Where I can save untrusted files in Qubes?

Can I save suspected or even compromised files in qubes ?

Sometimes I need to download some files from unknown websites or I have some suspected files for my work.
I know of course it isn’t recommended but I used to download these files in a different laptop.

For Qubes if I downlaoded these files in (untrusted VM ) for example it could compromise Dom0 .

Note: I don’t want to use disposable here since I want to save these files to use them later.

It depends on your threat model, but one solution is to create offline untrusted appVm and save all untrusted files there, but not to open them there. You would want to open them in an offline dispVM, if the files doesn’t need internet access.

1 Like

You can safely save untrusted files in a Qube and know it will not compromise any other Qubes. The way Qubes OS essentially works is the VMs are isolated from each other and don’t communicate with each other. The default Untrusted VM, for instance, does not communicate with dom0. It is also strongly recommended to not send any files to dom0.
For example, I use an untrusted VM for all of my untrusted browsing and general stuff. I download files, open them, and do general untrusted stuff all in my untrusted VM because I don’t really care if it gets compromised because I don’t have any sensitive or personal data or do any sensitive or personal stuff in my untrusted VM. You can also use the method that @enmus suggested if that better suits your threat model.
I would also recommend reading this article:


It’s extremely unlikely that any VM can compromise dom0, no matter how compromised it is. See also: Frequently asked questions (FAQ) | Qubes OS.


What if I cloned my vault template and saved the files there ?!

That would be the same as just having a Qube that isn’t connected to networking. The names and colors of VMs only serve for organization. The vault Qube is just a Qube that doesn’t have networking, and there’s no difference between the default personal, work, and untrusted VMs other than what you do inside of them.
You can read this page in the documentation for more information:


If it is offline appVm and wouldn’t compromise my Dom0 …Why I need to open files in an offline dispVM

If you want to avoid compromising the vault (despite it’s offline and isolated), you can open all its file in a disposable VM. Note that, even though it has no networking, there is still some danger in its compromise: Data leaks | Qubes OS. Depending on your threat model, you might consider this danger insignificant and unlikely – then you wouldn’t need a disposable VM.

1 Like

What fslover is basically saying is that because by opening compromised file in a non-disp AppVm (like vault, for example), you can compromise all other non-compromised files in the vault, and whole vault actually. And, when you take those compromised files to other VMs or other computers, they will compromise then them too.
When you open compromised file in a dispVM dispxxx, it will compromise dispVM, but when you shut it down, and open new dispxxy it won’t be compromised.

And we aren’t talking here about side-channel attacks that don’t depend on the type of AppVM.

I hope it is a bit clearer now.

1 Like

It can destroy or compromise the files in the same VM “of course” … There any threats about leaking these files to remote device ( Attacker) -even my VM offline -