mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-08 14:52:54 -04:00
qubes templates names update
parent
b8508f7f77
commit
1fc0ee894f
4 changed files with 21 additions and 21 deletions
Binary file not shown.
Before Width: | Height: | Size: 51 KiB After Width: | Height: | Size: 45 KiB |
|
@ -168,7 +168,7 @@ It is best not to install additional software into the default Template, but rat
|
|||
3) Create an App qube based on the cloned Template
|
||||
4) Optional: Make this App qube a disposable
|
||||
|
||||
For example, to install packages for working with documents, which are not included by default in `debian-11`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`.
|
||||
For example, to install packages for working with documents, which are not included by default in `debian-12`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-12` and select "Clone qube". Name the new Template `debian-12-documents`.
|
||||
|
||||
To install new software, as described in the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories):
|
||||
|
||||
|
@ -190,7 +190,7 @@ To install new software, as described in the [docs](https://www.qubes-os.org/doc
|
|||
|
||||
Remember that you should not run `apt update` or `dnf update`.
|
||||
|
||||
Returning to the example above, I start a terminal in the `debian-11-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
||||
Returning to the example above, I start a terminal in the `debian-12-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
||||
|
||||
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) - if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
||||
|
||||
|
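Review bot: The rewritten "Returning to the example above" line still mixes tenses ("I start a terminal ... and then run", then "Once the installation was complete, I shut down", then "I could then create"). Since the line is being touched anyway, put it in one tense, for example "Once the installation is complete, I shut down the Template. I can then create or assign an App qube".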
@ -204,11 +204,11 @@ How the App qubes will be organized, without displaying service qubes or Templat
|
|||
|
||||

|
||||
|
||||
* **A vault qube**. This is used for all data storage because you don't need internet to store files. This qube can be reassigned to the `debian-11-documents` Template so that trusted files can be opened there.
|
||||
* **A vault qube**. This is used for all data storage because you don't need internet to store files. This qube can be reassigned to the `debian-12-documents` Template so that trusted files can be opened there.
|
||||
|
||||
* **A disposable Whonix-Workstation qube (`whonix-ws-16-dvm`)**.
|
||||
* [Remember](#general-usage) - Whonix works by using the Whonix-Workstation Template (`whonix-ws-16`) for the App qube, and the Whonix-Gateway Template (`whonix-gw-16`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway - all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
|
||||
* Disposables appear in Applications Menu in a way that can be confusing. You will see two entries for this qube: the **Disposable: whonix-ws-16-dvm** entry, which is where you launch applications from, and the **Template (disp): whonix-ws-16-dvm** entry which is the Template for the disposable (do not use applications from here).
|
||||
* **A disposable Whonix-Workstation qube (`whonix-workstation-17-dvm`)**.
|
||||
* [Remember](#general-usage) - Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway - all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
|
||||
* Disposables appear in Applications Menu in a way that can be confusing. You will see two entries for this qube: the **whonix-workstation-17-dvm** entry in the Apps menu, which is where you launch applications from, and the **whonix-workstation-17-dvm** entry in the Templates menu, which is the Template for the disposable (do not use applications from here).
|
||||
* You can think of a disposable Whonix-Workstation qube as similar to Tails: system-wide Tor, and deletion after shutdown (without the anti-forensics property, as noted above).
|
||||
* Do not customize the disposable Template at all to resist fingerprinting.
|
||||
|
||||
|
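Review bot: In the rewritten "Disposables appear in Applications Menu" bullet, both entries now carry the identical bold label `whonix-workstation-17-dvm` and are told apart only by "the Apps menu" and "the Templates menu", terms that are not introduced anywhere in the visible text, which otherwise speaks of the "Applications Menu". Say what these two are relative to the Applications Menu (and settle on one capitalisation), otherwise the sentence that is meant to remove confusion relies on undefined names.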
@ -222,19 +222,19 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
|||
* **Name**: Project-monero
|
||||
* **Color**: Yellow
|
||||
* **Type**: AppVM
|
||||
* **Template**: whonix-ws-16
|
||||
* **Template**: whonix-workstation-17
|
||||
* **Networking**: sys-whonix
|
||||
* Now that the qube exists, [install the Monero wallet into the App qube](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). Then, in the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
|
||||
* This App qube is not made disposable - we prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
|
||||
|
||||
* **An offline disposable qube**. At the moment, both disposables are networked (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
|
||||
* **Name**: debian-11-offline-dvm
|
||||
* **Name**: debian-12-offline-dvm
|
||||
* **Color**: Black
|
||||
* **Type**: AppVM
|
||||
* **Template**: debian-11-documents
|
||||
* **Template**: debian-12-documents
|
||||
* **Networking**: none
|
||||
* You can also use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable at the top of the Applications Menu - make sure you are working in the disposable, not the disposable Template.
|
||||
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm`
|
||||
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
|
||||
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
|
||||
|
||||
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface for creating and configuring qubes that would otherwise require advanced command line configuration. Available configurations include:
|
||||
|
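Review bot: Two small wording slips sit in the context lines next to the renamed values in the offline disposable block and could be fixed in the same pass: "In the new qubes' **Settings → Advanced** tab" should read "qube's", and "it will be in an empty Qube" capitalises "qube" unlike the rest of the list. The same "new qubes'" wording appears again in the Kicksecure disposable steps further down.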
@ -267,7 +267,7 @@ In the file manager of an App qube, right-clicking on certain fle types gives yo
|
|||
|
||||
If your file opens in an application other than the one you want, you'll need to change the default for the disposable Template:
|
||||
|
||||
1. Send a file of this type to your disposable Template (in our case, `debian-11-offline-dvm`).
|
||||
1. Send a file of this type to your disposable Template (in our case, `debian-12-offline-dvm`).
|
||||
2. Open the file manager for the disposable Template.
|
||||
3. Select the file, right click and select **Properties**.
|
||||
4. In the **Open With** tab, select your preferred application for this file type.
|
||||
|
@ -283,7 +283,7 @@ You can set it up so that certain types of files in an App qube open in a dispos
|
|||
|
||||
To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
|
||||
|
||||
1. Go to **Applications menu → Disposable: debian-11-offline-dvm → Disks**. The disposable will have a name with a random number such as disp4653. If Disks does not exist, make the change in the **Settings → Applications** tab.
|
||||
1. Go to **Applications menu → Disposable: debian-12-offline-dvm → Disks**. The disposable will have a name with a random number such as disp4653. If Disks does not exist, make the change in the **Settings → Applications** tab.
|
||||
|
||||
2. The Qubes Devices widget is used to attach a USB drive (or just its partitions) to any qube. Just click on the widget and plug in your USB drive (see the screenshot [above](#how-to-shutdown-qubes)). The new entry will be under "Data (Block) Devices", typically `sys-usb:sda` is the one you want (`sda1` is a partition and would need to be mounted manually). Hover over the entry and attach it to the disposable you just started (in the case of the example above, disp4653).
|
||||
|
||||
|
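Review bot: Step 1 still gives the menu path as "Applications menu → Disposable: debian-12-offline-dvm → Disks", but the Whonix bullet changed earlier in this commit drops the "Disposable:" and "Template (disp):" prefixes and describes the entries as living in an Apps menu and a Templates menu. If the menu layout changed, this path (and the identical one in step 3 of the backup instructions) should be updated to match; if it did not, the Whonix bullet should keep the prefixes. As committed, the two descriptions contradict each other.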
@ -307,7 +307,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
|
|||
>
|
||||
>2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next.
|
||||
>
|
||||
>3. Go to **Applications menu → Disposable: debian-11-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be saving your backup to and attach it to the qube ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in the LUKS partition called `backups`.
|
||||
>3. Go to **Applications menu → Disposable: debian-12-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be saving your backup to and attach it to the qube ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in the LUKS partition called `backups`.
|
||||
>
|
||||
>4. In Backup Qubes, select the destination for the backup:
|
||||
>* **Target qube**: select the disposable, named something like disp1217.
|
||||
|
@ -330,7 +330,7 @@ Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due t
|
|||
|
||||
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||
|
||||
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-ws-16`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template - the disposable Template will be updated automatically.
|
||||
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template - the disposable Template will be updated automatically.
|
||||
|
||||
# Password Management
|
||||
|
||||
|
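Review bot: The context paragraph directly above the changed line says "it's important to keep Tails up to date", yet this section is about Tor Browser in the Whonix-Workstation Template and the Qubes Update tool. That reads like a leftover from the Tails guide; since the adjacent line is being edited, check whether it should refer to Whonix or Qubes OS instead.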
@ -377,16 +377,16 @@ During the [post-installation of Qubes OS](#getting-started), you have the optio
|
|||
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
|
||||
|
||||
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
|
||||
* Name: kicksecure-16-dvm
|
||||
* Name: kicksecure-17-dvm
|
||||
* Color: purple
|
||||
* Type: AppVM
|
||||
* Template: kicksecure-16
|
||||
* Template: kicksecure-17
|
||||
* Networking: default (sys-firewall)
|
||||
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable at the top of the Applications Menu - make sure you are working in the disposable, not the disposable Template.
|
||||
|
||||
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-11-dvm`. If you want to use disposable Kicksecure for sys qubes:
|
||||
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes:
|
||||
|
||||
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template.
|
||||
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template.
|
||||
|
||||
## Hardware Security
|
||||
|
||||
|
|
|
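Review bot: The steps now reference a Template called `kicksecure-17`, but the paragraph above says Kicksecure is not available as a Template and has to be produced by cloning the Debian Template and morphing it, without ever telling the reader what to name the clone. Add the name to that instruction (for example "clone the Debian Template and name it `kicksecure-17`") so the "Template: kicksecure-17" and `kicksecure-17-dvm` values resolve to something the reader has actually created.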
@ -208,7 +208,7 @@ Our recommendations are:
|
|||
|
||||
> **Tip**
|
||||
>
|
||||
> Diceware passphrases can be easy to forget if you have several to keep track of, especially if you use them infrequently. To reduce the risk of forgetting a diceware passphrase, you can create a KeePassXC file with all "memorized" passphrases in it. Store this on a LUKS USB, and hide that USB somewhere off-site where it won't be recovered in a police raid. You should be able to reconstruct both the LUKS and KeePassXC passphrases if a lot of time has passed. One strategy is to use a memorable sentence from a book - this reduction in password entropy is acceptable if the USB is highly unlikely to ever be recovered due to its storage location. That way, if you ever really forget a "memorized" passphrase, you can access that offsite backup. As with all important backups, you should have at least two.
|
||||
> Diceware passphrases can be easy to forget if you have several to keep track of, especially if you use them infrequently. To reduce the risk of forgetting a diceware passphrase, you can store all "memorized" passphrases on a LUKS USB that you create using Tails, which is hidden somewhere off-site where it won't be recovered during a police raid. You should be able to reconstruct the LUKS passphrase if a lot of time has passed. See the [No Trace Project](https://www.notrace.how/threat-library/mitigations/digital-best-practices.html) for two different approaches you can take: one relies on a trusted comrade, and the other is self-sufficient. As with all important backups, you should have at least two.
|
||||
|
||||
For Tails, you need to memorize two passphrases:
|
||||
|
||||
|
|
|
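Review bot: This hunk rewrites the diceware tip (it drops the KeePassXC file and the "memorable sentence" strategy and adds a No Trace Project link), which is a content change that the commit subject "qubes templates names update" does not cover. Split it into its own commit or mention it in the message. In the new wording, "a LUKS USB that you create using Tails, which is hidden somewhere off-site" attaches "which is hidden" to Tails rather than to the USB, and "if a lot of time has passed" presumably means "even if a lot of time has passed".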
@ -123,9 +123,9 @@
|
|||
<footer class="footer py-4">
|
||||
<div class="content has-text-centered has-text-link-light">
|
||||
<p>
|
||||
<a href="http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/anarsec/anarsec.guide/-/blob/no-masters/CHANGELOG.md">Changelog </a>
|
||||
<a class="has-text-black" href="http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/anarsec/anarsec.guide/-/blob/no-masters/CHANGELOG.md">Changelog </a>
|
||||
<a href="/atom.xml" target="_blank">
|
||||
<span class="icon is-large" title="RSS Feed">
|
||||
<span class="icon is-large has-text-black" title="RSS Feed">
|
||||
<i class="fas fa-rss fa-lg"></i>
|
||||
</span>
|
||||
</a>
|
||||
|
|
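Review bot: The `has-text-black` class is added to the `<a>` element for the Changelog link but to the inner `<span class="icon is-large">` for the RSS link, so the two footer links are styled at different levels. Apply it at the same level for both (on the anchors, or once on a shared wrapper). This is also a styling change unrelated to the template renames in the commit subject.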