anonymousland/_information/Qubes-OS.md

336 lines
7.5 KiB
Markdown
Raw Normal View History

---
layout: default1
2022-12-28 18:42:08 -05:00
description: A page containing various information related to QubesOS
title: Qubes OS
2022-08-06 19:48:45 -04:00
permalink: /qubes
---
<div style="text-align:center;">
A collection of Qubes OS-related information.
</div>
<br>
2022-11-12 23:03:50 -05:00
Website: [https://qubes-os.org](https://qubes-os.org) <button type="button" class="btn btn-default btn-xs"><a href="http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/">Tor</a></button>
<br>
#### Table of contents:
-\>> [Best Practices](#best-practices) <br>
-\>> [Template Setup](#template-setup) <br>
- -\> *[Debian](#debian)* <br>
- -\> *[Security](#debian-security)* <br>
- -\> *[Fedora](#fedora)* <br>
- -\> *[Upgrading Fedora](#upgrading-fedora)* <br>
- -\> *[Whonix](#whonix)* <br>
-\>> [Links & Resources](#links--resources) <br>
- -\> *[Customizations](#customizations)* <br>
- -\> *[Guides](#guides)* <br>
- -\> *[Templates](#templates)* <br>
- -\> *[Wiki](#wiki)* <br>
<br>
### Best Practices
- All repositories should be routed over Tor and [onionized](https://anonymousland.org/#onionizing-repositories)
- Each application should be installed in its own separate minimal template Qube (provided your system has applicable resources for such)
- `sys-usb` should be configured on a laptop
- Avoid using `sleep` on a Qubes system
2022-12-20 14:52:19 -05:00
- Read all of the Qubes documentation
- Frequently visit the Qubes forums
- Consider creating a shutdown script / shortcut
- Consider if you would benefit by creating backups of your Qubes system
- Update frequently
2022-12-06 11:56:00 -05:00
- Harden Qubes if applicable (Debian kicksecure, Fedora CORP hardened-malloc, etc.)
2022-12-28 18:42:08 -05:00
- Setup a bios password along with a power-on password
- Use an SSD for the Qubes system
<br>
### Template Setup
Small notes for template setup
2023-01-17 17:52:28 -05:00
Proxying `wget`:
Edit ``/etc/wgetrc``
Add:
```
use_proxy=yes
http_proxy=127.0.0.1:8082
https_proxy=127.0.0.1:8082
```
<br>
#### Debian
Running in Dom0:
```
sudo qubes-dom0-update qubes-template-debian-11-minimal
```
2022-08-29 22:48:36 -04:00
```
qvm-run --pass-io -u root template-debian-11-minimal 'apt instal qubes-core-agent-passwordless-root'
```
Running inside the template:
```
sudo apt update
```
Installing packages
```
sudo apt install qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git apt-transport-tor curl
```
Configuring git proxy
```
2022-08-12 13:12:22 -04:00
git config --global http.proxy http://127.0.0.1:8082/
```
<br>
#### Debian Security
```
sudo apt-get install grub2 qubes-kernel-vm-support
```
```
sudo apt-get -t bullseye-backports --no-install-recommends install linux-image-amd64 linux-headers-amd64
```
```
2022-09-02 16:44:58 -04:00
sudo grub-install /dev/xvda
```
2022-08-07 09:28:46 -04:00
Adding the Kicksecure repository:
```
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
```
```
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
```
```
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
```
2022-08-07 09:28:46 -04:00
Installing Kicksecure package:
2022-08-07 09:28:46 -04:00
``kicksecure-qubes-cli`` and ``kicksecure-qubes-gui`` are available.
