I want to make a startup script that automates the starting of VMs, the decryption and attachment of disks and partitions, etc. after I boot and enter my user password. Without a script I need about 10-15 minutes of active work to get everything up and running.
I don’t expect someone to write my script for me and I’ll try to answer all the questions I posed, but I’d appreciate some ideas. Also this might be useful to someone who wants to do something similar. Some of the things here aren’t Qubes-specific (like desktop files and app options). Here’s what I have so far. I haven’t tested it and my bash is a bit rusty, so there might be mistakes.
- Ask for confirmation every major step of the way in case of a problem.
- Ask to update VMs (decline if in a hurry, etc.).
- Update VMs, but make clones first in case of a botched update. -clone-1 could already exist, so either find the lowest number after -clone- that’s free OR call the new VM fedora-32-clone-$current_date. The latter is better in my opinion as it makes it easy to see when a clone was made.
current_date=$(date +"%Y-%m-%d-%H-%M")
qvm-clone fedora-32 fedora-32-clone-$current_date
qvm-clone debian-10 debian-10-clone-$current_date
qvm-clone whonix-ws-15 whonix-ws-15-clone-$current_date
qvm-clone whonix-gw-15 whonix-gw-15-clone-$current_date
What’s the maximum length of a VM name?
Check if there’s enough space on disk for clones. What happens if there isn’t? Will qvm-clone gracefully fail or will the disk get filled up leading to an unusable system somehow?
- Launch dom0 terminal with xentop -f on one tab and another tab with just a prompt. The terminal launches by itself IIRC, so I just need to open a new tab, but I don’t know how to do it from bash.
- Launch several VMs with certain apps:
- disp VM for LUKS decryption - Konsole
I forgot how to make a named disp VM, but let’s call it LUKSdispVM here. If it’s not named, I’ll have to get its name (e.g., disp1234) for later.
I attach dom0:sdb1 and other disks to the LUKSdispVM, decrypt them there and then pass the newly available LUKSdispVM:dm-1 partitions from dom0 to the target VM that will use them. Kind of like Split dm-crypt, but with only one disp VM.
qvm-run --dispvm fedora-32-dvm-no-net --service qubes.StartApp+org.kde.konsole
- vault - KeePassXC
qvm-run --service -- vault qubes.StartApp+org.keepassxc.KeePassXC
Why doesn’t qvm-run vault --service qubes.StartApp+<program> work? -- is used to signify the end of command options, after which only positional parameters are accepted, but wouldn’t qvm-run --service qubes.StartApp+<app> -- vault make more sense here?
- VMs that will use the decrypted partitions (mainly for media, torrents, etc.) - Konsole
qvm-run --service -- mediaVM qubes.StartApp+org.kde.konsole
qvm-run --service -- torrentVM qubes.StartApp+org.kde.konsole
- books - Dolphin
qvm-run --service -- books qubes.StartApp+org.kde.dolphin
- personal (notes, documents, etc.) - Kate
Can I start it like 'kate /path/to/file' and still have the session opened?
qubes.StartApp+org.kde.kate doesn’t work right now because when I save a session in Kate, it makes a new .desktop file in ~/.local/share/applications/org.kde.kate.desktop, which overrides the original /usr/share/applications/org.kde.kate.desktop. Even though the Exec= part in the new .desktop file is the same, I can’t open it with qubes.StartApp or from the GUI menu.
qvm-run --service -- personal qubes.StartApp+org.kde.kate
- disp VM for clearnet browsing - Firefox
qvm-run --dispvm fedora-32-dvm --service qubes.StartApp+firefox
- mail - firefox (or a disp VM for mail)
I can’t pass a URL option to firefox with qubes.StartApp, so I’ll use the normal way of running a command in the VM.
qvm-run mail 'firefox https://<mailprovider>'
How to open more than one tab like that, especially in a disp VM that doesn’t have a saved session?
- fedora-xx-dvm - firefox with router IP for diagnostics (I like to have it open at all times)
qvm-run --dispvm fedora-32-dvm 'firefox <router IP>'
Tor and clearnet apps should be started at different times to prevent timing correlation. Should I start clearnet or Tor first? VMs are updated via Tor, so even if I start clearnet VMs first, I’d have already connected to Tor. However, that Tor connection isn’t related to the Tor connections via Whonix, except for the entry guards who I have to pretty much fully trust to not perform correlation attacks. So I should start clearnet VMs first and after about a minute start the Whonix VMs so that someone controlling or monitoring both a site I connected to over clearnet and a site I connect to over Tor wouldn’t know I’m the same person (although they could by measuring speed, etc.).
Sleep for a random amount of time (20-60 seconds) after opening one of the connections and before opening the other:
sleep $(( RANDOM % 41 + 20 ))s
- whonix-ws - Tor Browser
qvm-run --dispvm whonix-ws-15-dvm --service qubes.StartApp+janondisttorbrowser
- signal VM - signal-desktop
I would prefer a terminal that starts signal-desktop so that I can view the real time logs, but I don’t know how to do that automatically.
qvm-run --service -- whonix-ws-15-signal qubes.StartApp+signal-desktop
- Have lsblk -f | head -15 and qvm-block list in dom0. qvm-block list doesn’t show UUIDs, but lsblk -f does. If everything is as expected, qvm-block attach LUKSdispVM dom0:sdb1 based on UUID. I have to get /dev/sdX from the corresponding UUID automatically because the /dev/sdX assignment isn’t 100% predictable.
- In vault VM give KeePassXC the password for my LUKS passwords (or passphrases, as some people like to call them) - that has to be done manually, although I’m not sure if that’s more secure than just having the LUKS passwords in plaintext in dom0 (and in the script) since a dom0 exploit could keylog me anyway and get the KeePassXC password and the LUKS passwords.
- Paste passwords in LUKSdispVM when prompted for decryption (or decrypt automatically somehow). Can I automate inter-VM copy-paste? Decryption should be based on UUIDs just like attaching from dom0 to the LUKSdispVM: qvm-block attach mediaVM LUKSdispVM:dm-1, but how to match dm-X to UUID to be sure I’m attaching the correct partition?
- Mount storage in mediaVM, torrentVM, etc. (test by making a small file in each one?)
- Launch Clementine, Dolphin, Deluge, etc. in mediaVM and torrentVM.
- In vault VM give KeePassXC the password for my accounts (mail, etc.).
- Login to mail, etc.
- Close Vault
- Automatically arrange windows within workspaces on XFCE (e.g., media windows go to workspace #3)
I found this thread about auto-mounting and decrypting disk on AppVM startup and I’ll read it as well.
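An added example (not from the post above) of the UUID-based attach steps it asks about, in the bash the script would use: the partition is looked up by UUID instead of trusting a /dev/sdX letter in dom0 or a dm-N number in the decrypting disp VM, each attach asks for confirmation, and a UUID that is missing or not unique refuses to attach. It assumes `lsblk -rno KNAME,UUID` output, the Qubes `qvm-block attach` and `qvm-run --pass-io` commands, and that after decryption the dm-N device inside the disp VM shows the inner filesystem's UUID (not the LUKS header UUID); the sample lsblk table and UUIDs are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): pick a partition by UUID instead
# of trusting a /dev/sdX letter in dom0 or a dm-N number in the decrypting
# disp VM. Assumes lsblk's raw "KNAME UUID" output and Qubes 4.x qvm-* tools.
set -eu

# Print the kernel name (sda1, dm-1, ...) whose UUID equals $2, given
# `lsblk -rno KNAME,UUID` output in $1. Fails unless the UUID appears exactly
# once, so a missing or duplicated UUID never silently attaches the wrong disk.
dev_for_uuid() {
    local table=$1 uuid=$2 kname fsuuid matches=0 found=""
    while read -r kname fsuuid; do
        [ "$fsuuid" = "$uuid" ] || continue
        found=$kname; matches=$((matches + 1))
    done <<EOF
$table
EOF
    [ "$matches" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Ask before a step; anything other than y/Y aborts.
confirm() {
    local answer
    printf '%s [y/N] ' "$1"; read -r answer
    [ "$answer" = y ] || [ "$answer" = Y ]
}

# dom0 -> disp VM: attach the LUKS partition whose UUID is $2 to VM $1.
attach_luks_by_uuid() {
    local dev
    dev=$(dev_for_uuid "$(lsblk -rno KNAME,UUID)" "$2") ||
        { echo "UUID $2 not found exactly once in dom0; not attaching" >&2; return 1; }
    confirm "qvm-block attach $1 dom0:$dev ?" && qvm-block attach "$1" "dom0:$dev"
}
# disp VM -> target VM: after decryption, find the dm-N inside VM $1 that
# carries the filesystem with UUID $3 and attach it to VM $2.
attach_mapped_by_uuid() {
    local dm
    dm=$(dev_for_uuid "$(qvm-run --pass-io "$1" 'lsblk -rno KNAME,UUID')" "$3") ||
        { echo "UUID $3 not found exactly once in $1; not attaching" >&2; return 1; }
    confirm "qvm-block attach $2 $1:$dm ?" && qvm-block attach "$2" "$1:$dm"
}
# Constructed sample of dom0 `lsblk -rno KNAME,UUID` output, not real disks.
SAMPLE_LSBLK='sda
sda1 1f2e3d4c-0001-4000-8000-000000000001
sdb
sdb1 5a6b7c8d-0002-4000-8000-000000000002'
dev_for_uuid "$SAMPLE_LSBLK" 5a6b7c8d-0002-4000-8000-000000000002   # prints sdb1
```

In the real script, attach_luks_by_uuid LUKSdispVM <luks-uuid> replaces the hard-coded dom0:sdb1, and attach_mapped_by_uuid LUKSdispVM mediaVM <fs-uuid> replaces LUKSdispVM:dm-1.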