What are common pitfalls new Qubes users run into?

Hi,
I am Raghav Hinduja, a Switzerland (Swiss) -based IT professional. can anyone explain What are common pitfalls new Qubes users run into?

Thanks, Regards
Raghav Hinduja

Basic issues:

• how templates work
• installing software
• doing backups
• bluetooth hardware

For advanced uses:

• firewall and nat
• netvm
• GPU passthrough

I’d say it all starts with BIOS settings (virt mode etc.) and hardware incompatibilities while installing.

Basic issues:

• Copy/Move data between qubes
• understanding use of disposables
• understanding how to use isolation to best effect
• understanding what Qubes cannot do
  
  I never presume to speak for the Qubes team.
  When I comment in the Forum I speak for myself.
  

I personally had troubles with just sticking to Qubes official website only initially since I am used to Arch wiki. The two windows with the same buttons of minimize, maximize and cancel would be a bit confusing for the most first users. I also got confused to where attach encrypted hard drives (it’s not sys-usb but a disposable vm)

I mitigated the problem of not understanding how Qubes works by trying to replicate it using just QEMU. I obviously failed in doing so but I learned Qubes conceptually before even trying it out

From what I did or see, some common pitfalls are:

• thinking that an issue is related to Qubes OS, when it comes from another software (Fedora, XFCE, etc.)
• the confusion between templates and disposable templates
• using minimal templates (unless advanced or willing to do your own research)
• sticking to only Fedora or only Debian templates (switching from one template to the other can help with some issues)
• changing the networking, especially when doing things against recommendations (network in templates, VPN-tor tunnels, etc.)
• copying things to dom0 (i.e.: a wallpaper)
• using dom0 to do anything else than managing qubes or the Qubes OS (navigate files, use an app, use drives, etc)
• attaching the same USB drive to different qubes (i.e.: because you made a backup of your old system on a single drive)
• using USB devices instead of block devices (when appropriate)
• using sys-usb to mount drives
• the belief that vault is something more than a regular qube with a grey label and no network
• too much use of standalones: I used some standalones for a long time to do something that could be achieved with a template and app qubes, instead of figuring out how to separate the user files from the root filesystem. That’s still a good tool to play with, or to use when you can’t make something work using template+app qube.
• underestimating the power of disposables (this is more an efficiency pitfall, not so important)
• trying to use a disposable sys-net with a wifi connection, without knowing how to use disposables
• confusing “disposables”, “disposable templates” and “templates”
• not trying things in test qubes (app qube, disposables or templates). It’s easy to create and delete them in case of trouble.

Think Qubes OS is private and hardened by default.

I agree, but thinking that something is “private” is a pitfall concerning Qubes users or people looking for privacy in general?

Its not a pitfall for wealth people, people have privacy at Swiss banks.

I think Qubes Team should mitigate the default configurations and applications in it.

At least, maintaining hardening scripts for Qubes and updating the documentation clearly about pitfalls.

They mistakenly believe that security is a product. [Link to PDF]

The most common perception I’ve observed among many people is that, when you start using Qubes OS, you magically become hack-proof and malware-proof.

Not knowing that the lifespan of a disposable is only as long as the first application that was launched to create it.

It got me the first time I used a disposable, and it got me again today, and I know I can turn it off, but I forgot how. (in 4.2)

Believing that a VM without any network access is secure and saving all personal files unencrypted on that VM is a significant security oversight.