What extra layers of protection should I add for better security on Qubes OS 4.3?

Tarkov · March 4, 2026, 3:19am

What have you installed and/or configured on your qubes os thats proven to help you be more secure from all threats imaginable? I have a post quantum double vpn that routes traffic through whonix. Is there more that I can do?

FranklyFlawless · March 4, 2026, 3:49am

It depends on your threat model, but if you are specifically looking for security outside but still related to Qubes OS, I can publicly discuss about it.

dkzkz · March 4, 2026, 7:59am

I’m using this setup that’s my own repository and i use this setup everyday

I install every packages over tor by using tor+https
I use qvm-firewall rules for my vm and allow only https, http, dns trafic and tor traffic everything else is dropped like IMCP traffic (ping etc…)
I fully removed AI , Wallet, Telemetry in brave-browser the browser is “clean”
I use my own apparmor profiles to deny access to a lof of things the browser can’t access the machine-id , root filesystem , etc…
I separate each part of the browser in the apparmor profile to increase the security of the browser ex : brave-crash don’t have the same permission as brave-sandbox
I’m using the Xorg apparmor profile to increase even more the security of the VM and there is also the “tor service” profile provided automatically by apparmor in the last version
Nautilus doesn’t have access to internet in my apparmor profiles , qubes features like move files between vm doesn’t have access to internet too you can view the content here
When i open a editors or pdf the pdf apps doesn’t have internet access and pdf apps can’t access to root filesystem (i only do a profile for okular and mupdf because they doesn’t support Javascript and it’s good for the security)
In whonix i’m using the Xorg apparmor profiles
I removed systemd-timsync in sys-net in my opinion it’s insecure. In favor of a ntp service that support nts protocol like chrony by default Qubes should do something like that. It would be great in the future if Qubes provide a mechanism similar for time sync Tails - Time synchronization
In sys-net i’m using a encrypted DNS resolver
I also have a script that randomize the hostname at boot for template, appvm, dispvm
When i browse internet i make sure to disable Javascript in ublock origin i only enable Javascript for website who really need JS
I minimized debian even more to reduce the attack surface thanks to @qubist
My template only have browser installed each template are using their own browser : ex brave-temp, mullvad-temp etc…
My appvm boot with the same kernel hardening from secureblue Kernel arguments | secureblue

For users reading my post you should only install ublock as extensions in your browser https://discuss.privacyguides.net/t/zero-day-clickjacking-vulnerabilities-in-major-password-managers/30278

I think i’m the only user going so far in term of security but i honestly can’t see how i can be hacked or get malware. My setup is really overkill

fsflover · March 4, 2026, 11:49am

Tarkov · March 8, 2026, 2:52am

yes please

FranklyFlawless · March 8, 2026, 3:27am

Okay, a few augmentations to Qubes OS security benefit from firmware and hardware (root of trust), particularily Coreboot, an open-source boot firmware. Qubes-certified hardware requires Coreboot among its certification criteria, but leaves the rest of the Coreboot payload implementation details up to the manufacturer. Currently, the situation is split into two mutually exclusive pathways:

Secure Boot
Measured/Sovereign/Verified Boot

@maltfield provided a detailed analysis of the benefits and tradeoffs of each approach in a blog article:

Here are additional related topics:

Currently, the latest in Secure Boot development is Dasharo TrustRoot, and the latest in Measured/Verified Boot development is Flashkeeper:

FranklyFlawless · March 9, 2026, 5:20am

I also forgot to mention about USBGuard, which is within dom0:

Currently the policy is permissive and has an open GitHub issue:

