arrows replace >

anarsec 2023-06-29 18:40:17 +00:00
parent 5589c4ed6e
commit e50b0f2188
No known key found for this signature in database
5 changed files with 31 additions and 31 deletions

@ -137,7 +137,7 @@ While Tails [has a Graphical User Interface](https://tails.boum.org/doc/persiste
Software is installed into Templates, which have network access only for their package manager (apt or dnf). Installing a package requires knowing its name, and all can be browsed through a web browser for [Debian](http://packages.debian.org/) as well as [Fedora](https://packages.fedoraproject.org/), or on the command line.
It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, in order to not unnecessarily increase the attack surface of all App qubes based on the default Template. For example, to install packages for working with documents which are not included by default in `debian-11`, I clone it first. Go to **Applications menu > Qubes Tools > Qube Manager**. Right-click `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`.
It is best not to install additional software into the default Template, but rather to install the software into a cloned Template, in order to not unnecessarily increase the attack surface of all App qubes based on the default Template. For example, to install packages for working with documents which are not included by default in `debian-11`, I clone it first. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click `debian-11` and select "Clone qube". Name the new Template `debian-11-documents`.
To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-default-repositories) detail:
@ -153,7 +153,7 @@ To install new software, as the [docs](https://www.qubes-os.org/doc/how-to-insta
>
>5. Restart all qubes based on the template.
>
>6. (Recommended) In the relevant qubes **Settings > Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)
>6. (Recommended) In the relevant qubes **Settings Applications** tab, select the new application(s) from the list, and press **OK**. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see [here](https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/) for troubleshooting.)
![menu](menu.png)
Remember, you should not be running `apt update` or `dnf update`.
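Review bot: In step 6 the replacement line reads `**Settings Applications** tab`: the `>` was removed but no `→` was put in its place, so the two-level path now reads as one label. It should be `**Settings → Applications**`, in the same form as the `**Applications menu → Qubes Tools → Qube Manager**` paths this commit converts correctly.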
@ -165,7 +165,7 @@ You may want to use software that is not present in the Debian/Fedora repositori
# How to Organize Your Qubes
The next step is to decide how to organize your system - there is much more flexibility in this regard than in a monolithic system like Tails. In general, you should try to use disposables to connect to the Internet whenever possible. Here is our recommended set-up for the typical user, which can be futher extended as needed.
After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu > Qubes Tools > Qube Manager**. Right-click and select "Delete qube" for each.
After installation, a number of qubes already exist. Click on the Applications Menu to see all of them. We will delete the following default App qubes because they use the Internet without being disposable: `work`, `personal`, and `untrusted`. Go to **Applications menu → Qubes Tools → Qube Manager**. Right-click and select "Delete qube" for each.
How the App qubes will be organized, without displaying service qubes or Templates:
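Review bot: The unchanged context line two above the edit still has "futher extended"; since this paragraph is being touched anyway, correct it to "further" in the same commit. The arrow replacement on the Qube Manager path is fine as written.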
@ -179,22 +179,22 @@ How the App qubes will be organized, without displaying service qubes or Templat
It's possible to just use the system as it is now, but let's show you how to create an App qube and a disposable.
* **A Monero qube**. Lets say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu > Qubes Tools > Create Qubes VM**
* **A Monero qube**. Lets say you want to use the Monero wallet for an anarchist project. We'll create a new qube to compartmentalize that activity. Go to **Applications menu → Qubes Tools → Create Qubes VM**
* **Name**: Project-monero
* **Color**: Yellow
* **Type**: AppVM
* **Template**: whonix-ws-16
* **Networking**: sys-whonix
* The official Monero wallet is natively included in whonix-ws. Now that the qube exists, in the **Settings > Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu.
* The official Monero wallet is natively included in whonix-ws. Now that the qube exists, in the **Settings Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu.
* **An offline disposable qube**. Right now both disposables have networking (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu > Qubes Tools > Create Qubes VM**
* **An offline disposable qube**. Right now both disposables have networking (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
* **Name**: debian-11-offline-dvm
* **Color**: Black
* **Type**: AppVM
* **Template**: debian-11-documents
* **Networking**: none
* You could equally use Fedora. In the new qubes' **Settings > Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the offline disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template.
* Go to **Applications menu > Qubes Tools > Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm`
* You could equally use Fedora. In the new qubes' **Settings Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the offline disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template.
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Set the default disposable Template to `debian-11-offline-dvm`
* Now, if a malicious document achieves code execution after being opened, it will be in an empty Qube that has no network, and which is destroyed upon being exited.
[Qubes Task Manager](https://qubes.3isec.org/tasks.html) is a Graphical User Interface to configure qubes that otherwise require advanced command line use to set up. Available configurations include:
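Review bot: Two replacement lines in this hunk drop the separator instead of converting it: the Monero bullet now reads `**Settings Applications** tab` and the offline-disposable bullet reads `**Settings Advanced** tab`. Both need the arrow (`**Settings → Applications**`, `**Settings → Advanced**`); the second is the step that turns the qube into a Disposable Template, so an ambiguous path there is worth avoiding. While the Monero line is open, "Lets say" should be "Let's say".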
@ -205,10 +205,10 @@ It's possible to just use the system as it is now, but let's show you how to cre
If you want your qubes that are not using Tor to be forced through a VPN, this is the easiest way to set that up.
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - if an App qube is close to filling up, the Disk Space Monitor widget will have a notification. To increase the private storage size of any given qube, in the qubes' **Settings > Basic** tab, change "Private storage max size". This storage won't be used immediately, it is just the max that can be used by that qube.
By default, App qubes only have 2 GB of private storage. This small amount will fill up quickly - if an App qube is close to filling up, the Disk Space Monitor widget will have a notification. To increase the private storage size of any given qube, in the qubes' **Settings Basic** tab, change "Private storage max size". This storage won't be used immediately, it is just the max that can be used by that qube.
# How to Use Disposables
Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu > Disposable: whonix-16-ws-dvm > Tor Browser**. This is how you do all Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, this can be accomplished from the Qubes Domains widget, in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable.
Disposables can be launched from the Applications menu; the disposable will be at the top, and the disposable Template near the bottom. For example, to use a disposable Tor Browser, go to **Application Menu → Disposable: whonix-16-ws-dvm → Tor Browser**. This is how you do all Tor browsing. If you launch a disposable application, but then want to access the file manager for the same disposable qube, this can be accomplished from the Qubes Domains widget, in the top-right corner of the interface. If you were to simply select "Files" from the Applications menu, this would start yet another disposable.
Once you close all windows of a disposable, the whole disposable shuts down and is destroyed. The next time that it boots, the disposable will completely reflect the state of its Template. In contrast, an App qube needs to be shut down manually (using the Qubes Domains widget), and will persist data in the `/home`, `/usr/local` and `/rw/config` directory. The next time that it boots, all locations in the file system of an App qube other than these three directories will reflect the state of its Template. Take a look at how [inheritance and persistence](https://www.qubes-os.org/doc/templates/#inheritance-and-persistence) works for Templates, App qubes, and disposables for more information.
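Review bot: The storage paragraph's replacement line reads `**Settings Basic** tab` with no separator; it should be `**Settings → Basic**`. In the disposables paragraph the path starts with `**Application Menu → …` while every other path in this commit uses `**Applications menu → …`; pick one spelling and capitalization so readers can match it against the actual menu.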
@ -228,12 +228,12 @@ If your file is opening in a different application than what you require, you'll
For PDF files, right-clicking will also give the option **Convert To Trusted PDF**. This will sanitize the PDF file so that it can go from being untrusted to trusted. This is achieved by it being converted into images in a disposable, and cleaning the metadata.
Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application > qvm-open-in-dvm**.
Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to set the default of only opening PDF files in a disposable, right-click a PDF and select **Open With Other Application qvm-open-in-dvm**.
# How to Use Devices (like USBs)
To learn how to attach devices, we will format the empty USB or hard drive you will be using for backups. The USB will be attached to an offline disposable to mitigate against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
1. Go to **Applications menu > Disposable: debian-11-offline-dvm > Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings > Applications** tab.
1. Go to **Applications menu → Disposable: debian-11-offline-dvm → Disks**. The disposable will have a name with a random number like disp4653. If Disks is not present, make the change on the **Settings Applications** tab.
![widget](media-removable.png)
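Review bot: The PDF paragraph now ends with `**Open With Other Application qvm-open-in-dvm**`, which reads as a single menu entry rather than a menu item followed by the application to choose; restore the separator as `**Open With Other Application → qvm-open-in-dvm**`. The same omission is in step 1 of the devices list, where the line ends `**Settings Applications** tab` and should be `**Settings → Applications**`.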
@ -243,7 +243,7 @@ To learn how to attach devices, we will format the empty USB or hard drive you w
3. The empty USB or hard drive should now be displayed in the Disks application. Format the empty device and then create a new encrypted partition, [like you would in Tails](/posts/tails/#how-to-create-an-encrypted-usb). You can use the same LUKS password as is used for your Qubes OS LUKS, because you will need to memorize it to restore from backup, and it will contain the same data.
4. Before removing the USB drive, first eject it using the Qubes Devices widget, which ejects it from the qube. Then go to **Applications menu > sys-usb > Files**, and select "Safely Remove Drive" to eject it from the computer.
4. Before removing the USB drive, first eject it using the Qubes Devices widget, which ejects it from the qube. Then go to **Applications menu → sys-usb → Files**, and select "Safely Remove Drive" to eject it from the computer.
There are command line instructions for using an [external keyboard](https://www.qubes-os.org/doc/usb-qubes/#manual-setup-for-usb-keyboards) or [mouse](https://www.qubes-os.org/doc/usb-qubes/#usb-mice). Webcams and microphones are considered devices, and must be attached to an App qube in order to use them.
@ -254,18 +254,18 @@ As soon as your qubes are organized in the way that you would like, backup your
Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#creating-a-backup):
>1. Go to **Applications menu > Qubes Tools > Backup Qubes**.
>1. Go to **Applications menu → Qubes Tools → Backup Qubes**.
>
>2. Move the VMs that you want to back up to the right-hand Selected column. VMs in the left-hand Available column will not be backed up. You may choose whether to compress backups by checking or unchecking the Compress the backup box. Compressed backups will be smaller but take more time to create. Once you have selected all desired VMs, click Next.
>
>3. Go to **Applications menu > Disposable: debian-11-offline-dvm > Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be backing up to and attach it ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **+ Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in it called `backups`.
>3. Go to **Applications menu → Disposable: debian-11-offline-dvm → Files** to start a file manager in an offline disposable. Plug in the LUKS USB or hard drive you will be backing up to and attach it ([see above for instructions on creating and attaching this drive](#how-to-use-devices-like-usbs)). The drive should now be displayed at **+ Other Locations** in the file manager. Mount the LUKS partition by entering your password. Create a new directory in it called `backups`.
>
>4. In Backup Qubes, select the destination for the backup:
>* **Target qube**: select the disposable, named something like disp1217.
>* **Backup directory**: click **...** to select the newly created folder `backups`.
>5. Set an encryption passphrase, which can be the same as your Qubes OS user passphrase, because you will need to memorize it to restore from backup, and it will contain the same data. This is dom0, so you won't be able to paste it from a password manager.
>6. Untick "Save settings as default backup profile", and press **Next**.
>7. Once the backup is complete, test restore your backup. Go to **Applications menu > Qubes Tools > Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you cant restore your data from it, and you cant be sure that your backup is not corrupted until you try to restore.
>7. Once the backup is complete, test restore your backup. Go to **Applications menu → Qubes Tools → Restore Backup**. DO NOT FORGET to select **Test restore to verify backup integrity (no data actually restored)**. A test restore is optional but strongly recommended. A backup is useless if you cant restore your data from it, and you cant be sure that your backup is not corrupted until you try to restore.
# Whonix and Tor
The Whonix project has their own [extensive documentation](https://www.whonix.org/wiki/Documentation), as does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), upon which it is based. When Whonix is used in Qubes OS it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems as well, but it's preferable to use it on Qubes OS due to the superior isolation it provides.
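Review bot: Step 7 is rewritten by this commit but still contains "cant" twice ("if you cant restore your data", "you cant be sure"); add the apostrophes while the line is being changed. The three arrow replacements in this hunk (steps 1, 3 and 7) are consistent with each other.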
@ -317,13 +317,13 @@ There is a lot more flexibility in how you configure Qubes OS than Tails, but mo
During the [post-installation of Qubes OS](#getting-started), you have the option of installing exclusively Debian or Fedora Templates (instead of both). You also have the option of using the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates, and to convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will either be Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template you will clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend to use disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
* Go to **Applications menu > Qubes Tools > Create Qubes VM**
* Go to **Applications menu → Qubes Tools → Create Qubes VM**
* Name: kicksecure-16-dvm
* Color: purple
* Type: AppVM
* Template: kicksecure-16
* Networking: default (sys-firewall)
* In the new qubes' **Settings > Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template.
* In the new qubes' **Settings Advanced** tab, under "Other" tick "Disposable Template", then press **OK**. You will now see the disposable present at the top of the Applications Menu - make sure to work in the disposable, and not the disposable Template.
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If during the Qubes OS installation, you set all sys qubes to use the Debian Template, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-11-dvm`. If you want to use disposable Kicksecure for sys qubes:
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template.
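Review bot: The last bullet of the Kicksecure disposable list now reads `**Settings Advanced** tab`; the `>` was deleted without an arrow replacing it. It should be `**Settings → Advanced**`, matching the `**Applications menu → Qubes Tools → Create Qubes VM**` line converted at the top of the same list.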