Video surveillance system with Qubes

Here are my ideas about setting up a video surveillance system on Qubes. I use ZoneMinder because it’s open source and seems to be enough for my needs.

I have attached IP cameras to Router_cams which is not connected to the internet. There’s a separate sys-net2 created for that router with the appropriate Ethernet controller attached to it.

The flow of information should go as follows from top to bottom:

IP cameras
   │ │ │
Encryption_qube (no network access)
   │ │ │
Servers that reside elsewhere


  • has ZoneMinder installed (duh).
  • It will save the video streams when there is motion detected and send them to Encryption_qube.
  • I will also monitor the live feed when I’m near the Qubes machine.


  • takes video files from ZM_qube.
  • It’s a separate qube with no internet access in case of a ZoneMinder supply chain attack or a malicious IP camera that exploits ZoneMinder somehow. That way I will be reasonably certain that the encryption process hasn’t been tampered with.
  • It could also send the videos to another qube without internet access that will store the videos locally on the same machine or on another (hidden) machine via Wi-Fi (in case the attackers cut off my internet access and take/destroy the Qubes machine).


  • Takes encrypted files from Encryption_qube.
  • It has internet access, but will only have access to encrypted blobs and no plaintext (plainvideo? :stuck_out_tongue:) files.


  • Can’t view the stream from another device while I’m away. I could route the videos to a separate qube that will act like a server, but securing that seems pretty hard, especially compared to the security guarantees given by of the rest of the system.

  • ZM_qube is trusted with the motion detection and filtering. I was thinking of adding another qube between ZM_qube and Encryption_qube to do that (Modec_qube), but it will also need ZoneMinder installed (or a similar program capable of motion detection). But if an IP camera is malicious, it seems (intuitively) that it would be easier for it to compromise ZM_qube directly than Modec_qube since Modec_qube will only receive (compressed?) video from ZM_qube without directly talking to the cameras and exchanging control/config data.

What would be the best way to share data between the Qubes? The data that goes ZM_qube → Encryption_qube → Upload_qube doesn’t need to touch the hard drive so something like Xen shared memory could be faster (but I don’t know much about it yet).

1 Like