Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-07-28 17:24:47 -04:00
Code Issues Projects Releases Packages Wiki Activity

Convert to RST

Browse source 
This is done using tools at
https://github.com/maiska/qubes-translation-utilz, commit
4c8e2a7f559fd37e29b51769ed1ab1c6cf92e00d.
This commit is contained in:
Marek Marczykowski-Górecki 2025-07-04 14:23:09 +02:00
parent e3db139fe3
commit 7e464d0f40
No known key found for this signature in database
GPG key ID: F32894BE9684938A
428 changed files with 32833 additions and 29703 deletions
Download patch file Download diff file Expand all files Collapse all files

27
user/downloading-installing-upgrading/download-mirrors.md
View file

@ -1,27 +0,0 @@
---
lang: en
layout: doc
permalink: /downloads/mirrors/
ref: 148
title: Download mirrors
---
**Note:** The Qubes OS Project has no control over or access to data collected at these mirrors.
List of Download Mirrors
------------------------
The full list of known Qubes download mirrors is available [here](/downloads/#mirrors).
Instructions for Mirror Operators
---------------------------------
If you are interested in offering a mirror for Qubes downloads, thank you!
We greatly appreciate your offer, and we hope these brief instructions are
helpful in streamlining the process.
* We are happy to provide rsync or HTTP master.
* Our preferred frequency is **once every 24 hours**, but anything up to once
every 6-8 hours is fine.
* For technical accommodations, please contact [Wojtek](/team/#wojtek-porczyk) or [Marek](/team/#marek-marczykowski-górecki).
* For website updates and fixes, please contact [unman](/team/#unman).

28
user/downloading-installing-upgrading/download-mirrors.rst Normal file
View file

@ -0,0 +1,28 @@
================
Download mirrors
================
**Note:** The Qubes OS Project has no control over or access to data collected at these mirrors.
List of Download Mirrors
------------------------
The full list of known Qubes download mirrors is available `here <https://www.qubes-os.org/downloads/#mirrors>__.
Instructions for Mirror Operators
---------------------------------
If you are interested in offering a mirror for Qubes downloads, thank you! We greatly appreciate your offer, and we hope these brief instructions are helpful in streamlining the process.
- We are happy to provide rsync or HTTP master.
- Our preferred frequency is **once every 24 hours**, but anything up to once every 6-8 hours is fine.
- For technical accommodations, please contact `Wojtek <https://www.qubes-os.org/team/#wojtek-porczyk>`__ or `Marek <https://www.qubes-os.org/team/#marek-marczykowski-górecki>`__.
- For website updates and fixes, please contact `unman <https://www.qubes-os.org/team/#unman>`__.

11
user/downloading-installing-upgrading/downloads.md
View file

@ -1,11 +0,0 @@
---
lang: en
layout: site
permalink: /downloads/
redirect_from:
- /doc/QubesDownloads/
- /wiki/QubesDownloads/
ref: 2
title: Download Qubes&nbsp;OS
---
{% include downloads.html %}

78
user/downloading-installing-upgrading/install-security.md
View file

@ -1,78 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/install-security/
redirect_from:
- /en/doc/install-security/
- /doc/InstallSecurity/
- /wiki/InstallSecurity/
ref: 149
title: Installation security
---
There are several security matters to consider before and during the Qubes installation process.
## Trusting your hardware
No operating system, not even Qubes, can help you if you're installing it on hardware that is already compromised.
This includes CPUs, GPUs, SSDs, HDDs, the motherboard, BIOS/EFI/UEFI, and all relevant firmware.
Unfortunately, in today's world of undetectable supply chain attacks, there are no easy solutions.
(Tools like [Anti Evil Maid (AEM)](/doc/anti-evil-maid/) can help with *maintaining* the trustworthiness of your hardware, but not with establishing it in the first place.)
Some users have chosen to use tools like [Coreboot](https://www.coreboot.org/), [Heads](https://osresearch.net/), and [Skulls](https://github.com/merge/skulls).
## Verifying the Qubes ISO
You should [verify](/security/verifying-signatures/) the PGP signature on your Qubes ISO before you install from it.
However, if the machine on which you attempt the verification process is already compromised, it could falsely claim that a malicious ISO has a good signature.
Therefore, in order to be certain that your Qubes ISO is trustworthy, you require a trustworthy machine.
But how can you be certain *that* machine is trustworthy?
Only by using another trusted machine, and so forth.
This is a [classic problem](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf).
While various [solutions](https://www.dwheeler.com/trusting-trust/) have been proposed, the point is that each user must ultimately make a choice about whether to trust that a file is non-malicious.
## Choosing an installation medium
So, after taking some measures to verify its integrity and authenticity, you've decided to trust your Qubes ISO.
Great!
Now you must decide what sort of medium on which to write it so that you can install from it.
From a Qubes-specific security perspective, each has certain pros and cons.
### USB drives
Pros:
* Works via USB, including with a [USB qube](/doc/usb-qubes/).
* Non-fixed capacity.
(Easy to find one on which the ISO can fit.)
Cons:
* Rewritable.
(If the drive is mounted to a compromised machine, the ISO could be maliciously altered after it has been written to the drive.)
* Untrustworthy firmware.
(Firmware can be malicious even if the drive is new.
Plugging a drive with rewritable firmware into a compromised machine can also [compromise the drive](https://web.archive.org/web/20160304013434/https://srlabs.de/badusb/).
Installing from a compromised drive could compromise even a brand new Qubes installation.)
### Optical discs
Pros:
* Read-only available.
(If you use read-only media, you don't have to worry about the ISO being maliciously altered after it has been written to the disc.
You then have the option of verifying the signature on multiple different machines.)
Cons:
* Fixed capacity.
(If the size of the ISO is larger than your disc, it will be inconvenient.)
* Passthrough recording (a.k.a., "burning") is not supported by Xen.
(This mainly applies if you're upgrading from a previous version of Qubes.)
Currently, the only options for recording optical discs (e.g., CDs, DVDs, BRDs) in Qubes are:
1. Use a USB optical drive.
2. Attach a SATA optical drive to a secondary SATA controller, then assign this secondary SATA controller to an app qube.
3. Use a SATA optical drive attached to dom0.
(Option 3 violates the Qubes security model since it entails transferring an untrusted ISO to dom0 in order to burn it to disc, which leaves only the other two options.)
Considering the pros and cons of each, perhaps a USB drive with non-rewritable (or at least cryptographically-signed) firmware and a physical write-protect switch might be the best option.

73
user/downloading-installing-upgrading/install-security.rst Normal file
View file

@ -0,0 +1,73 @@
=====================
Installation security
=====================
There are several security matters to consider before and during the Qubes installation process.
Trusting your hardware
----------------------
No operating system, not even Qubes, can help you if youre installing it on hardware that is already compromised. This includes CPUs, GPUs, SSDs, HDDs, the motherboard, BIOS/EFI/UEFI, and all relevant firmware. Unfortunately, in todays world of undetectable supply chain attacks, there are no easy solutions. (Tools like :doc:`Anti Evil Maid (AEM) </user/security-in-qubes/anti-evil-maid>` can help with *maintaining* the trustworthiness of your hardware, but not with establishing it in the first place.) Some users have chosen to use tools like `Coreboot <https://www.coreboot.org/>`__, `Heads <https://osresearch.net/>`__, and `Skulls <https://github.com/merge/skulls>`__.
Verifying the Qubes ISO
-----------------------
You should :doc:`verify </project-security/verifying-signatures>` the PGP signature on your Qubes ISO before you install from it. However, if the machine on which you attempt the verification process is already compromised, it could falsely claim that a malicious ISO has a good signature. Therefore, in order to be certain that your Qubes ISO is trustworthy, you require a trustworthy machine. But how can you be certain *that* machine is trustworthy? Only by using another trusted machine, and so forth. This is a `classic problem <https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf>`__. While various `solutions <https://www.dwheeler.com/trusting-trust/>`__ have been proposed, the point is that each user must ultimately make a choice about whether to trust that a file is non-malicious.
Choosing an installation medium
-------------------------------
So, after taking some measures to verify its integrity and authenticity, youve decided to trust your Qubes ISO. Great! Now you must decide what sort of medium on which to write it so that you can install from it. From a Qubes-specific security perspective, each has certain pros and cons.
USB drives
^^^^^^^^^^
Pros:
- Works via USB, including with a :doc:`USB qube </user/advanced-topics/usb-qubes>`.
- Non-fixed capacity. (Easy to find one on which the ISO can fit.)
Cons:
- Rewritable. (If the drive is mounted to a compromised machine, the ISO could be maliciously altered after it has been written to the drive.)
- Untrustworthy firmware. (Firmware can be malicious even if the drive is new. Plugging a drive with rewritable firmware into a compromised machine can also `compromise the drive <https://web.archive.org/web/20160304013434/https://srlabs.de/badusb/>`__. Installing from a compromised drive could compromise even a brand new Qubes installation.)
Optical discs
^^^^^^^^^^^^^
Pros:
- Read-only available. (If you use read-only media, you dont have to worry about the ISO being maliciously altered after it has been written to the disc. You then have the option of verifying the signature on multiple different machines.)
Cons:
- Fixed capacity. (If the size of the ISO is larger than your disc, it will be inconvenient.)
- Passthrough recording (a.k.a., “burning”) is not supported by Xen. (This mainly applies if youre upgrading from a previous version of Qubes.) Currently, the only options for recording optical discs (e.g., CDs, DVDs, BRDs) in Qubes are:
1. Use a USB optical drive.
2. Attach a SATA optical drive to a secondary SATA controller, then assign this secondary SATA controller to an app qube.
3. Use a SATA optical drive attached to dom0.
(Option 3 violates the Qubes security model since it entails transferring an untrusted ISO to dom0 in order to burn it to disc, which leaves only the other two options.)
Considering the pros and cons of each, perhaps a USB drive with non-rewritable (or at least cryptographically-signed) firmware and a physical write-protect switch might be the best option.