```
sudo apt install --no-install-recommends kicksecure-qubes-cli
```
Installing LKRG:
```
sudo apt install --no-install-recommends lkrg-dkms
2022-08-06 19:48:45 -04:00
```
Enabling Hardened Malloc:
```
2022-08-07 09:51:15 -04:00
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
```
<br>
#### Fedora
Running in Dom0:
```
2023-01-19 00:04:41 -05:00
sudo qubes-dom0-update qubes-template-fedora-37-minimal
```
2022-08-29 22:49:13 -04:00
```
qvm-run --pass-io -u root template-fedora-36-minimal 'apt instal qubes-core-agent-passwordless-root'
```
Running inside the template:
```
sudo dnf update
```
Installing packages
```
sudo dnf install qubes-core-agent-passwordless-root qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git
```
Configuring git proxy
```
2022-08-12 13:12:22 -04:00
git config --global http.proxy http://127.0.0.1:8082/
```
<br>
#### Upgrading Fedora
Running in Dom0:
```
2023-01-19 00:04:41 -05:00
qvm-clone fedora-36 fedora-37
```
```
truncate -s 5GB /var/tmp/template-upgrade-cache.img
```
```
2023-01-19 00:04:41 -05:00
qvm-run -a fedora-37 gnome-terminal
```
```
dev=$(sudo losetup -f --show /var/tmp/template-upgrade-cache.img)
```
```
2023-01-19 00:04:41 -05:00
qvm-block attach fedora-37 dom0:${dev##*/}
```
2023-01-19 00:04:41 -05:00
Running inside Fedora-37:
```
sudo mkfs.ext4 /dev/xvdi
```
```
sudo mount /dev/xvdi /mnt/removable
```
```
sudo dnf clean all
```
```
2023-01-19 00:04:41 -05:00
sudo dnf --releasever=37--setopt=cachedir=/mnt/removable --best --allowerasing distro-sync
```
Running inside Dom0:
```
2023-01-19 00:04:41 -05:00
qvm-shutdown fedora-37
```
```
sudo losetup -d $dev
```
```
rm /var/tmp/template-upgrade-cache.img
```
<br>
#### Whonix
Whonix-GW and Whonix-WS should be upgraded via:
```
upgrade-nonroot
```
Installing LKRG:
```
sudo apt install --no-install-recommends lkrg-dkms
```
Enabling Hardened Malloc:
```
echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
```
<br>
### Links & Resources
2022-11-13 00:13:27 -05:00
- [qpowerkill](https://github.com/NobodySpecial256/qpowerkill)
- [Qubes for security auditing](https://forum.qubes-os.org/t/qubes-for-organizational-security-auditing-talk-notes/199)
2022-10-03 22:58:27 -04:00
- [Qubes-lite with KVM and Wayland](https://roscidus.com/blog/blog/2021/03/07/qubes-lite-with-kvm-and-wayland/)
<br>
#### Customizations
2022-12-05 14:34:09 -05:00
- [Wallpapers](https://forum.qubes-os.org/t/qubes-os-wallpapers/2819)
- [KDE](https://forum.qubes-os.org/t/kde-changing-the-way-you-use-qubes/4730)
- [XFCE Global Dark Mode](https://forum.qubes-os.org/t/guide-xfce-global-dark-mode-in-qubes-4-0-4-1/10757)
2022-10-06 18:30:39 -04:00
<br>
#### Guides
2023-02-01 15:37:27 -05:00
- [Creating sys-dns](https://forum.qubes-os.org/t/guide-how-to-setup-a-sys-dns-qube/13749)
2023-01-17 17:50:02 -05:00
- [Using Kloak](https://forum.qubes-os.org/t/tutorial-how-to-use-kloak-with-usb-keyboards/14134)
2022-12-21 18:29:00 -05:00
- [Advanced Browser Fingerprinting](https://forum.qubes-os.org/t/advanced-browser-fingerprinting/12379)
- [Monero Wallet Isolation](https://forum.qubes-os.org/t/monero-wallet-daemon-isolation-with-qubes-whonix/1121)
2022-12-05 14:26:50 -05:00
- [Foms giant list of Qubes OS workarounds, tweaks and shenanigans](https://forum.qubes-os.org/t/fom-s-giant-list-of-qubes-os-workarounds-tweaks-and-shenanigans/15162)
- [Fully ephemeral dispvms](https://forum.qubes-os.org/t/fully-ephemeral-dispvms/12030)
- [Opening all files in disposable qube](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674)
- [Kicksecure Guide](https://forum.qubes-os.org/t/guide-kicksecure-for-disp-sys/13324)
2022-09-03 10:24:21 -04:00
- [Qubes OS installation encrypted boot and header](https://forum.qubes-os.org/t/qubes-os-installation-detached-encrypted-boot-and-header/6205)
2022-08-31 20:38:01 -04:00
- [Trezor Bridge in 4.1](https://forum.qubes-os.org/t/how-to-set-up-the-trezor-bridge-in-4-1/11103)
- [split-ProtonMail](https://forum.qubes-os.org/t/guide-split-protonmail-offline-send-receive-qubes-pm-bridge-vm/11096)
- [How to create an Android Qube](https://forum.qubes-os.org/t/how-to-create-an-android-qube/8467)
<br>
#### Templates
- [Windows](https://github.com/elliotkillick/qvm-create-windows-qube)
- [Minimal](https://www.qubes-os.org/doc/templates/minimal/)
2022-10-06 18:30:39 -04:00
<br>
#### Wiki
2022-11-12 23:03:50 -05:00
- [Hardened-Kernel](https://www.kicksecure.com/wiki/Hardened-kernel) <button type="button" class="btn btn-default btn-xs"><a href="http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Hardened-kernel">Tor</a></button>
2022-11-12 23:03:50 -05:00
- [VM Fingerprinting](https://www.whonix.org/wiki/VM_Fingerprinting) <button type="button" class="btn btn-default btn-xs"><a href="http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/VM_Fingerprinting">Tor</a></button>