Git-Mirrors/anarsec.guide
1
0
Fork 0
mirror of https://0xacab.org/anarsec/anarsec.guide.git synced 2025-08-08 22:42:46 -04:00
Code Issues Projects Releases Packages Wiki Activity

more md formatting

Browse source
This commit is contained in:
anarsec 2023-07-08 20:49:47 +00:00
parent b6bbc36b6f
commit 11986c34cb
No known key found for this signature in database
10 changed files with 237 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

26
content/posts/qubes/index.md
View file

@ -18,11 +18,13 @@ Qubes OS is a security-oriented [operating system](/glossary#operating-system-os
Qubes OS can be made to force all Internet connections through the [Tor network](/glossary/#tor-network) (like Tails) by using [Whonix](https://www.whonix.org/wiki/Qubes), which is included by default. Devices (USBs, network devices, microphone and camera) are all strongly isolated and only allowed access when it is explicitly granted. "Disposables" are one-off qubes that self-destruct when shut down.
# Who is Qubes OS For?
Given that anarchists are [regularly targeted](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in the course of repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for daily-use, and [further down](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. Whereas Tails is so user-friendly that Linux knowledge isn't even required, Qubes OS is a bit more involved, yet it is still designed to be accessible to users like journalists who don't know Linux well.
Even if nothing directly incriminating is done on a computer that you use everyday, its compromise will still give investigators a field day for [network mapping](https://www.csrc.link/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use their daily-use computer for some anarchist projects and communication with other comrades, so making our personal computers difficult to hack is a reasonable goal for all anarchists.
# How Does Qubes OS Work?
Qubes OS is not quite another version of Linux. Rather, it is based on many "[virtual machines](/glossary/#virtual-machine-vm)" running Linux. All of these "virtual machines" are configured to work together in order to build a cohesive operating system.
What is a virtual machine? [Virtualization](/glossary/#virtualization) is the process of running a virtual computer *inside* your computer. The virtual machine thinks it's a computer running on real hardware, but really it's running on abstracted hardware (software imitating hardware). Qubes OS uses a special program called a hypervisor to manage and run many of these virtual machines at once, on the same physical computer. To simplify things, virtual machines are referred to as qubes. Different operating systems like Debian, Whonix, Fedora, Windows, etc. can all run together simultaneously. The hypervisor strongly isolates each of the qubes from one another.
@ -60,6 +62,7 @@ Two more components are necessary to complete the Qubes OS system:
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware - only the Admin qube can directly access the hard drive and only Service qubes can directly access the networking, USB, microphone and camera hardware.
# When to Use Tails vs Qubes OS
Qubes includes Whonix by default for when you need to force all connections through Tor. As [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) compares (emphasis added):
> Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. **This means that even if the Workstation is compromised by [malware](/glossary/#malware) of some kind, the true IP address remains hidden.**
@ -85,6 +88,7 @@ And to use Tails:
* If the learning curve for Qubes OS is too steep
# Getting Started
Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/qubes-best/#heads-open-source-firmware) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop—we recommend the ThinkPad X230 because the install is less involved than for other models. The X230 is also the only laptop model that is developer-tested, and is easily found in refurbished computer stores for around $200 USD. See the [community-recommended computers](https://forum.qubes-os.org/t/5560) list for several other options, and [Best Practices](#hardware-security) for further discussion of hardware security.
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. Do not set up dual boot - an other OS could be used to compromise Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
@ -100,6 +104,7 @@ In the post-installation:
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin. The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but difficult to orient to for a new user. We'll cover some basics here that aren't already mentioned in the Getting Started link.
# How to Update
On Qubes OS, you should NOT be typing `apt update` or `apt upgrade` from the command line, which you may be used to from other experiences with Linux. As the [docs](https://www.qubes-os.org/doc/how-to-update/) specify, "these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents." The first thing that you'll want to do after connecting to the Internet is to launch Qubes Update. From the docs:
> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
@ -107,6 +112,7 @@ On Qubes OS, you should NOT be typing `apt update` or `apt upgrade` from the com
Updates will take a moment to be detected on a new system, so select "Enable updates...", tick all qubes, and press **Next**. A Whonix window might pop up prompting you to do a command line update, but this can be ignored as it will be resolved by the update. Once Qubes Update is done, reboot.
# How to Copy and Paste Text
Qubes has a special global clipboard to allow you to copy and paste text between qubes.