301
user/downloading-installing-upgrading/installation-guide-4.1.md
View file

@ -1,301 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/installation-guide-4.1/
redirect_from:
ref: 901
title: Qubes 4.1 Installation guide
---
Welcome to the Qubes OS installation guide! This guide will walk you through the process of installing Qubes. Please read it carefully and thoroughly, as it contains important information for ensuring that your Qubes OS installation is functional and secure.
## Pre-installation
### Hardware requirements
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Qubes has no control over what happens on your computer before you install it. No software can provide security if it is installed on compromised hardware. Do not install Qubes on a computer you don't trust. See <a href="/doc/install-security/">installation security</a> for more information.
</div>
Qubes OS has very specific [system requirements](/doc/system-requirements/). To ensure compatibility, we strongly recommend using [Qubes-certified hardware](/doc/certified-hardware/). Other hardware may require you to perform significant troubleshooting. You may also find it helpful to consult the [Hardware Compatibility List](/hcl/).
Even on supported hardware, you must ensure that [IOMMU-based virtualization](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization) is activated in the BIOS or UEFI. Without it, Qubes OS won't be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**). This parameter should be activated in your computer's BIOS or UEFI, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions. This [external guide](https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html) made for Intel-based boards can help you figure out how to enter your BIOS or UEFI to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Qubes OS is not meant to be installed inside a virtual machine as a guest hypervisor. In other words, <b>nested virtualization</b> is not supported. In order for a strict compartmentalization to be enforced, Qubes OS needs to be able to manage the hardware directly.
</div>
### Copying the ISO onto the installation medium
Pick the most secure existing computer and OS you have available for downloading and copying the Qubes ISO onto the installation medium. [Download](/downloads/) a Qubes ISO.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Any file you download from the internet could be malicious, even if it appears to come from a trustworthy source. Our philosophy is to <a href="/faq/#what-does-it-mean-to-distrust-the-infrastructure">distrust the infrastructure</a>. Regardless of how you acquire your Qubes ISO, <a href="/security/verifying-signatures/">verify its authenticity</a> before continuing.
</div>
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a USB drive, dual-layer DVD, or Blu-ray disc. The size of each Qubes ISO is available on the [downloads](/downloads/) page by hovering over the download button. The instructions below assume you've chosen a USB drive as your medium. If you've chosen a different medium, please adapt the instructions accordingly.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> There are important <a href="/doc/install-security/">security considerations</a> to keep in mind when choosing an installation medium. Advanced users may wish to <a href="/security/verifying-signatures/#how-to-re-verify-installation-media-after-writing">re-verify their installation media after writing</a>.
</div>
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Be careful to choose the correct device when copying the ISO, or you may lose data. We strongly recommended making a full backup before modifying any devices.
</div>
#### Linux ISO to USB
On Linux, if you choose to use a USB drive, copy the ISO onto the USB device, e.g. using `dd`:
```
$ sudo dd if=Qubes-RX-x86_64.iso of=/dev/sdY status=progress bs=1048576 conv=fsync
```
Change `Qubes-RX-x86_64.iso` to the filename of the version you're installing, and change `/dev/sdY` to the correct target device e.g., `/dev/sdc`). Make sure to write to the entire device (e.g., `/dev/sdc`) rather than just a single partition (e.g., `/dev/sdc1`).
#### Windows ISO to USB
On Windows, you can use the [Rufus](https://rufus.akeo.ie/) tool to write the ISO to a USB key. Be sure to select "Write in DD Image mode" *after* selecting the Qubes ISO and pressing "START" on the Rufus main window.
<div class="alert alert-info" role="alert">
<i class="fa fa-info-circle"></i>
<b>Note:</b> Using Rufus to create the installation medium means that you <a href="https://github.com/QubesOS/qubes-issues/issues/2051">won't be able</a> to choose the "Test this media and install Qubes OS" option mentioned in the example below. Instead, choose the "Install Qubes OS" option.
</div>
[![Rufus menu](/attachment/doc/rufus-menu.png)](/attachment/doc/rufus-menu.png)
[![Rufus DD image mode](/attachment/doc/rufus-dd-image-mode.png)](/attachment/doc/rufus-dd-image-mode.png)
## Installation
This section will demonstrate a simple installation using mostly default settings.
### Getting to the boot screen
"Booting" is the process of starting your computer. When a computer boots up, it first runs low-level software before the main operating system. Depending on the computer, this low-level software is may be called the ["BIOS"](https://en.wikipedia.org/wiki/BIOS) or ["UEFI"](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface).
Since you're installing Qubes OS, you'll need to access your computer's BIOS or UEFI menu so that you can tell it to boot from the USB drive to which you just copied the Qubes installer ISO.
To begin, power off your computer and plug the USB drive into a USB port, but don't press the power button yet. Right after you press the power button, you'll have to immediately press a specific key to enter the BIOS or UEFI menu. The key to press varies from brand to brand. `Esc`, `Del`, and `F10` are common ones. If you're not sure, you can search the web for `<COMPUTER_MODEL> BIOS key` or `<COMPUTER_MODEL> UEFI key` (replacing `<COMPUTER_MODEL>` with your specific computer model) or look it up in your computer's manual.
Once you know the key to press, press your computer's power button, then repeatedly press that key until you've entered your computer's BIOS or UEFI menu. To give you and idea of what you should be looking for, we've provided a couple of example photos below.
Here's an example of what the BIOS menu looks like on a ThinkPad T430:
[![ThinkPad T430 BIOS menu](/attachment/doc/Thinkpad-t430-bios-main.jpg)](/attachment/doc/Thinkpad-t430-bios-main.jpg)
And here's an example of what a UEFI menu looks like:
[![UEFI menu](/attachment/doc/uefi.jpeg)](/attachment/doc/uefi.jpeg)
Once you access your computer's BIOS or UEFI menu, you'll want to go to the "boot menu," which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and you're not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then you'll want to move your USB drive to the top so that the Qubes installer runs before anything else.
Once you're done on the boot menu, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If you're not sure whether you've saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, don't press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If you're successful in this step, after a few seconds you'll be presented with the Qubes installer screen:
[![Boot screen](/attachment/doc/boot-screen.png)](/attachment/doc/boot-screen.png)
From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options. You can choose one of three options:
* Install Qubes OS
* Test this media and install Qubes OS
* Troubleshooting
Select the option to test this media and install Qubes OS.
<div class="alert alert-info" role="alert">
<i class="fa fa-info-circle"></i>
<b>Note:</b> If the latest stable release is not compatible with your hardware, you may wish to consider <a href="/doc/testing/">testing a newer release</a>.
</div>
If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
### The installer home screen
On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select **Continue**.
[![welcome](/attachment/doc/welcome-to-qubes-os-installation-screen.png)](/attachment/doc/welcome-to-qubes-os-installation-screen.png)
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
[![Unsupported hardware detected](/attachment/doc/unsupported-hardware-detected.png)](/attachment/doc/unsupported-hardware-detected.png)
Do not panic. It may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS or UEFI. Return to the [hardware requirements](#hardware-requirements) section to learn how to activate it. If the setting is not configured correctly, it means that your hardware won't be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
If the test passes, you will reach the installation summary screen. The installer loads Xen right at the beginning. If you can see the installer's graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with RPM-based distributions should feel at home.
### Installation summary
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
<b>Did you know?</b> The Qubes OS installer is completely offline. It doesn't even load any networking drivers, so there is no possibility of internet-based data leaks or attacks during the installation process.
</div>
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
[![Installation summary not ready](/attachment/doc/installation-summary-not-ready.png)](/attachment/doc/installation-summary-not-ready.png)
### Localization
Let's assume you wish to add a German keyboard layout. Go to Keyboard Layout, press the "Plus" symbol, search for "German" as indicated in the screenshot and press "Add". If you want it be your default language, select the "German" entry in the list and press the arrow button. Click on "Done" in the upper left corner, and you're ready to go!
