Ultimate Guide on Using Trezor on Qubes

Francois · April 20, 2024, 4:34pm

with your answer I succed this part just now thank you

Francois · April 20, 2024, 5:15pm

Unfortunately it’s still not working but at list I fixed some issue with your help.
Maybe I will rebuild all this protocol from the beginning soon just in case i did something wrong

apparatus · April 20, 2024, 5:19pm

Maybe there is a problem with SELinux in fedora-39.
You can try to disable the SELinux for a test in the qubes by running this command:

sudo setenforce 0

And see if it’ll work without it.

Francois · April 20, 2024, 5:24pm

where i have to try this command line ? In dom0 or Fedora-39-Sys ?

apparatus · April 20, 2024, 5:26pm

In sys-usb.
Or you can try to use debian-12 template instead of fedora-39 template for sys-usb.

Francois · April 20, 2024, 5:31pm

I tried now in sys-usb but nothing change

apparatus · April 20, 2024, 5:38pm

You can try to configure sys-usb to use debian-12 template for a test.

LittleBlackRock · May 2, 2024, 6:49pm

Hi Francois, I was wondering if you figured out how to get your Trezor running… I am running a very similar system (Nitrokey NV41, Qubes 4.2.1, debian 12, fedora 39, and whonix 17. I went through the process as described in the post and comments, but I’m not able to make it work. If you figured it out, can you please post it?

Ursidae · May 2, 2024, 7:35pm

Looks like a few people are having this issue. I’ll run through the process again and see if anything needs changing, and I’ll update this post with my findings.

In the meantime, please check out the in-depth guide at https://ursidaecyber.com. It’s more clear than the guide here and contains more details you may have missed.

LittleBlackRock · May 2, 2024, 7:54pm

Thanks for this guide Ursidae. I’ve been using the In Depth Instructions and they are well written and easy to follow - I’m just not getting the final result I need. I’m looking forward to your revision.

LittleBlackRock · May 2, 2024, 8:00pm

Also, on your page, someone asked about your reference in step 1 about needing a fresh whonix template to apply software. The commenter stated that there weren’t any references to adding software to the whonix template. You replied that it had to do with port listening. So should we be modifying the rc.local file in the whonix template in addition to the whonix AppVM?

Ursidae · May 3, 2024, 4:54am

Good question. I can’t answer that off the top of my head but I’ll take it into account when doing the revision.

Francois · May 3, 2024, 9:45am

Hi,

Unfortunately, I still haven’t managed to get Trezor to work on my system.

I’d like to reinstall everything again but I haven’t had the time

Francois · May 3, 2024, 11:40am

I just did but still not working

Francois · May 3, 2024, 11:49am

I did like that to install on debian:

Step 6: Trezor Bridge
In Debian-12-sys:

Download the Trezor Bridge .deb file
Open a terminal window in debian-12-sys and run the following code to allow the deb file to be executable:
sudo chmod u+x ./Downloads/trezor-bridge_2.0.27_amd64.deb
Install the Trezor bridge for debian file with the following code:
sudo apt install ./Downloads/trezor-bridge_2.0.27_amd64.deb

installation is maybe not perfect if you can read last line i had permission denied

apparatus · May 3, 2024, 11:57am

That’s not an error, you can ignore it.

I don’t have Trezor myself so I can’t check whatever the guide works or not, but maybe someone else can confirm that Trezor works on debian after following this guide. Then it should be an error on your side.

dak · May 3, 2024, 3:20pm

I had the same problem, although I didn’t follow the howto to the letter as I don’t like messing with templates in general, but in the end I finally managed to get it to work.

I tried a lot of things, but the only way I was able to get this to work was by setting up trezord (trezor bridge that runs in sys-usb) to run as root instead of the trezord user as per the unit file. It seems that the non-privileged user doesn’t have full access to the trezor device, resulting in the trezor suite failing to detect it.

Ideally I would like to run this as a non-privileged user, but since sys-usb is disposable and has no network, I don’t see this as a major issue.

Hope this helps anyone else with a similar problem.

LittleBlackRock · May 9, 2024, 6:23am

the only way I was able to get this to work was by setting up trezord (trezor bridge that runs in sys-usb) to run as root instead of the trezord user as per the unit file.

Sorry to be such a newb, but how exactly did you do this?

apparatus · May 9, 2024, 7:37am

I guess you need to edit systemd service in the sys-usb template:

sudo systemctl edit trezord

or

sudo systemctl edit trezor

I don’t know how exactly the service is called, you can check it like this:

systemctl list-unit-files | grep -i trezor

Then find and edit the User= and maybe Group= options (or something similar) in systemd service file from trezord to root.

LittleBlackRock · May 10, 2024, 3:21am

That did the trick @apparatus - thank you!! Thanks also to @dak and @Ursidae !

@Francois : I’m pretty sure you and I are running identical hardware. This did the trick for me. Change “User=trezord” to “User=root” in the trezord.service file of the sys-usb disposable. Mine was located in /usr/lib/systemd/system/