Qubes makes me feel overwhelmed

Before Qubes i was using minimal debian install + KVM to run Guest OSes.
The minimal debian system was giving me some peace of mind because i know all running process by heart, I at least know what they was suppose to do. Firewalling was simple.
This system “felt secure” because it was minimal and i had some idea whats happening. But Qubes …
I feel overwhelmed by Qubes, of course i see value in its security architecture. Im reading docs, but not sure how long it would take me to be at ease with my understanding of Qubes OS.
Do anyone else experienced similar feelings ?

1 Like

Qubes definitely has a deep learning curve compared to other operating systems. Back then, the switch from Windows to Linux was pretty easy. But the switch from Linux to Qubes was definitely not that straight forward. I think it took 1 or maybe 2 weeks of using Qubes until i really understood each concept. However, I dont regret anything: Qubes is worth the initial learning time.

10 Likes

Thank you for reply. I will keep learning

2 Likes

Something I’d say in general when it comes to learning any new tools, workflows, or domains of interest would be to unlearn, if needed, the mentality that “one should instantly take a deep dive to something unknown, and know how to use it on autopilot, after using something once or twice”. Or reading the documentation on a certain topic once or twice. Nope, some creatures need to use tools and work in certain workflows constantly, to adapt themselves, rather than doing something once or twice, and it’s perfectly valid (even though I’ve witnessed multiple examples of this not being tolerated, what I disagree with).

Given how much stuff here is foreign right now, the being overwhelmed part is rather natural, and speaking from my POV, I’d just use it to perform some fairly simple daily tasks, like browsing the web for cat pictures in one domain, using social media in another one, and similar others. In my case that simple thing would allow to grasp the idea of the separation, while at the same time having a seamless desktop. This doesn’t even account for any of the idiomatic tools for administration - merely getting to know, how to make your way around with the tooling provided out-of-the-box.
(Note that this is also a huge appreciation for the devs, so that one can use the Xen hypervisor with its own nomenclature, like virtualization modes’ names, without knowing, how they operate under the hood)

Maybe, what could also help, would be the unlearning of the mindset that “I’m using separate virtual machines with guest systems”, and instead a metaphor like “I’m running something like multiple tiny laptops inside my big one, and I decide, which tiny laptop gets some of my data and tasks to handle”, skipping all the technical details?

3 Likes

What you are feeling is normal. :slight_smile: You are moving from from debian host to fedora host (dom0), and moving from KVM to Xen, at the same time as learning all the qubes stuff.

Were you using virsh/libvirt for interacting with KVM on your old system? If so the libvirt tools like virsh should be available to you to inspect the xen qubes while figuring things out. I don’t recommend changing any settings via libvirt as qubes could easily overwrite your changes, but being able to check if the status of a qube is what you expect, via a tool with a output that you are used to/know what the output actually means, could help the learning curve.

3 Likes

No, i was using virt-manager. But thanks to pointing to libvirt thing.

2 Likes

@aronowski Thanks for reply.
Well usability and separation architecture I’m grasping that at some level. I’m just confused about how this all happen under the hood… The qubes processes that runs inside each template and how they interact with dom0…

1 Like

Some of the following things may help:

  • running the following inside dom0: qvm-run --pass-io sys-net 'ls /home/user' will give you a directory listing of the /home/user directory of sys-net.
  • The name of the system that qvm-run uses is “qrexec” (search term)
  • if you want to look into understanding things better look into qubes “policies”.
  • most (all?) things that can be done with the gui tools can be done via cli, (and those commands usually have man pages).
2 Likes

@ddevz Thanks, these things really help.

Thats very good suggestion. Thank you!

1 Like

You haven’t said why you feel overwhelmed, or in what way you feel
overwhelmed. Nor have you said what would count as “being at ease with
your understanding of Qubes OS”.
I suspect this is very much down to individual approach and understanding.
All I can tell you is that some people are immediately productive in
using Qubes, without having any grasp of the security architecture.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

2 Likes

This hits the nail on the head. It’s a bunch of changes at once in many cases - not just the core computer stuff (os, distro, virtualization platform) or the qubes stuff (template vms, dispvms, how files are moved, how clipboard stuff moves, setting up the right persistence) but workflow. How are you going to get things done in this environment? Falling out of that are things like, what is the right level of compartmentalization, how finely do i want to dice up my digital life, what is the right balance of security and convenience and productivity.

Our world already throws so many choices at us. Qubes is like… mega mega choices… on top of that, at least when you’re starting up. I’d say give it a couple months if you can bear to and see how you feel. Step away from it, give yourself breaks. Once it’s set up and you get a good flow going (esp if you use it as a daily driver) it feels so much better.

Although there are still a bunch of tools and little scripts and playbooks and thins I rely on that I feel like I’m endlessly tweaking. But it feels like maybe 1/100th the cognitive load as when I started with Qubes.