[![Keyboard layout selection](/attachment/doc/keyboard-layout-selection.png)](/attachment/doc/keyboard-layout-selection.png)
The process to select a new language is similar to the process to select a new keyboard layout. Follow the same process in the "Language Support" entry.
[![Language support selection](/attachment/doc/language-support-selection.png)](/attachment/doc/language-support-selection.png)
You can have as many keyboard layout and languages as you want. Post-install, you will be able to switch between them and install others.
Don't forget to select your time and date by clicking on the Time & Date entry.
[![Time and date](/attachment/doc/time-and-date.png)](/attachment/doc/time-and-date.png)
### Software
[![Add-ons](/attachment/doc/add-ons.png)](/attachment/doc/add-ons.png)
On the software selection tab, you can choose which software to install in Qubes OS. Two options are available:
* **Debian:** Select this option if you would like to use [Debian](/doc/templates/debian/) qubes in addition to the default Fedora qubes.
* **Whonix:** Select this option if you would like to use [Whonix](https://www.whonix.org/wiki/Qubes) qubes. Whonix allows you to use [Tor](https://www.torproject.org/) securely within Qubes.
Whonix lets you route some or all of your network traffic through Tor for greater privacy. Depending on your threat model, you may need to install Whonix templates right away.
Regardless of your choices on this screen, you will always be able to install these and other [templates](/doc/templates/) later. If you're short on disk space, you may wish to deselect these options.
By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment. Other desktop environments will be available to you after the installation is completed, though they may not be officially supported (see [advanced topics](/doc/#advanced-topics)).
Press **Done** to go back to the installation summary screen.
### Installation destination
Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Be careful to choose the correct installation target, or you may lose data. We strongly recommended making a full backup before proceeding.
</div>
Your installation destination can be an internal or external storage drive, such as an SSD, HDD, or USB drive. The installation destination must have a least 32 GiB of free space available.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> The installation destination cannot be the same as the installation medium. For example, if you're installing Qubes OS <em>from</em> a USB drive <em>onto</em> a USB drive, they must be two distinct USB drives, and they must both be plugged into your computer at the same time. (Note: This may not apply to advanced users who partition their devices appropriately.)
</div>
Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
[![Select storage device](/attachment/doc/select-storage-device.png)](/attachment/doc/select-storage-device.png)
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
<b>Did you know?</b> By default, Qubes OS uses <a href="https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup">LUKS</a>/<a href="https://en.wikipedia.org/wiki/Dm-crypt">dm-crypt</a> to encrypt everything except the <code>/boot</code> partition.
</div>
As soon as you press **Done**, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When you're finished, press **Done**.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> If you forget your encryption passphrase, there is no way to recover it.
</div>
[![Select storage passhprase](/attachment/doc/select-storage-passphrase.png)](/attachment/doc/select-storage-passphrase.png)
When you're ready, press **Begin Installation**.
[![Installation summary ready](/attachment/doc/installation-summary-ready.png)](/attachment/doc/installation-summary-ready.png)
### Create your user account
While the installation process is running, you can create your user account. This is what you'll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
Select **User Creation** to define a new user with administrator privileges and a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
[![Account name and password](/attachment/doc/account-name-and-password.png)](/attachment/doc/account-name-and-password.png)
When the installation is complete, press **Reboot**. Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
## Post-installation
### First boot
If the installation was successful, you should now see the GRUB menu during the boot process.
[![Grub boot menu](/attachment/doc/grub-boot-menu.png)](/attachment/doc/grub-boot-menu.png)
Just after this screen, you will be asked to enter your encryption passphrase.
[![Unlock storage device screen](/attachment/doc/unlock-storage-device-screen.png)](/attachment/doc/unlock-storage-device-screen.png)
### Initial Setup
You're almost done. Before you can start using Qubes OS, some configuration is needed.
[![Initial setup menu](/attachment/doc/initial-setup-menu.png)](/attachment/doc/initial-setup-menu.png)
By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
[![Initial setup menu configuration](/attachment/doc/initial-setup-menu-configuration.png)](/attachment/doc/initial-setup-menu-configuration.png)
Let's briefly go over the options:
* **Create default system qubes:** These are the core components of the system, required for things like internet access.
* **Create default application qubes:** These are how you compartmentalize your digital life. There's nothing special about the ones the installer creates. They're just suggestions that apply to most people. If you decide you don't want them, you can always delete them later, and you can always create your own.
* **Create Whonix Gateway and Workstation qubes:** If you want to use Whonix, you should select this option.
* **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
* **Create USB qube holding all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
* **Use sys-net qube for both networking and USB devices:** You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
* **Do not configure anything:** This is for very advanced users only. If you select this option, you'll have to set everything up manually afterward.
When you're satisfied with you choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
After the configuration is done, you will be greeted by the login screen. Enter your password and log in.
[![Login screen](/attachment/doc/login-screen.png)](/attachment/doc/login-screen.png)
Congratulations, you are now ready to use Qubes OS!
[![Desktop menu](/attachment/doc/desktop-menu.png)](/attachment/doc/desktop-menu.png)
## Next steps
### Updating
Next, [update](/doc/how-to-update/) your installation to ensure you have the latest security updates. Frequently updating is one of the best ways to remain secure against new threats.
### Security
The Qubes OS Project occasionally issues [Qubes Security Bulletins (QSBs)](/security/qsb/) as part of the [Qubes Security Pack (qubes-secpack)](/security/pack/). It is important to make sure that you receive all QSBs in a timely manner so that you can take action to keep your system secure. (While [updating](#updating) will handle most security needs, there may be cases in which additional action from you is required.) For this reason, we strongly recommend that every Qubes user subscribe to the [qubes-announce](/support/#qubes-announce) mailing list.
In addition to QSBs, the Qubes OS Project also publishes [Canaries](/security/canary/), XSA summaries, template releases and end-of-life notices, and other items of interest to Qubes users. Since these are not essential for all Qubes users to read, they are not sent to [qubes-announce](/support/#qubes-announce) in order to keep the volume on that list low. However, we expect that most users, especially novice users, will find them helpful. If you are interested in these additional items, we encourage you to subscribe to the [Qubes News RSS feed](/feed.xml) or join one of our other [venues](/support/), where these news items are also announced.
For more information about Qubes OS Project security, please see the [security center](/security/).
### Backups
It is extremely important to make regular backups so that you don't lose your data unexpectedly. The [Qubes backup system](/doc/how-to-back-up-restore-and-migrate/) allows you to do this securely and easily.
### Submit your HCL report
Consider giving back to the Qubes community and helping other users by [generating and submitting a Hardware Compatibility List (HCL) report](/doc/how-to-use-the-hcl/#generating-and-submitting-new-reports).
### Get Started
Find out [Getting Started](/doc/getting-started/) with Qubes, check out the other [How-To Guides](/doc/#how-to-guides), and learn about [Templates](/doc/#templates).
## Getting help
* We work very hard to make the [documentation](/doc/) accurate, comprehensive useful and user friendly. We urge you to read it! It may very well contain the answers to your questions. (Since the documentation is a community effort, we'd also greatly appreciate your help in [improving](/doc/how-to-edit-the-documentation/) it!)
* If issues arise during installation, see the [Installation Troubleshooting](/doc/installation-troubleshooting) guide.
* If you don't find your answer in the documentation, please see [Help, Support, Mailing Lists, and Forum](/support/) for places to ask.
* Please do **not** email individual members of the Qubes team with questions about installation or other problems. Instead, please see [Help, Support, Mailing Lists, and Forum](/support/) for appropriate places to ask questions.

