Qubes not loading without manual selection in boot menu. Is it actually a problem? And few more questions of newbie

Qubie · November 30, 2023, 5:41am

And what should it be for? I didn’t see there anything about encryption with the keyfile. Did you send this because of something about proper manual disk partitioning about which there maybe is something written? I didn’t understand for sure yet because of still complicated text for me. I don’t have enough experience yet to figure out every single thing that is written there.

Qubie · November 30, 2023, 9:53am

Is there a way to translate the Qubes’ interface into another language? Because they’re like the spaceship’s dashboard and everything’s in English.

apparatus · November 30, 2023, 1:02pm

This topic is about creating this setup for Qubes OS:
https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_/boot_and_a_detached_LUKS_header_on_USB
It’s better than just having USB drive with a key that anyone can steal/copy or get it from you using force before you manage to destroy it and decrypt your Qubes OS without asking you anything.
It’s an advanced topic so you’ll have to spend some time reading to understand it.

It’s better to keep the interface in English because when you’ll try to follow some instructions in English you won’t know what to do because you won’t know how exactly it translates from English instructions to interface in another language.

Qubie · December 1, 2023, 6:15am

Thank you for your answers. During the acquaintance with the Qubes, I realized that this OS is too complicated to use it at once in the work and learn it like that, “in combat conditions”, so it came to the understanding that I need to begin somehow to test it in a safe environment and conditions. Of all the possible options, I have one more Qubes to install, but already on the external hard drive and test it there until I master it properly. Except it’s not empty. Is it possible to install Qubes on the remaining free space so that you can load OS, and, when you need, to open files on this disk, as on ordinary external media? Let’s say for OS to create a partition on this disk. I will put the OS there and encrypt this partition during installation, and the rest of the partition will be a normal NTFS partition with files.

Qubie · December 1, 2023, 7:10am

Or I also have an internal HDD. There is no operating system, just file storage. With files on it too. Could use it the same way as described above. It could be something like dual boot but with OSes installed on different disks. Is it possible to do?
P. S. OS installed on that comp it’s Windows 10, not Linux.

apparatus · December 1, 2023, 7:26am

You can install it using the free space on any of your disks the same way you can do it with any other Linux distribution.
But be aware of the possible security risks with multibooting:

Qubie · December 1, 2023, 7:47am

So, if I use default Qubes installation, then even if I install it on a different disk then only Qubes will boot but not Windows? Once I already installed Linux after Windows 10 and had to do extra steps to place Windows in Grub menu, but then they were installed on the same disk. So, as I understand, even if they will be installed on different disks, Qubes anyway overwrites some boot partition (wherever it is or whatever it is, I don’t know this thing for sure) and only Qubes will be bootable after that? Or even if so, can I still enter boot menu each time I turn my comp on and then manually choose from which disk to boot and this way I can boot one of two OSes when needed, without some extra steps of placing the Windows 10 in grub manu of Qubes? Am I right in something?

apparatus · December 1, 2023, 11:55pm

No, only if Qubes OS is installed on the same disk that already has some other OS installed.

You’ll be able to boot like this from BIOS if you install Qubes OS on a separate drive where no other OS are installed.

Qubie · December 5, 2023, 12:13pm

I read the manuals on the Qubes and Whonix website and never found the answers to some questions.

Do I even need the sys-net, sys-firewall cubes and cubes that use them, or can they all be uninstalled without any worries? I need all my traffic to go through the Tor network as it is in Tails, so can I delete them all to eliminate any possibility of traffic leakage into the clearnet? Or without these cubes, will the OS not work normally or not work at all?
What is the point of being Disposable Template if this Disposable Template is exactly the same Template, only based on another Template? Why can’t you create Disposables right on the Templates?
When creating a Whonix Workstation cube, why to give ability to choose which Internet cube to connect to it, when it is crystal clear that if it is Whonix Workstation, then it needs either sys-whonix (aka Whonix Gateway), or no Internet at all (and then it should be “none”)? Why give the ability to connect sys-net if then will go clearnet traffic, bypassing Tor?

apparatus · December 5, 2023, 1:01pm

You need to attach your PCI network controllers to one of the qubes to connect to the internet.
If you attach it directly to sys-whonix then it’ll be less secure:

And you’ll just won’t use the possible security provided by Qubes OS:

How does Qubes OS provide security?

Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.

Also, I’m not sure if Whonix Gateway even support attaching PCI network controllers directly to it.

github.com/QubesOS/qubes-issues

Allow disposable qubes to be based directly on regular templates

opened 05:31AM - 19 Jun 21 UTC

ninavizz

T: enhancement C: core ux P: default

**The problem you're addressing (if any)** Today a user must create a "Disposab…le Template" from an App VM. It is well understood why a user may _desire_ that, but it feels odd to be forcing it. **Describe the solution you'd like** Allow users to create Templates that are only to be used to spawn Disposable qubes from. **Where is the value to a user, and who might that user be?** 1. Users new to Qubes OS and learning its ecosystem 2. It feels a bit silly to _have to_ create at least one Template and one App Qube, to be able to have a Disposable Qube. Again, for the use-case where a user would desire having a Disposable Qube spawned from an App Qube for unusually sensitive things, it's awesome that this capability exists! It's just breaks an intuitive mental-model of how Qubes works, to shoehorn today's dependency on an App VM intermediary as a requirement. **Describe alternatives you've considered** Nope **Additional context** From a private conversation with @marmarek: > "One corner case (not a blocker for the idea) is what to do about template's private disk. Currently template's private disk is not share with anything based on it. On the other hand, DispVM does get snapshot of its template private disk (which is that intermediate app qube right now). If we're going to remove that intermediate qube, we need to decide: should DispVM get always clean private disk in this case, or should template's private disk be no longer that private?" **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** Nope **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** Nope

