mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-24 23:25:44 -04:00
reformat unnecessary lists
parent
8ae907510f
commit
745de9bf7d
5 changed files with 54 additions and 42 deletions
|
@ -98,7 +98,7 @@ And to use Qubes OS:
|
|||
|
||||
# Getting Started
|
||||
|
||||
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. Check this [hardware compatibility list](https://www.qubes-os.org/hcl/) to see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop. We recommend the ThinkPad X230 because it's the only developer-tested laptop model and it is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and [Best Practices](/posts/qubes/#hardware-security) for further discussion of hardware security.
|
||||
Qubes OS works best on a laptop with a solid state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. Check this [hardware compatibility list](https://www.qubes-os.org/hcl/) to see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/tails-best/#to-mitigate-against-remote-attacks) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep that in mind when buying your laptop. We recommend the ThinkPad X230 because it's the only developer-tested laptop model and it is easily found in refurbished computer stores for around $200 USD. See the list of [community-recommended computers](https://forum.qubes-os.org/t/5560) for some other options, and the [appendix](/posts/qubes/#appendix-hardware-security) for further discussion of hardware security.
|
||||
|
||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
|
||||
|
||||
|
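Review bot: The new link text "the [appendix]" in the Getting Started paragraph is ambiguous, because this commit creates three appendices (Post-installation Decisions, Hardware Security, OPSEC for Memory Use). Name the target in the link text, for example "the [Hardware Security appendix](/posts/qubes/#appendix-hardware-security)", so a reader knows where the link leads before following it.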
@ -108,7 +108,7 @@ After you first boot Qubes OS, there is a post-installation:
|
|||
|
||||
* Check the boxes for Whonix qubes, and for updates to happen over Tor.
|
||||
|
||||
* The post-installation gives the you option to install only Debian or only Fedora Templates (instead of both), and to use the Debian Template for all sys qubes (the default is Fedora). Whether you choose to use Debian or Fedora for qubes that don't require Tor is up to you, but this guide assumes you choose Debian. The Privacy Guides project [argues](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), but also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](/posts/qubes/#post-installation-decisions) for further discussion of this configuration choice.
|
||||
* The post-installation gives the you option to install only Debian or only Fedora Templates (instead of both), and to use the Debian Template for all sys qubes (the default is Fedora). Whether you choose to use Debian or Fedora for qubes that don't require Tor is up to you, but this guide assumes you choose Debian. The Privacy Guides project [argues](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), but also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See the [appendix](/posts/qubes/#appendix-post-installation-decisions) for further discussion of this configuration choice.
|
||||
|
||||
* Make sys-net disposable. If you are using Wi-Fi instead of Ethernet, you will need to re-enter the Wi-Fi password after every boot (you can simply paste it from your password manager).
|
||||
|
||||
|
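Review bot: The changed bullet still carries the typo "The post-installation gives the you option"; since this line is being rewritten anyway, fix it to "gives you the option". The same bullet also links Privacy Guides once as `/os/linux-overview/` and once as `/en/os/linux-overview/`; pick one form. As in the previous hunk, "the [appendix]" would read better with the appendix named.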
@ -361,27 +361,41 @@ It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), a
|
|||
|
||||
Configuring Qubes OS is much more flexible than configuring Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
|
||||
|
||||
* Protecting your identity
|
||||
* [Clean metadata](/posts/metadata/) from files before you share them.
|
||||
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
|
||||
* Limitations of the Tor network
|
||||
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
|
||||
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use.
|
||||
* Reducing risks when using untrusted computers
|
||||
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html).
|
||||
* Only attach USBs and external drives to a qube that is disposable and offline.
|
||||
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
|
||||
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive.
|
||||
* Encryption
|
||||
* Passwords: [See above](/posts/qubes/#password-management)
|
||||
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
|
||||
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/). The Qubes OS documentation can be used to configure [Split-GPG](https://www.qubes-os.org/doc/split-gpg/) — this is an advanced configuration where private GPG keys are stored in an offline qube and access to them is strictly controlled.
|
||||
* Phishing awareness
|
||||
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
|
||||
* Open attachments in a disposable and offline qube.
|
||||
* Open links in a disposable Whonix-Workstation qube.
|
||||
## Protecting your identity
|
||||
|
||||
## Post-installation Decisions
|
||||
* [Clean metadata](/posts/metadata/) from files before you share them.
|
||||
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
|
||||
|
||||
## Limitations of the Tor network
|
||||
|
||||
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
|
||||
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use.
|
||||
|
||||
## Reducing risks when using untrusted computers
|
||||
|
||||
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html).
|
||||
* Only attach USBs and external drives to a qube that is disposable and offline.
|
||||
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
|
||||
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive.
|
||||
|
||||
## Phishing awareness
|
||||
|
||||
* This is where Qubes OS really shines. Awareness is no longer your only defense — Qubes OS is designed to protect against [phishing](/glossary/#phishing) attacks.
|
||||
* Open attachments in a disposable and offline qube.
|
||||
* Open links in a disposable Whonix-Workstation qube.
|
||||
|
||||
## Encryption
|
||||
|
||||
* Passwords: [See above](/posts/qubes/#password-management)
|
||||
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
|
||||
* Encrypted communication: Use [Cwtch](https://cwtch.im/). See [Encrypted Messaging for Anarchists](/posts/e2ee/). The Qubes OS documentation can be used to configure [Split-GPG](https://www.qubes-os.org/doc/split-gpg/) — this is an advanced configuration where private GPG keys are stored in an offline qube and access to them is strictly controlled.
|
||||
|
||||
|
||||
# Wrapping Up
|
||||
|
||||
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend that you start using Qubes OS gradually, as trying to learn everything at once can be overwhelming. But we promise, it's not as complicated as it seems at first!
|
||||
|
||||
# Appendix: Post-installation Decisions
|
||||
|
||||
During the [post-installation of Qubes OS](/posts/qubes/#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure — Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
|
||||
|
||||
|
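Review bot: The section order changes in this conversion: the old nested list ran Encryption and then Phishing awareness, while the new headings put `## Phishing awareness` before `## Encryption`. The unchanged lead-in still says "To summarize, in the order of the Tails article:", so either keep the original order or confirm the new one matches the Tails article. That lead-in also ends in a colon that used to introduce a list and is now followed by headings; a full stop would read better.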
@ -398,7 +412,7 @@ To create a Kicksecure disposable, go to **Applications menu → Qubes Tools →
|
|||
|
||||
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes, set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template.
|
||||
|
||||
## Hardware Security
|
||||
# Appendix: Hardware Security
|
||||
|
||||
Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
|
||||
|
||||
|
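Review bot: Renaming `## Hardware Security` to `# Appendix: Hardware Security` changes the heading's anchor from `#hardware-security` to `#appendix-hardware-security`, and the same applies to the Post-installation Decisions heading. The two in-page links are updated in the earlier hunks, but links from other posts to the old anchors would silently stop resolving; search the rest of the site for `/posts/qubes/#hardware-security` and `/posts/qubes/#post-installation-decisions` before merging.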
@ -416,7 +430,7 @@ Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the
|
|||
|
||||
Qubes OS also applies appropriate software mitigation to this class of attacks at the hypervisor level, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
|
||||
|
||||
## OPSEC for Memory Use
|
||||
# Appendix: OPSEC for Memory Use
|
||||
|
||||
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that no longer receives microcode updates, the operational security (OPSEC) suggestion is to limit the presence of secrets in memory that could lead to leaks. Each running qube uses memory, and a compromised qube could use such vulnerabilities to read and exfiltrate memory used by other qubes. Disposables are reset after they are shut down, so we can assume that their compromise would likely be temporary. Perform sensitive operations in qubes without networking, and shut down secure qubes when not in use. Make sure to always be aware of which qubes are running simultaneously — it is best to only have trusted qubes alongside each other.
|
||||
|
||||
|
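Review bot: With `# Appendix: OPSEC for Memory Use` promoted to a standalone top-level appendix, its opening sentence, which begins 'To address "future not-yet-identified vulnerabilities of this kind"', no longer has a visible antecedent for a reader who lands here directly. The quote and "of this kind" depend on the Hardware Security text that precedes it. Add a short clause that names the class of vulnerability and the source of the quote, or link back to the Hardware Security appendix.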
@ -431,6 +445,3 @@ To address "future not-yet-identified vulnerabilities of this kind" on older har
|
|||
* shut down the vault qube,
|
||||
* unpause the untrusted qube(s), and paste the credential
|
||||
|
||||
# Wrapping Up
|
||||
|
||||
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend that you start using Qubes OS gradually, as trying to learn everything at once can be overwhelming. But we promise, it's not as complicated as it seems at first!
|
||||
|
|