420
user/downloading-installing-upgrading/installation-guide-4.1.rst Normal file
View file

@ -0,0 +1,420 @@
============================
Qubes 4.1 Installation guide
============================
Welcome to the Qubes OS installation guide! This guide will walk you through the process of installing Qubes. Please read it carefully and thoroughly, as it contains important information for ensuring that your Qubes OS installation is functional and secure.
Pre-installation
----------------
Hardware requirements
^^^^^^^^^^^^^^^^^^^^^
.. DANGER::
**Warning:** Qubes has no control over what happens on your computer before you install it. No software can provide security if it is installed on compromised hardware. Do not install Qubes on a computer you dont trust. See :doc:`installation security </user/downloading-installing-upgrading/install-security>` for more information.
Qubes OS has very specific :doc:`system requirements </user/hardware/system-requirements>`. To ensure compatibility, we strongly recommend using :doc:`Qubes-certified hardware </user/hardware/certified-hardware/certified-hardware>`. Other hardware may require you to perform significant troubleshooting. You may also find it helpful to consult the `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`__.
Even on supported hardware, you must ensure that `IOMMU-based virtualization <https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization>`__ is activated in the BIOS or UEFI. Without it, Qubes OS wont be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**). This parameter should be activated in your computers BIOS or UEFI, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions. This `external guide <https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html>`__ made for Intel-based boards can help you figure out how to enter your BIOS or UEFI to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab.
.. warning::
**Note:** Qubes OS is not meant to be installed inside a virtual machine as a guest hypervisor. In other words, *nested virtualization* is not supported. In order for a strict compartmentalization to be enforced, Qubes OS needs to be able to manage the hardware directly.
Copying the ISO onto the installation medium
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Pick the most secure existing computer and OS you have available for downloading and copying the Qubes ISO onto the installation medium. `Download <https://www.qubes-os.org/downloads/>`__ a Qubes ISO.
.. DANGER::
**Warning:** Any file you download from the internet could be malicious, even if it appears to come from a trustworthy source. Our philosophy is to :ref:`distrust the infrastructure <introduction/faq:what does it mean to "distrust the infrastructure"?>` . Regardless of how you acquire your Qubes ISO, :doc:`verify its authenticity </project-security/verifying-signatures>` before continuing.
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a USB drive, dual-layer DVD, or Blu-ray disc. The size of each Qubes ISO is available on the `downloads <https://www.qubes-os.org/downloads/>`__ page by hovering over the download button. The instructions below assume youve chosen a USB drive as your medium. If youve chosen a different medium, please adapt the instructions accordingly.
.. warning::
**Note:** There are important :doc:`security considerations </user/downloading-installing-upgrading/install-security>` to keep in mind when choosing an installation medium. Advanced users may wish to :ref:`re-verify their installation media after writing <project-security/verifying-signatures:how to re-verify installation media after writing>` .
.. DANGER::
**Warning:** Be careful to choose the correct device when copying the ISO, or you may lose data. We strongly recommended making a full backup before modifying any devices.
Linux ISO to USB
^^^^^^^^^^^^^^^^
On Linux, if you choose to use a USB drive, copy the ISO onto the USB device, e.g. using ``dd``:
.. code:: bash
$ sudo dd if=Qubes-RX-x86_64.iso of=/dev/sdY status=progress bs=1048576 conv=fsync
Change ``Qubes-RX-x86_64.iso`` to the filename of the version youre installing, and change ``/dev/sdY`` to the correct target device e.g., ``/dev/sdc``). Make sure to write to the entire device (e.g., ``/dev/sdc``) rather than just a single partition (e.g., ``/dev/sdc1``).
Windows ISO to USB
^^^^^^^^^^^^^^^^^^
On Windows, you can use the `Rufus <https://rufus.akeo.ie/>`__ tool to write the ISO to a USB key. Be sure to select “Write in DD Image mode” *after* selecting the Qubes ISO and pressing “START” on the Rufus main window.
.. note::
**Note:** Using Rufus to create the installation medium means that you `wont be able <https://github.com/QubesOS/qubes-issues/issues/2051>`__ to choose the “Test this media and install Qubes OS” option mentioned in the example below. Instead, choose the “Install Qubes OS” option.
|Rufus menu|
|Rufus DD image mode|
Installation
------------
This section will demonstrate a simple installation using mostly default settings.
Getting to the boot screen
^^^^^^^^^^^^^^^^^^^^^^^^^^
“Booting” is the process of starting your computer. When a computer boots up, it first runs low-level software before the main operating system. Depending on the computer, this low-level software is may be called the `“BIOS” <https://en.wikipedia.org/wiki/BIOS>`__ or `“UEFI” <https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface>`__.
Since youre installing Qubes OS, youll need to access your computers BIOS or UEFI menu so that you can tell it to boot from the USB drive to which you just copied the Qubes installer ISO.
To begin, power off your computer and plug the USB drive into a USB port, but dont press the power button yet. Right after you press the power button, youll have to immediately press a specific key to enter the BIOS or UEFI menu. The key to press varies from brand to brand. ``Esc``, ``Del``, and ``F10`` are common ones. If youre not sure, you can search the web for ``<COMPUTER_MODEL> BIOS key`` or ``<COMPUTER_MODEL> UEFI key`` (replacing ``<COMPUTER_MODEL>`` with your specific computer model) or look it up in your computers manual.
Once you know the key to press, press your computers power button, then repeatedly press that key until youve entered your computers BIOS or UEFI menu. To give you and idea of what you should be looking for, weve provided a couple of example photos below.
Heres an example of what the BIOS menu looks like on a ThinkPad T430:
|ThinkPad T430 BIOS menu|
And heres an example of what a UEFI menu looks like:
|UEFI menu|
Once you access your computers BIOS or UEFI menu, youll want to go to the “boot menu,” which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and youre not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then youll want to move your USB drive to the top so that the Qubes installer runs before anything else.
Once youre done on the boot menu, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If youre not sure whether youve saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, dont press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If youre successful in this step, after a few seconds youll be presented with the Qubes installer screen:
|Boot screen|
From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the “Tab” key will reveal options. You can choose one of three options:
- Install Qubes OS
- Test this media and install Qubes OS
- Troubleshooting
Select the option to test this media and install Qubes OS.
.. note::
**Note:** If the latest stable release is not compatible with your hardware, you may wish to consider :doc:`testing a newer release </user/downloading-installing-upgrading/testing>` .
If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an `advanced reboot <https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings>`__.
The installer home screen
^^^^^^^^^^^^^^^^^^^^^^^^^
On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select **Continue**.
|welcome|
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
|Unsupported hardware detected|
Do not panic. It may simply indicate that IOMMU-virtualization hasnt been activated in the BIOS or UEFI. Return to the `hardware requirements <#hardware-requirements>`__ section to learn how to activate it. If the setting is not configured correctly, it means that your hardware wont be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
If the test passes, you will reach the installation summary screen. The installer loads Xen right at the beginning. If you can see the installers graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with RPM-based distributions should feel at home.
Installation summary
^^^^^^^^^^^^^^^^^^^^
.. note::
**Did you know?** The Qubes OS installer is completely offline. It doesnt even load any networking drivers, so there is no possibility of internet-based data leaks or attacks during the installation process.
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
|Installation summary not ready|
Localization
^^^^^^^^^^^^
Lets assume you wish to add a German keyboard layout. Go to Keyboard Layout, press the “Plus” symbol, search for “German” as indicated in the screenshot and press “Add”. If you want it be your default language, select the “German” entry in the list and press the arrow button. Click on “Done” in the upper left corner, and youre ready to go!
|Keyboard layout selection|
The process to select a new language is similar to the process to select a new keyboard layout. Follow the same process in the “Language Support” entry.
|Language support selection|
You can have as many keyboard layout and languages as you want. Post-install, you will be able to switch between them and install others.
Dont forget to select your time and date by clicking on the Time & Date entry.
|Time and date|
Software
^^^^^^^^
|Add-ons|
