Veracrypt install script for minimal templates

My mistake. Credit given.
Nice script. Thanks.

Nope, I didn’t have any comms with Emily that aren’t out in the open.

You did send me something but I hadn’t had the chance to try it to avoid the dependency.

I’ve now repeated what I originally did (but built that qube from scratch rather than updating it)…and no dependency issue this time around.

Full-auto VeraCrypt disposable VM using a custom Debian minimal template. It
downloads the latest VeraCrypt GUI and installs it. Suggest improvements.

***Not fully tested.

Veracrypt GUI disposable based on debian-12-minimal template:


Named disposable version:

debian-minimal-veracrypt-named-disposable.sh


#!/bin/bash

#######################################################################
# File Name    : debian-minimal-veracrypt-named-disposable.sh
# Description  : This script creates a named disposable VeraCrypt qube
#                based on Debian minimal template with VeraCrypt GUI
#                installed and configured for secure file operations.
# Dependencies : curl
# Usage        : • Transfer this script from appvm to dom0 with:
#                [user@dom0 ~]$ qvm-run --pass-io appvm 'cat ~/debian-minimal-veracrypt-named-disposable.sh' > ~/debian-minimal-veracrypt-named-disposable.sh
#                • Make the script executable with:
#                [user@dom0 ~]$ chmod +x ~/debian-minimal-veracrypt-named-disposable.sh
#                • Run the script with:
#                [user@dom0 ~]$ bash ~/debian-minimal-veracrypt-named-disposable.sh
# Author       : Me and the bois
# License      : Free of charge, no warranty
# Last edited  : 2025-09-02
#######################################################################

# Safety check
set -eu

# Configuration
BASE_TEMPLATE="debian-12-minimal"
CUSTOM_TEMPLATE="debian-veracrypt-template"
DISP_TEMPLATE="debian-veracrypt-dvm"
NAMED_DISP_VM="disp-veracrypt"

# VeraCrypt base URL
VERACRYPT_BASE_URL="https://launchpad.net/veracrypt/trunk"

# Step 1: Install and update the Qubes Template
echo -e "\n[1/7] Checking for Qubes template..."
if ! qvm-check "$BASE_TEMPLATE" 2>/dev/null; then
    echo "Installing $BASE_TEMPLATE..."
    sudo qubes-dom0-update qubes-template-$BASE_TEMPLATE
fi

# Ensure template is shut down before updating
qvm-shutdown --wait "$BASE_TEMPLATE" 2>/dev/null || true

# Update the template whether it was just installed or already existed
echo "Updating $BASE_TEMPLATE..."
sudo qubesctl --show-output --skip-dom0 --targets=$BASE_TEMPLATE state.sls update.qubes-vm

# Ensure Qubes base template is shut down before create
qvm-shutdown --wait "$BASE_TEMPLATE" 2>/dev/null || true

# Step 2: Create custom base template
echo -e "\n[2/7] Creating custom template by cloning..."
qvm-clone "$BASE_TEMPLATE" "$CUSTOM_TEMPLATE"
qvm-prefs "$CUSTOM_TEMPLATE" label black

# Step 3: Install dependencies
echo -e "\n[3/7] Installing dependencies..."
qvm-run -p -u root "$CUSTOM_TEMPLATE" "echo 'TERM=xterm' >> /etc/environment"
qvm-run -p -u root "$CUSTOM_TEMPLATE" "sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen"
qvm-run -p -u root "$CUSTOM_TEMPLATE" "locale-gen"
qvm-run -p -u root "$CUSTOM_TEMPLATE" "
    apt-get update && apt-get install -y --no-install-recommends \
    curl \
    libccid \
    pcscd \
    libwxgtk3.2-1 \
    libayatana-appindicator3-1 \
    libfuse2 \
    polkitd \
    dialog \
    thunar \
    qubes-core-agent-thunar \
    zenity \
    nautilus \
    qubes-core-agent-nautilus \
    qubes-core-agent-passwordless-root \
    pciutils \
    qubes-usb-proxy \
    mousepad \
    ristretto \
    xarchiver \
    thunar-archive-plugin \
    xpdf \
    metadata-cleaner \
    grsync \
    vlc \
    pulseaudio-qubes \
    gpg \
    xfce4-terminal \
    xfce4-notifyd
"

# Shutdown template to apply changes
qvm-shutdown --wait "$CUSTOM_TEMPLATE"

# Step 4: Install VeraCrypt GUI in the custom base template for disposable template
echo -e "\n[4/7] Installing VeraCrypt GUI in the template..."

# Function to install VeraCrypt GUI in the template
install_veracrypt_gui() {
    local template="$1"

    # Create a temporary script file
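    cat > /tmp/install_veracrypt.sh << 'EOF'
# (installer script body is missing from the page)
EOF

    # Copy the script into the template
    qvm-run -p -u root "$template" "cat > /tmp/install_veracrypt.sh" < /tmp/install_veracrypt.sh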
    qvm-run -p -u root "$template" "chmod +x /tmp/install_veracrypt.sh && /tmp/install_veracrypt.sh"

    # Clean up local script
    rm -f /tmp/install_veracrypt.sh

    # Check if installation was successful
    if qvm-run "$template" "dpkg -l | grep -q veracrypt"; then
        echo "VeraCrypt installation completed successfully."
    else
        echo "ERROR: VeraCrypt installation failed."
        exit 1
    fi
}

# Install VeraCrypt in the disposable template
install_veracrypt_gui "$CUSTOM_TEMPLATE"

# Shutdown template to apply changes
qvm-shutdown --wait "$CUSTOM_TEMPLATE"

# Step 5: Create DVM template based on custom template
echo -e "\n[5/7] Creating DVM template..."
qvm-create --template "$CUSTOM_TEMPLATE" --label red "$DISP_TEMPLATE"
qvm-prefs "$DISP_TEMPLATE" template_for_dispvms True

# Step 6: Create named disposable VM instance
echo -e "\n[6/7] Creating named disposable VM instance..."
qvm-create --class DispVM --template "$DISP_TEMPLATE" --label red \
    --property netvm="" \
    --property include_in_backups=False \
    "$NAMED_DISP_VM"
qvm-features "$NAMED_DISP_VM" appmenus-dispvm 1

# Step 7: Configure menu items
echo -e "\n[7/7] Configuring menu items..."
qvm-features "$CUSTOM_TEMPLATE" menu-items "debian-xterm.desktop"
qvm-features "$NAMED_DISP_VM" menu-items "veracrypt.desktop thunar.desktop grsync.desktop mousepad.desktop xfce.ristretto.desktop vlc.desktop xarchiver.desktop xfce4-terminal.desktop xpdf.desktop"

# Finalize
echo -e "\nFinish!"


Regular disposable version:

debian-minimal-veracrypt-regular-disposable.sh


#!/bin/bash

#######################################################################
# File Name    : debian-minimal-veracrypt-regular-disposable.sh
# Description  : This script creates a regular disposable VeraCrypt qube
#                based on Debian minimal template with VeraCrypt GUI
#                installed and configured for secure file operations.
# Dependencies : curl
# Usage        : • Transfer this script from appvm to dom0 with:
#                [user@dom0 ~]$ qvm-run --pass-io appvm 'cat ~/debian-minimal-veracrypt-regular-disposable.sh' > ~/debian-minimal-veracrypt-regular-disposable.sh
#                • Make the script executable with:
#                [user@dom0 ~]$ chmod +x ~/debian-minimal-veracrypt-regular-disposable.sh
#                • Run the script with:
#                [user@dom0 ~]$ bash ~/debian-minimal-veracrypt-regular-disposable.sh
# Author       : Me and the bois
# License      : Free of charge, no warranty
# Last edited  : 2025-09-02
#######################################################################

# Safety check
set -eu

# Configuration
BASE_TEMPLATE="debian-12-minimal"
CUSTOM_TEMPLATE="debian-veracrypt-template"
DVM_TEMPLATE="debian-veracrypt-dvm"

# VeraCrypt base URL
VERACRYPT_BASE_URL="https://launchpad.net/veracrypt/trunk"

# Step 1: Install and update the Qubes Template
echo -e "\n[1/7] Checking for Qubes template..."
if ! qvm-check "$BASE_TEMPLATE" 2>/dev/null; then
    echo "Installing $BASE_TEMPLATE..."
    sudo qubes-dom0-update qubes-template-$BASE_TEMPLATE
fi

# Ensure template is shut down before updating
qvm-shutdown --wait "$BASE_TEMPLATE" 2>/dev/null || true

# Update the template whether it was just installed or already existed
echo "Updating $BASE_TEMPLATE..."
sudo qubesctl --show-output --skip-dom0 --targets=$BASE_TEMPLATE state.sls update.qubes-vm

# Ensure Qubes base template is shut down before create
qvm-shutdown --wait "$BASE_TEMPLATE" 2>/dev/null || true

# Step 2: Create custom base template
echo -e "\n[2/7] Creating custom template by cloning..."
qvm-clone "$BASE_TEMPLATE" "$CUSTOM_TEMPLATE"
qvm-prefs "$CUSTOM_TEMPLATE" label black

# Step 3: Install template dependencies
echo -e "\n[3/7] Installing template dependencies..."
qvm-run -p -u root "$CUSTOM_TEMPLATE" "echo 'TERM=xterm' >> /etc/environment"
qvm-run -p -u root "$CUSTOM_TEMPLATE" "sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen"
qvm-run -p -u root "$CUSTOM_TEMPLATE" "locale-gen"
qvm-run -p -u root "$CUSTOM_TEMPLATE" "
    apt-get update && apt-get install -y --no-install-recommends \
    curl \
    libccid \
    pcscd \
    libwxgtk3.2-1 \
    libayatana-appindicator3-1 \
    libfuse2 \
    polkitd \
    dialog \
    thunar \
    qubes-core-agent-thunar \
    zenity \
    nautilus \
    qubes-core-agent-nautilus \
    qubes-core-agent-passwordless-root \
    pciutils \
    qubes-usb-proxy \
    mousepad \
    ristretto \
    xarchiver \
    thunar-archive-plugin \
    xpdf \
    metadata-cleaner \
    grsync \
    vlc \
    pulseaudio-qubes \
    gpg \
    xfce4-terminal \
    xfce4-notifyd
"

# Shutdown custom template to apply changes
qvm-shutdown --wait "$CUSTOM_TEMPLATE"

# Step 4: Install VeraCrypt GUI in the custom base template for disposable template
echo -e "\n[4/7] Installing VeraCrypt GUI in the template..."

# Function to install VeraCrypt GUI in the template
install_veracrypt_gui() {
    local template="$1"

    # Create a temporary script file
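    cat > /tmp/install_veracrypt.sh << 'EOF'
# (installer script body is missing from the page)
EOF

    # Copy the script into the template
    qvm-run -p -u root "$template" "cat > /tmp/install_veracrypt.sh" < /tmp/install_veracrypt.sh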
    qvm-run -p -u root "$template" "chmod +x /tmp/install_veracrypt.sh && /tmp/install_veracrypt.sh"

    # Clean up local script
    rm -f /tmp/install_veracrypt.sh

    # Check if installation was successful
    if qvm-run "$template" "dpkg -l | grep -q veracrypt"; then
        echo "VeraCrypt installation completed successfully."
    else
        echo "ERROR: VeraCrypt installation failed."
        exit 1
    fi
}

# Install VeraCrypt in the disposable template
install_veracrypt_gui "$CUSTOM_TEMPLATE"

# Shutdown custom template to apply changes
qvm-shutdown --wait "$CUSTOM_TEMPLATE"

# Step 5: Create DVM template based on custom template
echo -e "\n[5/7] Creating DVM template..."
qvm-create --template "$CUSTOM_TEMPLATE" --label red \
    --property netvm="" \
    --property include_in_backups=False \
    "$DVM_TEMPLATE"
qvm-prefs "$DVM_TEMPLATE" template_for_dispvms True

# Step 6: Create regular disposable VM instance
echo -e "\n[6/7] Creating regular disposable VM instance..."
qvm-features "$DVM_TEMPLATE" appmenus-dispvm 1

# Step 7: Configure menu items
echo -e "\n[7/7] Configuring menu items..."
qvm-features "$CUSTOM_TEMPLATE" menu-items "debian-xterm.desktop"
qvm-features "$DVM_TEMPLATE" menu-items "veracrypt.desktop thunar.desktop grsync.desktop mousepad.desktop xfce.ristretto.desktop vlc.desktop xarchiver.desktop xfce4-terminal.desktop xpdf.desktop"

# Finalize
echo -e "\nFinish!"

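As an added example (not part of the original post or its script), one way to gate the install step on a signature check: run gpg with `--status-fd` and accept the downloaded package only when a `VALIDSIG` line names a fingerprint pinned in advance. The function names, file names and sample status lines are assumptions constructed for illustration; the pinned fingerprint has to be obtained independently from the VeraCrypt project.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed, not from the post.

# sig_ok STATUS PINNED_FPR
# Succeeds only when gpg's status output holds a VALIDSIG line whose primary-key
# fingerprint (last field) equals PINNED_FPR and no line reports a bad,
# expired or revoked signature or a missing key.
sig_ok() {
    so_status=$1
    so_pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$so_pinned" ] || return 1
    if printf '%s\n' "$so_status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '
    then
        return 1
    fi
    printf '%s\n' "$so_status" | awk -v want="$so_pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit !ok }'
}

# verify_deb DEB SIG PINNED_FPR
# Checks the detached signature SIG over DEB with the keys in the current
# GnuPG home, then applies sig_ok. Run it in the template before dpkg/apt
# touches the file, e.g.:  verify_deb pkg.deb pkg.deb.sig "$FPR" || exit 1
verify_deb() {
    vd_status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    sig_ok "$vd_status" "$3"
}

# Constructed sample data (not a real key or signature).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2025-01-01 1735689600 0 4 0 1 10 00 $SAMPLE_FPR"
SAMPLE_EXPKEY="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2025-01-01 1735689600 0 4 0 1 10 00 $SAMPLE_FPR"
```

Matching on the full fingerprint rather than on gpg's exit code means a valid signature made by some other key in the keyring is still refused.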

In my opinion:

  1. ā€œvlcā€ does not have any reason to exist in this MINIMAL template! and so do some of the other stuff (audio? zenity?). Not sure which are Veracrypt dependencies, and which are your personal choices.
  2. The minimal template should only be able to mount and re-export encrypted volumes.
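To separate what the VeraCrypt package itself requires from what was added by choice, the `Depends` field of the downloaded `.deb` (printed by `dpkg-deb -f FILE.deb Depends`) can be compared with the install list. The following is an added example, not code from the thread; the function names and the sample `Depends` string are constructed, and the string is not the real VeraCrypt control field.

```sh
#!/bin/sh
# Added example; names and sample data are constructed, not from the thread.

# dep_names DEPENDS
# Prints the bare package names in a Debian Depends field, one per line.
# Version constraints "(>= 1:2.0)" and ":arch" qualifiers are dropped, and
# each alternative in "a | b" is listed, since either one satisfies dpkg.
dep_names() {
    printf '%s\n' "$1" | tr ',|' '\n\n' |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//' \
            -e 's/[[:space:]]//g' -e '/^$/d'
}

# not_required DEPENDS PKG...
# Prints every PKG that the Depends field does not name. Such a package may
# still be wanted for other reasons (for example Qubes integration); the
# output only shows that the VeraCrypt package does not ask for it.
not_required() {
    nr_deps=$(dep_names "$1")
    shift
    for nr_pkg in "$@"; do
        printf '%s\n' "$nr_deps" | grep -Fxq -- "$nr_pkg" ||
            printf '%s\n' "$nr_pkg"
    done
}

# Constructed Depends string for illustration only.
SAMPLE_DEPENDS='libc6 (>= 2.34), libfuse2 | fuse, libwxgtk3.2-1 (>= 3.2.0), libayatana-appindicator3-1, pcscd:any, dmsetup, sudo'
```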

I’ve done it with the average user’s workflow in mind, and I’ve even put the packages in order of their dependence so that anyone reading can evaluate what they want to put in. As you can see, vlc and audio are towards the end of the list, while the zenity package is required for interactive dialogs, e.g., file selection and for using the Nautilus menu option to copy some files to other qubes. I also based myself on the packages used in Whonix.

Thanks for the feedback.
