mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-29 16:57:28 -04:00
more qubes edits
parent
099503d084
commit
de0117c351
3 changed files with 20 additions and 9 deletions
|
@ -100,7 +100,7 @@ Qubes OS works best on a laptop with a solid state drive (SSD, which is faster t
|
||||||
|
|
||||||
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
|
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you started. The [verification step](https://www.qubes-os.org/security/verifying-signatures/) requires using the [command line](/glossary/#command-line-interface-cli). If this is over your head, ask a friend to walk you through it. Alternatively, learn the basics of the command line with [Linux Essentials](/posts/linux/) and see the [explanation of a similar verification for Tails](/posts/tails-best/#appendix-gpg-explanation).
|
||||||
|
|
||||||
Do not set up "dual boot" - another operating system could be used to compromise Qubes OS.
|
[Do not set up "dual boot"](https://www.qubes-os.org/faq/#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) - another operating system could be used to compromise Qubes OS.
|
||||||
|
|
||||||
After you first boot Qubes OS, there is a post-installation:
|
After you first boot Qubes OS, there is a post-installation:
|
||||||
|
|
||||||
|
@ -118,7 +118,7 @@ On Qubes OS, you should NOT use the `apt update` or `apt upgrade` commands, whic
|
||||||
|
|
||||||
> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
|
> you can [...] start the tool manually by selecting it in the Applications Menu under “Qubes Tools.” Even if no updates have been detected, you can use this tool to check for updates manually at any time by selecting “Enable updates for qubes without known available updates,” then selecting all desired items from the list and clicking “Next.”
|
||||||
|
|
||||||
Updates take a moment to be detected on a new system, so select "Enable updates...", check the boxes for all qubes, and press **Next**. A Whonix window may pop up asking you to do a command line update, but ignore this since the update will resolve it. Once Qubes Update is complete, reboot.
|
Make sure to have the computer plugged into power whenever you run Qubes Update. Updates take a moment to be detected on a new system, so select "Enable updates...", check the boxes for all qubes, and press **Next**. A Whonix window may pop up asking you to do a command line update, but ignore this since the update will resolve it. Once Qubes Update is complete, reboot.
|
||||||
|
|
||||||
# How to Copy and Paste Text
|
# How to Copy and Paste Text
|
||||||
|
|
||||||
|
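Review bot: The added sentence "Make sure to have the computer plugged into power whenever you run Qubes Update." gives the instruction without the reason, and it now opens a paragraph that is otherwise about the first update on a new system. Add a clause saying what the reader risks if power is lost mid-update, and consider moving it out of this paragraph so it reads as applying to every run, not only the first.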
@ -159,7 +159,14 @@ While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persiste
|
||||||
|
|
||||||
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or on the command line.
|
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, which can be found using a web browser for both [Debian](http://packages.debian.org/) and [Fedora](https://packages.fedoraproject.org/), or on the command line.
|
||||||
|
|
||||||
It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, to avoid unnecessarily increasing the attack surface of all App qubes based on the default Template. For example, to install packages for working with documents, which are not included by default in `debian-11`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`.
|
It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, to avoid unnecessarily increasing the attack surface of all App qubes based on the default Template. The basic formula is:
|
||||||
|
|
||||||
|
1) Clone Template
|
||||||
|
2) Install additional packages on the cloned Template
|
||||||
|
3) Create an App qube based on the cloned Template
|
||||||
|
4) Optional: Make this App qube a disposable
|
||||||
|
|
||||||
|
For example, to install packages for working with documents, which are not included by default in `debian-11`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right click on `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`.
|
||||||
|
|
||||||
To install new software, as described in the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories):
|
To install new software, as described in the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories):
|
||||||
|
|
||||||
|
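Review bot: Step 4 of the new list, "Optional: Make this App qube a disposable", has no link or pointer to where the guide explains how to do it, so a reader following the formula stops there. Link it to the section that covers disposables, and check that the `1)` markers render as an ordered list, since the Password Management list in this same file uses `1.`.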
@ -181,7 +188,7 @@ To install new software, as described in the [docs](https://www.qubes-os.org/doc
|
||||||
|
|
||||||
Remember that you should not run `apt update` or `dnf update`.
|
Remember that you should not run `apt update` or `dnf update`.
|
||||||
|
|
||||||
Returning to the example above, I start a terminal in the `debian-11-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
Returning to the example above, I start a terminal in the `debian-11-documents` Template I just cloned, and then run `sudo apt install libreoffice-writer mat2 bookletimposer gimp gocryptfs gnome-disk-utility`. Once the installation was complete, I shut down the Template. I could then create or assign an App qube to use this Template, and it would now have LibreOffice, etc. Installing software should be the only time most users *need* to use the command line with Qubes OS.
|
||||||
|
|
||||||
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) - if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
You may want to use software that is not in the Debian/Fedora repositories, which makes things a bit more complicated and also poses a security risk - you must independently assess whether the source is trustworthy, rather than relying on Debian or Fedora. Linux software can be packaged in several ways: deb files (Debian), rpm files (Fedora), AppImages, Snaps and Flatpaks. A [forum post](https://forum.qubes-os.org/t/installing-software-in-qubes-all-methods/9991) outlines your options, and several examples are available in [Encrypted Messaging for Anarchists](/posts/e2ee/). If the software is available on [Flathub](https://flathub.org/home) but not in the Debian/Fedora repositories, you can use [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/) - if the Flathub software is community maintained, this is a [security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
|
||||||
|
|
||||||
|
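Review bot: `gnome-disk-utility` is added to the install line for `debian-11-documents`, but the text introduces this Template as holding "packages for working with documents" and never says what the disk utility is for. The section's own argument is that extra packages increase the attack surface of every App qube based on a Template, so either add a clause explaining why it belongs here or point to the section that needs it.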
@ -242,6 +249,8 @@ You should configure your non-Tor qubes to be forced through a VPN (RiseupVPN, M
|
||||||
|
|
||||||
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - when an App qube is about to run out of space, the Disk Space Monitor widget will alert you. To increase the amount of private storage for any qube, go to the qubes' **Settings → Basic** tab and change the "Private storage max size". This storage won't be used immediately, it's just the maximum that can be used by that qube.
|
||||||
|
|
||||||
|
If a Disposable keeps crashing, try to increase the amount of RAM allocated to it: go to the disposable Template's **Settings → Advanced** tab and increase the "Initial memory" and "Max memory".
|
||||||
|
|
||||||
# How to Use Disposables
|
# How to Use Disposables
|
||||||
|
|
||||||
Disposables can be launched from the Applications menu: the disposable is at the top, and the disposable Template is near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all your Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, you can do so from the Qubes Domains widget in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would launch another disposable.
|
Disposables can be launched from the Applications menu: the disposable is at the top, and the disposable Template is near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all your Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, you can do so from the Qubes Domains widget in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would launch another disposable.
|
||||||
|
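Review bot: The new sentence capitalises "Disposable" at its start and then writes "disposable Template", while the "How to Use Disposables" paragraph right after it uses lower-case "disposable" throughout; pick one form. "Keeps crashing" also gives the reader no way to tell whether memory is the cause, so consider naming a symptom or a starting value for "Initial memory" and "Max memory".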
@ -296,7 +305,7 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
|
||||||
>
|
>
|
||||||
>2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next.
|
>2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next.
|
||||||
>
|
>
|
||||||
>3. Go to **Applications menu → Disposable: debian-11-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be saving your backup to and attach it to the qube ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory called `backups`.
|
>3. Go to **Applications menu → Disposable: debian-11-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be saving your backup to and attach it to the qube ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in the LUKS partition called `backups`.
|
||||||
>
|
>
|
||||||
>4. In Backup Qubes, select the destination for the backup:
|
>4. In Backup Qubes, select the destination for the backup:
|
||||||
>* **Target qube**: select the disposable, named something like disp1217.
|
>* **Target qube**: select the disposable, named something like disp1217.
|
||||||
|
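Review bot: In step 3, "Create a new directory in the LUKS partition called `backups`" can be read as the partition being called `backups`. Reordering to "Create a new directory called `backups` in the LUKS partition" removes the ambiguity.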
@ -317,6 +326,8 @@ To take advantage of compartmentalization, create separate Whonix-Workstation Ap
|
||||||
|
|
||||||
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
Tor Browser won't be able to upload files from `/home/user/QubesIncoming/` due to how permissions are set, so you'll need to move files to another location in `/home/user/` to upload them, such as the Downloads directory.
|
||||||
|
|
||||||
|
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest.** The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||||
|
|
||||||
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-ws-16`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template - the disposable Template will be updated automatically.
|
Occasionally, a new version of the Tor Browser will be available before it can be updated using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-ws-16`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do NOT run this tool from a disposable Template - the disposable Template will be updated automatically.
|
||||||
|
|
||||||
# Password Management
|
# Password Management
|
||||||
|
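Review bot: The added Tor Browser paragraph says "it's important to keep Tails up to date", but this file is the Qubes OS guide and the surrounding lines are about Whonix-Workstation and the Qubes Update tool; the sentence looks copied from the Tails guide without adaptation. Change it to refer to keeping the Whonix Templates updated through Qubes Update. The bold sentence here also ends "Safest.**" while the Tails copy ends "Safest**.", so align the punctuation.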
@ -324,10 +335,10 @@ Occasionally, a new version of the Tor Browser will be available before it can b
|
||||||
Manage passwords by using KeePassXC from the `vault` App qube. If you are not familiar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This approach requires you to memorize three passwords:
|
Manage passwords by using KeePassXC from the `vault` App qube. If you are not familiar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This approach requires you to memorize three passwords:
|
||||||
|
|
||||||
1. [LUKS](/glossary/#luks) password (first boot password)
|
1. [LUKS](/glossary/#luks) password (first boot password)
|
||||||
2. User password (second boot password), much less important than LUKS
|
2. User password (second boot password, which is much less important than LUKS)
|
||||||
3. KeePassXC password
|
3. KeePassXC password
|
||||||
|
|
||||||
For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).
|
Shutdown Qubes OS whenever you are away from the computer for more than a few minutes. For advice on password quality, see [Tails Best Practices](/posts/tails-best/#passwords).
|
||||||
|
|
||||||
# Windows Qubes
|
# Windows Qubes
|
||||||
|
|
||||||
|
|
|
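Review bot: "Shutdown Qubes OS whenever you are away..." uses the noun form where the verb "Shut down" is needed, and it is prepended to the sentence about password quality without saying why shutting down matters. Put it in its own sentence after the list and tie it to item 1, for example by noting that the LUKS password is only asked for at boot.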
@ -213,7 +213,7 @@ For Tails, you need to memorize two passphrases:
|
||||||
1) The [LUKS](/glossary/#luks) "personal data" USB passphrase, where your KeePassXC file is stored.
|
1) The [LUKS](/glossary/#luks) "personal data" USB passphrase, where your KeePassXC file is stored.
|
||||||
2) The KeePassXC passphrase
|
2) The KeePassXC passphrase
|
||||||
|
|
||||||
If you are using Persistent Storage, this is another passphrase that you will have to enter on the Welcome Screen at boot time, but it can be the same as 1.
|
If you are using Persistent Storage, this is another passphrase that you will have to enter on the Welcome Screen at boot time, but it can be the same as 1. Shutdown Tails whenever you are away from the computer for more than a few minutes.
|
||||||
|
|
||||||
## Encrypted containers
|
## Encrypted containers
|
||||||
|
|
||||||
|
|
|
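Review bot: The new sentence "Shutdown Tails whenever you are away from the computer for more than a few minutes." is appended directly after "it can be the same as 1", so it reads as part of the Persistent Storage passphrase note. Give it its own line, and use the verb form "Shut down".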
@ -258,7 +258,7 @@ The Onion Circuits application shows which Tor circuit a server connection (webs
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Change**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest**. The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
Like any software, the Tor Browser has vulnerabilities that can be exploited - various police agencies have Tor Browser exploits for serious cases. To mitigate this, it's important to keep Tails up to date, and you should increase the Tor Browser's security settings: click the shield icon, and then click **Settings...**. By default, it's set to Standard, which maintains a browsing experience comparable to a regular browser. **We strongly recommend that you set it to the most restrictive setting before you start browsing: Safest**. The vast majority of exploits against Tor Browser will not work with the Safest setting.
|
||||||
|
|
||||||
The layout of some pages may be changed, and some types of content may be disabled (SVG images, click-to-play videos, etc.). For example, this site has two things that will be blocked in Safest mode because they rely on Javascript: dark mode and the article's table of contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them with a less restrictive setting on a site-by-site basis. Remember that both "Standard" and "Safer" settings allow scripts to work, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
The layout of some pages may be changed, and some types of content may be disabled (SVG images, click-to-play videos, etc.). For example, this site has two things that will be blocked in Safest mode because they rely on Javascript: dark mode and the article's table of contents. Some sites will not work at all with these restrictions; if you have reason to trust them, you can view them with a less restrictive setting on a site-by-site basis. Remember that both "Standard" and "Safer" settings allow scripts to work, which can [break your anonymity](https://arstechnica.com/information-technology/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/) in a worst-case scenario.
|
||||||
|
|
||||||
|
|
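Review bot: The button label is now hard-coded as **Settings...** both here and in the copy of this paragraph that the same commit adds to the Qubes guide, so the next Tor Browser interface rename will need two edits. Consider keeping the full instructions in one file and linking to them from the other.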