1. Press **Ctrl+C** to copy text as normal to the internal clipboard of the source App qube.
@ -117,6 +123,7 @@ Qubes has a special global clipboard to allow you to copy and paste text between
It's a little tricky at first, but you'll get the hang of it fast!
# How to Copy and Move Files
A special tool exists for moving files and directories (folders) between qubes that requires explicit user consent. As a rule of thumb, only move files from more trusted qubes to less trusted ones.
From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
@ -130,6 +137,7 @@ From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
>4. If you wish, you may now move the file in the target qube to a different directory and delete the /home/user/QubesIncoming/ directory when no longer needed.
# How to Shutdown Qubes
![](r4.1-widgets.png)
Click on the Domains widget to see which Qubes are currently running, as well as how much memory (RAM) and computing power (CPU) they are using. Each qube uses memory, so when you are done with a qube you should shut it down to free up the memory it is using. Closing windows is not enough - you need to shut each qube down manually when it's no longer needed.
@ -137,6 +145,7 @@ Click on the Domains widget to see which Qubes are currently running, as well as
![](shutdown.png)
# How to Install Software
While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html) for installing any additional software, at this time Qubes OS does not, so new software must be installed from the command line. If unfamilar with either the command line or how software works in Linux, check out [Linux Essentials](/posts/linux/) to get acquainted. For choosing what additional software to install, keep in mind that an application being [open-source](/glossary/#open-source) is an essential criteria, but is insufficient to be considered secure. The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, and all can be browsed through a web browser for [Debian](http://packages.debian.org/) as well as [Fedora](https://packages.fedoraproject.org/), or on the command line.
@ -168,6 +177,7 @@ To return to the example above, I would start a terminal in the `debian-11-docum
You may want to use software that is not present in the Debian/Fedora repositories, which makes matters a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, instead of relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) lays out your options. If the software is available at [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories (such as Signal Desktop), we recommend [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/).
# How to Organize Your Qubes
The next step is to decide how to organize your system - there is much more flexibility in this regard than in a monolithic system like Tails. In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended set-up for the typical user, which can be futher extended as needed.
After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
@ -182,6 +192,8 @@ How the App qubes will be organized, without displaying service qubes or Templat
* **A disposable Debian or Fedora qube**. The default `debian/fedora-dvm` qube (depending on your post-installation decision) is disposable, and is great for web browsing that blocks Tor, such as logging into online banking.
## Creating Qubes
It's possible to just use the system as it is now, but let's show you how to create an App qube and a disposable.
* **A Monero qube**. Lets say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu → Qubes Tools → Create Qubes VM**
@ -202,7 +214,7 @@ It's possible to just use the system as it is now, but let's show you how to cre
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm`
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network, and which is destroyed upon being exited.
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include:
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to create and configure qubes that otherwise require advanced command line use to set up. Available configurations include:
* **Split-gpg**: GPG keys live in an offline qube and their access is tightly controlled
* **Split-ssh**: SSH keys live in an offline qube and their access is tightly controlled
@ -214,11 +226,11 @@ If you want your qubes that are not using Tor to be forced through a VPN, this i
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - if an App qube is close to filling up, the Disk Space Monitor widget will have a notification. To increase the private storage size of any given qube, in the qubes' **Settings → Basic** tab, change "Private storage max size". This storage won't be used immediately, it is just the max that can be used by that qube.
# How to Use Disposables
Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, this can be accomplished from the Qubes Domains widget, in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable.
Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directory. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
![](disposable.png)
In the file manager of an App qube, right-clicking on certain types of files will give the option **Edit In DisposableVM** and **View In DisposableVM**. This is exactly how we want to open any untrusted files stored in our vault qube. It will use the default disposable that we set earlier, which is offline. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. By contrast, viewing in a disposable is read-only, so if the file executes something malicious, it can't write to the App qube you launched it from - this is preferred for files you don't need to edit.
@ -238,6 +250,7 @@ For PDF files, right-clicking will also give the option **Convert To Trusted PDF
Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application → qvm-open-in-dvm**.
# How to Use Devices (like USBs)
To learn how to attach devices, we will format the empty USB or hard drive you will be using for backups. The USB will be attached to an offline disposable to mitigate against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
1. Go to **Applications menu → Disposable: debian-11-offline-dvm → Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings → Applications** tab.