You can have multiple Whonix Gateway qubes and not only a single sys-whonix. Also see this issue:

github.com/QubesOS/qubes-issues

Stop users from changing their `anon-whonix` net qube to `sys-firewall` to avoid IP leaks

opened 05:44PM - 27 Sep 23 UTC

adrelanos

T: enhancement C: core C: manager/widget P: major ux privacy C: Whonix C: networking

### Qubes OS release R4.2 ### Brief summary Some users are shooting the…ir own feet by setting the Net Qube of `anon-whonix` to `sys-firewall`. See [this example](https://www.reddit.com/r/Whonix/comments/16taa0e/qubes_monero_blockchain_download/). There should be some protection in place in QVMM or otherwise to prevent this. ### Steps to reproduce 1. configure the Net Qube of `anon-whonix` to be `sys-firewall` 2. `curl.anondist-orig 1.1.1.1` ### Expected behavior simplified: Not possible to change `anon-whonix` to any VM other than `sys-whonix` as Net Qube. formalized: Prohibited by QVMM to change a VM with the `anon-vm` qvm-tag to use a VM without the `anon-gateway` qvm-tag. (I wouldn't be opposed to this being only a warning that the user can choose to ignore. But that part does not seem important. That part could remain "patches welcome".) ### Actual behavior Functional networking. IP leak. ### Additional information Whonix for VirtualBox does not have the issue of new users being able to reconfigure this. While possible for advanced users, not something as simple as point and click as it can be done with Qubes. Details here: https://github.com/QubesOS/qubes-issues/issues/3994#issuecomment-397229398

Qubie · December 6, 2023, 9:15am

What do you all call “pci device”? An internet modem? So, if I’m using an Internet modem, which cube I need to connect the modem to, so I can use the Internet without leaking into the clearnet?

apparatus · December 6, 2023, 5:12pm

Your Ethernet or Wireless controller (LAN / WiFi) that is using PCI bus. Or it could be USB adapter.
By default your PCI network controllers are attached to sys-net qube that is created by installer by default.

Qubie · December 7, 2023, 6:42am

I have an internal HDD with ~ 500 MB read/write speed. Is it enough to test Qubes on it? Still want to test Qubes in a safe environment before really use it “in the wild”, but have to choose the drive for the Qubes’ test. At the moment that HDD is the most possible and convenient option.

apparatus · December 7, 2023, 7:10am

It’s enough.

SteveC · December 7, 2023, 5:11pm

I tested QubesOS out by running it from a thumbdrive, because that was the only way I could install to that hardware. I knew it would be slow; I just wanted to see how it functioned–what the workflow was and how things interconnected. (Once I knew I wanted it I bought new hardware.)

Qubie · December 8, 2023, 8:24am

OK, I could install. It’s pretty slow (I suppose because of HDD), but works. There is USB mouse attached and when I entered Qubes it asked me to attach USB mouse to the dom0. As I understand sysnet cube asked this, because that cube was in the window that appeared. Why dirrectly in dom0? I decided do not do this before I ask here. There was written many times that dom0 must be used only for updating and nothing should be attached to it. During installation I checked tick about sysnet using usb cube to make working with modem possible. Is it somehow related (I mean, that it was sysnet who made the request)? So it means all usb devices that I will attach to the computer can connect to the Internet? Is it possible to avoid this?
And how high is risk if I will attach mouse to the dom0 as it asks? Is it better do not use mouse at all and use touchpad instead?

apparatus · December 8, 2023, 9:06am

Yes.

Because dom0 needs the mouse input to use it for itself and to pass this input to other qubes.

Yes:

Yes.

If you have multiple USB controllers you can attach one of them to sys-net and use it only for your USB network adapter and attach all other USB controllers to sys-usb to use for mouse or other USB devices.

Qubie · December 8, 2023, 9:53am

Thank you very much. Is this the manual how to do this? There also is written:

You said dom0 needs mouse to use it. But how mouse can be used by dom0 if mouse will be attached to sys-usb instead of dom0 so dom0 will not see it?

apparatus · December 8, 2023, 10:00am

Yes.

Mouse can be attached from sys-usb to dom0 in the same way as any other USB device can be attached from sys-usb to any other VM.

DVM · December 8, 2023, 10:07am

This is not how it works currently. sys-usb can’t attach anything to dom0 for obvious security reasons. In the case of mouse/keyboard, Qubes sends the input through Qrexec using input-proxy-sender and input-proxy-receiver. The sender resides in sys-usb where the mouse and keyboard are, and the receiver runs in dom0 and filters the events sent to it based on a specific list of actions.