Qubes not loading without manual selection in boot menu. Is it actually a problem? And few more questions of newbie

Hello. I’m newbie. A user who wants to migrate from Tails to Qubes. I have a couple of questions.

  1. I installed Qubes twice on the same HP laptop. The first time was version 4.0.1, the second time was 4.1.2. and both times OS were not loading via Grub. When the computer was turned on, it reported that it did not have OS on it. But both times the installer reported that the installation was successful. The disk partitioning itself was automatic, without my participation. To start the OS, I had to enter the boot menu and choose the grub loader manually.

The actual path was as follows:

Boot From EFI File / Name of file (or disc?) / < EFI > / further selection of three items: < BOOT >, < fedora >, < qubes > (I choose “< qubes >”), further items: < fonts >, <xen-4.14.5.efi>, <grubx64.efi>, <xen.efi> (I choose <grubx64.efi>) and then grub is loading. Then comes a suggestion to enter the password from the disk.

The point is, I don’t think it’s a problem, I actually think it’s not a bug - it’s a feature. Because now, if the “evil forces” get hold of my computer, I can always say that it doesn’t have any OS on it, and if they turn it on, they’ll see it if they don’t dig deeper.

Basically, the point is that I’m okay with this moment, and I’m not at all keen on worrying about it, but I have to ask just in case, is there after all any serious reasons for me to start worrying and search the way how to restore the normal way of booting, or can I really leave everything as it is without any losses? If the work of the OS is not affected in any way, then everything is OK for me.

  1. In the second stage of the installation, when there was a component selection phase, I removed the checkboxes from Fedora and Debian, and left only Whonix so I wouldn’t have any clearnet traffic, and everything would be always routed through the Tor network, as it is in Tails. But there below were important points for me to check, but because I left only Whonix, these items became inactive. I needed the usb cube to be able to work with the Internet, as the Internet in cubes will work through a modem. To keep this item active, I briefly checked Debian again, checked the Internet in the usb cube, and then removed the Debian tick again. Did this help in any way or because neither Debian nor Fedora were installed, the modem will not work in Qubes? I’m asking because it’s not physically possible to test the modem because it’s not there yet. So at least I will know ahead of time and if anything, I will reinstall OS in a normal way.
    In general, is it necessary to install OSes other than Whonix so that Qubes can function as intended?

P.S. The other thing that’s troubling is that if you type the wrong password from the disk several times, the computer sends out a black screen with an error, that there are no paths like dom0/root and a few more with dom0. That it can not actually load OS. Nowhere in the manual on Qubes I have not met such a feature. Is this a normal moment (I mean, was this originally intended?) or is there something wrong with it?

Did you install it on USB drive or did you remove the drive from your PC after installing Qubes OS?
Check this issue:

It’ll help only against someone with average user knowledge.

It won’t cause any issues.

Yes. You can’t use whonix template for system qubes.

It works as intended and it works the same way for any other Linux system.

1 Like

Is it possible to install Debian on Qubes without re-installation of Qubes OS?

You can install rpm package of debian template from installer with this command in dom0 terminal:

sudo dnf install /patp/to/debian/template/package.rpm

You’ll need to mount the installer USB in odm0 and search for the package there. You can search for "*debian*.rpm"

1 Like

I installed on SSD drive of the laptop. It was unlabeled disk. Had more than enough of space. Do you mean removing of the hard drive itself? Then no. I removed only usb stick after installation process of OS was finished and it asked to reboot computer. That issue started already then, but then I already knew about how to boot Qubes manually and then did it and continued the installation process. Under “installation process” I mean the second phase when goes the process of installation of components like Debian, Fedora, Whonix.

OK then. If other packages except Whonix are needed then how can I prevent my traffic of being leaked in clearnet? I chose Qubes hoping they can give me protected Tor sandbox as Tails do but with much better protection of Qubes VM’s.

If you use this setup:
sys-net (using debian template with your network PCI controllers attached) ↔ sys-whonix (using whonix-gateway template) ↔ anon-whonix (using whonix-workstation template)
Then nothing from anon-whonix qube will be leaked to clearnet.

