Template best practice in v4.2+

What is the recommended best practice for the use of template qubes in v4.2+?

To summarize, any feedback that can help me better understand these questions would be greatly appreciated -

  • What is the recommended way to use templates in v4.2+?
  • Why has that changed from v4.1 (or hasn’t it changed and am I missing something here?)

As additional context, I reviewed and commented on this post -

However the explanations didn’t get me where I needed to go.

Specifically, in v4.1, I used to create a template for each app qube. I thought this was the recommended way to use templates back then. This doesn’t work in v4.2, because I can’t select a template when creating a template qube. I understand this is where that change happened.

I don’t understand why that change happened and what the recommendation is now. Is the recommendation to use a small number of template qubes and install necessary software in the app qubes?

I thought installing software in templates was one of the primary security benefits to using Qubes. So I’m either misunderstanding this and/or the security architecture has changed.

1 Like

To answer your first question, it really depends on the usage of your AppVMs. I think using a separate template for each AppVM is not intended by the developers. One big advantage is the possibility of having many AppVMs based on only one template, so all AppVMs can share most of the base system. Besides this, you only have to update the packages in one template.
Therefore, it is only worthwhile to create a new template if the AppVM usage changes excessively. As you said it’s still the way it should be to install software only inside templates.

To your second question: as far as I know, the command to create a new template from another one switched from qvm-create to qvm-clone. So of course it’s still possible to set up a new template based on an existing one. Inside the GUI the naming switched to clone, too.

1 Like

When properly configured and used, minimal templates can be less resource-intensive, reduce attack surface, and support more fine-grained compartmentalization.

Minimal templates — Qubes OS Documentation

I am currently setting up a minimal template myself but my intention was to use it for more than one AppVM.
@MellowPoison Do you really recommend creating a template for each AppVM?

Not for each app qube, but for separate needs. Personally, that’s how I use them.
For example, create a minimal browsing template that you’ll use for all your app qubes that will only use a browser.
But many templates will only be used by one app qube.

You can use a cacher to cache template updates so you won’t need to download updates for each template separately:

But they will still use more disk space, create more disk load, wear down the disk and take more time to update.

There is also a collection of salt formulas that are used to create qubes with a specific function using minimal templates:

1 Like