mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-25 07:35:32 -04:00
md formatting
This commit is contained in:
parent
0dc607247e
commit
b6bbc36b6f
8 changed files with 141 additions and 79 deletions
@ -31,9 +31,9 @@ What is a virtual machine? [Virtualization](/glossary/#virtualization) is the pr
At the risk of overwhelming you, here is an overview of how Qubes OS is structured. You don't need to memorize any of this to actually use Qubes OS, it can just be helpful to understand the outline of the system before getting started. Each rectangle represents a qube (that is, a virtual machine). Let's break it down.
#### General Usage
## General Usage


For now, ignore the greyed-out sections of the diagram. Daily use of Qubes OS primarily involves interaction with two components:
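Review bot: promoting `#### General Usage` to `## General Usage` fixes the level jump (the page's sections are `#`, so a `####` subsection skipped two levels). While here, check the diagram that sits between the heading and "For now, ignore the greyed-out sections of the diagram": the lines where it should be render as empty in this view, so confirm the image line still carries alt text describing the qube layout.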
@ -47,9 +47,9 @@ You'll notice that App qube #1 is connected to the Internet, App qube #2 is offl
A Disposable qube is a type of App qube that self-destructs when its originating window closes. Note that while Tails exclusively uses memory (if the Persistent Storage feature is not enabled), Qubes OS uses the hard drive so forensic traces are still possible when using a Disposable.
#### Management Qubes
## Management Qubes


Two more components are necessary to complete the Qubes OS system:
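Review bot: same level fix as for General Usage, fine. One wording point in the context line above: "Qubes OS uses the hard drive so forensic traces are still possible when using a Disposable" reads as if traces are recoverable regardless of disk encryption; suggest "so forensic traces on the encrypted disk are still possible", which matches the later paragraph stating that recovering them still requires bypassing Full Disk Encryption.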
@ -71,11 +71,13 @@ Qubes includes Whonix by default for when you need to force all connections thro
For data to be recovered from a Qubes OS system, the [Full Disk Encryption](/glossary#full-disk-encryption-fde) would still need to be successfully [bypassed](https://www.csrc.link/threat-library/techniques/targeted-digital-surveillance/authentication-bypass.html) (such as by seizing the computer when it is turned on, or the use of a weak password). If the Tails Persistent Storage feature is in use, any data that is configured to persist faces the same issue.
Our recommendation is to use Qubes OS:
* As a daily-use computer
* For opening untrusted files or links. Many anarchist projects require this, such as website moderation, publications, etc.
* For tasks or workflows where Tails is too limiting or not applicable
And to use Tails:
* For writing and submitting communiques
* For action research
* For provisioning and connecting to hacking infrastructure
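Review bot: the glossary link in the first context line, `/glossary#full-disk-encryption-fde`, lacks the trailing slash used by every other glossary link on the page (`/glossary/#command-line-interface-cli`, `/glossary/#luks`); since this is a formatting commit, normalise it here, because a host that redirects `/glossary` to `/glossary/` can drop the fragment. The blank lines now separating "Our recommendation is to use Qubes OS:" and "And to use Tails:" from their bullet lists are the right fix for renderers that need a blank line before a list.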
@ -88,6 +90,7 @@ Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. Do not set up dual boot - an other OS could be used to compromise Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
In the post-installation:
* Tick the checkmark for Whonix qubes, as well as for updates to happen over Tor.
* The post-installation gives the option of installing exclusively Debian or Fedora Templates (instead of both), as well as using the Debian Template for all sys qubes (the default is Fedora). Whether you opt to use Debian or Fedora for qubes that don't require Tor is your decision. Privacy Guides [makes the argument](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), yet also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](#post-installation-decisions) for further discussion of this configuration choice.
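Review bot: two typos in the first context line are worth folding into this formatting commit: "an other OS" should be "another OS" and "walk you though it" should be "walk you through it". The two Privacy Guides links in the last bullet also use different paths (`/os/linux-overview/` versus `/en/os/linux-overview/`); pick one so both resolve the same way.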
@ -119,19 +122,19 @@ A special tool exists for moving files and directories (folders) between qubes t
From the [docs](https://www.qubes-os.org/doc/how-to-copy-and-move-files/):
>1. Open a file manager in the qube containing the file you wish to copy (the source qube), right-click on the file you wish to copy or move, and select **Copy to Other AppVM**... or **Move to Other AppVM**....


>2. A dialog box will appear in dom0 asking for the name of the target qube (qube B). Enter or select the desired destination qube name.


>3. If the target qube is not already running, it will be started automatically, and the file will be copied there. It will show up in this directory (which will automatically be created if it does not already exist): `/home/user/QubesIncoming/<source_qube>/<filename>`. If you selected Move rather than Copy, the original file in the source qube will be deleted. (Moving a file is equivalent to copying the file, then deleting the original.)
>
>4. If you wish, you may now move the file in the target qube to a different directory and delete the /home/user/QubesIncoming/ directory when no longer needed.
# How to Shutdown Qubes


Click on the Domains widget to see which Qubes are currently running, as well as how much memory (RAM) and computing power (CPU) they are using. Each qube uses memory, so when you are done with a qube you should shut it down to free up the memory it is using. Closing windows is not enough - you need to shut each qube down manually when it's no longer needed.


# How to Install Software
While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html) for installing any additional software, at this time Qubes OS does not, so new software must be installed from the command line. If unfamilar with either the command line or how software works in Linux, check out [Linux Essentials](/posts/linux/) to get acquainted. For choosing what additional software to install, keep in mind that an application being [open-source](/glossary/#open-source) is an essential criteria, but is insufficient to be considered secure. The list of [included software for Tails](https://tails.boum.org/doc/about/features/index.en.html#index1h1) will cover many of your needs with reputable choices.
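Review bot: the `>` continuation line between quoted steps 3 and 4 keeps them in one blockquote, but the separators between steps 1, 2 and 3 appear as plain blank lines here, which end the quote and start a new one; if those lines are screenshots, prefix them with `>` as well so the quoted procedure stays a single block. Two wording points in the same hunk: the page writes "qube" in lower case for a VM, so "see which Qubes are currently running" should be "which qubes", and "unfamilar" in the install-software paragraph is missing an "i".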
@ -155,7 +158,8 @@ To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-insta
>5. Restart all qubes based on the template.
>
>6. (Recommended) In the relevant qubes’ **Settings → Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)


Remember, you should not be running `apt update` or `dnf update`.
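Review bot: the closing line "Remember, you should not be running `apt update` or `dnf update`." states the rule without the reason; a short clause or a link to the Qubes updating documentation explaining that Templates are updated through the Qubes updater rather than by hand would save readers a detour. The added `>` between quoted steps 5 and 6 correctly keeps the procedure in one blockquote.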
@ -170,7 +174,7 @@ After installation, a number of qubes already exist. Click on the Applications M
How the App qubes will be organized, without displaying service qubes or Templates:


* **A vault qube**. This will be used for all data storage, because a qube that doesn't need networking shouldn't have it. This qube can be reassigned to the `debian-11-documents` Template so that trusted files can be opened there.
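Review bot: the vault bullet names `debian-11-documents` as the Template the vault qube "can be reassigned to"; make sure that name matches the Template as it is created elsewhere on the page, and say explicitly that the vault keeps no NetVM after the reassignment, since the bullet's own rationale is that a qube that doesn't need networking shouldn't have it.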
@ -199,6 +203,7 @@ It's possible to just use the system as it is now, but let's show you how to cre
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network, and which is destroyed upon being exited.
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include:
* **Split-gpg**: GPG keys live in an offline qube and their access is tightly controlled
* **Split-ssh**: SSH keys live in an offline qube and their access is tightly controlled
* **Mullvad-vpn**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the only reputable VPN companies - they accept cryptocurrency, and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
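Review bot: minor consistency in this list: "empty Qube" should be "empty qube" (the page lower-cases the term), and the Split-gpg and Split-ssh bullets end without a period while the Mullvad-vpn bullet is full sentences; either add periods to the first two or trim the third. "one of the only reputable VPN companies" would also read better as "one of the few reputable VPN companies".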
@ -214,11 +219,12 @@ Disposables can be launched from the Applications menu; the disposable will be a
Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directory. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.


In the file manager of an App qube, right-clicking on certain types of files will give the option **Edit In DisposableVM** and **View In DisposableVM**. This is exactly how we want to open any untrusted files stored in our vault qube. It will use the default disposable that we set earlier, which is offline. Once you close the viewing application the whole disposable will be destroyed. If you have edited the file and saved the changes, the changed file will be saved back to the original app qube, overwriting the original. By contrast, viewing in a disposable is read-only, so if the file executes something malicious, it can't write to the App qube you launched it from - this is preferred for files you don't need to edit.
If your file is opening in a different application than what you require, you'll need to change the disposable Template default:
1. Send a file of this type to your disposable Template (in our case, `debian-11-offline-dvm`).
2. Open the file manager for the disposable Template.
3. Select the file, right-click **Properties**.
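Review bot: "will persist data in the `/home`, `/usr/local` and `/rw/config` directory" should be "directories" (three paths), and "saved back to the original app qube" should be "App qube" as elsewhere. The security contrast in the right-click paragraph is the most important sentence in this hunk and is buried mid-paragraph: **Edit In DisposableVM** writes the result back over the original file, **View In DisposableVM** cannot; consider stating that in its own short sentence so readers pick View for anything they do not need to change.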
@ -287,6 +293,7 @@ Tor Browser can't upload files from `/home/user/QubesIncoming/` due to how permi
# Password Management
Passwords should be managed with KeePassXC from the `vault` App qube. If unfamiliar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This leaves three passwords that must be memorized:
1. [LUKS](/glossary/#luks) password (first boot password)
2. User password (second boot password)
3. KeePassXC password
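Review bot: the blank line before the numbered list is the right fix. The paragraph says passwords "should be managed with KeePassXC from the `vault` App qube" without saying why that qube; one sentence noting that the vault has no network, which is what the later OPSEC section relies on when it says not to run an unlocked database alongside a highly-untrusted qube, would tie the two sections together.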
@ -298,6 +305,7 @@ It is possible to have [Windows qubes](https://www.qubes-os.org/doc/windows/), t
# Best Practices
There is a lot more flexibility in how you configure Qubes OS than Tails, but most of the [Tails best practices](/posts/tails-best/) still apply. To summarize, in the order of the Tails article:
* Protecting your identity
* Still [clean metadata](/posts/metadata/) from files before sharing them.
* Compartmentalization is baked into Qubes OS; instead of restarting Tails, use a dedicated qube.
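Review bot: under "To summarize, in the order of the Tails article:", "Protecting your identity" reads as a category with "Still clean metadata..." and "Compartmentalization is baked into Qubes OS..." as its sub-points, yet all three appear at the same bullet level here; indent the two sub-points so the structure matches the Tails article it mirrors.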
@ -318,11 +326,12 @@ There is a lot more flexibility in how you configure Qubes OS than Tails, but mo
* Open attachments in a qube that is disposable and offline.
* Open links in a Whonix qube that is disposable.
#### Post-installation Decisions
## Post-installation Decisions
During the [post-installation of Qubes OS](#getting-started), you have the option of installing exclusively Debian or Fedora Templates (instead of both). You also have the option of using the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates, and to convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will either be Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template you will clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend to use disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
* Name: kicksecure-16-dvm
* Color: purple
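Review bot: `Name: kicksecure-16-dvm` should have the name in backticks like `debian-11-offline-dvm` earlier on the page, and "We recommend to use disposable qubes" should be "We recommend using disposable qubes". `/glossary#hardening` is also missing the trailing slash that the other glossary links use.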
@ -332,10 +341,12 @@ Kicksecure is not currently [available as a Template](https://www.kicksecure.com
* In the new qubes' **Settings → Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template.
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If during the Qubes OS installation, you set all sys qubes to use the Debian Template, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-11-dvm`. If you want to use disposable Kicksecure for sys qubes:
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template.
#### Hardware Security
## Hardware Security
Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
* **Root of trust**: A secure element to store secrets that can be used as a root of trust during the boot process.
* **Blobs:** Newer hardware comes with [binary blobs](https://en.wikipedia.org/wiki/Binary_blob) which require trusting corporations to do the right thing, while some older hardware is available without binary blobs.
* **Microcode updates**: Newer hardware gets [microcode](https://en.wikipedia.org/wiki/Microcode) updates to the CPU which (ideally) address security vulnerabilities as they are discovered, while older hardware doesn't after it is considered End Of Life. The [Heads threat model page](https://osresearch.net/Heads-threat-model/#binary-blobs-microcode-updates-and-transient-execution-vulnerabilities) explains why CPU vulnerabilities matter:
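Review bot: the paragraph first says Kicksecure is "considered untested" for sys qubes and then gives the step to switch `sys-net`, `sys-firewall`, and `sys-usb` to `kicksecure-16-dvm`; put the caveat in the bullet itself (for example "untested by Kicksecure; fall back to `debian-11-dvm` if a sys qube fails to start") so a reader skimming the steps does not miss it. Also "In the new qubes' **Settings → Advanced** tab" should be "qube's", since it refers to the one qube just created.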
@ -343,21 +354,23 @@ Hardware security is a nuanced subject, with three prominent factors at play for
>"With the disclosure of the Spectre and Meltdown vulnerabilities in January 2018, it became apparent that most processors manufactured since the late 1990s can potentially be compromised by attacks made possible because of [transient execution CPU vulnerabilities](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability). [...] Future not-yet-identified vulnerabilities of this kind is likely. For users of Qubes OS, this class of vulnerabilities can additionally compromise the enforced isolation of virtual machines, and it is prudent to take the risks associated with these vulnerabilities into account when deciding on a platform on which to run Heads and Qubes OS."
Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the **ThinkPad X230** and the **ThinkPad T430** strike a relatively unique balance, because they both use the [Ivy generation](https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)) of CPUs and they are both compatible with Heads:
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process - the Thinkpad X230 and T430 have TPM v1.1.
* **Blobs**: No binary blobs are present on these models after Heads is installed, with the exception of the Intel Management Engine (which can be "neutered") and the ethernet blob (which can be generated).
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this CPU generation](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with other extensions that are vulnerable to new attack vectors - the Ivy generation is unimpacted by these.
Qubes OS also applies proper software mitigation to this class of attacks at the level of the hypervisor, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
#### OPSEC for Memory Use
## OPSEC for Memory Use
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that is no longer receiving microcode updates, the OPSEC suggestion is to limit the presence of secrets in memory that could result in leaks. Every qube that is running is using memory, and a compromised qube could use such vulnerabilities to read and exfiltrate the memory being used by other qubes. Disposables will be reset after being shutdown, so we can assume that their compromise would likely be transient. Perform sensitive operations in qubes with no networking, and shutdown secure qubes when not in use. Pay attention to which qubes are running simultaneously:
* [vault qube](#how-to-organize-your-qubes):
* Do not run an unlocked KeePassXC database at the same time as a highly-untrusted qube.
* Rather than having only one vault qube which stores all files (as described above), you can compartmentalize by having different vault qubes dedicated to specific activities (i.e. `vault-personal`, `vault-project1`, etc.). This means that if a networked qube is compromised while working on project1, [intentional sniffing](https://www.qubes-os.org/doc/data-leaks/) will not have potential access to all files, but only to those files that are compartmentalized for project1.
* sys-usb: Disposable. Only run when needed, and shutdown when finished.
* sys-net: Disposable. Only run when needed, and shutdown when finished. Shutdown when performing sensitive operations in other qubes, as far as possible. Restart before activities which require sys-net (i.e. email, ssh sessions, etc.).
#### Remove Passwordless Root
## Remove Passwordless Root
By default, Qubes OS does not require a password for root permissions (in other words, you can run a command with `sudo` without a password). The [docs](https://www.qubes-os.org/doc/vm-sudo/) explain the rationale for this decision. In alignment with the security principle of defense-in-depth, we recommend enabling a password for root permissions. Forcing an adversary to successfully execute privilege escalation can be a mitigating factor, considering the hardening of Kicksecure/Whonix Templates as well as the limited time window provided by disposables.
If you are comfortable with the command line, follow the [docs](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) for replacing passwordless root access with a Dom0 user prompt in Debian/Whonix/Kicksecure Templates.
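Review bot: "Disposables will be reset after being shutdown", "Only run when needed, and shutdown when finished" and "Shutdown when performing sensitive operations" use the noun form where the verb "shut down" is meant. The parenthetical examples "(i.e. `vault-personal`, `vault-project1`, etc.)" and "(i.e. email, ssh sessions, etc.)" should be "e.g.", since they are examples rather than restatements. In the Remove Passwordless Root paragraph, "Forcing an adversary to successfully execute privilege escalation can be a mitigating factor" would be clearer as "Forcing an adversary to also succeed at privilege escalation adds a mitigating layer", which is the defense-in-depth point the sentence is making.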