What have you installed and/or configured on your Qubes OS that's proven to help you be more secure from all threats imaginable? I have a post-quantum double VPN that routes traffic through Whonix. Is there more that I can do?
1 Like
It depends on your threat model, but if you are specifically looking for security outside but still related to Qubes OS, I can publicly discuss it.
2 Likes
I’m using this setup, that’s my own repository, and I use this setup every day:
- I install every package over Tor by using tor+https
- I use qvm-firewall rules for my VM and allow only HTTPS, HTTP, DNS traffic and Tor traffic; everything else is dropped, like ICMP traffic (ping etc.)
- I fully removed AI, Wallet and Telemetry in brave-browser; the browser is “clean”
- I use my own AppArmor profiles to deny access to a lot of things: the browser can’t access the machine-id, root filesystem, etc.
- I separate each part of the browser in the AppArmor profile to increase the security of the browser, e.g. brave-crash doesn’t have the same permissions as brave-sandbox
- I’m using the Xorg AppArmor profile to increase even more the security of the VM, and there is also the “tor service” profile provided automatically by AppArmor in the latest version
- Nautilus doesn’t have access to the internet in my AppArmor profiles; Qubes features like moving files between VMs don’t have access to the internet either. You can view the content here
- When I open an editor or a PDF, the PDF apps don’t have internet access and can’t access the root filesystem (I only do a profile for okular and mupdf because they don’t support JavaScript, and that’s good for security)
- In Whonix I’m using the Xorg AppArmor profiles
- I removed systemd-timesyncd in sys-net, in my opinion it’s insecure, in favor of an NTP service that supports the NTS protocol, like chrony. By default Qubes should do something like that. It would be great in the future if Qubes provided a similar mechanism for time sync (Tails - Time synchronization)
- In sys-net I’m using an encrypted DNS resolver
- I also have a script that randomizes the hostname at boot for template, AppVM, DispVM
- When I browse the internet I make sure to disable JavaScript in uBlock Origin; I only enable JavaScript for websites that really need JS
- I minimized Debian even more to reduce the attack surface, thanks to @qubist
- My templates only have a browser installed; each template uses its own browser, e.g. brave-temp, mullvad-temp, etc.
- My AppVMs boot with the same kernel hardening from secureblue (Kernel arguments | secureblue)

For users reading my post: you should only install uBlock as an extension in your browser https://discuss.privacyguides.net/t/zero-day-clickjacking-vulnerabilities-in-major-password-managers/30278

I think I’m the only user going so far in terms of security, but I honestly can’t see how I can be hacked or get malware. My setup is really overkill.
3 Likes
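An added example, not part of any post in this thread: a small audit that checks whether a qube's firewall rules actually match the "only HTTP, HTTPS, DNS, drop everything else" policy described in the post above. It assumes the key=value rule lines printed by `qvm-firewall --raw <vm> list` in dom0; the sample rules and the `POLICY` table are constructed for illustration, and Tor ports are left for you to add because the post does not name them.

```python
# Added example (not from the thread): audit firewall rules against an allow-list.
# Assumed input: key=value rule lines as printed by `qvm-firewall --raw <vm> list`.

# Allowed destination ports per protocol (HTTP, HTTPS, DNS from the post).
# Assumption: add your own Tor ports here; the post does not list them.
POLICY = {"tcp": {53, 80, 443}, "udp": {53}}

def parse_rule(line):
    """'action=accept proto=tcp dstports=443-443' -> dict of fields."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def port_range(spec):
    """'443' or '443-443' -> (443, 443)."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def audit(raw_rules, policy=POLICY):
    """Return a list of findings; an empty list means the rules fit the policy."""
    rules = [parse_rule(l) for l in raw_rules.splitlines() if l.strip()]
    findings = []
    for n, r in enumerate(rules):
        # Drop rules and the built-in DNS target never widen access.
        if r.get("action") != "accept" or r.get("specialtarget") == "dns":
            continue
        proto = r.get("proto")
        if proto not in policy or "dstports" not in r:
            findings.append(f"rule {n}: accepts {proto or 'any protocol'} "
                            "with no allowed port limit")
            continue
        low, high = port_range(r["dstports"])
        if any(p not in policy[proto] for p in range(low, high + 1)):
            findings.append(f"rule {n}: {proto} {r['dstports']} is outside the allow-list")
    # The policy only holds if the list ends in a match-everything drop.
    last = rules[-1] if rules else {}
    if last.get("action") != "drop" or set(last) - {"action", "comment"}:
        findings.append("no unconditional drop as the final rule")
    return findings

# Constructed sample rule sets.
GOOD = "action=accept specialtarget=dns\naction=accept proto=tcp dstports=80-80\n" \
       "action=accept proto=tcp dstports=443-443\naction=drop\n"
BAD = "action=accept proto=tcp dstports=443-443\naction=accept proto=icmp\n" \
      "action=accept proto=tcp dstports=1-1024\naction=accept\n"

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rules) or "matches policy")
```
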
Related:
3 Likes