github.com/QubesOS/qubes-issues

Hardened option for single USB keyboard

opened 12:29PM - 02 Jan 24 UTC

emanruse

P: default C: input proxy

### The problem you're addressing (if any) Currently, on systems which can us…e only USB keyboards, it seems possible to have unrestricted number of such USB keyboards that are automatically allowed to connect to dom0 due to `/etc/qubes-rpc/policy/qubes.InputKeyboard` permissive policy. This makes it possible a malicious USB device (e.g. a USB memory stick) to represent itself as a keyboard, do its mischief, then switch back to being a non-keyboard. Using usbguard inside sys-usb to allow only specific predefined keyboards is a possibility, however it might result in a situation when the user gets locked out of the system. Example: The user has only one physical keyboard and whitelists it in usbguard rules. If the keyboard hardware stops functioning (e.g. the keyboard is physically damaged), the user will be compelled to replace it with another. However, since the new keyboard will not be whitelisted, the user won't be able to access the system through it, regardless of the fact that it is a good (non-malicious) device. ### The solution you'd like Provide an option (perhaps even enforced by default) which allows the user to restrict the number of possible USB keyboards on the system to 1 (one) at a time. ### The value to a user, and who that user might be The proposed solution would make it impossible for a malicious device to act as described, as a second keyboard will be denied. The only way to use another USB keyboard would be to physically disconnect the first one, then connect another. That must also be documented properly. #### Possible caveat **I don't know if that is possible** (there are [some](https://forums.tomshardware.com/threads/every-usb-port-will-randomly-disconnect-for-a-few-seconds-on-new-pc.3793952/) [reports](https://superuser.com/questions/1450976/external-usb-hard-drive-momentarily-disconnects-when-additional-external-hard-dr)), but just for extra consideration: If for some reason (e.g. a driver bug, power related issues or other) the malicious USB device is able to cause the original keyboard to (appear to) disconnect or simply "sneak in" while the original good keyboard is actually disconnected, the proposed solution will not work *per se* - the malicious device may still connect as a keyboard and accomplish the described attack, and during that period the actual keyboard will be blocked. To prevent such possibility, additional possible measures to the solution might be: - Enable any newly connected USB keyboard **only after reboot** In this way, even if a temporary disconnect happens, no other device would be able to take over a running the system, because to accomplish an attack the malicious device would have to cause a reboot of dom0 through sys-usb, which seems impossible in Qubes OS (at least not without a serious security bug). - UI for easy whitelisting of newly connected keyboards (using usbguard rules in sys-usb) Without other input device (e.g. at least a mouse able to click and confirm the newly connected keyboards), a possibility for user input might be the power button of the system. A service like `acpid` may be used to monitor for events. Example usage: A new keyboard is connected. The UI dialog shows up and asks for confirmation. The user is required to press the power button of the system to activate the new keyboard, after which it gets whitelisted in `/etc/usbguard/rules`. The `acpid` service may probably run in a separate VM (sys-acpi), thus making it impossible for a malicious device to attack both sys-usb and sys-acpi. Having sys-acpi may even provide extra security, e.g. the number of presses within a period of time might be configurable, e.g. "must press 3 times within 10 seconds", and may serve as a "password" for allowing new USB devices. **Additional notes**: As by default passwordless root is enabled in VMs, whitelisting devices in sys-usb itself may turn out vulnerable. I don't know what inter-VM communication mechanism for this may be suitable but it seems better to isolate the "credentials" of devices - have another VM store and verify if a device is whitelisted, then report the result back to sys-usb.

wafmtjwadllc · March 19, 2026, 12:55am

I think i’m the only user going so far in term of security but i honestly can’t see how i can be hacked or get malware. My setup is really overkill

Yeah its overkill you made everything overcomplicated. You are in Qubes OS but your setup feels like you are doing hardening like you are in traditional linux. You should learn to seperate your activities inside Qubes OS by doing that you can significantly reduce the complications you made.

i honestly can’t see how i can be hacked or get malware.

All those steps you mentioned covers only basic hardening i don’t even call it as basic its should be named as very basic you made very basic hardening this much complicated. You setup has too many loop holes for your vm to be infected.

The number one main mistake you are doing is relying too much on apparrmor and believing it protects you by creating all those apparmor profiles instead of relying on apparmor try to seperate your activities. apparmor profiles can by bypassed keep this in mind.

Read this docs its has tons of useful information

newqube · March 19, 2026, 6:51am

The best hardening I’ve seen on the forum. God-like level of protection

lars-qubes · March 20, 2026, 12:20am

yes please.

tokaso80 · March 20, 2026, 2:42am

This setup only seem to improve security. But makes you extremely easy to track. When you enable js the sites which require it fingerprint your vm. What software it has, what “hardware” it has and so on and so forth. A plain vm with only browser installed will be extremely unusual for pretty much everyone on the internet

dkzkz · March 21, 2026, 1:08am

That’s interesting i would like you explain me this

I guess you was right CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation to Root | Qualys i really think i will stop using apparmor and i’m going to use SElinux only and learn how selinux works

FranklyFlawless · March 21, 2026, 1:27am

Other than what I have already mentioned above, it is possible to compile your own Linux kernel in dom0 to replace the default VM kernels:

Distribution kernels are designed to be compatible with a wide variety of hardware, but at the cost of increased attack surface due to the amount of modules required to support them. In comparison, compiling your own kernel for your Qubes OS-supported hardware significantly reduces the available attack surface, but requires understanding the various configuration options available (GCC vs. Clang, ThinLTO vs. Full LTO, etc.) along with testing before deployment.