I want to make a startup script that automates the starting of VMs, the decryption and attachment of disks and partitions, etc. after I boot and enter my user password. Without a script I need about 10-15 minutes of active work to get everything up and running.
I don’t expect someone to write my script for me and I’ll try to answer all the questions I posed, but I’d appreciate some ideas. Also this might be useful to someone who wants to do something similar. Some of the things here aren’t Qubes-specific (like desktop files and app options). Here’s what I have so far. I haven’t tested it and my bash is a bit rusty, so there might be mistakes.
Ask for confirmation every major step of the way in case of a problem.
Ask to update VMs (decline if in a hurry, etc.).
Update VMs, but make clones first in case of a botched update. -clone-1 could already exist, so either find the lowest number after -clone- that’s free OR call the new VM fedora-32-clone-. The latter is better in my opinion as it makes it easy to see when a clone was made.
qvm-clone fedora-32 fedora-32-clone-$current_date
qvm-clone debian-10 debian-10-clone-$current_date
qvm-clone whonix-ws-15 whonix-ws-15-clone-$current_date
qvm-clone whonix-gw-15 whonix-gw-15-clone-$current_date
What’s the maximum length of a VM name?
Check if there’s enough space on disk for clones. What happens if there isn’t? Will qvm-clone gracefully fail, or will the disk get filled up, leading to an unusable system somehow?
Launch dom0 terminal with xentop -f on one tab and another tab with just a prompt. The terminal launches by itself IIRC, so I just need to open a new tab, but I don’t know how to do it from bash.
Launch several VMs with certain apps:
disp VM for LUKS decryption - Konsole
I forgot how to make a named disp VM, but let’s call it LUKSdispVM here. If it’s not named, I’ll have to get its name (e.g., disp1234) for later.
I attach dom0:sdb1 and other disks to the LUKSdispVM, decrypt them there and then pass the newly available LUKSdispVM:dm-1 partitions from dom0 to the target VM that will use them. Kind of like Split dm-crypt, but with only one disp VM.
qvm-run --dispvm fedora-32-dvm-no-net --service qubes.StartApp+org.kde.konsole
- vault - KeePassXC
qvm-run --service -- vault qubes.StartApp+org.keepassxc.KeePassXC
Would
qvm-run vault --service qubes.StartApp+<program>
work?
-- is used to signify the end of command options, after which only positional parameters are accepted, but wouldn’t
qvm-run --service qubes.StartApp+<app> -- vault
make more sense here?
- VMs that will use the decrypted partitions (mainly for media, torrents, etc.) - Konsole
qvm-run --service -- mediaVM qubes.StartApp+org.kde.konsole
qvm-run --service -- torrentVM qubes.StartApp+org.kde.konsole
- books - Dolphin
qvm-run --service -- books qubes.StartApp+org.kde.dolphin
- personal (notes, documents, etc.) - Kate
Can I start it like
kate /path/to/file
and still have the session opened?
qubes.StartApp+org.kde.kate doesn’t work right now because when I save a session in Kate, it makes a new .desktop file in ~/.local/share/applications/org.kde.kate.desktop, which overrides the original /usr/share/applications/org.kde.kate.desktop. Even though the Exec= part in the new .desktop file is the same, I can’t open it with qubes.StartApp or from the GUI menu.
qvm-run --service -- personal qubes.StartApp+org.kde.kate
- disp VM for clearnet browsing - Firefox
qvm-run --dispvm fedora-32-dvm --service qubes.StartApp+firefox
- mail - firefox (or a disp VM for mail)
I can’t pass a URL option to firefox with qubes.StartApp, so I’ll use the normal way of running a command in the VM.
qvm-run mail 'firefox https://<mailprovider>'
How to open more than one tab like that, especially in a disp VM that doesn’t have a saved session?
- fedora-xx-dvm - firefox with router IP for diagnostics (I like to have it open at all times)
qvm-run --dispvm fedora-32-dvm 'firefox <router IP>'
Tor and clearnet apps should be started at different times to prevent timing correlation. Should I start clearnet or Tor first? VMs are updated via Tor, so even if I start clearnet VMs first, I’d have already connected to Tor. However, that Tor connection isn’t related to the Tor connections via Whonix, except for the entry guards who I have to pretty much fully trust to not perform correlation attacks. So I should start clearnet VMs first and after about a minute start the Whonix VMs so that someone controlling or monitoring both a site I connected to over clearnet and a site I connect to over Tor wouldn’t know I’m the same person (although they could by measuring speed, etc.).
Sleep for a random amount of time (20-60 seconds) after opening one of the connections and before opening the other:
sleep $(( RANDOM % 40 + 20 ))s
- whonix-ws - Tor Browser
qvm-run --dispvm whonix-ws-15-dvm --service qubes.StartApp+janondisttorbrowser
- signal VM - signal-desktop
I would prefer a terminal that starts signal-desktop so that I can view the real time logs, but I don’t know how to do that automatically.
qvm-run --service -- whonix-ws-15-signal qubes.StartApp+signal-desktop
Run
lsblk -f | head -15
and
qvm-block list
in dom0. qvm-block list doesn’t show UUIDs, but lsblk -f does. If everything is as expected,
qvm-block attach LUKSdispVM dom0:sdb1
based on UUID. I have to get /dev/sdX from the corresponding UUID automatically because the /dev/sdX assignment isn’t 100% predictable.
In vault VM give KeePassXC the password for my LUKS passwords (or passphrases, as some people like to call them) - that has to be done manually, although I’m not sure if that’s more secure than just having the LUKS passwords in plaintext in dom0 (and in the script) since a dom0 exploit could keylog me anyway and get the KeePassXC password and the LUKS passwords.
Paste passwords in LUKSdispVM when prompted for decryption (or decrypt automatically somehow). Can I automate inter-VM copy-paste? Decryption should be based on UUIDs just like attaching from dom0 to the LUKSdispVM.
qvm-block attach mediaVM LUKSdispVM:dm-1
but how do I match dm-X to a UUID to be sure I’m attaching the correct partition?
Mount storage in mediaVM, torrentVM, etc. (test by making a small file in each one?)
Launch Clementine, Dolphin, Deluge, etc. in mediaVM and torrentVM.
In vault VM give KeePassXC the password for my accounts (mail, etc.).
Login to mail, etc.
Automatically arrange windows within workspaces on XFCE (e.g., media windows go to workspace #3).
I found this thread about auto-mounting and decrypting disk on AppVM startup and I’ll read it as well.
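One way to do the UUID-to-device mapping for both attach steps above (dom0:sdX into LUKSdispVM, then LUKSdispVM:dm-X into the target VM), written as an added example and not taken from the original post; the VM names, the UUIDs and the DRY_RUN knob are assumptions, and it relies on lsblk -nr -o KNAME,UUID run in dom0 and, through qvm-run -p, inside the disp VM:

```shell
#!/bin/bash
# Resolve a UUID to the kernel device name (sdb1, dm-1, ...) that qvm-block
# expects, from the output of "lsblk -nr -o KNAME,UUID". Succeeds only on
# exactly one match, so a duplicated UUID (e.g. a cloned disk) is refused
# instead of silently attaching the wrong partition.
kname_for_uuid() {
    local uuid="$1" listing="$2"
    printf '%s\n' "$listing" | awk -v u="$uuid" '
        $2 == u { found++; name = $1 }
        END { if (found == 1) { print name; exit 0 } exit 1 }'
}

# Print (DRY_RUN=1, the default) or actually run a qvm-block attach command.
attach_cmd() {
    local vm="$1" backend="$2" kname="$3"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "qvm-block attach $vm $backend:$kname"
    else
        qvm-block attach "$vm" "$backend:$kname"
    fi
}

# dom0 -> LUKSdispVM: find the raw partition by its LUKS-header UUID
# (what "lsblk -f" shows as crypto_LUKS) instead of trusting /dev/sdX.
attach_from_dom0() {
    local vm="$1" uuid="$2" kname
    kname=$(kname_for_uuid "$uuid" "$(lsblk -nr -o KNAME,UUID)") \
        || { echo "no unique device with UUID $uuid in dom0" >&2; return 1; }
    attach_cmd "$vm" dom0 "$kname"
}

# LUKSdispVM -> mediaVM: after cryptsetup open, lsblk inside the disp VM
# lists the mapping as dm-N carrying the decrypted *filesystem* UUID (the
# LUKS-header UUID stays on the attached xvd* device), so ask the disp VM
# for its listing and match on the filesystem UUID.
attach_from_dispvm() {
    local src="$1" dst="$2" fs_uuid="$3" kname
    kname=$(kname_for_uuid "$fs_uuid" \
        "$(qvm-run -p "$src" 'lsblk -nr -o KNAME,UUID')") \
        || { echo "no unique dm device with UUID $fs_uuid in $src" >&2; return 1; }
    attach_cmd "$dst" "$src" "$kname"
}
```

Run with DRY_RUN=1 first and compare the printed commands against qvm-block list; only then set DRY_RUN=0 in the script.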