Qubes: Antivirus?

There are, but most of them are very impractical and hard to get infected by. If you are targeted, though, they could develop new viruses, just like NSO Group did with Pegasus.

Well then, the more you use Qubes and get familiar with how computers work, I guarantee there will come a time when you’ll look back on this question and chuckle :stuck_out_tongue:

This is a heavily paraphrased crash course in cybersecurity:
(I strongly encourage you to research more about this in your own time)

  1. Computers only do what they’re told. The question is, WHO is telling them what to do? Is it you when you’re in front of it, or is it another entity (Microsoft, Google, McAfee/Symantec, malicious actors, software made by someone else that you decided to run, etc.)?

  2. A computer will not question an instruction, even if it’s a “dumb idea”. Delete all system files, overclock itself to the point where it may cause hardware damage? Yep, a computer will do it. You’re most likely under the impression that these things cannot be done because the software you’ve used in the past (I’ll use Windows as an example) has prevented you from doing so. This is because whoever wrote that software (Microsoft) has told the computer to not let the user issue those instructions. So, the people who wrote that software have basically hidden things from you (they haven’t disabled it, I can assure you :yum:). Not only that, they might have made it so that they are able to remotely control the software and issue those instructions (This is how Microsoft can force your computer to update, for example).

On another important note:
(If anyone tells you to type in sudo rm -rf /* into a Linux terminal, they’re trolling you. Don’t do this anywhere else except a disposable VM in Qubes OS, unless you want all your files deleted, and I mean ALL of them)

There may come a time when you test live malware samples inside disposable VMs for fun.
(Probably not a good idea to try this just yet, until you get familiar with how Qubes OS works) :sweat_smile:

  3. The ways that you “get into” a computer are called “attack vectors”. These are things like open ports on a network interface, ports on the physical computer that you can plug things into, programs that are already on the computer that are allowed to do certain things to the computer (like add/change/delete system files).

  4. If you’re trying to “get into” a computer, it’s not like a bank or warehouse in the real world. You can’t just drive a truck and smash through the front entrance. That would destroy the computer. :laughing:
    Instead, you more or less try and figure out what the computer needs (password, key, request origin, etc.) from you in order for it to let you in, and you either give it those things, or you “trick” it into thinking that you gave it those things.
    Kind of like a Jedi Mind Trick (if you are familiar with Star Wars). Actually, EXACTLY like a Jedi Mind Trick!

  5. Malware is just the same as any other piece of software/code. It’s a list of instructions. The way you protect yourself is that you make sure YOU have told your computer not to allow anyone else but YOU to be able to issue those instructions that could potentially harm your computer, and you tell your computer a very special “secret handshake” that only you and it know, so that it can verify that it’s really you, and not someone else pretending to be you.

An analogy would be like allowing your kids to cook food with the microwave, but not the oven or hotplate. You have also made it so that the oven won’t turn on unless you punch in a 4-digit passcode.

In Linux terminology, if you ran ls -l kitchen-appliances, your appliance permissions would look like this:

-rwx------  1 root root     5T Jan 31  2021  oven
-rwx------  1 root root     5T Jan 31  2021  hotplate
-rwxr-xr-x  1 root root     5T Jan 31  2021  oven-hotplate-unlock

You can still use the oven or hotplate, but they can’t, unless they somehow learn the passcode, or they start at 0-0-0-0 and go through all possible combinations until they get the right one. (This is called “brute-forcing”, and isn’t uncommon to see in the logs of Linux servers that allow remote login over the internet. There are ways to mitigate this, and I’m not going to go into them, but you should if you’re interested, because they’re actually really cool)

If you’re new to Linux, it can be incredibly tempting to run things as root. While this can seem fun (I used to do it when I first started all those years ago), you’re basically saying that that program can add/change/remove/copy/move anything on the computer. ANYTHING!

Trust me, don’t run things like a web browser as root. You’re basically saying that any code in the website that you’re loading can touch whatever it wants on your computer. Now THIS is how you “get hacked” :rofl:


So, in answer to your question:

If you’re worried about something in the BIOS spying on you, then you should reflash it with something that you trust (either you wrote/built it yourself, or someone whom you trust wrote it for you). However, you really have to know what you’re doing with this.

The BIOS is the first thing that executes as soon as electricity flows through your computer, so if that doesn’t execute properly (or doesn’t execute at all), you will have essentially “bricked” your computer. (Nothing happens when you push the power button. No fans, no lights, nothing. And you feel your heart just sink, and it feels awful!)

Don’t worry. Computers can be “de-bricked”, but it would most likely require using one of these:
image

I am handling finances on this laptop and I can’t afford to be hacked here.

Ah, so you’re just like the rest of us :stuck_out_tongue:

Well, given that you now know a little bit more about how people “get hacked”, I guess you’ll start being more aware of what your computer is actually doing, and set it up in a way that gives you more control, and not do anything “silly” that would put the important things on your computer at risk :slight_smile:

This is why Qubes OS is so awesome. If you used the setup tool to automatically create Qubes for you, have a look at the vault Qube. The idea is that it is used to store sensitive things like passwords. vault doesn’t have network access, so the only way things can get in or out of it is if you do it.


Think of using Linux and BSD-based OSes as being similar to LEGO sets:

  • They usually come pre-packaged with all the bricks you need to make something beautiful, and some even come pre-assembled. (Ubuntu, Linux Mint, etc.)
  • All bricks can be interchanged with any other LEGO bricks in existence
  • You don’t necessarily have to follow the instructions when you’re building (but it is a good idea to, unless you know what you’re doing well enough…)
  • Some people don’t use pre-packaged sets. They know exactly what parts they want, and order them direct from the factory. (Archlinux)
  • Some people even buy a 3D printer and make their own bricks (Gentoo, Linux From Scratch)

I did a factory reset and then installed Qubes.

I’m assuming you fully understand what that means. I’m just spelling it out for anyone else that might come across this post, so it helps them as well.

Ok, so when you say you “did a factory reset”, I’ll assume that you:

  1. Cold-booted the computer and went into the menu of the BIOS that is currently on your computer
  2. Selected something like “Factory Reset”
  3. Rebooted the computer

So, let’s just assume that the BIOS actually is compromised. If I wrote a malicious BIOS, it would be a bit silly if I wrote it so that it would delete my malware if the user went into the menu that I created, and selected “factory reset”, don’t you think? :stuck_out_tongue_closed_eyes:

I would make it so that “factory reset” option did absolutely nothing, and just told the user that it was reset!

Now, I’m not saying that your BIOS is compromised. In reality, it’s most likely fine.

However, if you’re genuinely concerned, you have three options:

  • Learn how to create your own BIOS (coreboot is a good place to start, if you don’t mind getting your hands dirty)
  • Take your computer to someone you trust (and I mean actually trust, not just your local computer repair shop), and get them to take a look at it (the actual hardware, or a “BIOS Dump”)
  • Continue using the current BIOS installed on your computer, and just accept any risks

At the end of the day, it’s your machine, and your choice :slight_smile:


Do you think I could eliminate most of the risk by reinstalling my BIOS?

Also, a word of warning. Just like with every community, there are people who will not respond well to questions that are “misinformed due to ignorance or laziness”.

I’m not saying that you are misinformed (well, you sort of are, but that’s not your fault, and it will change very quickly after a few weeks of Qubes OS :upside_down_face:) or lazy, but if you expect to be spoon-fed forever by the community, you will likely get a lot of " :expressionless:" in the answers to your questions.

I’m sure there’s an area of expertise that you are passionate and knowledgeable about, and it would probably frustrate you too if someone kept asking you questions that they could answer themselves quite easily if they bothered to do 2 minutes of research online (assuming that the questions actually make sense to begin with).

Imagine your reaction if someone asked you how to “download the wifi card”, “crunch the numbers”, or “crack the mainframe”. Yeah… that face you’re making now as you’re reading this is exactly what you’ll get if you ask questions and it’s obvious that you haven’t done any background research :yum:

I learned that the hard way. We all did. It beat us into shape, and we are thankful for that experience, but it was really brutal at the beginning… :smirk:


So, would it eliminate the risk if you reinstalled your BIOS?

I’ll give you my mental train of thought as I read this:
" :confused: I need more information :sleepy:. What risk? What exactly is he concerned about happening (“getting hacked” isn’t specific enough)? Where is he getting the new BIOS from? Does he know that the new BIOS isn’t going to have anything evil in it? I can’t answer his question properly because it’s way too vague… :sweat_smile:"

Make sense?

With Windows and MacOS (and any other proprietary piece of software), you only get to interact with your computer in ways that the creator of the software permits you to interact with your computer. I promise you that the settings listed in Control Panel in Windows are not the only things you can control with your computer :grin:

And if people have been surrounded by nothing except proprietary software, chances are they’re completely fine with vague terms like “reinstalling the BIOS”, “using antivirus”, “performing system updates”, etc. because someone else is doing the heavy lifting for them.

They also tend to associate computer functions with a particular piece of software, and assume that only that piece of software can do it.
(One of my pet hates is that most Windows users assume that the only way they can use SSH is by using PuTTY :pensive:)

They are also used to being given software by other people and just told to install it, and by doing so, it will fix their problem. Because of this, they tend to focus less on what the software actually does, and associate the solution with the name of the software.
(Imagine if you went to the doctor, and he prescribed you “red pills, blue pills, and yellow pills” to take 3 times a day, and that was it. Would you blindly take them without knowing what they are? I hope not, but some people do…)

No no no, none of that here, my friend. You’re in the Wild West. :smirk:

You have embarked on a journey to get to know your computer inside and out. Yes, it will be tough, but the community is here to help, assuming you meet us half-way (which I’m sure you will :slight_smile: ).

An analogy for car owners:
You probably won’t have to know the molecular composition of the fuel or the brake fluid; but you will need to go deeper than “The accelerator makes the car go, and the brake pedal makes it stop”.


So, would it help to “reinstall the BIOS”?

If your currently installed BIOS was doing nasty things, and you replaced it with something that didn’t do those nasty things?

Sure, I guess… :face_with_hand_over_mouth:

There are things you can do to investigate (Wireshark, biosdecode, connecting your computer to a network without access to the internet and seeing what it tries to do, etc.)

Chances are that your BIOS is fine. But again, it’s your computer, and entirely your choice :slight_smile:


What are Standalone VMs?

It’s questions like this that will usually get a " :sleepy:" in the responses. It makes it obvious that you haven’t read the documentation. (Most people don’t, I know, but if you do, people will be a lot nicer in answering your questions :slight_smile: )

This was beaten into me very early on. Haha!

Start here:

(This was actually written by the people you’re asking questions to :stuck_out_tongue:)

If you still can’t find your answer, and you’ve genuinely tried to find it, then by all means, ask away!

But chances are, it’s most likely in there :wink:


Hope this helps!

4 Likes
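The post above mentions brute-forcing showing up in the logs of servers that allow remote login. As an added example (not part of the post), this script shows the detection side of that: it counts failed SSH password attempts per source address in sshd log lines and flags any source that crosses a threshold. The log lines are constructed, using documentation address ranges, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): spot SSH password brute-forcing
# in sshd log lines by counting "Failed password" events per source address.
# The log lines below are constructed; the addresses are documentation ranges.

SAMPLE_AUTH_LOG='Jan 31 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 31 10:00:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 31 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 31 10:00:04 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jan 31 10:00:05 host sshd[1207]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 31 10:00:09 host sshd[1210]: Failed password for alice from 198.51.100.23 port 40110 ssh2
Jan 31 10:00:15 host sshd[1212]: Accepted publickey for alice from 198.51.100.23 port 40111 ssh2
Jan 31 10:00:20 host sshd[1214]: Failed password for root from 203.0.113.7 port 51027 ssh2'

# failed_logins_by_source: read sshd log lines on stdin and print
# "<failures> <source-ip>" for every source, most failures first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]*\]: Failed password for / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "from") { count[$(i + 1)]++; break }
             }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD: print the sources with at least THRESHOLD failures.
# Successful logins are ignored, so a user who mistypes a password once is not flagged.
brute_force_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample: only 203.0.113.7 crosses the threshold of 5.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5
```

On a real machine you would feed it the sshd journal or /var/log/auth.log instead of the sample. The per-source counts are exactly what rate-limiting tools such as fail2ban act on, and the noise disappears entirely once password authentication is disabled in favour of keys.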

hi expert

You’re correct. I tried that and my neighbor’s PC got infected by many viruses, the same ones that I tested.

Except me. I don’t trust banks and I always use crypto on a HW wallet.

no

Why?

Thank you very much! I know that it is something I could have looked up, sorry for bothering. Your summary was very helpful.
Meanwhile, I have a good overview of it.
I have not seen the term Standalone VM in my Qubes. That’s why I was wondering.

One question that remains is this:
I am using the anon-whonix AppVM. It is based on the template (whonix gateway and workstation, right?). Is the template actively needed for anything? Because I see it doesn’t even have to be launched before I can use anon-whonix. Outside Qubes, I am used to needing the gateway launched before I can browse with Whonix (the workstation).

Again, a big thank you. You are right about the fact that my own research could be more thorough.
Your summary has helped me a lot and your kind of explaining is effective.

The vault option is great. It should be as secure as a LUKS-encrypted USB drive, shouldn’t it?

Regarding the factory reset:
Yes, I did it the way you described. For that reason, I have found out it is very effective to erase a hard disk using DBAN.
I’m not sure if you’re familiar with this (there is also similar software, DBAN is just popular).
I don’t think it helps me with the BIOS problem, right?
Maybe it’s still a good idea.

Regarding reinstalling my BIOS: My information was not precise enough.
I could get it from my provider which is definitely safe.
My risk is getting hacked in any way while I am operating my finance stuff (crypto currency, browser wallet and so on) through my PC being potentially compromised.

It’s questions like this that will usually get a " :sleepy:" in the responses.

I know, sorry for that!

Currently researching more. :slight_smile:

You know, it appears to me at least that some people pose questions digging for answers on how they “could/would” achieve such things or accomplish these actions, by using the information given to them by community members. If one truly is informed on such matters, wouldn’t you think that these “people” would at least inform themselves before posting such questions, let alone speak about said topic?

It is well known among thieves that…
Sometimes in life it is wise to play the fool…

Now with that being said.

- Any AV is inferior. Why? Because they are only as good as the signatures they have to check against for infections…

- AVs do lots of “data mining” on your systems. This is well known…

It depends on where you download that firmware.
There is a better alternative.

1 Like

Not much, just for storing the Whonix files.

1 Like

The most popular antivirus on Linux:
ClamAV

FEDORA:

sudo dnf install clamav

DEBIAN:

sudo apt-get install clamav clamav-daemon

UPDATING CLAMAV:

freshclam

SCANNING THE /home/ DIRECTORY:

clamscan -r /home/

REMOVE INFECTED FILES:

clamscan --infected --remove --recursive /home/

RUN DAEMON FOR SCAN:

/etc/init.d/clamav-daemon start
/etc/init.d/clamav-freshclam start

- Berkeley
2 Likes
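The `--remove` flag in the post above deletes matches outright, which is irreversible if the signature was a false positive. As an added example (not from the post or from the ClamAV project), the script below parses the report that `clamscan --infected --recursive` prints and moves the detected files into a quarantine directory instead. It assumes clamscan's `<path>: <signature> FOUND` line format and its `Infected files:` summary line; the report text and the placeholder files in `demo()` are constructed.

```shell
#!/bin/sh
# Added example (not part of the post above): parse the report printed by
# `clamscan --infected --recursive` and quarantine the hits instead of deleting
# them with --remove, so that a false positive can still be recovered.
# The report text in demo() is constructed in clamscan's "<path>: <signature> FOUND"
# format; the files it names are created as harmless placeholders.

# infected_paths: read a clamscan report on stdin, print one detected path per line.
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# infected_count: read a clamscan report on stdin, print the summary's "Infected files" value.
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2 }'
}

# quarantine_from_report QUARANTINE_DIR: move every detected file that still exists
# into QUARANTINE_DIR (original path encoded in the name, mode 0600) and print how
# many files the quarantine directory now holds.
quarantine_from_report() {
    qdir="$1"
    mkdir -p "$qdir"
    infected_paths | while IFS= read -r path; do
        [ -f "$path" ] || continue              # already gone or not a regular file
        dest="$qdir/$(printf '%s' "$path" | tr '/' '_')"
        mv -- "$path" "$dest" && chmod 0600 "$dest"
    done
    ls -1 "$qdir" | wc -l | tr -d ' '
}

# demo: build a throwaway home directory, quarantine from a constructed report and
# print the number of quarantined files (1: the second reported path does not exist).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/home/user/Downloads"
    printf 'placeholder, not malware\n' > "$work/home/user/Downloads/invoice.pdf.exe"
    printf 'placeholder, not malware\n' > "$work/home/user/notes.txt"
    report="$work/home/user/Downloads/invoice.pdf.exe: Eicar-Test-Signature FOUND
$work/home/user/archive.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 2"
    printf '%s\n' "$report" | quarantine_from_report "$work/quarantine"
    rm -rf "$work"
}

demo
```

In practice you would pipe the real scan into it (`clamscan --infected --recursive /home/ | quarantine_from_report /var/quarantine`) and review the quarantine directory before deleting anything; clamscan itself also signals the outcome through its exit status (0 clean, 1 something found, 2 error), which a cron job can check.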

I’d download it on my provider’s official website (AMD).
What do you mean by a better alternative?

Okay. So I don’t have to do anything with it as I can just use Whonix AppVM (like the pre-installed anon-whonix)?

Are there any downsides? Many people are not recommending Antivirus at all, especially for Qubes.

If your BIOS is compromised, then it can compromise the OS. Reinstalling BIOS will not restore the OS. The OS might in principle compromise the BIOS again after you reinstall it. You should reinstall both for maximum reliability.

I don’t use antivirus. But you can use some firewall + Firefox settings to increase your security.


Maybe this can help you:

FIREFOX

ABOUT:CONFIG

Then type in the filter or find field:

network.http.pipelining and as soon as the respective line appears double click on the line changing its value to ‘True’.

Now search the filter for

network.http.pipelining.maxrequests and change its value from ‘4’ to ’32’

Filter again looking for

network.http.proxy.pipelining and changing to ‘True’.

In the filter search for

network.dns.disableIPv6 and change it to ‘True’.

Again the same procedure, only now search for

plugin.expose_full_path and change its value to ‘True’.

Now you will need to insert new lines. To do this, right click > New Option > Integer .
Create a line called

nglayout.initialpaint.delay and in the value field enter ‘0’ (zero).

Create another line called

content.notify.backoffcount with value ‘5’.

Another line called

ui.submenuDelay and value ‘0’ (zero).

One more line called

browser.cache.memory.capacity with value ‘16384’ for Firefox to consume 16 MB of memory. Or ‘32768’ for 32MB.

Look in the filter for the

layout.spellcheckDefault line and change its value to ‘2’.

KEEP GOING:

Set browser.download.animateNotifications to False
Set security.dialog_enable_delay to 0
Set network.prefetch-next to False (Only on slow internet connections)
Set browser.newtabpage.activity-stream.feeds.telemetry to false
Set browser.newtabpage.activity-stream.telemetry to false
Set browser.ping-centre.telemetry to false
Set toolkit.telemetry.archive.enabled to false
Set toolkit.telemetry.bhrPing.enabled to false
Set toolkit.telemetry.enabled to false
Set toolkit.telemetry.firstShutdownPing.enabled to false
Set toolkit.telemetry.hybridContent.enabled to false
Set toolkit.telemetry.newProfilePing.enabled to false
Set toolkit.telemetry.reportingpolicy.firstRun to false
Set toolkit.telemetry.shutdownPingSender.enabled to false
Set toolkit.telemetry.unified to false
Set toolkit.telemetry.updatePing.enabled to false

In about:config, set reader.parse-on-load.enabled to False
In about:config, set reader.parse-on-load.force-enabled to False
In about:config, set browser.pocket.enabled to False
In about:config, set loop.enabled to False
1 Like
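Of the settings listed above, the `toolkit.telemetry.*` and `*.telemetry` entries are the privacy-relevant ones (the pipelining, paint-delay and cache entries are performance tweaks). Rather than trusting that every one was flipped by hand, the following added example (not part of the post) audits a Firefox prefs.js or user.js and reports each telemetry preference that is not explicitly `false`. It assumes the `user_pref("name", value);` line format that Firefox writes; the prefs file in `demo()` is constructed.

```shell
#!/bin/sh
# Added example (not part of the post above): audit a Firefox prefs.js or user.js
# against the telemetry preferences listed in the post and report every one that
# is not explicitly set to false. The prefs file written by demo() is constructed.

# The telemetry-related names from the list above (the pipelining/paint-delay
# entries are performance tweaks, not privacy settings, so they are not checked).
TELEMETRY_PREFS='browser.newtabpage.activity-stream.feeds.telemetry
browser.newtabpage.activity-stream.telemetry
browser.ping-centre.telemetry
toolkit.telemetry.archive.enabled
toolkit.telemetry.bhrPing.enabled
toolkit.telemetry.enabled
toolkit.telemetry.firstShutdownPing.enabled
toolkit.telemetry.hybridContent.enabled
toolkit.telemetry.newProfilePing.enabled
toolkit.telemetry.reportingpolicy.firstRun
toolkit.telemetry.shutdownPingSender.enabled
toolkit.telemetry.unified
toolkit.telemetry.updatePing.enabled'

# pref_value FILE NAME: print the value from the last user_pref("NAME", value);
# line in FILE, or "unset" when the preference does not appear at all.
pref_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the name are literal
    val=$(sed -n "s/^user_pref(\"$esc\", *\(.*\));[[:space:]]*$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# audit_telemetry FILE: print "<pref> <value>" for each telemetry pref that is
# not "false" (either left at its default or explicitly turned on).
audit_telemetry() {
    printf '%s\n' "$TELEMETRY_PREFS" | while IFS= read -r name; do
        val=$(pref_value "$1" "$name")
        [ "$val" = "false" ] || printf '%s %s\n' "$name" "$val"
    done
}

# demo: write a constructed prefs.js with three prefs disabled and one enabled,
# run the audit and print its findings (10 lines for this sample).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
// constructed sample prefs.js, not taken from a real profile
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.unified", true);
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("browser.ping-centre.telemetry", false);
EOF
    audit_telemetry "$f"
    rm -f "$f"
}

demo
```

Run it against the `prefs.js` in a profile directory after changing the settings in about:config; an empty report means every listed preference is pinned to false. A preference reported as `unset` is sitting at the build's default, which is exactly the case the about:config walk-through above is meant to remove.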

If you are a good neighbour and share files with others, then you will want to use some sort of AV - and use native Qubes tools, like qvm-convert-img and qvm-convert-pdf.
Other people may not enjoy the same compartmentalization that you have.

3 Likes

Not quite sure what you mean by this. LUKS stands for Linux Unified Key Setup, and it basically keeps a block device (a hard drive, USB stick, SD card, etc.) jumbled up (encrypted) when it’s not mounted. It’s useful, for example, for protecting your files from being read when your computer is off, or when a USB stick is in your pocket.

If someone does, then it’ll probably look something like this:

��h@R7�W2�lA��Z�S����i�;I-i�\a&f��R��OǂKi�mz�dN��M�������R�ƻ�דu�x�Lq6��,5Є����>a�d�������
K�%��BM�XE��#�
:�GM��f(��͞3�?��.�����n’D�����s�6��mP�A�S<�p!S�5����!$g�P�7P�S�"���bN���}iV���}��d5���C4��Kn!¨�< �{�n|�����f2T>�yCه�ձ�*a���Ix!�>0_��\W� 6� ��"1��N�Ï[
(�}�.Ic���fu���{?�m,�,xog��L1�w���M��蜩@/�%��D��,P��6�#�:����R�[4L[$2�n�
��ۃ�p[T��U�
2�B�% 3�;j�K�����l�-�BsR��H�$Z�z �m!��!)CXd14��0�1ݶITN+l7߈X�j���"R�����W#���f+�P����H��#�n��3Dii�=M����ODP�����05��܉��E���<�=�#ĉ�t�EL]���o���÷n۶��CsHx�i��ݩH�z�d[�� � B[>�����87d��)*%^y�(/�/�n��5k��4�rw/7k.̧z�K ӜJ\�cD� �?{^��>�����^v�m[}�V���hx�Sߧ�$eW�Km�16U����� ���D�:�J%l��܊�m��3��K�w���U�%������Ts(�k�ZU�Zb��xs<v�ڥ;���.��^�<q� f�cFu3I�F����(e��’8��鰺bu.c�<i�rY�i�M���x+�������^C

…essentially, nothing useful without your encryption key (password, keyfile, hardware decryptor, etc.)

I mean, sure, I guess if you had a USB stick unplugged, then LUKS definitely would protect whatever was on it, but it wouldn’t really do anything once you unlocked it with your key. Then, the drive behaves just like a regular drive, until you unmount (lock) it again.

It’s like someone keeping important paper documents inside a safe (in terms of who can read them, not the encryption…). You can only read them when the safe is open. BUT, if the safe door is open, then it does nothing to protect the documents inside, and ANYONE can read them who has access to the safe, until you close it again.

If your aim is to try to mitigate someone stealing your files (whatever files they may be) when you’re not using them, then LUKS is perfect. But I’m afraid it won’t do anything once the drive is unlocked and mounted, and you’ll have to rely on other things.

The BIOS is a binary program (zeros and ones) stored on a microchip on the motherboard of your computer. Its main job is to “activate” all the components in your computer to get ready to boot.

If it was on your hard drive, you’d have a chicken-and-egg problem, because without your motherboard knowing how to power up and interact with all the other devices on the motherboard (serial bus, gpu, ram, storage, etc.), it wouldn’t really be able to get the BIOS file in the first place :stuck_out_tongue:

Oh god, that’s really not a good idea to say in a forum…
You’ll likely get A LOT of “:angry:” from all directions about this assumption you have that it’s “definitely safe” just because it “came from the provider” (whatever that actually means)

@ppc is definitely right about this. It’s all about TRUST.

A lot of smartphones come with firmware and software “from the provider”, but are they “definitely safe”…?

Well, I have several mobile handsets that I have bought from retail shops in China, street vendors in Russia, an electronics market in Serbia and an Apple Store in Brazil (to name a few), and I can tell you right now that I do not believe in the slightest that they fit my definition of “safe” because:

  • I didn’t get any source code of what’s running on them (the manufacturers obviously didn’t release it, otherwise I would have a copy)
  • I don’t have any way to truly know what they are actually doing (what they tell me they’re doing and what they’re actually doing are completely different things)
  • Every time I ask them to “bare all”, they blatantly lie to me, or omit certain details

It’s these things that make me feel uncomfortable using them, at least until I can replace that software with something that I trust. For some of those handsets, that may take a while… :sweat_smile:

Another example that might be more relatable for you is many home routers provided by ISPs with internet plans. I can tell you now that not only are they locked down, blackboxed and backdoored “to the moon” (google those expressions if you don’t understand them), the amount of “phoning home”, snitching and probing the ISPs’ firmware makes them do (and hide from the user that they’re doing it) is quite alarming.

The worst one I saw was a SoHo router that would allow a WAN IP (usually an Amazon Cloud VM) to get a DHCP lease on a LAN IP, and then not list that IP in the subnet. And that IP would probe all your LAN devices like no tomorrow!

But they’re stories for another day :slight_smile:


As for your BIOS, if you’re worried, reflash it (obviously with a BIOS that you trust, and using tools that you trust). Your machine, your rules :slight_smile:

Well, in that case, the only way to truly protect yourself is to examine and audit the source code of whatever software you are running for your “finance stuff”, and build it yourself, so you can be sure it’s only doing what YOU told it to, and nothing else.
(This is basically the Edward Snowden model, which some people consider to be the only approach, while others may consider it to be a bit extreme)

Or at the very least, work out which software that other people wrote and built that you actually TRUST.
(This is the option that a majority of computer users tend to go for, but you make sure you don’t let me persuade you one way or the other. That’s not what I’m trying to do)

Basically, you (and you alone) will have to come up with your own definition of “safe” and your own trust model.

You’ll have to ask yourself:
“Is my device doing only what I want it to do, and nothing that I don’t?”

If the answer is yes, then that’s great. You are one with your machine.

But if the answer is no, then you’ll have to figure out:
“Why is my device doing this thing that I don’t want it to do?”
(did I tell it to do it, did a program I ran tell it to do it, or did someone else?)

“Is the undesired thing necessary to do a thing that I actually want to do?”
(web servers generally have to listen to the outside world and accept requests from anyone, legitimate and malicious)

“How can I stop it from doing this undesired thing?”
(there is ALWAYS a way)

OR

“Can I still meet my definition of ‘safe’ if I let my device continue to do this undesired thing?”
(specifying what outside users can request from a web server)

“What do I need to be aware of if I know my device is doing this undesired thing, and I still will permit it to do so?”
(anyone could potentially ask a web server for a root shell, so I need to make sure the web server will always deny that request)

If a crypto miner, for example, is running with root privileges (generally not the best idea, just FYI), and you aren’t 100% sure of what it’s doing (no, “it’s obviously mining crypto, well duh! What kind of dumb question is that?” is NOT a sufficient answer! You have to go deeper than that…), then you can’t accurately determine your risk model.

Not a problem at all! Qubes OS will cause your computer to be much more transparent and upfront with you than you’ve probably experienced before. It can be daunting to take in sometimes if you’re not used to it, but trust me, you’ll be thankful that you did. :slight_smile:

Trust me, I would love to be able to tell you that “This program provides the best security, and you just have to open it, and all your problems will disappear, and you’ll be free to roam around the internet safely forever, and you’ll never be hacked!”…

…but that’s unfortunately not how it works :stuck_out_tongue:

If you’re interested, there is a YouTube channel called Computerphile that is run by Brady Haran. There are several good videos that explain a few types of cyberattacks in plain simple English.

Maybe this might help you understand more clearly what things other people can do to your computer, so you can better understand how to counter them, and remove some of the “unknown” for you. :slight_smile:
https://www.youtube.com/user/Computerphile

1 Like

heads with nitrokey (@anon93834559)

not much if you using good one and in correct way

About the template’s purpose:
Whonix has 2 template VMs, one for the gateway and one for the workstation. It also has one AppVM based on the gateway template and one or more AppVMs and disposable VMs based on the workstation template.
The only times you would run the templates directly is to install updates or to install software.
Otherwise, you want to run the AppVM. How does this work with templates? When you start the AppVM, Qubes makes temporary copies of the template’s /usr, /opt, /etc, and other directories, combines these copies with the AppVM’s actual /home and /rw directories, and then launches the combination as a VM (technically these are separate virtual disks, but let’s not get too technical). When the VM terminates, its copy of /usr, /opt and such are discarded, leaving only /home and /rw to be combined with the template again on the next launch.
That’s the real antivirus in Qubes. Most viruses will try to infect the /usr and similar directories, not knowing they are ephemeral copies doomed to destruction.

It takes a specialized virus to realize, “hey this is Qubes, so I need to infect /rw instead.” Not impossible, but obscure enough that most virus authors won’t bother. And it would take a VERY sophisticated virus to try to jailbreak the AppVM and infect other VMs or dom0.

As for Whonix, the Whonix gateway AppVM runs first (usually as part of Qubes startup), and the workstation AppVMs and disposable VMs run as needed. Both templates sit unlaunched, just serving as the source for the system directories for the appropriate AppVMs and disposable VMs.

That is a good point that I haven’t thought about.
Does it make a difference if I could plug it in, enter the password and copy all the files to a non-persistent folder, using the files from there? (Probably not)

What are the attack vectors here that could endanger my USB drive files?

If I only use it while being offline and unmount it before I connect to the internet, it should be safe as well, right?

Right now, I think LUKS is enough, but if you know a nice alternative that protects my files even while I am using them, it is very welcome.

Oh god, that’s really not a good idea to say in a forum…
You’ll likely get A LOT of “:angry:” from all directions about this assumption you have that it’s “definitely safe” just because it “came from the provider” (whatever that actually means)

I know that the word “safe” does not really exist. However, I meant AMD/Intel… by the provider. It is the safest source there is. I mean, my current BIOS is from the same provider as well, so I don’t see any bigger risk here when reinstalling, do you?

Thank you for all your other input that I am not answering to here.
I am currently learning a lot about Qubes, even if I am still struggling between Qubes + Whonix and Tails. But that is another question (my newest one, where I have summed up all my desires including my own thoughts and the progress that I have made). Maybe you can take a look at it, your opinion is very welcome.