I have 2 machines working with Qubes. One for the web, and one for my work that I’ll NEVER connect to the web, for maximum security.
_ How can I update/upgrade Dom0 and the templates on my not-connected machine ?
_ The other machine is connected to the web this way : sys-whonix → VPN → sys-firewall → sys-net → web. Let’s consider that my attackers know my IP address despite my VPN. How could these attackers corrupt my PC knowing my IP address ? Could these attackers corrupt Dom0 and my templates when I update/upgrade them ? Would it be more secure to download the updates/upgrades into a disposable and then transfer them to Dom0 and the templates, so that Dom0 and the templates are never directly connected to the web ?
I mean, you could do some sort of sneakernet routine every time you want to update or install new packages, but most likely you’ll just turn yourself into the network connection without any real security gain.
Nowadays, you’d most likely be using a USB drive, so, for the sake of simplicity, I’ll assume that’s the tool of choice (though it could be something else). Sneakernetting an ordinary USB drive between untrusted and trusted machines doesn’t seem inherently safer than letting sys-net use its network stack. Malware from the untrusted online machine could infect the USB drive, which could in turn infect your offline Qubes machine. This is effectively just network access with extra steps.
However, I suppose it might be possible to make data exfiltration more difficult by using a USB drive with a physical read/write switch (and ideally non-flashable and/or signed firmware) such that the drive is only ever plugged into the offline Qubes machine while in read-only mode. This would at least prevent the attacker from using the USB drive to exfiltrate data from the offline Qubes machine, though it wouldn’t prevent other exfiltration methods, and it wouldn’t do anything to prevent the offline Qubes machine from being exploited.
Obviously, you can’t do the reverse, i.e., only ever plug the USB drive into the online untrusted machine in read-only mode, since then you wouldn’t be able to copy update packages onto it that are destined for use on the offline Qubes machine.
Update packages without valid signatures are rejected. Doing what you describe would be rather pointless for dom0, since Qubes already does something like that for you. By trying to do it yourself, you introduce the risk of human error. Read this:
Templates use the updates proxy by default, but that’s more about protecting you from your own mistakes:
if you would go to offline, i suggest that you use another distribution, download debian and configure everything or maybe windows, to boost your pc performance, you’ll be okay since it’s offline.
if you still insists wanna use qubes, take a look at qubes-builder, build your own template, and pass the template to your offline qubes, i wonder if your usb is safe?
What about updating/upgrading “normally” Dom0 and the templates on the connected machine, then clone them to the offline machine ? It seems to be possible for the templates (even if I don’t know how to do… any information about this would be welcome ), but is it possible for Dom0 ?
Indeed, I intend to exchange datas between the 2 machines with 2 usb sticks with a physical read/write switch, through a third Qubes machine used as a “decontamination airlock” for usb sticks. This third machine, never connected to the web, will work with the installation version of Qubes, with no update/upgrade and no other installation, to avoid corruption. This machine will only be used to transfer datas from a usb stick to another through disposables.
For example, if I want to transfer datas from PC1 to PC2 :
_ PC1 : I open the USB1 in a disposable and I transfer the datas on this USB1.
_ INTERMEDIARY PC : I open the USB1 in a first disposable, I open the USB2 in a second disposable, and I transfer the datas from USB1 to USB2.
_ PC2 : I open the USB2 in a disposable and I recup the datas.
And vice-versa if I want to transfer datas from PC2 to PC1.
It doesn’t protect from package corruptions or infected files, but, in my (bad ?) idea, this could make more difficult datas exfiltrations when I transfer datas from PC1 to PC2, and it could reduce the risks of contamination when I transfer datas from PC2 to PC1.
I’m not in situation to do so, i don’t know, but i think it’s wasting time.
Because the purpose of qubes os is simplify the computer resource without increasing air attack, from my point, your explanation is a technique that people use in normal distro.
I have already been hacked so, to prevent this from happening again, I try to envisage the worst cases possible. The fact is I have no idea of what hackers are able to do or not, so maybe my imagination is a little on fire, but I prefer too many precautions to not enough… XD
Let’s imagine that PC1 and PC2 are corrupted, so my hackers can save datas of PC1 on my usb stick and recup them when I connect this usb stick to the PC2.
In this case, I tell myself it could be usefull to introduce a third intermediary Qubes machine. This one would work with the installation version of Qubes (no update/upgrade and no other installations) to avoid Qubes corruption. It would never be connected to the web (internal wifi/bluetooth card removed), every external ports (ethernet, usb…) would be closed in the bios when unused, and, of course, I would take it with me everywhere I go (as I always take all my machines with me everywhere I go).
On this intermediary PC, I’d open USB1 in a first disposable, USB2 in a second disposable and I’d transfer only the datas I chose from USB1 to USB2. In my idea, this could prevent other datas than the ones that I want to be transfered without my knowledge from USB1 to USB2, so from PC1 to PC2.
Always assuming that both PC1 and PC2 are corrupted, this intermediary PC with a not-corrupted Qubes could also be used to “purify” usb sticks potentially corrupted by formatting them into disposables.
I doubt there is such thing as “purify” and if online VM is compromised (and in Qubes philosophy it always is), whatever you send from it to any other PC will compromise that PC as well. So, yo have to draw the underline somewhere.
Even if the intermediary machine were able to somehow “purify” things, that wouldn’t help you, because both the source and destination machines are, ex hypothesi, already compromised.
But also, I don’t think you can be certain that the source machine won’t compromise the intermediary machine when you transfer untrusted files from the former to the latter.