@ -262,6 +275,7 @@ There are command line instructions for setting up an [external keyboard](https:
You don't always need to attach a USB drive to another qube with the Qubes Devices widget - it will also be accessible from sys-usb directly, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without needing to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb - since it's disposable, it does the job of sanitizing for another device.
# How to Backup
As soon as your qubes are organized in the way that you would like, backup your system. Depending on your needs, we recommend making a weekly backup - pick a day of the week and add a reminder on your calendar. We also recommend making a redundant backup which is stored off-site and is synchronized monthly (to protect against data loss from a [house raid](https://www.csrc.link/threat-library/techniques/house-raid.html)).
Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup):
@ -280,6 +294,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
>7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you cant restore your data from it, and you cant be sure that your backup is not corrupted until you try to restore.
# Whonix and Tor
The Whonix project has their own [extensive documentation](https://www.whonix.org/wiki/Documentation), as does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), upon which it is based. When Whonix is used in Qubes OS it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems as well, but it's preferable to use it on Qubes OS due to the superior isolation it provides.
Different applications on a Whonix App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [Stream Isolation](https://www.whonix.org/wiki/Stream_Isolation).
@ -292,6 +307,7 @@ Also worth noting is that "for those who regularly download Internet files, Tor
Tor Browser can't upload files from `/home/user/QubesIncoming/` due to how permissions are set, so move files somewhere in `/home/user/` to upload them, such as the Downloads directory.
# Password Management
Passwords should be managed with KeePassXC from the `vault` App qube. If unfamiliar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This leaves three passwords that must be memorized:
1. [LUKS](/glossary/#luks) password (first boot password)
@ -301,9 +317,11 @@ Passwords should be managed with KeePassXC from the `vault` App qube. If unfamil
For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).
# Windows Qubes
It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), though the installation is a bit involved. This allows programs that are not available for Linux, such as the Adobe Creative Suite programs, to be used from Qubes OS (ideally offline). Installing "cracked" software downloaded from a torrent is not recommended as these are often malicious. The Adobe Creative Suite can be downloaded from Adobe, and then cracked with [GenP](https://www.reddit.com/r/GenP/wiki/redditgenpguides/#wiki_guide_.232_-_dummy_guide_for_first_timers_genp_.28method_1.3A_cc.2Bgenp.29).
# Best Practices
There is a lot more flexibility in how you configure Qubes OS than Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
* Protecting your identity
@ -345,6 +363,7 @@ Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Servic
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template.
## Hardware Security
Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
* **Root of trust**: A secure element to store secrets that can be used as a root of trust during the boot process.
@ -362,6 +381,7 @@ Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the
Qubes OS also applies proper software mitigation to this class of attacks at the level of the hypervisor, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
## OPSEC for Memory Use
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that is no longer receiving microcode updates, the OPSEC suggestion is to limit the presence of secrets in memory that could result in leaks. Every qube that is running is using memory, and a compromised qube could use such vulnerabilities to read and exfiltrate the memory being used by other qubes. Disposables will be reset after being shutdown, so we can assume that their compromise would likely be transient. Perform sensitive operations in qubes with no networking, and shutdown secure qubes when not in use. Pay attention to which qubes are running simultaneously:
* [vault qube](#how-to-organize-your-qubes):
@ -371,9 +391,11 @@ To address "future not-yet-identified vulnerabilities of this kind" on older har
* sys-net: Disposable. Only run when needed, and shutdown when finished. Shutdown when performing sensitive operations in other qubes, as far as possible. Restart before activities which require sys-net (i.e. email, ssh sessions, etc.).
## Remove Passwordless Root
By default, Qubes OS does not require a password for root permissions (in other words, you can run a command with `sudo` without a password). The [docs](https://www.qubes-os.org/doc/vm-sudo/) explain the rationale for this decision. In alignment with the security principle of defense-in-depth, we recommend enabling a password for root permissions. Forcing an adversary to successfully execute privilege escalation can be a mitigating factor, considering the hardening of Kicksecure/Whonix Templates as well as the limited time window provided by disposables.
If you are comfortable with the command line, follow the [docs](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) for replacing passwordless root access with a Dom0 user prompt in Debian/Whonix/Kicksecure Templates.
# Wrapping Up
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend starting to use Qubes OS gradually, where you can progressively do tasks on Qubes OS instead of your previous operating system, because trying to learn everything at once may be overwhelming.