On the software selection tab, you can choose which software to install in Qubes OS. Two options are available:
- **Debian:** Select this option if you would like to use :doc:`Debian </user/templates/debian/debian>` qubes in addition to the default Fedora qubes.
- **Whonix:** Select this option if you would like to use `Whonix <https://www.whonix.org/wiki/Qubes>`__ qubes. Whonix allows you to use `Tor <https://www.torproject.org/>`__ securely within Qubes.
Whonix lets you route some or all of your network traffic through Tor for greater privacy. Depending on your threat model, you may need to install Whonix templates right away.
Regardless of your choices on this screen, you will always be able to install these and other :doc:`templates </user/templates/templates>` later. If youre short on disk space, you may wish to deselect these options.
By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment. Other desktop environments will be available to you after the installation is completed, though they may not be officially supported (see :ref:`advanced topics <advanced-topics>`).
Press **Done** to go back to the installation summary screen.
Installation destination
^^^^^^^^^^^^^^^^^^^^^^^^
Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
.. DANGER::
**Warning:** Be careful to choose the correct installation target, or you may lose data. We strongly recommended making a full backup before proceeding.
Your installation destination can be an internal or external storage drive, such as an SSD, HDD, or USB drive. The installation destination must have a least 32 GiB of free space available.
.. warning::
**Note:** The installation destination cannot be the same as the installation medium. For example, if youre installing Qubes OS *from* a USB drive *onto* a USB drive, they must be two distinct USB drives, and they must both be plugged into your computer at the same time. (**Note:** This may not apply to advanced users who partition their devices appropriately.)
Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
|Select storage device|
.. note::
**Did you know?** By default, Qubes OS uses `LUKS <https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup>`__ /`dm-crypt <https://en.wikipedia.org/wiki/Dm-crypt>`__ to encrypt everything except the ``/boot`` partition.
As soon as you press **Done**, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When youre finished, press **Done**.
.. DANGER::
**Warning:** If you forget your encryption passphrase, there is no way to recover it.
|Select storage passhprase|
When youre ready, press **Begin Installation**.
|Installation summary ready|
Create your user account
^^^^^^^^^^^^^^^^^^^^^^^^
While the installation process is running, you can create your user account. This is what youll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
Select **User Creation** to define a new user with administrator privileges and a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
|Account name and password|
When the installation is complete, press **Reboot**. Dont forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
Post-installation
-----------------
First boot
^^^^^^^^^^
If the installation was successful, you should now see the GRUB menu during the boot process.
|Grub boot menu|
Just after this screen, you will be asked to enter your encryption passphrase.
|Unlock storage device screen|
Initial Setup
^^^^^^^^^^^^^
Youre almost done. Before you can start using Qubes OS, some configuration is needed.
|Initial setup menu|
By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
|Initial setup menu configuration|
Lets briefly go over the options:
- **Create default system qubes:** These are the core components of the system, required for things like internet access.
- **Create default application qubes:** These are how you compartmentalize your digital life. Theres nothing special about the ones the installer creates. Theyre just suggestions that apply to most people. If you decide you dont want them, you can always delete them later, and you can always create your own.
- **Create Whonix Gateway and Workstation qubes:** If you want to use Whonix, you should select this option.
- **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
- **Create USB qube holding all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
- **Use sys-net qube for both networking and USB devices:** You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
- **Do not configure anything:** This is for very advanced users only. If you select this option, youll have to set everything up manually afterward.
When youre satisfied with you choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
After the configuration is done, you will be greeted by the login screen. Enter your password and log in.
|Login screen|
Congratulations, you are now ready to use Qubes OS!
|Desktop menu|
Next steps
----------
Updating
^^^^^^^^
Next, :doc:`update </user/how-to-guides/how-to-update>` your installation to ensure you have the latest security updates. Frequently updating is one of the best ways to remain secure against new threats.
Security
^^^^^^^^
The Qubes OS Project occasionally issues `Qubes Security Bulletins (QSBs) <https://www.qubes-os.org/security/qsb/>`__ as part of the :doc:`Qubes Security Pack (qubes-secpack) </project-security/security-pack>`. It is important to make sure that you receive all QSBs in a timely manner so that you can take action to keep your system secure. (While `updating <#updating>`__ will handle most security needs, there may be cases in which additional action from you is required.) For this reason, we strongly recommend that every Qubes user subscribe to the :ref:`qubes-announce <introduction/support:qubes-announce>` mailing list.
In addition to QSBs, the Qubes OS Project also publishes `Canaries <https://www.qubes-os.org/security/canary/>`__, XSA summaries, template releases and end-of-life notices, and other items of interest to Qubes users. Since these are not essential for all Qubes users to read, they are not sent to :ref:`qubes-announce <introduction/support:qubes-announce>` in order to keep the volume on that list low. However, we expect that most users, especially novice users, will find them helpful. If you are interested in these additional items, we encourage you to subscribe to the `Qubes News RSS feed <https://www.qubes-os.org/feed.xml>`__ or join one of our other :doc:`venues </introduction/support>`, where these news items are also announced.
For more information about Qubes OS Project security, please see the :doc:`security center </project-security/security>`.
Backups
^^^^^^^
It is extremely important to make regular backups so that you dont lose your data unexpectedly. The :doc:`Qubes backup system </user/how-to-guides/how-to-back-up-restore-and-migrate>` allows you to do this securely and easily.
Submit your HCL report
^^^^^^^^^^^^^^^^^^^^^^
Consider giving back to the Qubes community and helping other users by :ref:`generating and submitting a Hardware Compatibility List (HCL) report <user/hardware/how-to-use-the-hcl:generating and submitting new reports>`.
Get Started
^^^^^^^^^^^
Find out :doc:`Getting Started </introduction/getting-started>` with Qubes, check out the other :ref:`How-To Guides <how-to-guides>`, and learn about :ref:`Templates <templates>`.
Getting help
------------
- We work very hard to make the :doc:`documentation </index>` accurate, comprehensive useful and user friendly. We urge you to read it! It may very well contain the answers to your questions. (Since the documentation is a community effort, wed also greatly appreciate your help in `improving <https://www.qubes-os.org/doc/how-to-edit-the-documentation/>`__ it!)
- If issues arise during installation, see the :doc:`Installation Troubleshooting </user/troubleshooting/installation-troubleshooting>` guide.
- If you dont find your answer in the documentation, please see :doc:`Help, Support, Mailing Lists, and Forum </introduction/support>` for places to ask.
- Please do **not** email individual members of the Qubes team with questions about installation or other problems. Instead, please see :doc:`Help, Support, Mailing Lists, and Forum </introduction/support>` for appropriate places to ask questions.
.. |Rufus menu| image:: /attachment/doc/rufus-menu.png
.. |Rufus DD image mode| image:: /attachment/doc/rufus-dd-image-mode.png
.. |ThinkPad T430 BIOS menu| image:: /attachment/doc/Thinkpad-t430-bios-main.jpg
.. |UEFI menu| image:: /attachment/doc/uefi.jpeg
.. |Boot screen| image:: /attachment/doc/boot-screen.png
.. |welcome| image:: /attachment/doc/welcome-to-qubes-os-installation-screen.png
.. |Unsupported hardware detected| image:: /attachment/doc/unsupported-hardware-detected.png
.. |Installation summary not ready| image:: /attachment/doc/installation-summary-not-ready.png
.. |Keyboard layout selection| image:: /attachment/doc/keyboard-layout-selection.png
.. |Language support selection| image:: /attachment/doc/language-support-selection.png
.. |Time and date| image:: /attachment/doc/time-and-date.png
.. |Add-ons| image:: /attachment/doc/add-ons.png
.. |Select storage device| image:: /attachment/doc/select-storage-device.png
.. |Select storage passhprase| image:: /attachment/doc/select-storage-passphrase.png
.. |Installation summary ready| image:: /attachment/doc/installation-summary-ready.png
.. |Account name and password| image:: /attachment/doc/account-name-and-password.png
.. |Grub boot menu| image:: /attachment/doc/grub-boot-menu.png
.. |Unlock storage device screen| image:: /attachment/doc/unlock-storage-device-screen.png
.. |Initial setup menu| image:: /attachment/doc/initial-setup-menu.png
.. |Initial setup menu configuration| image:: /attachment/doc/initial-setup-menu-configuration.png
.. |Login screen| image:: /attachment/doc/login-screen.png
.. |Desktop menu| image:: /attachment/doc/desktop-menu.png

306
user/downloading-installing-upgrading/installation-guide.md
View file

@ -1,306 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/installation-guide/
redirect_from:
- /en/doc/installation-guide/
- /doc/InstallationGuide/
- /wiki/InstallationGuide/
- /doc/InstallationGuideR1/
- /doc/InstallationGuideR2B1/
- /doc/InstallationGuideR2B2/
- /doc/InstallationGuideR2B3/
- /doc/InstallationGuideR2rc1/
- /doc/InstallationGuideR2rc2/
- /doc/InstallationGuideR3.0rc1/
- /doc/InstallationGuideR3.0rc2/
- /doc/live-usb/
- /doc/custom-install/
- /doc/encryption-config/
ref: 153
title: Installation guide
---
Welcome to the Qubes OS installation guide! This guide will walk you through the process of installing Qubes. Please read it carefully and thoroughly, as it contains important information for ensuring that your Qubes OS installation is functional and secure.
## Pre-installation
### Hardware requirements
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Qubes has no control over what happens on your computer before you install it. No software can provide security if it is installed on compromised hardware. Do not install Qubes on a computer you don't trust. See <a href="/doc/install-security/">installation security</a> for more information.
</div>
Qubes OS has very specific [system requirements](/doc/system-requirements/). To ensure compatibility, we strongly recommend using [Qubes-certified hardware](/doc/certified-hardware/). Other hardware may require you to perform significant troubleshooting. You may also find it helpful to consult the [Hardware Compatibility List](/hcl/).
Even on supported hardware, you must ensure that [IOMMU-based virtualization](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization) is activated in the BIOS or UEFI. Without it, Qubes OS won't be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**). This parameter should be activated in your computer's BIOS or UEFI, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions. This [external guide](https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html) made for Intel-based boards can help you figure out how to enter your BIOS or UEFI to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Qubes OS is not meant to be installed inside a virtual machine as a guest hypervisor. In other words, <b>nested virtualization</b> is not supported. In order for a strict compartmentalization to be enforced, Qubes OS needs to be able to manage the hardware directly.
</div>
### Copying the ISO onto the installation medium
Pick the most secure existing computer and OS you have available for downloading and copying the Qubes ISO onto the installation medium. [Download](/downloads/) a Qubes ISO. If your Internet connection is unstable and the download is interrupted, you could resume the partial download with `wget --continue` in case you are currently using wget for downloading or use a download-manager with resume capability. Alternatively you can download installation ISO via BitTorrent that sometimes enables higher download speeds and more reliable downloads of large files.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Any file you download from the internet could be malicious, even if it appears to come from a trustworthy source. Our philosophy is to <a href="/faq/#what-does-it-mean-to-distrust-the-infrastructure">distrust the infrastructure</a>. Regardless of how you acquire your Qubes ISO, <a href="/security/verifying-signatures/">verify its authenticity</a> before continuing.
</div>
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a USB drive, dual-layer DVD, or Blu-ray disc. The size of each Qubes ISO is available on the [downloads](/downloads/) page by hovering over the download button. The instructions below assume you've chosen a USB drive as your medium. If you've chosen a different medium, please adapt the instructions accordingly.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> There are important <a href="/doc/install-security/">security considerations</a> to keep in mind when choosing an installation medium. Advanced users may wish to <a href="/security/verifying-signatures/#how-to-re-verify-installation-media-after-writing">re-verify their installation media after writing</a>.
</div>
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Be careful to choose the correct device when copying the ISO, or you may lose data. We strongly recommended making a full backup before modifying any devices.
</div>
#### Linux ISO to USB
On Linux, if you choose to use a USB drive, copy the ISO onto the USB device, e.g. using `dd`:
```
$ sudo dd if=Qubes-RX-x86_64.iso of=/dev/sdY status=progress bs=1048576 conv=fsync
```
Change `Qubes-RX-x86_64.iso` to the filename of the version you're installing, and change `/dev/sdY` to the correct target device e.g., `/dev/sdc`). Make sure to write to the entire device (e.g., `/dev/sdc`) rather than just a single partition (e.g., `/dev/sdc1`).
#### Windows ISO to USB
On Windows, you can use the [Rufus](https://rufus.ie/) tool to write the ISO to a USB key. Be sure to select "Write in DD Image mode" *after* selecting the Qubes ISO and pressing "START" on the Rufus main window.
<div class="alert alert-info" role="alert">
<i class="fa fa-info-circle"></i>
<b>Note:</b> Using Rufus to create the installation medium means that you <a href="https://github.com/QubesOS/qubes-issues/issues/2051">won't be able</a> to choose the "Test this media and install Qubes OS" option mentioned in the example below. Instead, choose the "Install Qubes OS" option.
</div>
[![Rufus menu](/attachment/doc/rufus-menu.png)](/attachment/doc/rufus-menu.png)
[![Rufus DD image mode](/attachment/doc/rufus-dd-image-mode.png)](/attachment/doc/rufus-dd-image-mode.png)
## Installation
This section will demonstrate a simple installation using mostly default settings.
### Getting to the boot screen
"Booting" is the process of starting your computer. When a computer boots up, it first runs low-level software before the main operating system. Depending on the computer, this low-level software may be called the ["BIOS"](https://en.wikipedia.org/wiki/BIOS) or ["UEFI"](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface).
Since you're installing Qubes OS, you'll need to access your computer's BIOS or UEFI menu so that you can tell it to boot from the USB drive to which you just copied the Qubes installer ISO.
To begin, power off your computer and plug the USB drive into a USB port, but don't press the power button yet. Right after you press the power button, you'll have to immediately press a specific key to enter the BIOS or UEFI menu. The key to press varies from brand to brand. `Esc`, `Del`, and `F10` are common ones. If you're not sure, you can search the web for `<COMPUTER_MODEL> BIOS key` or `<COMPUTER_MODEL> UEFI key` (replacing `<COMPUTER_MODEL>` with your specific computer model) or look it up in your computer's manual.
Once you know the key to press, press your computer's power button, then repeatedly press that key until you've entered your computer's BIOS or UEFI menu. To give you an idea of what you should be looking for, we've provided a couple of example photos below.
Here's an example of what the BIOS menu looks like on a ThinkPad T430:
[![ThinkPad T430 BIOS menu](/attachment/doc/Thinkpad-t430-bios-main.jpg)](/attachment/doc/Thinkpad-t430-bios-main.jpg)
And here's an example of what a modern UEFI menu looks like:
[![UEFI menu](/attachment/doc/uefi.jpeg)](/attachment/doc/uefi.jpeg)
Once you access your computer's BIOS or UEFI menu, you'll want to go to the "boot menu", which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and you're not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then you'll want to move your USB drive to the top so that the Qubes installer runs before anything else.
Then, if you are on a computer using UEFI, you'll have to disable [Secure Boot](https://en.m.wikipedia.org/wiki/UEFI#SECURE-BOOT) to allow Qubes OS to boot.
Once you're done with the settings, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If you're not sure whether you've saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, don't press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If you're successful in this step, after a few seconds you'll be presented with the Qubes installer screen:
[![Boot screen](/attachment/doc/boot-screen-4.2.png)](/attachment/doc/boot-screen-4.2.png)
From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options. You can choose one of five options:
* Install Qubes OS
* Test this media and install Qubes OS
* Troubleshooting - verbose boot
* Rescue a Qubes OS system
* Install Qubes OS 4.2.1 using kernel-latest
Select the option to test this media and install Qubes OS.
<div class="alert alert-info" role="alert">
<i class="fa fa-info-circle"></i>
<b>Note:</b> If the latest stable release is not compatible with your hardware, you may wish to consider installing using the latest kernel. Be aware that this has not been as well tested as the standard kernel.
</div>
If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
### The installer home screen
On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select **Continue**.
[![Language selection window](/attachment/doc/welcome-to-qubes-os-installation-screen-4.2.png)](/attachment/doc/welcome-to-qubes-os-installation-screen-4.2.png)
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
[![Unsupported hardware detected](/attachment/doc/unsupported-hardware-detected.png)](/attachment/doc/unsupported-hardware-detected.png)
Do not panic. It may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS or UEFI. Return to the [hardware requirements](#hardware-requirements) section to learn how to activate it. If the setting is not configured correctly, it means that your hardware won't be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
If the test passes, you will reach the installation summary screen. The installer loads Xen right at the beginning. If you can see the installer's graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with RPM-based distributions should feel at home.
### Installation summary
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
<b>Did you know?</b> The Qubes OS installer is completely offline. It doesn't even load any networking drivers, so there is no possibility of internet-based data leaks or attacks during the installation process.
</div>
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
[![Installation summary screen awaiting input ](/attachment/doc/installation-summary-not-ready-4.2.png)](/attachment/doc/installation-summary-not-ready-4.2.png)
### Localization
Let's assume you wish to add a German keyboard layout. Go to Keyboard Layout, press the "Plus" symbol, search for "German" as indicated in the screenshot and press "Add". If you want it be your default language, select the "German" entry in the list and press the arrow button. Click on "Done" in the upper left corner, and you're ready to go!
[![Keyboard layout selection](/attachment/doc/keyboard-layout-selection.png)](/attachment/doc/keyboard-layout-selection.png)
The process to select a new language is similar to the process to select a new keyboard layout. Follow the same process in the "Language Support" entry.
[![Language support selection](/attachment/doc/language-support-selection.png)](/attachment/doc/language-support-selection.png)
You can have as many keyboard layout and languages as you want. Post-install, you will be able to switch between them and install others.
Don't forget to select your time and date by clicking on the Time & Date entry.
[![Time and date](/attachment/doc/time-and-date.png)](/attachment/doc/time-and-date.png)
### Installation destination
Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Be careful to choose the correct installation target, or you may lose data. We strongly recommended making a full backup before proceeding.
</div>
Your installation destination can be an internal or external storage drive, such as an SSD, HDD, or USB drive. The installation destination must have a least 32 GiB of free space available.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> The installation destination cannot be the same as the installation medium. For example, if you're installing Qubes OS <em>from</em> a USB drive <em>onto</em> a USB drive, they must be two distinct USB drives, and they must both be plugged into your computer at the same time. (Note: This may not apply to advanced users who partition their devices appropriately.)
</div>
Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
[![Select storage device screen](/attachment/doc/select-storage-device-4.2.png)](/attachment/doc/select-storage-device-4.2.png)
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
<b>Did you know?</b> By default, Qubes OS uses <a href="https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup">LUKS</a>/<a href="https://en.wikipedia.org/wiki/Dm-crypt">dm-crypt</a> to encrypt everything except the <code>/boot</code> partition.
</div>
As soon as you press **Done**, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When you're finished, press **Done**.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> If you forget your encryption passphrase, there is no way to recover it.
</div>
[![Select storage passphrase](/attachment/doc/select-storage-passphrase.png)](/attachment/doc/select-storage-passphrase.png)
### Create your user account
Select "User Creation" to create your user account. This is what you'll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
The new user you create has full administrator privileges and is protected by a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
[![Account name and password creation window. ](/attachment/doc/account-name-and-password-4.2.png)](/attachment/doc/account-name-and-password-4.2.png)
### Installation
When you have completed all the items marked with the warning icon, press **Begin Installation**.
Installation can take some time.
[![Windows showing installation complete and Reboot button. ](/attachment/doc/installation-complete-4.2.png)](/attachment/doc/installation-complete-4.2.png)
When the installation is complete, press **Reboot System**. Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
## Post-installation
### First boot
If the installation was successful, you should now see the GRUB menu during the boot process.
[![Grub boot menu](/attachment/doc/grub-boot-menu.png)](/attachment/doc/grub-boot-menu.png)
Just after this screen, you will be asked to enter your encryption passphrase.
[![Screen to enter device decryption password](/attachment/doc/unlock-storage-device-screen-4.2.png)](/attachment/doc/unlock-storage-device-screen-4.2.png)
### Initial Setup
You're almost done. Before you can start using Qubes OS, some configuration is needed.
[![Window with link for final configuration ](/attachment/doc/initial-setup-menu-4.2.png)](/attachment/doc/initial-setup-menu-4.2.png)
Click on the item marked with the warning triangle to enter the configuration screen.
[![Initial configuration menu](/attachment/doc/initial-setup-menu-configuration-4.2.png)](/attachment/doc/initial-setup-menu-configuration-4.2.png)
By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
Let's briefly go over the options:
* **Templates Configuration:** Here you can decide which [templates](../templates/) you want to have installed, and which will be the default template.
* **Create default system qubes:** These are the core components of the system, required for things like internet access. You can opt to have some created as [disposables](../glossary#disposable)
* **Create default application qubes:** These are how you compartmentalize your digital life. There's nothing special about the ones the installer creates. They're just suggestions that apply to most people. If you decide you don't want them, you can always delete them later, and you can always create your own.
* **Use a qube to hold all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
* **Use sys-net qube for both networking and USB devices:** You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
* **Create Whonix Gateway and Workstation qubes:** If you want to use [Whonix](https://www.whonix.org/wiki/Qubes), you should select this option.
* **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
* **Do not configure anything:** This is for very advanced users only. If you select this option, you will have to manually set up everything.
When you're satisfied with your choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
After configuration is done, you will be greeted by the login screen. Enter your password and log in.
[![Login screen](/attachment/doc/login-screen.png)](/attachment/doc/login-screen.png)
Congratulations, you are now ready to use Qubes OS!
[![Desktop menu](/attachment/doc/desktop-menu.png)](/attachment/doc/desktop-menu.png)
## Next steps
### Updating
Next, [update](/doc/how-to-update/) your installation to ensure you have the latest security updates. Frequently updating is one of the best ways to remain secure against new threats.
### Security
The Qubes OS Project occasionally issues [Qubes Security Bulletins (QSBs)](/security/qsb/) as part of the [Qubes Security Pack (qubes-secpack)](/security/pack/). It is important to make sure that you receive all QSBs in a timely manner so that you can take action to keep your system secure. (While [updating](#updating) will handle most security needs, there may be cases in which additional action from you is required.) For this reason, we strongly recommend that every Qubes user subscribe to the [qubes-announce](/support/#qubes-announce) mailing list.
In addition to QSBs, the Qubes OS Project also publishes [Canaries](/security/canary/), XSA summaries, template releases and end-of-life notices, and other items of interest to Qubes users. Since these are not essential for all Qubes users to read, they are not sent to [qubes-announce](/support/#qubes-announce) in order to keep the volume on that list low. However, we expect that most users, especially novice users, will find them helpful. If you are interested in these additional items, we encourage you to subscribe to the [Qubes News RSS feed](/feed.xml) or join one of our other [venues](/support/), where these news items are also announced.
For more information about Qubes OS Project security, please see the [security center](/security/).
### Backups
It is extremely important to make regular backups so that you don't lose your data unexpectedly. The [Qubes backup system](/doc/how-to-back-up-restore-and-migrate/) allows you to do this securely and easily.
### Submit your HCL report
Consider giving back to the Qubes community and helping other users by [generating and submitting a Hardware Compatibility List (HCL) report](/doc/how-to-use-the-hcl/#generating-and-submitting-new-reports).
### Get Started
Find out [Getting Started](/doc/getting-started/) with Qubes, check out the other [How-To Guides](/doc/#how-to-guides), and learn about [Templates](/doc/#templates).
## Getting help
* We work very hard to make the [documentation](/doc/) accurate, comprehensive useful and user friendly. We urge you to read it! It may very well contain the answers to your questions. (Since the documentation is a community effort, we'd also greatly appreciate your help in [improving](/doc/how-to-edit-the-documentation/) it!)
* If issues arise during installation, see the [Installation Troubleshooting](/doc/installation-troubleshooting) guide.
* If you don't find your answer in the documentation, please see [Help, Support, Mailing Lists, and Forum](/support/) for places to ask.
* Please do **not** email individual members of the Qubes team with questions about installation or other problems. Instead, please see [Help, Support, Mailing Lists, and Forum](/support/) for appropriate places to ask questions.

