Ultimate Guide on Using Trezor on Qubes

smrtak · March 9, 2025, 9:14pm

All Trezor devices have been tested and work without issues.

Did you follow all instruction as specified in how-to? Was there anything confusing or incorrect? Where did you get stuck or lost?

When troubleshooting issues, this link was very useful: Installing Trezor Suite on Linux

Make sure you use correct UDEV rules and verify your sys-usb with cmd: systemctl --version
It needs to return value higher thatn 256.4

sys-usb template needs to have these extra pkgs installed: trezor libfuse2 socat

d-arcy · March 11, 2025, 11:43am

It’s now working. I’ve tested Qubes with a big variety of hardware wallets and they all work out of the box, no need to create a custom sys-usb - except for Trezor Model T and Trezor Safe (3 and 5), and only if you want to use them with browser based wallets (that includes Trezor Suite).

It looks like this is because most hardware wallets use HID protocol for USB communication, which is easy to passthrough to virtual machines in Qubes. Model T and Safe models use WebUSB, and it looks like they don’t like how Qubes passthrough handles WebUSB devices. Electrum seems to be able to communicate with model T and Safe models via HID.

Long story short, after following @smrtak guide Model T and Safe models work with Trezor Suite and other browser wallets. But I do believe the RPC policies are overly permissive, so I suggest to change those to make sure only the TrezorSuite VM can connect to trezord-service.

smrtak · March 11, 2025, 1:50pm

thx for feedback
NOSTR note has been edited + new reply with proposed restriction to RPC policy (for clients that don’t support edited posts)

d-arcy · March 12, 2025, 10:16am

Thanks! I didn’t realize there was a comment with modified RPC policies - when clicking the link in the thread I can only see the original post with the very permissive RPC policy.

Anyway, I see that you added to the RPC allow list appVMs for Sparrow and Electrum. According to my tests that’s not strictly necessary (but of course it will work), because you can just attach the Trezor devices to those appVMs using the standard Qubes passthrough and they will work. Only case in which Model T and Safe models don’t work via passthrough is with Trezor Suite and other browser based wallets (Metamask, Rabby, etc.)

equbes · March 16, 2025, 4:57pm

Check out USBIP protocol errors where we’ve been debugging the usb passthrough method (as opossed to running software in sys-usb), however there are some issues as well.

adamnume2 · April 9, 2025, 4:56pm

Unfortunately this doesn’t work for me.

Here is what I did:

Step 1 - No issues

I have cloned whonix-ws-17 and named it whonixtrezor
I have created AppVM Trezor using whonixtrezor as template
I have downloaded TrezorSuite to AppVM and made it executable

Step 2 - No issues

I have added the code in the whonixtrezor template instead of the AppVM (tried both way)

Step 3 - No issues

Step 4 - Some issues

I have cloned fedora-39 and called it fedoratrezor
I have also created a dvm-clone and called it fedoratrevordvm but I was not apple to use it as template for sys-usb, I could simply not opt for it in the dropdown. I was only able to opt for actual templates so I opted for fedoratrezor as sys-usb template and consequently have installed everything following that was meant for fedoratrezordvm to fedoratrezor template instead.

Step 5 - No issues

Installed to fedoratrezor template

Step 6 - No issues

Installed to feoratrezor template

Step 7 - No Issues

Step 8 - No Issues
First part:

I have installed directly into whonixtrezor template
I’ve used the following command: “sudo install python3-trezor”
Second part:
Installed in fedoratrezor template

I’m using Qubes 4.2.3

TrezorSuite gets me following erro: App can’t communicate with device

As a solution it says try restarting computer.

adamnume2 · April 10, 2025, 7:27pm

I have tried out some more but still no success:

[user@fedoratrezor ~]$ systemctl --version
systemd 254 (254.10-1.fc39)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
[user@fedoratrezor ~]$ sudo dnf install trezor
Last metadata expiration check: 1:34:42 ago on Thu Apr 10 13:42:05 2025.
No match for argument: trezor
Error: Unable to find a match: trezor
[user@fedoratrezor ~]$ sudo dnf install fuse
Last metadata expiration check: 1:35:01 ago on Thu Apr 10 13:42:05 2025.
Package fuse-2.9.9-17.fc39.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[user@fedoratrezor ~]$ sudo dnf install libfuse2
Last metadata expiration check: 1:35:14 ago on Thu Apr 10 13:42:05 2025.
No match for argument: libfuse2
Error: Unable to find a match: libfuse2
[user@fedoratrezor ~]$

I have added and executed the UDEV Rules and have also changed trezord.service to root by changing “User=trezord” to “User=root”

Any clues @apparatus @smrtak ?

vaticanvoodoo · June 19, 2025, 6:16pm

The trezor bridge is deprecated, is there a way to use trezor on qubes without it?