1 Like
1 Like

Thanks for help. Another qustion: is there a way to encrypt disk with keyfile instead of password? It has two advantages:

  1. If you distroy a keyfile no one ever can decrypt the disk. In contrast of password which can be obtained through “thermorectal cryptanalysis”.
  2. Password can be typed wrong during first encryption (because it was too large and you did a mistake while typed it) and you either can’t decrypt the disk anymore, or you have to enter a long password for half an hour each time. :smiley:
    The documentation really lacks a manual on how to encrypt the disk of Qubes with a keyfile.

P.S. I can’t decrypt my drive with my password anymore, so I still have to reinstall the OS. So I decided to ask this question before reinstalling.

And what should it be for? I didn’t see there anything about encryption with the keyfile. Did you send this because of something about proper manual disk partitioning about which there maybe is something written? I didn’t understand for sure yet because of still complicated text for me. I don’t have enough experience yet to figure out every single thing that is written there.

Is there a way to translate the Qubes’ interface into another language? Because they’re like the spaceship’s dashboard and everything’s in English.

This topic is about creating this setup for Qubes OS:
It’s better than just having USB drive with a key that anyone can steal/copy or get it from you using force before you manage to destroy it and decrypt your Qubes OS without asking you anything.
It’s an advanced topic so you’ll have to spend some time reading to understand it.

It’s better to keep the interface in English because when you’ll try to follow some instructions in English you won’t know what to do because you won’t know how exactly it translates from English instructions to interface in another language.


Thank you for your answers. During the acquaintance with the Qubes, I realized that this OS is too complicated to use it at once in the work and learn it like that, “in combat conditions”, so it came to the understanding that I need to begin somehow to test it in a safe environment and conditions. Of all the possible options, I have one more Qubes to install, but already on the external hard drive and test it there until I master it properly. Except it’s not empty. Is it possible to install Qubes on the remaining free space so that you can load OS, and, when you need, to open files on this disk, as on ordinary external media? Let’s say for OS to create a partition on this disk. I will put the OS there and encrypt this partition during installation, and the rest of the partition will be a normal NTFS partition with files.

Or I also have an internal HDD. There is no operating system, just file storage. With files on it too. Could use it the same way as described above. It could be something like dual boot but with OSes installed on different disks. Is it possible to do?
P. S. OS installed on that comp it’s Windows 10, not Linux.

You can install it using the free space on any of your disks the same way you can do it with any other Linux distribution.
But be aware of the possible security risks with multibooting:

1 Like

So, if I use default Qubes installation, then even if I install it on a different disk then only Qubes will boot but not Windows? Once I already installed Linux after Windows 10 and had to do extra steps to place Windows in Grub menu, but then they were installed on the same disk. So, as I understand, even if they will be installed on different disks, Qubes anyway overwrites some boot partition (wherever it is or whatever it is, I don’t know this thing for sure) and only Qubes will be bootable after that? Or even if so, can I still enter boot menu each time I turn my comp on and then manually choose from which disk to boot and this way I can boot one of two OSes when needed, without some extra steps of placing the Windows 10 in grub manu of Qubes? Am I right in something?

No, only if Qubes OS is installed on the same disk that already has some other OS installed.

You’ll be able to boot like this from BIOS if you install Qubes OS on a separate drive where no other OS are installed.

1 Like

I read the manuals on the Qubes and Whonix website and never found the answers to some questions.

  1. Do I even need the sys-net, sys-firewall cubes and cubes that use them, or can they all be uninstalled without any worries? I need all my traffic to go through the Tor network as it is in Tails, so can I delete them all to eliminate any possibility of traffic leakage into the clearnet? Or without these cubes, will the OS not work normally or not work at all?

  2. What is the point of being Disposable Template if this Disposable Template is exactly the same Template, only based on another Template? Why can’t you create Disposables right on the Templates?

  3. When creating a Whonix Workstation cube, why to give ability to choose which Internet cube to connect to it, when it is crystal clear that if it is Whonix Workstation, then it needs either sys-whonix (aka Whonix Gateway), or no Internet at all (and then it should be “none”)? Why give the ability to connect sys-net if then will go clearnet traffic, bypassing Tor?

You need to attach your PCI network controllers to one of the qubes to connect to the internet.
If you attach it directly to sys-whonix then it’ll be less secure:

And you’ll just won’t use the possible security provided by Qubes OS:

How does Qubes OS provide security?

Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.

Also, I’m not sure if Whonix Gateway even support attaching PCI network controllers directly to it.

You can have multiple Whonix Gateway qubes and not only a single sys-whonix. Also see this issue: