I can certainly see the benefit in having separate qubes for work stuff. Unfortunately, my job forces me to use Windows (though thankfully on employer-provided machine).

EDIT: Also, for the purpose of maintaining anonymity where that is important and to my understanding, having separate whonix qubes for different websites may be necessary. I’m specifically asking about the value in having separate qubes for non-anonymous internet activity.

That’s an interesting perspective.

Maybe not for visiting different websites, but I do have separate minimal qubes for sys-net/-usb/-mgmt which contain only must-have packages for them to function their own specilalized mission.

Since you don’t store any browser data, why not just use a disposable? Any malware won’t persist the session, seems trivial not to take advantage of it. Plus your passwords are in a separate qube so it’s not like you have the simplicity of login integration.

On top of that, if you only clear what you stated, you still leave your browser profile intact which leads to profile fingerprinting, even if you don’t store any cookies and such. At least with a dispvm you get a new profile every time. (If you’re interested on how to set it up, check out my howto guide: [Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies)

This specifically: if you’re not carefully and selectively blocking cookies, then you can easily be tracked across websites. You could use temporary containers, or dispvms, or both if you’re extra paranoid.

That’s a good point, and if you apply the same strategy for browsing qubes, you get a smaller exploitable attack surface.

I have a qube called “library” where i store… basically everything. Videos, documents, potentially untrusted stuff as well of course.
I also have a vault qube for only my passwords.

The reason being, that:

1. I have some software installed in my normal library to make my life a bit easier. Some fonts, custom command prompts, some system utilities, …This is attack surface
2. Should i somehow open a malicious file, i really don’t want to do that anywhere near my passwords.

The latter can be omitted by not having vlc, libreoffice or other high risk parsers on the library, however for limiting the number of templates i need to handle, i think i have those installed. I try to open everything in disps, but i may fuck up.

So this is my reasoning for having a special vault vm. Also it makes backups a bit more easy imo.

For browsing i use whonix-ws-disps. Sometimes i need to do stuff in clearnet, for this i use clearnet-disps. However i do have a netflix qube that i only use for netflix for the convenience of not needing to log in.

If by separate you mean really separated, or separated due to missing persistence as with disps, yes, not having to have cookies from other stuff i did. That is why i use disps 99% of the time.

I personally would not trust the browser to do this 100% perfect, so i just reside to the most safest approach of using a vanilla, never used browser from disp vms.

I have those too. Not necessary, but makes things a bit more tidy if i know that anything related to projectA is in this qube and only there.

Another thing that you did not mention, are other “app related” qubes. I have those for some docker stuff, like drawio and such like, or high risk applications like messenger- and communication qubes.

In the end everybody has to figure out how much compartmentalization one needs or wants. Everything is possible between using one singular qube, and having thousands. Somewhere in between usually is the sweet spot, but that depends on use case. I for example have some use case related qubes for high CPU or RAM usage tasks, some bound to specific projects and other with specific services that other people probably don’t need.

@BEBF738VD Such approach is not reliable: Can websites track me across different qubes?. See also: How does Qubes OS provide privacy? Only Whonix is reliable in providing privacy.

See this: Why Use Minimal Templates?

In particular:

Of course, I agree, but I was specifically only referring to cookies. Maybe I wasn’t clear enough.

What’s the point of fighting with cookies if you still can be tracked via fingerprinting? Well, I use disposables for browsing anyway, but I do not expect to be anonymous unless I open websites in anon-whonix.

Maybe you want to log into multiple accounts for the same website and you don’t care about correlation: ie personal and corporate google drive. Using that as an easy example, I know google handles multiple accounts but again. just an example.

Not necessarily:

See also:

Here is a nice example of a very compartmentalized setup: Best Way To Setup A Global Share Folder? - #63 by unman, hopefully making it more clear.

I like that idea from a security standpoint, though that would be overkill for my use case. I also need more experimentation with minimals before using them.

ease of managing bookmarks mainly, but it is something I’ve considered.

Is this more secure than keeping that data on a separate encrypted data drive?

you wouldn’t happen to know of a list of other high risk applications?

Point taken. If privacy is what I’m concerned about, that’s what whonix is for.

I’ve tried that before on pixelplanet. I got mixed results.

In default setup no qube (template) except dom0 is truly offline. Any template can still contact repositories over qrexec - and that is not offline, so installing software in a template for common purposes increases surface attack significantly. I knew this was coming, and that is why docs recently changed to my suggestion.

Actually, by fighting with cookies, you make it harder (but not impossible) to track you. It might be a goal in itself, too.

Another probably relevant discussion:

Do you have a lot of saved bookmarks? You didn’t mention that.

I’m personally evolving towards more and more named disposables to do things. Storage is offline (on a NAS in fact), compartmentalized by topic (not so much by which app it’s for), and attachable to the disposables on an ad-hoc basis. And I’m working on converting to unnamed disposables in places–at least they shut down automatically when I’m done with them. (The disadvantage is, I can’t necessarily tell what a window is for when its title reads disp4321, especially if it’s a file manager.) [As I write this I’m thinking of ways to get a named disposable to shut down once I disconnect from offline storage and close the app I wrote to manage those connections.]

A case in point; I have a VM that has LibreOffice installed. It’s offline. I realized the other day that I have exactly three documents stored in that qube. It’s a ripe candidate for being turned into a named disposable, at the very least. I’ve got two or three other qubes like that–candidates for DVMing.

I never would have imagined I would be heading down that particular path back in June when I first installed Qubes, but every step along the way has been logical.

The next possible step (now that someone here has put the idea into my head) is to create one-app disposables and access them from the disposable that has the storage attached to it, for viewing (as opposed to modifying) things, rather than having a small suite of software in that qube.

Can you explain what you mean by this?

By that reasoning dom0 is not offline since it is trivial to set up a two
way interaction from dom0.

There’s a good argument for locking down what the proxy can be used for.
tinyproxy used to be restricted, but was opened up for convenience.
I restrict use of apt-cacher-ng to named sites.
We’ve discussed this before.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

I was specific

In the default setup, dom0 can easily go online, if you enter the right one-liner.

Ok, good to know that when you change something, it is still considered to be default.

Do you “change something”, when dom0 is updated?

By the way, snarks are unproductive, so it would help if you could avoid them.