SubgraphOS Qube

Hello,

Would SubgraphOS be a good choice to use for a hardened version of Debian as a Qube TemplateVM? Or is it better to harden a Debian Qube with the Kicksecure script? What are the thoughts of the community?

SubgraphOS

…last ALPHA(!) release & blog post was September 2017 – 3+ years ago.

Kicksecure

…is actively maintained and the basis for Whonix. The lead of both
projects is also an active member of the Qubes OS community.

While I do not feel qualified to give an opinion on the quality of
either Subgraph or Kicksecure, these external circumstances should be
helpful in coming to a conclusion.


So SubgraphOS is no longer maintained. What about Kicksecure in comparison with hardened Arch or Gentoo?

What about Kicksecure in comparison with hardened Arch or Gentoo?

That’s not really a Qubes-specific question. You might want to ask in
another forum.

In relation to Qubes OS I can tell you that Debian (basis for
Kicksecure) is officially supported and present on the install media /
Qubes repositories.

There is a supported Arch template, but you need to build it yourself
with the Qubes Builder. Not a big deal but requires some knowledge.

I am not sure there is a Gentoo template or that the qubes-core-agent-
packages are easily available for it. Since everything is open source
though, it is totally possible to make that work with the respective effort.

When talking about hardened VMs, you have to think about why you want to do it. What threat is it you want to protect against when hardening a VM? Most hardening projects are about making the operating system more resilient to attacks that allow the attacker to do things in the operating system that they wouldn’t otherwise be allowed to do.

However, in the case of Qubes, any software running in a VM already has full access to everything, or at least the threat model makes the assumption that any software has full access to the VM.

Because of this, it’s hard to think of any benefits provided by specific hardening scripts, and the time would be better spent making sure the Qubes environment is properly set up.

I am not sure there is a Gentoo template or that the qubes-core-agent-
packages are easily available for it. Since everything is open source
though, it is totally possible to make that work with the respective effort.

There is, at least for 4.1.