1 Like

And some people are not immediately productive using Qubes, and this thread is created by one of them asking if people have similar experiences of feeling overwhelmed. What is the point of your statement? No one claimed that everyone has trouble with Qubes. It’s like if your friend at the pub said “i’m really having a lot of arguments with my wife, you know?” and you replied “you have not defined what is ‘a lot’ of arguments, all I can say is some people have peaceful marriages.” Oh thanks buddy, great hanging out with you.

If you don’t empathize with this person or have anything constructive to contribute maybe move along and don’t post a comment?

1 Like

I don’t agree: this is not a pub filled with friends, but a technical forum. To me, @unman is asking for more details to explain why @kid feels overwhelmed. And usually, @unman really tries to help, sometimes by providing another point of view, which could give you the impression that it is not constructive.

As for the original question:

I don’t think I felt overwhelmed by Qubes. I just knew that I wouldn’t be familiar with everything right from the start (well, right now I’m only familiar with some small parts of the OS). And it was great because of what Qubes offers me: every important data was in offline qubes, and I was able to create as many qubes as I wanted to mess up with.

But I had no hardware problem and I wasn’t trying to use a GPU or any peripheral apart from USB storage.

3 Likes

No, my Qubes OS experience and workflow are highly simplified to eliminate any technical complexity.

3 Likes

I learn slowly and only through practice. I wrote down my top 5 workflows / tasks and worked immediately to make them natural and comfortable

The rest I slowly picked up as needed. After 3 months it started to come very naturally. If I didn’t know quite right how to do something, I knew where to start

Don’t know that this is helpful, just my experience

2 Likes

Perhaps the reason you feel overwhelmed by Qubes is that you’re accustomed to knowing all the running processes on your system by heart. This is easy to do when the number of running processes is small, but it’s harder to do when you have a collection of VMs running on your system. However, I think we need to take a step back and ask how much security is provided by knowing all the running processes on one’s system by heart as compared to a security-by-compartmentalization model, which is what Qubes implements.

If a skilled adversary were to compromise your conventional OS, he might be able to prevent his presence from appearing in the list of running processes, or he might disguise his presence in that list under the name of an innocuous process. In that case, knowing all the running processes by heart would provide only a false sense of security. The reasoning is something like, “I don’t see anything bad here, so there must not be anything bad here.” By contrast, Qubes is designed under the assumption that some qubes will be compromised, so we must limit the damage and prevent it from spreading. The reasoning here is something like, “There’s probably already something bad here, so I will isolate and contain it.”

The idea that one can ensure a system is “clean” by inspecting it thoroughly enough is appealing in theory, but it’s overly optimistic in real-world environments, where software is buggy and there are too many ways for an adversary to hide and attack. All it takes is one new zero-day vulnerability to sink this approach. Qubes, on the other hand, was born from the idea that nearly all code contains bugs and that new zero days are inevitable and unavoidable, so the best we can do is minimize the code we have to trust and cordon off the rest so as to control the damage it can do. It’s an approach designed for the messy and hostile computing environment we find ourselves in today, where armies of overworked software developers (and now AIs) around the world are tasked with churning out sloppy code at a far faster rate than the comparatively small group of security experts can analyze it (assuming they’re even incentivized to do so).

6 Likes

If before Qubes you were using minimal debian install + KVM to run Guest OSes, then you shouldn’t be overwhelmed at all. The basic difference now is that your host is now offline, thus safer. That single fact should put you at ease to slowly explore all the scenarios you deployed earlier.

This is actually how I discovered Qubes ten years ago. I was using Windows as a host and VirtualBox OS’s as guests and I was looking for a way to make Windows offline, while keeping guest OS’s online. When found Qubes, I was productive immediately.

Now, ask yourself, why you moved to Qubes from your original configuration. What you missed there? How to achieve it with Qubes?

So, knowing that your dom0 is offline, just don’t put anything important in any online qube (files, emails, passwords, even bookmarks, etc) before you find out what configuration works best for you, and you are good to go.

Isn’t this enough to put you at ease at the point?

3 Likes

I believe Qubes OS can feel overwhelming if you dive in without first defining your threat model and understanding how Qubes addresses those risks compared to your previous setup. Taking the time to make an informed decision about switching to Qubes can transform the experience from daunting to exciting.

Before Qubes, I used Whonix on a Windows host. I wasn’t fully satisfied with that setup because it didn’t fully align with my threat model. When I discovered Qubes OS, I spent a week studying its concepts and a month experimenting with the OS before fully transitioning. That preparation made all the difference. Now, two years later, I find Qubes OS consistently exciting and empowering, not a single day has felt overwhelming.

For anyone feeling overwhelmed, I recommend starting small: clarify your threat model, explore Qubes’ documentation, and experiment with its features at your own pace. It’s a powerful tool that becomes rewarding once you understand how it fits your needs!

3 Likes