qubes update continued

anarsec 2024-04-19 17:22:22 +00:00
parent 53a6c6296d
commit 9c9e5152ab
No known key found for this signature in database
2 changed files with 36 additions and 41 deletions

@ -65,9 +65,9 @@ Another security feature of the Qubes OS structure is that the App qubes don't h
# When to Use Tails vs. Qubes OS # When to Use Tails vs. Qubes OS
Put simply, Tails is easier to use and better protects against *forensics*, while Qubes OS better protects against malware. Put simply, Tails is easier to use and better protects against *forensics*, while Qubes OS better protects against malware.
Qubes OS includes Whonix by default for when you want to force all connections through Tor (this is referred to as Qubes-Whonix because Whonix can also be used with other virtualization technologies). As compared by [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) (emphasis added): Qubes OS includes Whonix by default, which forces all connections through Tor. As compared by [Privacy Guides](https://www.privacyguides.org/desktop/#anonymity-focused-distributions) (emphasis added):
> Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. **This means that even if the Workstation is compromised by [malware](/glossary/#malware) of some kind, the true IP address remains hidden.** > Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. **This means that even if the Workstation is compromised by [malware](/glossary/#malware) of some kind, the true IP address remains hidden.**
> >
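Review bot: in the rewritten sentence at the top of this hunk, "Qubes OS includes Whonix by default, which forces all connections through Tor" can be read as Qubes OS itself forcing every connection through Tor, while the VPN section of the same file talks about "non-Tor qubes". Suggest scoping it, for example "Qubes OS includes Whonix by default, which forces all connections from Whonix qubes through Tor". The change also drops the definition of "Qubes-Whonix" at this point in the file; the "Whonix and Tor" section still defines it, so check that no use of the term remains before that section.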
@ -94,7 +94,7 @@ And to use Qubes OS:
* As an everyday computer * As an everyday computer
* For sanitizing untrusted files * For sanitizing untrusted files
* For tasks or workflows where Tails is too restrictive * For tasks or workflows where Tails is too restrictive
* For increased security against malware in a project, *if* you will be storing sensitive project data long-term on an encrypted volume anyways, because this long-term storage negates the anti-forensic property of Tails. For example, a project's private PGP key needs to be stored long-term, so the benefit of using Tails is negated but the benefit of using Qubes-Whonix remains (increased security against malware). * For increased security against malware in a project, *if* you will be storing sensitive project data long-term on an encrypted volume anyways, because this long-term storage negates the anti-forensic property of Tails. For example, a project's private PGP key needs to be stored long-term, so the benefit of using Tails is negated but the benefit of using Qubes OS remains (increased security against malware).
# Getting Started # Getting Started
@ -254,7 +254,7 @@ The cloned Template we will need is already configured: `debian-12-documents`. G
Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown. Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network and will be destroyed upon shutdown.
## VPNs ## A VPN Qube
You should configure your non-Tor qubes to be forced through a reputable [VPN](/glossary/#vpn-virtual-private-network) (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/): You should configure your non-Tor qubes to be forced through a reputable [VPN](/glossary/#vpn-virtual-private-network) (RiseupVPN, Mullvad, or IVPN), for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
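Review bot: renaming the heading from `## VPNs` to `## A VPN Qube` changes the anchor generated for this section, and this file links to its own sections by heading anchor (for example `/posts/qubes/#how-to-use-devices-like-usbs`). Search the site for links to the old anchor (presumably `#vpns`) and update them in this commit, or keep the old heading text.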
@ -270,13 +270,13 @@ If a Disposable keeps crashing, try to increase the amount of RAM allocated to i
# How to Use Disposables # How to Use Disposables
Disposables can be launched from the Applications menu, on the Apps tab. For example, to use a disposable Tor Browser, go to **Application Menu: Apps tab → whonix-workstation-17-dvm → Tor Browser**. This is how you do all your Tor browsing. Once you close all the windows of a disposable, the whole disposable is shut down and reset to the state of its Template — any malware that may have been installed is now gone. Disposables can be launched from the Apps tab of the Applications menu. For example, to use a disposable Tor Browser, go to **Application Menu: Apps tab → whonix-workstation-17-dvm → Tor Browser**. This is how you do all your Tor browsing. Once you close all the windows of a disposable, the whole disposable is shut down and reset to the state of its Template — any malware that may have been installed is now gone.
In contrast, an App qube must be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local`, and `/rw/config` directory. The next time an App qube boots, all locations in its file system other than these three directories will reflect the state of its Template. See how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information. In contrast, an App qube must be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local`, and `/rw/config` directory. The next time an App qube boots, all locations in its file system other than these three directories will reflect the state of its Template. See how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
![](/posts/qubes/disposable.png) ![](/posts/qubes/disposable.png)
In the file manager of an App qube, right-clicking on certain fle types gives you the **Edit In DisposableVM** and **View In DisposableVM** options. This is how we want to open any untrusted files. It will use the default disposable that we set earlier, which is offline. As soon as you close the viewing application, the disposable is reverted to its prior state. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. In contrast, viewing in a disposable is read-only, so if the file does something malicious, it can't write to the App qube you launched it from — this is preferable for files you don't need to edit. In the file manager of an App qube, right-clicking on certain file types gives you the **Edit In DisposableVM** and **View In DisposableVM** options. This is how we want to open any untrusted files. It will use the default disposable that we set earlier, which is offline. If you *edit* the file and save the changes, the changed file will be saved back to the original app qube, overwriting the original. In contrast, if you *view* the file, it opens in a disposable that is read-only — this way, if the file does something malicious it can't write to the App qube you launched it from. This is why it is preferable to only view files that you don't need to edit.
If your file opens in an application other than the one you want, you'll need to change the default for the disposable Template: If your file opens in an application other than the one you want, you'll need to change the default for the disposable Template:
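Review bot: in the rewritten **Edit In DisposableVM** / **View In DisposableVM** paragraph, "it opens in a disposable that is read-only" attaches read-only to the disposable, whereas the removed wording attached it to viewing, meaning nothing is written back to the App qube. Suggest something like "if you *view* the file, changes are never saved back to the App qube you launched it from". The new paragraph also drops the statement that the disposable is reverted once the viewing application is closed, and it writes "app qube" once where the rest of the file uses "App qube".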
@ -288,52 +288,50 @@ If your file opens in an application other than the one you want, you'll need to
6. Delete the file from the disposable Template (remember to empty the trash). 6. Delete the file from the disposable Template (remember to empty the trash).
7. Shut down the disposable Template for the change to take effect. 7. Shut down the disposable Template for the change to take effect.
For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. This will sanitize the file so that it can go from untrusted to trusted. It does this by converting it to images in a disposable and wiping the metadata. You can also use disposables to "sanitize" an untrusted file, which means making it trusted. It does this by converting it to images in a disposable and wiping the metadata. For PDF files, right-click and select **Convert To Trusted PDF**, and for image files, right-click and select **Convert To Trusted Img**. See [the guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) to open all file types in a disposable by default.
You can set it up so that certain types of files in an App qube open in a disposable by default. However, setting PDF files to always open in a disposable is not failsafe — some files may have their name end in `.pdf`, but in fact be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd still like to set the default to open only PDF files in a disposable, right-click a PDF file and select **Open With Other Application → qvm-open-in-dvm**.
# How to Use Devices (like USBs) # How to Use Devices (like USBs)
To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB). To learn how to attach devices, let's format the empty USB or hard drive that will be used for backups. Attaching the USB to an offline disposable mitigates against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
1. Go to **Applications menu → Disposable: debian-12-offline-dvm → Disks**. The disposable will have a name with a random number such as disp4653. If Disks does not exist, make the change in the **Settings → Applications** tab. 1. Go to **Applications menu: Apps tab → debian-12-offline-dvm → Disks**. The disposable will have a name with a random number such as disp4653. If Disks is not displayed in the menu, make the change in the **Settings → Applications** tab.
2. The Qubes Devices widget is used to attach a USB drive (or just its partitions) to any qube. Just click on the widget and plug in your USB drive (see the screenshot [above](/posts/qubes/#how-to-shutdown-qubes)). The new entry will be under "Data (Block) Devices", typically `sys-usb:sda` is the one you want (`sda1` is a partition and would need to be mounted manually). Hover over the entry and attach it to the disposable you just started (in the case of the example above, disp4653). 2. The Qubes Devices widget is used to attach a USB drive (or just its partitions) to any qube. Just click on the widget and plug in your USB drive (see the screenshot [above](/posts/qubes/#how-to-shutdown-qubes)). The new entry will be under "Data (Block) Devices", typically `sys-usb:sda` is the one you want (`sda1` is a partition and would need to be mounted manually). Hover over the entry and attach it to the disposable you just started (in the case of the example above, disp4653).
3. The empty USB or hard drive should now appear in the Disks application. Format the empty device, and then create a new encrypted partition [as you would in Tails](/posts/tails/#how-to-create-an-encrypted-usb). You can use the same LUKS password for the backup that you use for your Qubes OS LUKS because you will need to memorize it to restore from backup and it will contain the same data. 3. The empty USB or hard drive should now appear in the Disks application. Format the empty device, and then create a new encrypted partition [as you would in Tails](/posts/tails/#how-to-create-an-encrypted-usb). You can use the same LUKS password that you use for your Qubes OS LUKS because it will need to be reliably memorized to restore a backup (i.e. you may lose access to your KeePassXC file in a scenario where you need your backups) and the USB will contain the same data as your Qubes OS drive.
4. Before removing the USB drive, first eject it using the Qubes Devices widget, which will eject it from the qube. Then go to **Applications menu → sys-usb → Files** and select "Safely Remove Drive" to eject it from the computer. 4. Before removing the USB drive, first eject it using the Qubes Devices widget, which will eject it from the qube. Then go to **Applications menu → sys-usb → Files** and select "Safely Remove Drive" to eject it from the computer. After the USB is ejected, restart sys-usb to take advantage of it being disposable.
Webcams and microphones are considered devices and must be attached to an App qube to be used. Cameras and microphones are considered devices and must be attached to an App qube to be used.
There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) — we recommend configuring a confirmation prompt. We also recommend enabling a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller). There are command line instructions for setting up an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice) — if you decide to use these, we recommend configuring a confirmation prompt, and storing both in a [tamper-evident manner](/posts/tamper). We also recommend enabling a USB keyboard [on a dedicated USB controller](https://www.qubes-os.org/doc/usb-qubes/#qubes-41-how-to-enable-a-usb-keyboard-on-a-separate-usb-controller).
You don't always need to attach a USB drive to another qube with the Qubes Devices widget — external devices are also accessible directly from sys-usb, through the File Manager. You can [copy specific files](/posts/qubes/#how-to-copy-and-move-files) between the USB and another App qube without having to attach the USB controller to the App qube. After the USB is ejected, restart sys-usb to take advantage of it being disposable. You don't always need to attach a USB drive to another qube with the Qubes Devices widget — external devices are also accessible directly from sys-usb, through the File Manager. You can [copy specific files](/posts/qubes/#how-to-copy-and-move-files) between the USB and another App qube without having to attach the USB controller to the App qube.
# How to Backup # How to Backup
Once your qubes are organized the way you want them, you should back up your system. Depending on your needs, we recommend a weekly backup. We also recommend making a redundant backup that you store off-site and synchronize monthly (to protect against data loss in a [house raid](https://notrace.how/threat-library/techniques/house-raid.html)). Once your qubes are organized the way you want them, you should back up your system. Depending on your needs, we recommend a weekly backup. We also recommend making a redundant backup that you store off-site and synchronize monthly (to protect against data loss in a [house raid](https://notrace.how/threat-library/techniques/house-raid.html)). You can simply have two backup USBs that you switch out at the off-site location (rather than bringing a backup USB home to update it monthly, which leaves you vulnerable to having no off-site backups during this time window).
Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup): Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup):
>1. Go to **Applications menu → Qubes Tools → Backup Qubes**. >1. Go to **Applications menu → Qubes Tools → Backup Qubes**.
> >
>2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next. >2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. We recommend selecting any App qubes with irreplaceable data, and documenting how you have configured your Templates, Service qubes and dom0 so that you don't need to back them up. Once you have selected all desired VMs, click Next.
> >
>3. Go to **Applications menu → Disposable: debian-12-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be saving your backup to and attach it to the qube ([see above for instructions on creating and attaching this drive](/posts/qubes/#how-to-use-devices-like-usbs)). The drive should now be displayed at **Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in the LUKS partition called `backups`. >3. Go to **Applications menu: Apps tab → debian-12-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or external drive you will be saving your backup to and attach it to the qube ([see above for instructions on creating and attaching this drive](/posts/qubes/#how-to-use-devices-like-usbs)). The drive should now be displayed at **Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in the LUKS partition called `backups`.
> >
>4. In Backup Qubes, select the destination for the backup: >4. In Backup Qubes, select the destination for the backup:
>* **Target qube**: select the disposable, named something like disp1217. >* **Target qube**: select the disposable, named something like disp1217.
>* **Backup directory**: click **...** to select the newly created folder `backups`. >* **Backup directory**: click **...** to select the newly created folder `backups`.
>5. Set an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager. >5. Enter an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager.
>6. Untick "Save settings as default backup profile", and press **Next**. >6. Untick "Save settings as default backup profile", and press **Next**.
>7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you cant restore your data from it, and you cant be sure that your backup is uncorrupted until you successfully restore. >7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you cant restore your data from it. You can also verify that a backup is not [silently corrupted](https://github.com/QubesOS/qubes-issues/issues/6386) by actually restoring it — first rename the App qube you will restore to avoid confusion.
# Whonix and Tor # Whonix and Tor
The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides. The Whonix project has its own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), on which Whonix is based. When Whonix is used in Qubes OS, it is referred to as Qubes-Whonix. Whonix can be used on other operating systems, but it's preferable to use it on Qubes OS because of the superior isolation it provides.
[Multiple default applications](https://www.whonix.org/wiki/Stream_Isolation#List) on a Whonix-Workstation App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated — this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation). Multiple default applications on a Whonix-Workstation App qube are [configured to use unique circuits](https://www.whonix.org/wiki/Stream_Isolation#List) of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated — this is called [stream isolation](https://www.whonix.org/wiki/Stream_Isolation).
To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](/posts/qubes/#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time: To take advantage of compartmentalization, create separate Whonix-Workstation App qubes for distinct activities/identities, as we did [above](/posts/qubes/#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice not to use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) at the same time:
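Review bot: the rewritten sanitizing paragraph (the one starting "You can also use disposables to "sanitize" an untrusted file") removes the caveat that a file whose name ends in `.pdf` may in fact be something else, which was the stated reason for opening all file types in a disposable; the new text only links to the guide without saying why. Suggest keeping one sentence of that reasoning next to the link. In the same paragraph, "It does this by converting it to images" no longer has a clear subject now that the **Convert To Trusted PDF** sentence comes after it, and the reworded step 7 still has "cant" for "can't".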
@ -341,9 +339,9 @@ To take advantage of compartmentalization, create separate Whonix-Workstation Ap
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory. Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting. Like any software, the Tor Browser has vulnerabilities that can be exploited — various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Whonix up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template — the disposable Template will be updated automatically. Occasionally, Tor Browser will notify you that a new version is available before it can be updated by using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template — the disposable Template will be updated automatically.
# Password Management # Password Management
@ -357,23 +355,23 @@ Shutdown Qubes OS whenever you are away from the computer for more than a few mi
# Windows Qubes # Windows Qubes
It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), although the installation is a bit involved. This allows programs not available for Linux, such as the Adobe Creative Suite programs, to be used from Qubes OS (ideally offline). Installing "cracked" software downloaded from a torrent is not recommended, as these files are often malicious. The Adobe Creative Suite can be downloaded from Adobe and then cracked using [GenP](https://www.reddit.com/r/GenP/wiki/redditgenpguides/#wiki_guide_.232_-_dummy_guide_for_first_timers_genp_.28method_1.3A_cc.2Bgenp.29). It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), although the installation is a bit involved. This allows programs not available for Linux, such as the Adobe Creative Suite programs, to be used from Qubes OS (ideally offline). Installing "cracked" software downloaded from a torrent is not recommended, as these files are often malicious. The Adobe Creative Suite can be downloaded from Adobe and then cracked using [GenP](https://www.reddit.com/r/GenP/wiki/redditgenpguides/).
# Best Practices # Best Practices
Configuring Qubes OS is much more flexible than configuring Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article: Configuring Qubes OS is much more flexible than configuring Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
* Protecting your identity * Protecting your identity
* Still [clean metadata](/posts/metadata/) from files before you share them. * [Clean metadata](/posts/metadata/) from files before you share them.
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube. * Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
* Limitations of the Tor network * Limitations of the Tor network
* For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail). * For sensitive activities, don't use Internet connections that could deanonymize you, and prioritize .onion links when available. BusKill is also [available for Qubes OS](https://www.buskill.in/qubes-os/) (and we recommend not obtaining it through the mail).
* If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further discussion of deciding what Internet to use. * If you might be a target for physical surveillance, consider doing [surveillance detection](https://notrace.how/threat-library/mitigations/surveillance-detection.html) and [anti-surveillance](https://notrace.how/threat-library/mitigations/anti-surveillance.html) before going to a cafe to use the Internet. Alternatively, use a Wi-Fi antenna from indoors. See the Tails article for further advice on deciding what Internet to use.
* Reducing risks when using untrusted computers * Reducing risks when using untrusted computers
* The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html). * The [verification stage](https://www.qubes-os.org/security/verifying-signatures/) of the Qubes OS installation is equivalent to the [GnuPG verification of Tails](https://tails.net/install/expert/index.en.html).
* Only attach USBs and external drives to a qube that is disposable and offline. * Only attach USBs and external drives to a qube that is disposable and offline.
* To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/). * To mitigate physical attacks on the computer, buy a dedicated laptop from a refurbished store, make the laptop screws [tamper-evident, and use tamper-evident storage](/posts/tamper/).
* To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive (and App qubes don't have write access to their templates). * To mitigate remote attacks on the computer, you can use anonymous Wi-Fi. You can also replace the BIOS with [HEADS](/posts/tails-best/#to-mitigate-against-remote-attacks), though this is advanced. Unlike for Tails, it's not possible to remove the hard drive because it is used by the operating system. Qubes OS already isolates the Bluetooth interface, camera, and microphone. USBs with secure firmware are less important thanks to the isolation provided by sys-usb, and a USB with a physical write-protect switch is unnecessary because the operating system files are stored on the hard drive.
* Encryption * Encryption
* Passwords: [See above](/posts/qubes/#password-management) * Passwords: [See above](/posts/qubes/#password-management)
* Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense. * Encrypted containers: Gocryptfs works the same way, and is useful for a second layer of defense.
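Review bot: in the "To mitigate remote attacks on the computer" bullet, the change removes "(and App qubes don't have write access to their templates)", leaving "because the operating system files are stored on the hard drive" as the only reason a USB with a write-protect switch is unnecessary. Where the files are stored does not by itself say who can modify them; the removed clause carried that argument. Suggest keeping it, or replacing it with an equally specific statement about Template isolation.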
@ -387,19 +385,18 @@ Configuring Qubes OS is much more flexible than configuring Tails, but most of t
During the [post-installation of Qubes OS](/posts/qubes/#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure — Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora. During the [post-installation of Qubes OS](/posts/qubes/#getting-started), you have the option to install only Debian or only Fedora Templates (instead of both). You also have the option to use the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates and convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will be either Whonix or Kicksecure — Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template — follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable: Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template, clone the Debian Template — follow the [Kicksecure documentation for "distribution morphing" on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend using disposable qubes whenever possible when connecting to the Internet.
* Go to **Applications menu → Qubes Tools → Create Qubes VM** To create a Kicksecure disposable, go to **Applications menu → Qubes Tools → Create Qubes VM**:
* Name: kicksecure-17-dvm
* Color: purple
* Type: AppVM
* Template: kicksecure-17
* Networking: default (sys-firewall)
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable at the top of the Applications Menu — make sure you are working in the disposable, not the disposable Template.
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes: * **Name**: kicksecure-17-dvm
* **Color**: purple
* **Type**: AppVM
* **Template**: kicksecure-17
* **Networking**: default (sys-firewall)
* In the new qubes' **Settings → Advanced** tab, under "Other", check "Disposable Template", then press **OK**. You will now see the disposable in the Apps tab of the Applications Menu. Make sure you are not working in the disposable Template (the same name in the Templates tab of the Applications menu).
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template. Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If you set all sys qubes to use the Debian Template during the Qubes OS installation, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-12-dvm`. If you want to use disposable Kicksecure for sys qubes, set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-17-dvm` Template.
## Hardware Security ## Hardware Security
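Review bot: The rewritten sys qubes paragraph says Kicksecure is "considered untested" for sys qubes and then, in the same paragraph, tells the reader to set `sys-net`, `sys-firewall`, and `sys-usb` to the `kicksecure-17-dvm` Template, without saying what the reader gives up by doing so or where the Template setting is changed. Folding the former bullet into the end of the paragraph also makes the step easier to miss; suggest keeping it as its own step and stating the trade-off next to it. Two smaller points in the same hunk: "In the new qubes' **Settings → Advanced** tab" should read "qube's", and the reworded bullet uses both "Applications Menu" and "Applications menu".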

View file

@ -22,9 +22,7 @@ We agree with the conclusion of an overview of [targeted surveillance measures i
>**[Operating system](/glossary#operating-system-os)**: **Qubes OS** has better security than Tails for many use cases, but has a steeper learning curve and no anti-forensic features. However, it is accessible enough for journalists and other non-technical users. Basic knowledge of using Linux is required — see [Linux Essentials](/posts/linux). Qubes OS can even run Windows programs such as Adobe InDesign, but much more securely than a standard Windows computer. See [Qubes OS for Anarchists](/posts/qubes/). >**[Operating system](/glossary#operating-system-os)**: **Qubes OS** has better security than Tails for many use cases, but has a steeper learning curve and no anti-forensic features. However, it is accessible enough for journalists and other non-technical users. Basic knowledge of using Linux is required — see [Linux Essentials](/posts/linux). Qubes OS can even run Windows programs such as Adobe InDesign, but much more securely than a standard Windows computer. See [Qubes OS for Anarchists](/posts/qubes/).
See [When to Use Tails vs. Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os) See [When to Use Tails vs. Qubes OS](/posts/qubes/#when-to-use-tails-vs-qubes-os). We do not offer "harm reduction" advice for Windows or macOS computers, as this is already widespread and gives a false sense of privacy and security.
We do not offer "harm reduction" advice for Windows or macOS computers, as this is already widespread and gives a false sense of privacy and security. If you need to use one of these operating systems, see The Hitchhikers Guide to Online Anonymity for tutorials on [Windows](https://anonymousplanet.org/guide.html#windows-host-os) and [macOS](https://anonymousplanet.org/guide.html#macos-host-os).
## Encrypted Messaging ## Encrypted Messaging
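Review bot: The merged paragraph removes the sentence pointing to The Hitchhiker's Guide to Online Anonymity for Windows and macOS, so a reader who has to use one of those systems is now told only that such advice "gives a false sense of privacy and security" and is given nowhere to go. If the link was dropped deliberately, the commit message ("qubes update continued") should say why. The merge also joins the "See [When to Use Tails vs. Qubes OS]" cross-reference and the Windows/macOS statement into one paragraph although they are separate points; suggest keeping them as separate paragraphs.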