anonymousland/_information/Qubes-OS.md
2022-12-21 18:29:00 -05:00

7.0 KiB
Raw Blame History

layout description title permalink
default1 For Qubes OS Qubes OS /qubes
A collection of Qubes OS-related information.

Website: https://qubes-os.org Tor


Table of contents:

->> Best Practices
->> Template Setup

->> Links & Resources


Best Practices

  • All repositories should be routed over Tor and onionized

  • Each application should be installed in its own separate minimal template Qube (provided your system has applicable resources for such)

  • sys-usb should be configured on a laptop

  • Avoid using sleep on a Qubes system

  • Read all of the Qubes documentation

  • Frequently visit the Qubes forums

  • Consider creating a shutdown script / shortcut

  • Consider if you would benefit by creating backups of your Qubes system

  • Update frequently

  • Harden Qubes if applicable (Debian kicksecure, Fedora CORP hardened-malloc, etc.)


Template Setup

Small notes for template setup


Debian

Running in Dom0:

sudo qubes-dom0-update qubes-template-debian-11-minimal
qvm-run --pass-io -u root template-debian-11-minimal 'apt instal qubes-core-agent-passwordless-root'

Running inside the template:

sudo apt update

Installing packages

sudo apt install qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git apt-transport-tor curl

Configuring git proxy

git config --global http.proxy http://127.0.0.1:8082/

Debian Security

sudo apt-get install grub2 qubes-kernel-vm-support
sudo apt-get -t bullseye-backports --no-install-recommends install linux-image-amd64 linux-headers-amd64
sudo grub-install /dev/xvda

Adding the Kicksecure repository:

curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Installing Kicksecure package:

kicksecure-qubes-cli and kicksecure-qubes-gui are available.

sudo apt install --no-install-recommends kicksecure-qubes-cli

Installing LKRG:

sudo apt install --no-install-recommends lkrg-dkms

Enabling Hardened Malloc:

echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload

Fedora

Running in Dom0:

sudo qubes-dom0-update qubes-template-fedora-36-minimal
qvm-run --pass-io -u root template-fedora-36-minimal 'apt instal qubes-core-agent-passwordless-root'

Running inside the template:

sudo dnf update

Installing packages

sudo dnf install qubes-core-agent-passwordless-root qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git

Configuring git proxy

git config --global http.proxy http://127.0.0.1:8082/

Upgrading Fedora

Running in Dom0:

qvm-clone fedora-35 fedora-36
truncate -s 5GB /var/tmp/template-upgrade-cache.img
qvm-run -a fedora-36 gnome-terminal
dev=$(sudo losetup -f --show /var/tmp/template-upgrade-cache.img)
qvm-block attach fedora-36 dom0:${dev##*/}

Running inside Fedora-36:

sudo mkfs.ext4 /dev/xvdi
sudo mount /dev/xvdi /mnt/removable
sudo dnf clean all
sudo dnf --releasever=36--setopt=cachedir=/mnt/removable --best --allowerasing distro-sync

Running inside Dom0:

qvm-shutdown fedora-36
sudo losetup -d $dev
rm /var/tmp/template-upgrade-cache.img

Whonix

Whonix-GW and Whonix-WS should be upgraded via:

upgrade-nonroot

Installing LKRG:

sudo apt install --no-install-recommends lkrg-dkms

Enabling Hardened Malloc:

echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload


Customizations


Guides


Templates


Wiki