mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-28 09:04:24 -04:00
standardize em dashes
parent
d6f4ad9d2e
commit
5d9796b043
12 changed files with 98 additions and 98 deletions
|
@ -21,9 +21,9 @@ Qubes OS can be configured to force all Internet connections through the [Tor ne
|
|||
|
||||
# Who is Qubes OS For?
|
||||
|
||||
Given that anarchists are [regularly targeted](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS - both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
|
||||
Given that anarchists are [regularly targeted](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/malware.html) for hacking in repressive investigations, Qubes OS is an excellent choice for us. AnarSec [recommends](/recommendations) Qubes OS for everyday use, and [below](#when-to-use-tails-vs-qubes-os) we compare when it is appropriate to use Tails vs. Qubes OS — both have unique strengths. While Tails is so easy to use that you don't even need to know anything about Linux, Qubes OS is a bit more involved, but still designed to be accessible to users with limited technical know-how, like journalists. This guide is labelled as "intermediate", though if you need to extensively customize your set up or troubleshoot something, it is more likely to be "advanced".
|
||||
|
||||
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html) - knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
|
||||
Even if you don't do anything directly incriminating on the computer you use every day, if it were compromised, this would still give investigators a field day for [network mapping](https://www.notrace.how/threat-library/techniques/network-mapping.html) — knowing who you talk to and what you talk to them about, what projects you are involved in, what websites you read, etc. Most anarchists use everyday computers for some anarchist projects and to communicate with other comrades, so making our personal computers difficult to hack is an important baseline for all anarchists. That said, the time investment to learn Qubes OS isn't for everyone. For those with limited energy to put towards increased anonymity and security, Tails is much more straightforward.
|
||||
|
||||
# How Does Qubes OS Work?
|
||||
|
||||
|
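Review bot: In the first changed paragraph ("Given that anarchists are ..."), the noun is still written as two words in "customize your set up". Since the line is already being touched for punctuation, it could be corrected to "setup" in the same pass. The dash replacements themselves read correctly in both paragraphs of this hunk.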
@ -48,7 +48,7 @@ Ignore the greyed-out parts of the diagram for now. Daily use of Qubes OS primar
|
|||
|
||||
You'll notice that App qube #1 is connected to the Internet, App qube #2 is offline, while App qube #3 is connected to the Internet via Tor and is Disposable. Note that Whonix is actually split between two qubes: the workstation (App qube #3) and the gateway (sys-whonix). This has the security property that if the workstation qube is compromised, the gateway qube (where Tor runs) is not.
|
||||
|
||||
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails uses only memory (when the Persistent Storage feature is not enabled), Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer - a Disposable isn't intended to be anti-forensic, it's intended to reset a qube in case it is compromised by malware.
|
||||
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails uses only memory (when the Persistent Storage feature is not enabled), Qubes OS uses the hard drive, so a Disposable qube will leave forensic traces on your computer — a Disposable isn't intended to be anti-forensic, it's intended to reset a qube in case it is compromised by malware.
|
||||
|
||||
|
||||
## Management Qubes
|
||||
|
@ -59,9 +59,9 @@ Two more components are needed to complete the Qubes OS system:
|
|||
|
||||
* **Admin qube**. This is the small, isolated and trusted qube that manages the other qubes. It's very protected because if it's compromised, it's game over. It uses a technology called Xen as the hypervisor. It is also called dom0, which is a Xen naming convention. The Admin qube has no network connectivity and is only used to run the [desktop environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window manager](https://en.wikipedia.org/wiki/Window_manager).
|
||||
|
||||
* **Template qubes**. These are where applications and operating system files live and where you install and update software. Each App qube is based on a Template qube, and the App qube can only read from the Template, not write to it. This means that the more sensitive system files are protected from whatever happens in an App qube - they are not retained between App qube restarts. Multiple App qubes can be based on a single Template, which has the convenient feature that updating one Template will update all App qubes based on that Template.
|
||||
* **Template qubes**. These are where applications and operating system files live and where you install and update software. Each App qube is based on a Template qube, and the App qube can only read from the Template, not write to it. This means that the more sensitive system files are protected from whatever happens in an App qube — they are not retained between App qube restarts. Multiple App qubes can be based on a single Template, which has the convenient feature that updating one Template will update all App qubes based on that Template.
|
||||
|
||||
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware - only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's not possible to compromise the hardware from a compromised App qube.
|
||||
Another security feature of the Qubes OS structure is that the App qubes don't have direct access to the hardware — only the Admin qube can directly access the hard drive and only the Service qubes can directly access the networking, USB, microphone and camera hardware. This means that it's not possible to compromise the hardware from a compromised App qube.
|
||||
|
||||
# When to Use Tails vs. Qubes OS
|
||||
|
||||
|
@ -77,7 +77,7 @@ Qubes OS includes Whonix by default (Qubes-Whonix) for when you want to force al
|
|||
|
||||
For more information on how Whonix compares to Tails against different types of deanonymization attacks, see the [Whonix documentation](https://www.whonix.org/wiki/Comparison_with_Others#Circumventing_Proxy_Obedience_Design).
|
||||
|
||||
In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by seizing the computer when it is turned on, or cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** - this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.
|
||||
In order to recover data from a Qubes OS system when it is turned off, an adversary would still need to successfully [bypass](https://www.notrace.how/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) the [Full Disk Encryption](/glossary#full-disk-encryption-fde) (e.g. by seizing the computer when it is turned on, or cracking a weak password). In order to recover data from a Tails system when it is turned off, **the situation is the same if any data is saved to Persistent Storage or an encrypted USB** — this saved data is no longer protected by anti-forensic features but by Full Disk Encryption.
|
||||
|
||||
Our recommendation is to use Tails:
|
||||
|
||||
|
@ -102,7 +102,7 @@ Qubes OS works best on a laptop with a solid state drive (SSD, which is faster t
|
|||
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
|
||||
|
||||
[Do not set up "dual boot"](https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) - another operating system could be used to compromise Qubes OS.
|
||||
[Do not set up "dual boot"](https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) — another operating system could be used to compromise Qubes OS.
|
||||
|
||||
After you first boot Qubes OS, there is a post-installation:
|
||||
|
||||
|
@ -112,7 +112,7 @@ After you first boot Qubes OS, there is a post-installation:
|
|||
|
||||
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot.
|
||||
|
||||
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin - stop here to read it! The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but can be difficult for a new user to navigate. We'll go over some basics here that aren't already covered on the Getting Started page.
|
||||
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin — stop here to read it! The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but can be difficult for a new user to navigate. We'll go over some basics here that aren't already covered on the Getting Started page.
|
||||
|
||||
# How to Update
|
||||
|
||||
|
@ -151,7 +151,7 @@ From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
|
|||
|
||||

|
||||
|
||||
Click on the Domains widget to see which Qubes are currently running and how much memory (RAM) and processing power (CPU) they are using. Each qube uses memory, so when you are done with a qube, you should shut it down to free up the memory it is using. Closing windows isn't enough - you need to shut down the qube when you're done with it.
|
||||
Click on the Domains widget to see which Qubes are currently running and how much memory (RAM) and processing power (CPU) they are using. Each qube uses memory, so when you are done with a qube, you should shut it down to free up the memory it is using. Closing windows isn't enough — you need to shut down the qube when you're done with it.
|
||||
|
||||

|
||||
|
||||
|
@ -192,11 +192,11 @@ Remember that you should not run `apt update` or `dnf update`.
|
|||
|
||||
Returning to the example above, I start a terminal in the `debian-12-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
||||
|
||||
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) - if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
||||
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk — you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) — if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
||||
|
||||
# How to Organize Your Qubes
|
||||
|
||||
The next step is to decide how to organize your system - the options are much more flexible in Qubes OS than in a monolithic system like Tails (and more prone to user error). In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended setup for the typical user, which can be tweaked as needed.
|
||||
The next step is to decide how to organize your system — the options are much more flexible in Qubes OS than in a monolithic system like Tails (and more prone to user error). In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended setup for the typical user, which can be tweaked as needed.
|
||||
|
||||
After installation, a number of qubes will already exist by default. Click on the Applications Menu to see them all. We are going to delete the following default App qubes because they connect to the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
|
||||
|
||||
|
@ -207,7 +207,7 @@ How the App qubes will be organized, without displaying service qubes or Templat
|
|||
* **A vault qube**. This is used for all data storage because you don't need internet to store files. This qube can be reassigned to the `debian-12-documents` Template so that trusted files can be opened there.
|
||||
|
||||
* **A disposable Whonix-Workstation qube (`whonix-workstation-17-dvm`)**.
|
||||
* [Remember](#general-usage) - Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway - all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
|
||||
* [Remember](#general-usage) — Whonix works by using the Whonix-Workstation Template (`whonix-workstation-17`) for the App qube, and the Whonix-Gateway Template (`whonix-gateway-17`) for a separate Service qube called `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never touch the Whonix-Gateway — all your activity takes place in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
|
||||
* Disposables appear in Applications Menu in a way that can be confusing. You will see two entries for this qube: the **whonix-workstation-17-dvm** entry in the Apps menu, which is where you launch applications from, and the **whonix-workstation-17-dvm** entry in the Templates menu, which is the Template for the disposable (do not use applications from here).
|
||||
* You can think of a disposable Whonix-Workstation qube as similar to Tails: system-wide Tor, and deletion after shutdown (without the anti-forensics property, as noted above).
|
||||
* Do not customize the disposable Template at all to resist fingerprinting.
|
||||
|
@ -225,7 +225,7 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
|||
* **Template**: whonix-workstation-17
|
||||
* **Networking**: sys-whonix
|
||||
* Now that the qube exists, [install the Monero wallet into the App qube](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). Then, in the **Settings → Applications** tab, move Monero Wallet to the Selected column and press **OK**. The shortcut will now appear in the Applications Menu.
|
||||
* This App qube is not made disposable - we prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
|
||||
* This App qube is not made disposable — we prefer all networked qubes to be disposable, but a simple setup requires data persistence for the wallet to work properly.
|
||||
|
||||
* **An offline disposable qube**. At the moment, both disposables are networked (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
|
||||
* **Name**: debian-12-offline-dvm
|
||||
|
@ -233,7 +233,7 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
|||
* **Type**: AppVM
|
||||
* **Template**: debian-12-documents
|
||||
* **Networking**: none
|
||||
* You can also use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable at the top of the Applications Menu - make sure you are working in the disposable, not the disposable Template.
|
||||
* You can also use Fedora. In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the offline disposable at the top of the Applications Menu — make sure you are working in the disposable, not the disposable Template.
|
||||
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-12-offline-dvm`
|
||||
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
|
||||
|
||||
|
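Review bot: The changed bullet still reads "In the new qubes' **Settings → Advanced** tab", where the possessive refers to the single qube that was just created, so it should be "qube's". As the line is being rewritten anyway, fixing it here avoids a second pass over the same text.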
@ -241,15 +241,15 @@ If you wanted, you could use the system as is, but let's create an App qube and
|
|||
|
||||
* **Split-GPG**: GPG keys live in an offline qube and access to them is strictly controlled
|
||||
* **Split-SSH**: SSH keys live in an offline qube and access to them is strictly controlled
|
||||
* **Mullvad-VPN**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the few reputable VPN companies - they accept cryptocurrency and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
|
||||
* **Mullvad-VPN**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the few reputable VPN companies — they accept cryptocurrency and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
|
||||
* **sys-VPN**: A VPN qube that uses the OpenVPN protocol
|
||||
* **split-XMR**: The Monero wallet lives in an offline qube and access to it is strictly controlled.
|
||||
|
||||
You should configure your non-Tor qubes to be forced through a VPN (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
|
||||
|
||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks – especially those targeting messaging apps – more difficult to perform and less effective.
|
||||
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
|
||||
|
||||
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
||||
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly — when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
||||
|
||||
If a Disposable keeps crashing, try to increase the amount of RAM allocated to it: go to the disposable Template's **Settings → Advanced** tab and increase the "Initial memory" and "Max memory".
|
||||
|
||||
|
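Review bot: The replacement inside the `>` block quote changes the wording of a passage attributed to the Security Lab. The removed line used spaced en dashes around "especially those targeting messaging apps" and the added line substitutes em dashes. Quoted text is normally left as the source punctuated it, so consider excluding this line from the mechanical replacement, or check it against the linked article before merging. The storage paragraph in the same hunk also keeps "the qubes' **Settings → Basic** tab", which should be "qube's".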
@ -257,13 +257,13 @@ If a Disposable keeps crashing, try to increase the amount of RAM allocated to i
|
|||
|
||||
Disposables can be launched from the Applications menu: the disposable is at the top, and the disposable Template is near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all your Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, you can do so from the Qubes Domains widget in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would launch another disposable.
|
||||
|
||||
Once you close all the windows of a disposable, the whole disposable is shut down and reset to the state of its Template - any malware that may have been installed is now gone.
|
||||
Once you close all the windows of a disposable, the whole disposable is shut down and reset to the state of its Template — any malware that may have been installed is now gone.
|
||||
|
||||
In contrast, an App qube must be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local`, and `/rw/config` directory. The next time an App qube boots, all locations in its file system other than these three directories will reflect the state of its Template. See how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
|
||||
|
||||

|
||||
|
||||
In the file manager of an App qube, right-clicking on certain fle types gives you the **Edit In DisposableVM** and **View In DisposableVM** options. This is how we want to open any untrusted files. It will use the default disposable that we set earlier, which is offline. As soon as you close the viewing application, the disposable is reverted to its prior state. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. In contrast, viewing in a disposable is read-only, so if the file does something malicious, it can't write to the App qube you launched it from - this is preferable for files you don't need to edit.
|
||||
In the file manager of an App qube, right-clicking on certain fle types gives you the **Edit In DisposableVM** and **View In DisposableVM** options. This is how we want to open any untrusted files. It will use the default disposable that we set earlier, which is offline. As soon as you close the viewing application, the disposable is reverted to its prior state. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. In contrast, viewing in a disposable is read-only, so if the file does something malicious, it can't write to the App qube you launched it from — this is preferable for files you don't need to edit.
|
||||
|
||||
If your file opens in an application other than the one you want, you'll need to change the default for the disposable Template:
|
||||
|
||||
|
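Review bot: The file-manager paragraph still contains the typo "fle types" on both the removed and the added line, so it survives this change; it should read "file types". Separately, the unchanged context line at the top of the hunk names the disposable as `whonix-16-ws-dvm`, while the qube organization section of the same page uses `whonix-workstation-17-dvm`. That is outside the scope of a punctuation commit but worth a follow-up so the menu path matches what readers will see.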
@ -277,7 +277,7 @@ If your file opens in an application other than the one you want, you'll need to
|
|||
|
||||
For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. This will sanitize the file so that it can go from untrusted to trusted. It does this by converting it to images in a disposable and wiping the metadata.
|
||||
|
||||
You can set it up so that certain types of files in an App qube open in a disposable by default. However, setting PDF files to always open in a disposable is not failsafe - some files may have their name end in `.pdf`, but in fact be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd still like to set the default to open only PDF files in a disposable, right-click a PDF file and select **Open With Other Application → qvm-open-in-dvm**.
|
||||
You can set it up so that certain types of files in an App qube open in a disposable by default. However, setting PDF files to always open in a disposable is not failsafe — some files may have their name end in `.pdf`, but in fact be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd still like to set the default to open only PDF files in a disposable, right-click a PDF file and select **Open With Other Application → qvm-open-in-dvm**.
|
||||
|
||||
# How to Use Devices (like USBs)
|
||||
|
||||
|
@ -293,9 +293,9 @@ To learn how to attach devices, let's format the empty USB or hard drive that wi
|
|||
|
||||
Webcams and microphones are considered devices and must be attached to an App qube to be used.
|
||||
|
||||
There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) - we recommend configuring a confirmation prompt. We also recommend enabling a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller).
|
||||
There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) — we recommend configuring a confirmation prompt. We also recommend enabling a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller).
|
||||
|
||||
You don't always need to attach a USB drive to another qube with the Qubes Devices widget - external devices are also accessible directly from sys-usb, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without having to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb to take advantage of it being disposable.
|
||||
You don't always need to attach a USB drive to another qube with the Qubes Devices widget — external devices are also accessible directly from sys-usb, through the File Manager. You can [copy specific files](#how-to-copy-and-move-files) between the USB and another App qube without having to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb to take advantage of it being disposable.
|
||||
|
||||
# How to Backup
|
||||
|
||||
|
@ -320,7 +320,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
|
|||
|
||||
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides.
|
||||
|
||||
[Multiple default applications](https://www.whonix.org/wiki/Stream_Isolation#List) on a Whonix-Workstation App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
|
||||
[Multiple default applications](https://www.whonix.org/wiki/Stream_Isolation#List) on a Whonix-Workstation App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated — this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
|
||||
|
||||
To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time:
|
||||
|
||||
|
@ -328,9 +328,9 @@ To take advantage of compartmentalization, create separate Whonix-Workstation Ap
|
|||
|
||||
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
||||
|
||||
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||
|
||||
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template - the disposable Template will be updated automatically.
|
||||
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template — the disposable Template will be updated automatically.
|
||||
|
||||
# Password Management
|
||||
|
||||
|
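Review bot: In the Tor Browser exploit paragraph that this hunk edits, "it's important to keep Tails up to date" looks like a carry-over from the Tails guide. The surrounding lines are about Tor Browser in a Whonix-Workstation qube, updated through the Qubes Update tool or the Tor Browser Downloader in `whonix-workstation-17`. Since the sentence is being touched anyway, consider naming the Whonix-Workstation Template there so the update advice matches the system the reader is actually running.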
@ -366,15 +366,15 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t
|
|||
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
|
||||
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/).
|
||||
* Phishing awareness
|
||||
* This is where Qubes OS really shines. Awareness is no longer your only defense - Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
|
||||
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
|
||||
* Open attachments in a disposable and offline qube.
|
||||
* Open links in a disposable Whonix-Workstation qube.
|
||||
|
||||
## Post-installation Decisions
|
||||
|
||||
During the [post-installation of Qubes OS](#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
|
||||
During the [post-installation of Qubes OS](#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure — Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
|
||||
|
||||
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
|
||||
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template — follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
|
||||
|
||||
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
|
||||
* Name: kicksecure-17-dvm
|
||||
|
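Review bot: In the Kicksecure paragraph changed here, "can now use the Kicksecure template instead of the Debian Template" mixes lowercase "template" with the capitalized "Template" used everywhere else in the hunk. Worth normalizing in the same pass, since this commit is about typographic consistency. Separately, the first Kicksecure link in the preceding paragraph goes to privacyguides.org while the later ones go to kicksecure.com; if that is not deliberate, point it at the project's own page.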
@ -382,7 +382,7 @@ Kicksecure is not currently [available as a Template](https://www.kicksecure.com
|
|||
* Type: AppVM
|
||||
* Template: kicksecure-17
|
||||
* Networking: default (sys-firewall)
|
||||
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable at the top of the Applications Menu - make sure you are working in the disposable, not the disposable Template.
|
||||
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable at the top of the Applications Menu — make sure you are working in the disposable, not the disposable Template.
|
||||
|
||||
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes:
|
||||
|
||||
|
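Review bot: In the Settings bullet, "In the new qubes' **Settings → Advanced** tab" uses a plural possessive, but the preceding steps create a single qube (`kicksecure-17-dvm`), so it should read "the new qube's". The line is already modified for the dash, so the fix can ride along in this commit.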
@ -400,15 +400,15 @@ Hardware security is a nuanced subject, with three prominent factors at play for
|
|||
|
||||
Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the **ThinkPad X230** and **ThinkPad T430** strike a relatively unique balance because they both use the [Ivy generation](https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)) of CPUs and are both compatible with Heads:
|
||||
|
||||
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process - the Thinkpad X230 and T430 have TPM v1.1.
|
||||
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process — the Thinkpad X230 and T430 have TPM v1.1.
|
||||
* **Blobs**: There are no binary blobs on these models after Heads is installed, except for the Intel Management Engine (which can be neutered) and the Ethernet blob (which can be generated).
|
||||
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this generation of CPUs](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with different extensions that are vulnerable to new attack vectors - the Ivy generation is not affected by these.
|
||||
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this generation of CPUs](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with different extensions that are vulnerable to new attack vectors — the Ivy generation is not affected by these.
|
||||
|
||||
Qubes OS also applies appropriate software mitigation to this class of attacks at the hypervisor level, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
|
||||
|
||||
## OPSEC for Memory Use
|
||||
|
||||
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Make sure to always be aware of which qubes are running simultaneously - it is best to only have trusted qubes alongside each other.
|
||||
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Make sure to always be aware of which qubes are running simultaneously — it is best to only have trusted qubes alongside each other.
|
||||
|
||||
* sys-usb: Disposable. Run only when needed, and shut down when finished. Restart after using an untrusted USB device.
|
||||
* sys-net: Disposable. Run only when needed, and shut down when finished. Shut down when performing sensitive operations in other qubes, if possible. Restart before compartmentalized activities that require high security.
|
||||
|
|
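Review bot: In the Root of trust bullet, "the Thinkpad X230 and T430" does not match the "ThinkPad X230" and "ThinkPad T430" spelling in the paragraph directly above it. Capitalize the P in the changed line so the model names are consistent within the section.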