qubes update

This commit is contained in:
anarsec 2024-04-18 21:40:16 +00:00
parent beb42f8cf7
commit 53a6c6296d
No known key found for this signature in database
2 changed files with 61 additions and 46 deletions


@ -13,7 +13,7 @@ dateedit=2024-04-07
a4="qubes-a4.pdf"
letter="qubes-letter.pdf"
+++
Qubes OS is a security-oriented [operating system](/glossary#operating-system-os) (OS), which means it is an operating system designed from the ground up to be more difficult to hack. This is achieved through [compartmentalization](https://www.qubes-os.org/faq/#how-does-qubes-os-provide-security), where the base system is divided into compartments called "qubes". All other Linux systems like [Tails](/tags/tails/) are *monolithic*, which means that if a hack succeeds anywhere on the system, it can more easily take over. In Qubes OS, if one qube is compromised, the others remain safe. You can think of using Qubes OS as having many different computers on your desk, each for a different activity, but with the convenience of a single physical machine and a set of tools for securely using them all together as a unified system.
Qubes OS is a security-oriented [operating system](/glossary#operating-system-os) (OS), which means it is an operating system designed from the ground up to be more difficult to hack. This is achieved through [compartmentalization](https://www.qubes-os.org/faq/#how-does-qubes-os-provide-security), where the base system is divided into compartments called "qubes". All other Linux systems like [Tails](/tags/tails/) are *monolithic*, which means that they are not compartmentalized, so if a hack succeeds anywhere on the system, it can more easily take over. In Qubes OS, if one qube is compromised, the others remain safe. You can think of using Qubes OS as having many different computers on your desk, each for a different activity, but with the convenience of a single physical machine and a set of tools for securely using them all together as a unified system.
<!-- more -->
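Review bot: L17 keeps two absolutes that sit awkwardly next to the new "they are not compartmentalized" clause: "All other Linux systems like Tails are *monolithic*" and "if one qube is compromised, the others remain safe." Consider "Most other Linux systems" and "the others remain isolated", since the same file later warns that a compromised Template affects every App qube based on it, so "safe" promises more than the architecture delivers.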
@ -21,7 +21,7 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne
# Who is Qubes OS For?
Given that anarchists are [regularly targeted](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](/posts/qubes/#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
Given that anarchists are [regularly targeted](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. We recommend Qubes OS for everyday use, and [below](/posts/qubes/#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS in more detail — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://notrace.how/threat-library/techniques/network-mapping.html) — knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
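Review bot: L22 drops the `[recommends](/recommendations)` link along with the "AnarSec" wording, and that link was the paragraph's only pointer to the page that actually states the recommendation; keep it, e.g. `We [recommend](/recommendations) Qubes OS for everyday use`. Minor: "customize your set up" uses the noun, so "setup".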
@ -48,7 +48,7 @@ Ignore the greyed-out parts of the diagram for now. Daily use of Qubes OS primar
You'll notice that App qube #1 is connected to the Internet, App qube #2 is offline, while App qube #3 is connected to the Internet via Tor and is Disposable. Note that Whonix is actually split between two qubes: the workstation (App qube #3) and the gateway (sys-whonix). This has the security property that if the workstation qube is compromised, the gateway qube (where Tor runs) is not.
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails uses only memory (when the Persistent Storage feature is not enabled), Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer — a Disposable isn't intended to be anti-forensic, it's intended to reset a qube in case it is compromised by malware.
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails uses only memory (when the Persistent Storage feature is not enabled), Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer. A Disposable isn't intended to be anti-forensic, it's intended to reset a qube in case it is compromised by malware.
## Management Qubes
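Review bot: L27's sentence "Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer" can be read as saying those traces sit in the clear, while the "When to Use Tails vs. Qubes OS" section of the same file makes the point that such data is only reachable by bypassing Full Disk Encryption. A short qualifier here, such as "(on the encrypted disk, see below)", would keep the two passages consistent.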
@ -65,9 +65,9 @@ Another security feature of the Qubes OS structure is that the App qubes don't h
# When to Use Tails vs. Qubes OS
Put simply, Tails is easier to use and better protects against *forensics*, while Qubes-Whonix better protects against malware.
Put simply, Tails is easier to use and better protects against *forensics*, while Qubes OS better protects against malware.
Qubes OS includes Whonix by default (Qubes-Whonix) for when you want to force all connections through Tor. As compared by [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) (emphasis added):
Qubes OS includes Whonix by default for when you want to force all connections through Tor (this is referred to as Qubes-Whonix because Whonix can also be used with other virtualization technologies). As compared by [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) (emphasis added):
> Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. **This means that even if the Workstation is compromised by [malware](/glossary/#malware) of some kind, the true IP address remains hidden.**
>
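Review bot: L32 changes the first sentence from "Qubes-Whonix" to "Qubes OS", but the Privacy Guides quote introduced by L34 argues the malware point specifically for the Whonix Workstation/Gateway split (true IP stays hidden if the Workstation is compromised), which is narrower than "Qubes OS better protects against malware". Either keep "Qubes-Whonix" in L32 or add a clause saying that Qubes OS compartmentalizes malware per qube in general, with the Whonix quote covering the Tor case.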
@ -75,9 +75,11 @@ Qubes OS includes Whonix by default (Qubes-Whonix) for when you want to force al
>
>Whonix virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data between reboots.
For more information on how Whonix compares to Tails against different types of deanonymization attacks, see the [Whonix documentation](https://www.whonix.org/wiki/Comparison_with_Others#Circumventing_Proxy_Obedience_Design).
For more information on how Whonix compares to Tails in regards to different types of deanonymization attacks, see the [Whonix documentation](https://www.whonix.org/wiki/Comparison_with_Others#Circumventing_Proxy_Obedience_Design).
In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by seizing the computer when it is turned on, or cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** — this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.
In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** — this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.
Keep in mind that with Tails it is easy to destroy an encrypted USB you no longer need in order to revert to a blank slate of "no trace", but the equivalent with Qubes OS requires destroying the hard drive.
Our recommendation is to use Tails:
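Review bot: L44 (moved up from after the recommendations) states that the Qubes OS equivalent of destroying a USB "requires destroying the hard drive", immediately after L43 has established that the data is only reachable by bypassing Full Disk Encryption. If the authors consider reinstalling with a fresh passphrase (which replaces the disk encryption key) an insufficient way back to "no trace", the text should say why; otherwise "destroying the hard drive" overstates what is needed.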
@ -94,11 +96,9 @@ And to use Qubes OS:
* For tasks or workflows where Tails is too restrictive
* For increased security against malware in a project, *if* you will be storing sensitive project data long-term on an encrypted volume anyways, because this long-term storage negates the anti-forensic property of Tails. For example, a project's private PGP key needs to be stored long-term, so the benefit of using Tails is negated but the benefit of using Qubes-Whonix remains (increased security against malware).
Keep in mind that with Tails it is easy to destroy an encrypted USB you no longer need in order to revert to a blank slate of "no trace", but the equivalent with Qubes OS requires destroying the hard drive.
# Getting Started
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. Check this [hardware compatibility list](https://www.qubes-os.org/hcl/) to see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop. We recommend the ThinkPad X230 because it's the only developer-tested laptop model and is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](/posts/qubes/#hardware-security) for further discussion of hardware security.
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. Check this [hardware compatibility list](https://www.qubes-os.org/hcl/) to see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop. We recommend the ThinkPad X230 because it's the only developer-tested laptop model and it is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](/posts/qubes/#hardware-security) for further discussion of hardware security.
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
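Review bot: L52 only inserts "it", but the parenthetical "(SSD, which is faster than a hard disk drive, or HDD)" is hard to parse because "or HDD" dangles; suggest "a solid state drive (SSD) rather than a hard disk drive (HDD)". Also "16GB" should be "16 GB" for consistency with the rest of the page's spacing of units.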
@ -108,9 +108,9 @@ After you first boot Qubes OS, there is a post-installation:
* Check the boxes for Whonix qubes, and for updates to happen over Tor.
* The post-installation gives the you option to install only Debian or only Fedora Templates (instead of both), and to use the Debian Template for all sys qubes (the default is Fedora). Whether you choose to use Debian or Fedora for qubes that don't require Tor is up to you. The Privacy Guides project [argue](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), but also recommend [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](/posts/qubes/#post-installation-decisions) for further discussion of this configuration choice.
* The post-installation gives the you option to install only Debian or only Fedora Templates (instead of both), and to use the Debian Template for all sys qubes (the default is Fedora). Whether you choose to use Debian or Fedora for qubes that don't require Tor is up to you, but this guide assumes you choose Debian. The Privacy Guides project [argues](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), but also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](/posts/qubes/#post-installation-decisions) for further discussion of this configuration choice.
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot.
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot (you can simply paste it from your password manager).
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin — stop here to read it! The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but can be difficult for a new user to navigate. We'll go over some basics here that aren't already covered on the Getting Started page.
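Review bot: "gives the you option" on L57 is a typo carried over unchanged from L56; it should be "gives you the option". The new clause "this guide assumes you choose Debian" is a good addition because the later examples (`debian-12-documents`, `debian-12-offline-dvm`) only exist for the Debian choice.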
@ -157,14 +157,14 @@ Click on the Domains widget to see which Qubes are currently running and how muc
# How to Install Software
While Tails [has a Graphical User Interface](https://tails.net/doc/persistent_storage/additional_software/index.en.html) (GUI) for installing additional software, Qubes OS does not at this time, so new software must be installed from the command line. If you are unfamiliar with the command line or how software works in Linux, see [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that being [open-source](/glossary/#open-source) is an essential criteria, but not sufficient to be considered secure. The list of [included software for Tails](https://tails.net/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
While Tails can install additional software through [a Graphical User Interface](https://tails.net/doc/persistent_storage/additional_software/index.en.html) (GUI, the "point and click" alternative to the [Command Line Interface](/glossary/#command-line-interface-cli)), Qubes OS cannot at this time, so new software must be installed from the command line. If you are unfamiliar with the command line or how software works in Linux, see [Linux Essentials](/posts/linux/) to get acquainted. When choosing what additional software to install, keep in mind that being [open-source](/glossary/#open-source) is an essential criteria, but not sufficient to be considered secure. The list of [included software for Tails](https://tails.net/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or on the command line.
It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, to avoid unnecessarily increasing the attack surface of all App qubes based on the default Template. The basic formula is:
1) Clone Template
2) Install additional packages on the cloned Template
2) Install additional packages in the cloned Template
3) Create an App qube based on the cloned Template
4) Optional: Make this App qube a disposable
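Review bot: L64 still reads "being open-source is an essential criteria"; the singular is "criterion". Small style point on the same hunk: the "GUI, the 'point and click' alternative to the Command Line Interface" aside is long for a parenthetical and would read better as its own sentence.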
@ -192,63 +192,78 @@ Remember that you should not run `apt update` or `dnf update`.
Returning to the example above, I start a terminal in the `debian-12-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk — you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) — if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk — you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). Basically, deb and rpm files are installed into Templates as you would expect, while AppImages, Snaps and Flatpaks are installed into App qubes.
If the software is available as a Flatpak on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) — if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
# How to Organize Your Qubes
The next step is to decide how to organize your system — the options are much more flexible in Qubes OS than in a monolithic system like Tails (and more prone to user error). In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended setup for the typical user, which can be tweaked as needed.
After installation, a number of qubes will already exist by default. Click on the Applications Menu to see them all. We are going to delete the following default App qubes because they connect to the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
After installation, a number of qubes will already exist by default. Click on the Applications Menu to see them all. We are going to delete the following default App qubes because they connect to the Internet without being disposable: `anon-whonix`, `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
How the App qubes will be organized, without displaying service qubes or Templates:
This is how the App qubes will be organized, without displaying service qubes or Templates:
![](/posts/qubes/diagram.png)
* **A vault qube**. This is used for all data storage because you don't need internet to store files. This qube can be reassigned to the `debian-12-documents` Template so that trusted files can be opened there.
* **A disposable Whonix-Workstation qube (`whonix-workstation-17-dvm`)**.
* [Remember](/posts/qubes/#general-usage) Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway — all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
* Disposables appear in Applications Menu in a way that can be confusing. You will see two entries for this qube: the **whonix-workstation-17-dvm** entry in the Apps menu, which is where you launch applications from, and the **whonix-workstation-17-dvm** entry in the Templates menu, which is the Template for the disposable (do not use applications from here).
* [Remember](/posts/qubes/#general-usage) that Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway — all your activity takes place in an App qube using the Whonix-Workstation Template. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
* Disposables appear in the Applications Menu in a way that can be confusing. You will see two entries for this qube: the **whonix-workstation-17-dvm** entry in the Apps menu, which is where you launch applications from, and the **whonix-workstation-17-dvm** entry in the Templates menu, which is the Template for the disposable (do not use applications from here).
* You can think of a disposable Whonix-Workstation qube as similar to Tails: system-wide Tor, and deletion after shutdown (without the anti-forensics property, as noted above).
* Do not customize the disposable Template at all to resist fingerprinting.
* **A disposable Debian or Fedora qube**. The default `debian/fedora-dvm` qube (depending on your post-installation decision) is disposable, and is great for web browsing that blocks Tor, such as logging into online banking.
* **A disposable Debian or Fedora qube**. The default `debian/fedora-dvm` qube (depending on your post-installation decision) is disposable, and it is great for web browsing that blocks Tor, such as logging into online banking.
## Creating Qubes
If you wanted, you could use the system as is, but let's create an App qube and a disposable so that you have more options.
* **A Monero qube**. Say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize this activity. Go to **Applications menu → Qubes Tools → Create Qubes VM**
* **Name**: Project-monero
* **Color**: Yellow
* **Type**: AppVM
* **Template**: whonix-workstation-17
* **Networking**: sys-whonix
* Now that the qube exists, [install the Monero wallet into the App qube](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). Then, in the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
* This App qube is not made disposable — we prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
### An App qube for Monero
* **An offline disposable qube**. At the moment, both disposables are networked (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
* **Name**: debian-12-offline-dvm
* **Color**: Black
* **Type**: AppVM
* **Template**: debian-12-documents
* **Networking**: none
* You can also use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable at the top of the Applications Menu — make sure you are working in the disposable, not the disposable Template.
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
Say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize this activity.
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface for creating and configuring qubes that would otherwise require advanced command line configuration. Available configurations include:
Go to **Applications menu → Qubes Tools → Create Qubes VM**:
* **Split-GPG**: GPG keys live in an offline qube and access to them is strictly controlled
* **Split-SSH**: SSH keys live in an offline qube and access to them is strictly controlled
* **Mullvad-VPN**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the few reputable VPN companies — they accept cryptocurrency and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
* **sys-VPN**: A VPN qube that uses the OpenVPN protocol
* **split-XMR**: The Monero wallet lives in an offline qube and access to it is strictly controlled.
* **Name**: Project-monero
* **Color**: Yellow
* **Type**: AppVM
* **Template**: whonix-workstation-17
* **Networking**: sys-whonix
* Now that the qube exists, install the Monero wallet into the App qube, following the [instructions for "Kicksecure-Qubes App qube"](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube).
* In the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
You should configure your non-Tor qubes to be forced through a VPN (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
This App qube is not disposable. We prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
Note that we don't need to clone the Template because the Monero wallet is a Flatpak, so it is installed into the App qube, not into the Template.
### A disposable that is offline
At the moment, both disposables are networked (with and without Tor). To finish, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents).
The cloned Template we will need is already configured: `debian-12-documents`. Go to **Applications menu → Qubes Tools → Create Qubes VM**:
* **Name**: debian-12-offline-dvm
* **Color**: Black
* **Type**: AppVM
* **Template**: debian-12-documents
* **Networking**: none
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable in the Apps tab of the Applications Menu. Make sure you are not working in the disposable Template (the same name in the Templates tab of the Applications menu).
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
## VPNs
You should configure your non-Tor qubes to be forced through a reputable [VPN](/glossary/#vpn-virtual-private-network) (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
There are guides for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/), [Mullvad without the app](https://forum.qubes-os.org/t/tutorial-4-2-4-1-mullvad-wireguard-with-qubes/21172), and [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804).
## Additional Settings
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly — when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
If a Disposable keeps crashing, try to increase the amount of RAM allocated to it: go to the disposable Template's **Settings → Advanced** tab and increase the "Initial memory" and "Max memory".
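Review bot: L141 sets the default disposable Template to `debian-12-offline-dvm`, but Qubes also uses the default disposable for the "Open in disposable" actions on links and files from other qubes, so after this step a link opened that way lands in a qube with no network; L142 only describes the document case. Either state that trade-off or keep the networked disposable as the default and choose the offline one explicitly for documents. Separately, the Qubes Task Manager list (Split-GPG, Split-SSH, Mullvad-VPN, sys-VPN, split-XMR) is removed with only Split-GPG resurfacing in the last hunk; if the tool is no longer recommended, a sentence saying so would help readers of the previous version. Typo: "the qubes' **Settings**" on L140 and L148 should be "the qube's".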
@ -362,7 +377,7 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t
* Encryption
* Passwords: [See above](/posts/qubes/#password-management)
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/).
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/). The Qubes OS documentation can be used to configure [Split-GPG](https://www.qubes-os.org/doc/split-gpg/) — this is an advanced configuration where private GPG keys are stored in an offline qube and access to them is strictly controlled.
* Phishing awareness
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
* Open attachments in a disposable and offline qube.
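Review bot: L155 appends the Split-GPG sentence to the "Encrypted communication: Use Cwtch" bullet, where it reads as though Split-GPG were a Cwtch setting; it is about keeping private keys in an offline qube, so give it its own sub-bullet under "Encryption" (e.g. "Key isolation: ...") and leave the Cwtch line as it was.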