mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-10-01 01:35:57 -04:00
Update Qubes-OS "Qube" instead of VM (#2257)
Signed-off-by: Daniel Gray <dngray@privacyguides.org>
This commit is contained in:
parent
e277417ab2
commit
465e499db1
@ -151,7 +151,7 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte
|
||||
|
||||
![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }
|
||||
|
||||
**Qubes OS** is an open-source operating system designed to provide strong security for desktop computing through secure virtual machines (a.k.a. "Qubes"). Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.
|
||||
**Qubes OS** is an open-source operating system designed to provide strong security for desktop computing through secure virtual machines (or "qubes"). Qubes is based on Xen, the X Window System, and Linux. It can run most Linux applications and use most of the Linux drivers.
|
||||
|
||||
[:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
|
||||
[:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
|
||||
@ -160,7 +160,7 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte
|
||||
[:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
|
||||
[:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }
|
||||
|
||||
Qubes OS secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system.
|
||||
Qubes OS secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate *qubes*. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the *qubes* and the core system.
|
||||
|
||||
For further information about how Qubes works, read our full [Qubes OS overview](os/qubes-overview.md) page.
|
||||
|
||||
|
@ -1,54 +1,58 @@
|
||||
---
|
||||
title: "Qubes Overview"
|
||||
icon: simple/qubesos
|
||||
description: Qubes is an operating system built around isolating apps within virtual machines for heightened security.
|
||||
description: Qubes is an operating system built around isolating apps within *qubes* (formerly "VMs") for heightened security.
|
||||
---
|
||||
[**Qubes OS**](../desktop.md#qubes-os) is an open-source operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per-case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
|
||||
[**Qubes OS**](../desktop.md#qubes-os) is an open-source operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated *qubes*, (which are Virtual Machines). You can assign each *qube* a level of trust based on its purpose. Qubes OS provides security by using isolation. It only permits actions on a per-case basis and therefore is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).
|
||||
|
||||
## How does Qubes OS work?
|
||||
|
||||
Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.
|
||||
Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) *qubes*.
|
||||
|
||||
??? "The term *qubes* is gradually being updated to avoid referring to them as "virtual machines"."
|
||||
|
||||
Some of the information here and on the Qubes OS documentation may contain conflicting language as the "appVM" term is gradually being changed to "qube". Qubes are not entire virtual machines, but maintain similar functionalities to VMs.
|
||||
|
||||
![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
|
||||
<figcaption>Qubes Architecture, Credit: What is Qubes OS Intro</figcaption>
|
||||
|
||||
Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
|
||||
Each qube has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the domain in which it runs. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.
|
||||
|
||||
![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
|
||||
<figcaption>Qubes window borders, Credit: Qubes Screenshots</figcaption>
|
||||
|
||||
## Why Should I use Qubes?
|
||||
|
||||
Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources.
|
||||
Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong security and isolation, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources, but the idea is that if a single qube is compromised it won't affect the rest of the system.
|
||||
|
||||
Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.
|
||||
Qubes OS utilizes [dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM for controlling other *qubes* on the host OS, all of which display individual application windows within dom0's desktop environment. There are many uses for this type of architecture. Here are some tasks you can perform. You can see just how much more secure these processes are made by incorporating multiple steps.
|
||||
|
||||
### Copying and Pasting Text
|
||||
|
||||
You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:
|
||||
|
||||
1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
|
||||
2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
|
||||
3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
|
||||
4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.
|
||||
1. Press **Ctrl+C** to tell the *qube* you're in that you want to copy something.
|
||||
2. Press **Ctrl+Shift+C** to tell the *qube* to make this buffer available to the global clipboard.
|
||||
3. Press **Ctrl+Shift+V** in the destination *qube* to make the global clipboard available.
|
||||
4. Press **Ctrl+V** in the destination *qube* to paste the contents in the buffer.
|
||||
|
||||
### File Exchange
|
||||
|
||||
To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
|
||||
To copy and paste files and directories (folders) from one *qube* to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other *qubes*. This is more secure than air-gapped file transfer. An air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.
|
||||
|
||||
??? info "AppVMs or qubes do not have their own file systems"
|
||||
??? "Qubes do not have their own filesystems."
|
||||
|
||||
You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.
|
||||
You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between *qubes*. When doing so the changes aren't immediately made and can be easily undone in case of an accident. When you run a *qube*, it does not have a persistent filesystem. You can create and delete files, but these changes are ephemeral.
|
||||
|
||||
### Inter-VM Interactions
|
||||
|
||||
The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
|
||||
The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).
|
||||
|
||||
## Additional Resources
|
||||
|
||||
For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).
|
||||
|
||||
- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
|
||||
- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
|
||||
- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
|
||||
- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
|
||||
- [Arguably the world's most secure operating system](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) (Open Technology Fund)
|
||||
- [Software compartmentalization vs. physical separation](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) (J. Rutkowska)
|
||||
- [Partitioning my digital life into security domains](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) (J. Rutkowska)
|
||||
- [Related Articles](https://www.qubes-os.org/news/categories/#articles) (Qubes OS)
|
||||
|
Loading…
Reference in New Issue
Block a user