Ultimate Guide on Using Trezor on Qubes

Hello, it’s good news that you succeeded! So I hope I will also!
I just followed your advice and changed “user=root” but it is still not working. I don’t know why!

Maybe someone (@LittleBlackRock, @Ursidae, @apparatus or @dak) can review all I did and let me know if something seems wrong?

STEP 1

If I understand well, it seems the Whonix template is not working, so:
I copied a debian-12 template and named it debian-12-Crypto

I also created an APPS Crypto with debian-12-crypto as template and sys-whonix as NetVM

I downloaded the latest Trezor AppImage: Trezor-Suite-24.4.3-linux-x86_64.AppImage

  1. Open a terminal window in debian-12-crypto and run the following command to allow the Trezor Suite .AppImage to be executed as a program:

sudo chmod u+x ./Downloads/Trezor-Suite-24.4.3-linux-x86_64.AppImage

STEP 2

  1. Start a Terminal window in your new Trezor-dedicated AppVM (Crypto in my case) and execute the following code to edit the rc.local file:
    sudo nano /rw/config/rc.local
    You are now editing the rc.local plain text file through terminal.
  2. Navigate to the bottom of the file using your arrow keys and type the following code (note the & at the end):
    socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &

Press Ctrl + X to save.
Press Y to confirm.
Press Enter to exit.
Although this portion of code can be executed in any AppVM with networking, I advise it be done in the AppVM you are dedicating to Trezor Suite to avoid unwanted code elsewhere.

Step 3:

  1. Open terminal in dom0 and run the following code:
    sudo nano /etc/qubes-rpc/policy/trezord-service
    This will create a plain text file in dom0 within that directory. You are now editing that file in your terminal window.

  2. Paste the following code into the file via terminal:
    $anyvm $anyvm allow,user=trezord,target=sys-usb

  3. Press Ctrl + X to save.
    Press Y to confirm.
    Press Enter to exit.

Step 4: Debian Templates

  1. Clone your current regular debian-12 template Qube and name it debian-12-sys.
  2. Clone default-dvm and name it default-dvm-sys
  3. Set the template for default-dvm-sys as debian-12-sys.
  4. Set sys-usb’s template as default-dvm-sys.

Step 5: Trezord Service

In default-dvm-sys.

  1. Open terminal and execute the following code:
    sudo mkdir /usr/local/etc/qubes-rpc
    This will create a folder titled qubes-rpc within the specified directory
  2. Create a plain text file within that folder titled trezord-service by executing the following code:
    sudo nano /usr/local/etc/qubes-rpc/trezord-service
  3. You are now editing the plain text file within the terminal window. Add the following line of code to the file:
    socat - TCP:localhost:21325

    Press Ctrl + X to save.
    Press Y to confirm then press Enter to exit.
  4. Make the new file executable with the following command:
    sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service

Step 6: Trezor Bridge
In Debian-12-sys:

  1. Download the Trezor Bridge .deb file
  2. Open a terminal window in debian-12-sys and run the following code to allow the deb file to be executable:
    sudo chmod u+x ./Downloads/trezor-bridge_2.0.27_amd64.deb
  3. Install the Trezor bridge for debian file with the following code:
    sudo apt install ./Downloads/trezor-bridge_2.0.27_amd64.deb

This will automatically install the bridge in the following directories:
/etc/systemd/system/multi-user.target.wants/trezord.service
/usr/lib/systemd/system/trezord.service
Successful installation should result in terminal showing that both directories are communicating with each other.
“created symlink /etc/systemd/system/multi-user.target.wants/trezord.service → /usr/lib/systemd/system/trezord.service.”

Step 7: Udev Rules
Method 1: Manual Build
In debian-12-sys:

  1. Run the following code in a terminal window to create the 51-trezor.rules file in the Udev rules directory.
    sudo nano /etc/udev/rules.d/51-trezor.rules
  2. After running this command you are now editing the plain text file you have just created. Copy and paste the following code into terminal:

# Trezor

SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"

# Trezor v2

SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"

  3. Press control + X to save the file.
    Press Y to confirm.
    Press Enter to exit.

  4. Make the Udev rules file executable by running the following code in terminal:
    sudo chmod +x /etc/udev/rules.d/51-trezor.rules

Step 8: Install Trezor Dependencies

  1. In debian-12-Crypto open a terminal window.
  2. Run the following command to install pip.
    sudo apt install pip
  3. Run the following command to install the trezor package:
    sudo apt install python3-trezor

AND

  1. Enable networking permissions for debian-12-sys in the Qubes manager.
  2. Run the following command to install the trezor-common package:
    sudo apt install trezor
  3. Revoke debian-12-sys networking permissions in the Qubes manager.

Change “User=trezord” to “User=root” in the trezord.service file of debian-12-sys by running:
sudo nano /usr/lib/systemd/system/trezord.service

That’s not right, you just need to remove that line entirely to make trezord run as root:

[Unit]
Description=Trezor Bridge
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/trezord

[Install]
WantedBy=multi-user.target

1 Like

Thanks for your help!

I just followed your advice but still have “trezor bridge is not running”.

What do you mean by “is not running”?

Did you bounce trezord (systemctl restart trezord.service) after the change in the unit file?
If yes, what’s the status (systemctl status trezord.service)?

1 Like

What’s the service status in sys-usb?

sudo systemctl status trezord.service

What if you try to start trezord manually?

sudo /usr/bin/trezord

1 Like

I opened the Trezor Suite AppImage in sys-usb and the bridge works in it.

Was this tested for 4.2? I tried it and the only thing working was that the Trezor Suite detected the bridge running in the dvm. Electrum didn’t detect anything, and when I tried restoring with keys from my old non-Qubes system for monero-gui, it sounded as if it was mining Monero (yes, I checked the hashes and they passed).

1 Like

I’m back because I upgraded to Qubes OS 4.2 and installed Trezor Suite from scratch. Got it to work on the third try. Here is a list of mods to the instructions that I needed to make.

  1. In Step 2 - part 2: Change the quotation marks. The quotation marks in the socat command are not correct. If you cut and paste the command from Firefox you must arrow backwards and retype the quotation marks.

  2. In Step 3 - part 2: The command “$anyvm $anyvm allow,user=trezord,target=sys-usb” opens up an unnecessarily large security hole. Try using “Trezor-appVM sys-usb allow,user=trezord,target=sys-usb”

  3. In Step 4 - part 4: It is difficult to change the template of sys-usb. Do not shut down sys-usb or you will lose your mouse and keyboard. Use the following command from dom0:

qvm-shutdown --wait sys-usb; qvm-prefs -s sys-usb template fedora-37-sys-dvm; qvm-start sys-usb

  4. Step 6. Trezor Bridge RPM file can be downloaded from:
    https://data.trezor.io/bridge/latest/index.html

  5. Step 8 - part 3: The command “pip3 install --user trezor” does not work. Try: sudo apt install python3-trezor.

  6. You might need to restart Qubes OS when finished.

3 Likes

Suddenly I cannot connect Trezor anymore, getting spammed with “Denied: trezord-service from trezor-vm to sys-usb”…

1 Like

Check the RPC policy for Trezor in dom0, maybe it was removed or something.

1 Like

I changed the qube name and forgot to edit the RPC policy! Thank you!

1 Like
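
Both policy problems raised in this thread (the broad `$anyvm $anyvm allow` rule, and the “Denied” errors after a qube was renamed) can be caught by linting the policy file. This is an added example, not part of any post: it assumes the legacy `source target action` format used in Step 3, and the function names, the qube-list file and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: lint a legacy-format qrexec policy file,
# i.e. lines of "source target action[,param=value...]".

# is_qube NAME LIST_FILE: true if NAME is a policy keyword or a listed qube.
is_qube() {
    case $1 in '$'*|'@'*) return 0 ;; esac
    grep -qxF -- "$1" "$2"
}

# audit_policy POLICY_FILE LIST_FILE: print findings, return 1 if there are any.
audit_policy() {
    local policy="$1" list="$2" n=0 bad=0 src dst action rest name
    while read -r src dst action rest || [ -n "$src" ]; do
        n=$((n + 1))
        case $src in ''|'#'*) continue ;; esac      # skip blanks and comments
        # An allow rule with a wildcard source lets every qube call the service.
        case "$src $action" in
            '$anyvm allow'*|'@anyvm allow'*)
                echo "line $n: WILDCARD source $src is allowed"; bad=1 ;;
        esac
        # Collect every qube name the rule refers to, target= included.
        set -- "$src" "$dst"
        case $action in
            *target=*) name=${action##*target=}; set -- "$@" "${name%%,*}" ;;
        esac
        # A name matching no existing qube is a stale rule (e.g. after a rename).
        for name in "$@"; do
            is_qube "$name" "$list" ||
                { echo "line $n: UNKNOWN qube $name"; bad=1; }
        done
    done < "$policy"
    return "$bad"
}

# Constructed sample data: the thread's two rules plus one that matches the list.
demo_dir=$(mktemp -d)
printf '%s\n' sys-usb trezor-vm > "$demo_dir/qubes"
printf '%s\n' \
    '$anyvm $anyvm allow,user=trezord,target=sys-usb' \
    'Trezor-appVM sys-usb allow,user=trezord,target=sys-usb' \
    'trezor-vm sys-usb allow,user=trezord,target=sys-usb' \
    > "$demo_dir/policy"
audit_policy "$demo_dir/policy" "$demo_dir/qubes" || true
```

In dom0 the list file can be produced with `qvm-ls --raw-list`, and the policy file is the `/etc/qubes-rpc/policy/trezord-service` created in Step 3.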

I’m doing a fresh install on Qubes 4.2 and when I got to step 6 of this install I came across this - looks like Trezor Bridge has been deprecated.

How does that change the install?

CORRECTION - PLEASE DISREGARD THIS POST: Everything works as it should.

1 Like

We’re experiencing issues setting up our Trezor Safe 5 with Trezor Suite. Here’s our current situation:

  1. Initially, Trezor Suite recognized the device without any special configuration.
  2. We tried applying suggested fixes, but this caused the device to no longer be recognized.
  3. After reverting changes, the device is recognized again, but we’re stuck during the setup process.

Our setup:

  • Using the latest Trezor Suite (version 24.12.3 AppImage)
  • Trezor Safe 5 hardware wallet
  • Running on Qubes OS 4.2.3 in a Debian 12 AppVM

Issues we’re facing:

  • Setup process gets stuck at the device legitimacy check step. We actually could not install the firmware either, it gets stuck, so we installed it from a Mac to troubleshoot.
  • Unable to complete the initial setup
  • Previous solutions involving trezord do not appear to apply, as the trezor bridge is now bundled in the AppImage

Has anyone encountered similar issues or have suggestions for completing the setup process with this configuration? Any help would be appreciated.

1 Like