Qubes OS Use Case in Question:
-Bockchain dev with with over 100 wallets. new project = new wallet and only matter of time until you install one that has some malware attached. It is inevitable. Existing wallets need isolation from one another, critically. Wallets do not need to be run 24/7, can be used /spun up and used on demand, so no need for concurrent wallet VMs running at same time. Wallets do require internet access to sync blockchain data.
Questions:
-Would Qubes OS strcuture be a good fit for those who run several (100+) crypto wallets?
-Most of the wallets are core qt wallets, they typically do have a linux GUI app but are NOT normally found in package managers, is this an issue?
-Wallets do not need to be run 24/7, can be used /spun up on demand, one at a time, what kind of hardware would work without huge wait times? Does something like a X230/T430 maxed ram suffice ?
Yes, the number of vms doesn’t really matter, also considered you don’t need to run all of them at the same time.
Not an issue, you can install the package manually in a TemplateVM and use that template for all your wallet VMs. Feel free to provide a link to the wallet if you need help.
Questions about template piece: In order to run 100 wallets, I would need to then create 100 templates ? Is it not possible to use one template but run 100 app vms but maintain the necessary isolation?
Just thinking about storage and manual work required to get the custom packages installed and isolated. Please let me know.
If the wallet packages are different, I’d say you have two options:
Install all the various wallets in one template, then create 100 AppVMs (basically have the binaries in one template and each seed in one AppVM)
Create 100 StandaloneVM in which you install the package and configure the wallet.
Just note that if you go for the last option, you’ll have 100 AppVMs to update, even for just a single package. You may want to consider using an apt-cacher-ng vm that you can use to manage your updates (so you’ll only have to download each update once, but you’ll still need to install it in all Standalones)
Bonus option: if you can create an AppImage file for each wallet that doesn’t require installation but only dependencies, then you can create a single template with all dependencies and place each AppImage in a different AppVM.
The first options seems MUCH more feasible, but does it isolate effectively ? If one such wallet contains malware, is it not disastrous to all other wallets in this scenario ?
I ask because, in general, wallet malware seeks to extract tokens from and keys from other wallets on the same system.
You may want to explore solutions such as split-monero in which you have the net-connected daemon running in one vm, and the wallet with the seed in a vm without netvm.
This wallet provides a .tar.gz file that doesn’t require installation: Wallets | Ravencoin
You can place it directly in an AppVM.
The wallet developers need to release the AppImage, or you can look up ways to convert binaries to an AppImage file.
So if I understand correctly. Solution for this use case is:
Make a single template VM with dependencies
Take wallet software, a) if App image run as AppVM b) if not turn into App Image and run as AppVM. Run using single template.
Any individual wallet can have malware, but will not affect other wallets and will also not affect the single template or Dom0; unless very special type of malware.
If not possible to make App Image, make a new template for that wallet only.
Please correct me if I have made any mistake in my understanding.
That seems sensible. Before converting binaries to AppImage, check if you actually need to install them first, because in the example you linked before, no installation was necessary, thus you don’t even need to convert it to an appimage.