From 96c84a4f7b7742e8481e3154e8b41c49ad13104f Mon Sep 17 00:00:00 2001 From: Brian Lechthaler Date: Thu, 28 May 2020 17:37:23 -0700 Subject: [PATCH] Document Running Zoom in a DispVM see https://github.com/QubesOS/qubes-doc/pull/1000 --- docs/configuration/zoom_dispvm.md | 69 +++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 docs/configuration/zoom_dispvm.md diff --git a/docs/configuration/zoom_dispvm.md b/docs/configuration/zoom_dispvm.md new file mode 100644 index 0000000..fc2c234 --- /dev/null +++ b/docs/configuration/zoom_dispvm.md @@ -0,0 +1,69 @@ +# Running Zoom in a DispVM +## Intro +Zoom is a fairly widely-used video conferencing application that runs on a variety of platforms. In this guide we will go through the process of setting up a Disposable VM for Zoom. + +### Why we will use a DispVM +By running Zoom alone in a Disposable VM, we can improve the safety of using the application. DispVMs ensure that even if a Zoom exploit leads to the entire DispVM being compromised, it is *contained* to the DispVM which is destroyed once you shutdown the Qube or exit Zoom. No persistence, limited attack surface, and zero trust. + +## Step 0: Clone a TemplateVM +1. Open `Qubes Manager` +2. Right-click on the `debian-10` TemplateVM +3. Click `Clone Qube` +4. Name the cloned qube `videoconferencing` + +*Alternatively:* + +1. Open Terminal Emulator in dom0 +2. Clone the `debian-10` template to new template `videoconferencing`: + `qvm-clone --verbose debian-10 videoconferencing` + +## Step 1: Download Zoom for Debian 8.0+ 64-bit +### Download and import Zoom's signing key: +1. Open `Xfce Terminal` from `whonix-ws-15-dvm` **Make a note of the Qube name in the title. This will be used in step 2.** +2. Download Zoom's GPG key using wget: + `wget "https://zoom.us/linux/download/pubkey"` +3. Import Zoom's Public Key: + `gpg --import pubkey` +### Download and verify Zoom, then copy to TemplateVM: +1. Download Zoom using `wget`: + `wget "https://zoom.us/client/latest/zoom_amd64.deb"` +2. Verify `zoom_amd64.deb`: + * `sudo apt install -y dpkg-sig`: `Install dpkg-sig` so we can verify `zoom_amd64.deb` + * `dpkg-sig zoom_amd64.deb`: Verify `zoom_amd64.deb`. + * Expected output should include indicate a good signature, for example here's what I got running the command: + `GOODSIG _gpgbuilder 396060CADD8A75220BFCB369B903BF1861A7C71D 1590375377` +3. Copy `zoom_amd64.deb` to TemplateVM `videoconferencing`: + `qvm-copy zoom_amd64.deb` +4. Select the `videoconferencing` TemplateVM as the destination to copy `zoom_amd64.deb` to. +5. Shutdown the TemplateVM: + `sudo shutdown now` + +## Step 2: Install Zoom in TemplateVM +### Install Zoom in the `videoconferencing` TemplateVM: +1. Open `Terminal` from TemplateVM `videoconferencing` +2. Check QubesIncoming folder contents: + `ls QubesIncoming` +3. You should see a folder with the same name as the Qube name in the title from the end of step 2. **In the following example, the Qube name was disp6247.** +4. Change directory to the location of `zoom_amd64.deb`: + `cd ~/QubesIncoming/disp6247/` +5. Install Zoom using `apt-get`: + `sudo apt-get install -y ./zoom_amd64.deb` +6. Shutdown the TemplateVM + `sudo shutdown now` + +## Step 3: Create AppVM and configure it for use as a DispVM +1. Open `Create Qubes VM`. +2. Name the Qube `videoconferencing-dvm` and label it `red` to indicate the lowest level of trust. +3. Select `AppVM` as the type of qube to be created. *This is the default.* +4. Select `videoconferencing` as the template for the AppVM Qube. +5. Choose `sys-firewall` for networking. +6. Click `OK`. + +## Step 4: Add Zoom to the AppVM's list of applications & enable DispVM +1. Open `Qube Manager` +2. `Search` for the `videoconferencing` TemplateVM. Right-click it and select `Qube Settings` +3. Click the `Applications` tab. +4. Click `Zoom` to highlight it, then click the `>` button to add it to the AppVM's application list. +5. Click the `Advanced` tab. +6. Under the `Other` section, check the box labeled `Disposable VM Template` +7. Click `OK`.