408
user/downloading-installing-upgrading/installation-guide.rst Normal file
View file

@ -0,0 +1,408 @@
==================
Installation guide
==================
Welcome to the Qubes OS installation guide! This guide will walk you through the process of installing Qubes. Please read it carefully and thoroughly, as it contains important information for ensuring that your Qubes OS installation is functional and secure.
Pre-installation
----------------
Hardware requirements
^^^^^^^^^^^^^^^^^^^^^
.. DANGER::
**Warning:** Qubes has no control over what happens on your computer before you install it. No software can provide security if it is installed on compromised hardware. Do not install Qubes on a computer you dont trust. See :doc:`installation security </user/downloading-installing-upgrading/install-security>` for more information.
Qubes OS has very specific :doc:`system requirements </user/hardware/system-requirements>`. To ensure compatibility, we strongly recommend using :doc:`Qubes-certified hardware </user/hardware/certified-hardware/certified-hardware>`. Other hardware may require you to perform significant troubleshooting. You may also find it helpful to consult the `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`__.
Even on supported hardware, you must ensure that `IOMMU-based virtualization <https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization>`__ is activated in the BIOS or UEFI. Without it, Qubes OS wont be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**). This parameter should be activated in your computers BIOS or UEFI, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions. This `external guide <https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html>`__ made for Intel-based boards can help you figure out how to enter your BIOS or UEFI to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab.
.. warning::
**Note:** Qubes OS is not meant to be installed inside a virtual machine as a guest hypervisor. In other words, *nested virtualization* is not supported. In order for a strict compartmentalization to be enforced, Qubes OS needs to be able to manage the hardware directly.
Copying the ISO onto the installation medium
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Pick the most secure existing computer and OS you have available for downloading and copying the Qubes ISO onto the installation medium. `Download <https://www.qubes-os.org/downloads/>`__ a Qubes ISO. If your Internet connection is unstable and the download is interrupted, you could resume the partial download with ``wget --continue`` in case you are currently using wget for downloading or use a download-manager with resume capability. Alternatively you can download installation ISO via BitTorrent that sometimes enables higher download speeds and more reliable downloads of large files.
.. DANGER::
**Warning:** Any file you download from the internet could be malicious, even if it appears to come from a trustworthy source. Our philosophy is to :ref:`distrust the infrastructure <introduction/faq:what does it mean to "distrust the infrastructure"?>` . Regardless of how you acquire your Qubes ISO, :doc:`verify its authenticity </project-security/verifying-signatures>` before continuing.
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a USB drive, dual-layer DVD, or Blu-ray disc. The size of each Qubes ISO is available on the `downloads <https://www.qubes-os.org/downloads/>`__ page by hovering over the download button. The instructions below assume youve chosen a USB drive as your medium. If youve chosen a different medium, please adapt the instructions accordingly.
.. warning::
**Note:** There are important :doc:`security considerations </user/downloading-installing-upgrading/install-security>` to keep in mind when choosing an installation medium. Advanced users may wish to :ref:`re-verify their installation media after writing <project-security/verifying-signatures:how to re-verify installation media after writing>` .
.. DANGER::
**Warning:** Be careful to choose the correct device when copying the ISO, or you may lose data. We strongly recommended making a full backup before modifying any devices.
Linux ISO to USB
^^^^^^^^^^^^^^^^
On Linux, if you choose to use a USB drive, copy the ISO onto the USB device, e.g. using ``dd``:
.. code:: bash
$ sudo dd if=Qubes-RX-x86_64.iso of=/dev/sdY status=progress bs=1048576 conv=fsync
Change ``Qubes-RX-x86_64.iso`` to the filename of the version youre installing, and change ``/dev/sdY`` to the correct target device e.g., ``/dev/sdc``). Make sure to write to the entire device (e.g., ``/dev/sdc``) rather than just a single partition (e.g., ``/dev/sdc1``).
Windows ISO to USB
^^^^^^^^^^^^^^^^^^
On Windows, you can use the `Rufus <https://rufus.ie/>`__ tool to write the ISO to a USB key. Be sure to select “Write in DD Image mode” *after* selecting the Qubes ISO and pressing “START” on the Rufus main window.
.. note::
**Note:** Using Rufus to create the installation medium means that you `wont be able <https://github.com/QubesOS/qubes-issues/issues/2051>`__ to choose the “Test this media and install Qubes OS” option mentioned in the example below. Instead, choose the “Install Qubes OS” option.
|Rufus menu|
|Rufus DD image mode|
Installation
------------
This section will demonstrate a simple installation using mostly default settings.
Getting to the boot screen
^^^^^^^^^^^^^^^^^^^^^^^^^^
“Booting” is the process of starting your computer. When a computer boots up, it first runs low-level software before the main operating system. Depending on the computer, this low-level software may be called the `“BIOS” <https://en.wikipedia.org/wiki/BIOS>`__ or `“UEFI” <https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface>`__.
Since youre installing Qubes OS, youll need to access your computers BIOS or UEFI menu so that you can tell it to boot from the USB drive to which you just copied the Qubes installer ISO.
To begin, power off your computer and plug the USB drive into a USB port, but dont press the power button yet. Right after you press the power button, youll have to immediately press a specific key to enter the BIOS or UEFI menu. The key to press varies from brand to brand. ``Esc``, ``Del``, and ``F10`` are common ones. If youre not sure, you can search the web for ``<COMPUTER_MODEL> BIOS key`` or ``<COMPUTER_MODEL> UEFI key`` (replacing ``<COMPUTER_MODEL>`` with your specific computer model) or look it up in your computers manual.
Once you know the key to press, press your computers power button, then repeatedly press that key until youve entered your computers BIOS or UEFI menu. To give you an idea of what you should be looking for, weve provided a couple of example photos below.
Heres an example of what the BIOS menu looks like on a ThinkPad T430:
|ThinkPad T430 BIOS menu|
And heres an example of what a modern UEFI menu looks like:
|UEFI menu|
Once you access your computers BIOS or UEFI menu, youll want to go to the “boot menu”, which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and youre not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then youll want to move your USB drive to the top so that the Qubes installer runs before anything else.
Then, if you are on a computer using UEFI, youll have to disable `Secure Boot <https://en.m.wikipedia.org/wiki/UEFI#SECURE-BOOT>`__ to allow Qubes OS to boot.
Once youre done with the settings, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If youre not sure whether youve saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, dont press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If youre successful in this step, after a few seconds youll be presented with the Qubes installer screen:
|Boot screen|
From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the “Tab” key will reveal options. You can choose one of five options:
- Install Qubes OS
- Test this media and install Qubes OS
- Troubleshooting - verbose boot
- Rescue a Qubes OS system
- Install Qubes OS 4.2.1 using kernel-latest
Select the option to test this media and install Qubes OS.
.. note::
**Note:** If the latest stable release is not compatible with your hardware, you may wish to consider installing using the latest kernel. Be aware that this has not been as well tested as the standard kernel.
If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an `advanced reboot <https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings>`__.
The installer home screen
^^^^^^^^^^^^^^^^^^^^^^^^^
On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select **Continue**.
|Language selection window|
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
|Unsupported hardware detected|
Do not panic. It may simply indicate that IOMMU-virtualization hasnt been activated in the BIOS or UEFI. Return to the `hardware requirements <#hardware-requirements>`__ section to learn how to activate it. If the setting is not configured correctly, it means that your hardware wont be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
If the test passes, you will reach the installation summary screen. The installer loads Xen right at the beginning. If you can see the installers graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with RPM-based distributions should feel at home.
Installation summary
^^^^^^^^^^^^^^^^^^^^
.. note::
**Did you know?** The Qubes OS installer is completely offline. It doesnt even load any networking drivers, so there is no possibility of internet-based data leaks or attacks during the installation process.
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
|Installation summary screen awaiting input|
Localization
^^^^^^^^^^^^
Lets assume you wish to add a German keyboard layout. Go to Keyboard Layout, press the “Plus” symbol, search for “German” as indicated in the screenshot and press “Add”. If you want it be your default language, select the “German” entry in the list and press the arrow button. Click on “Done” in the upper left corner, and youre ready to go!
|Keyboard layout selection|
The process to select a new language is similar to the process to select a new keyboard layout. Follow the same process in the “Language Support” entry.
|Language support selection|
You can have as many keyboard layout and languages as you want. Post-install, you will be able to switch between them and install others.
Dont forget to select your time and date by clicking on the Time & Date entry.
|Time and date|
Installation destination
^^^^^^^^^^^^^^^^^^^^^^^^
Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
.. DANGER::
**Warning:** Be careful to choose the correct installation target, or you may lose data. We strongly recommended making a full backup before proceeding.
Your installation destination can be an internal or external storage drive, such as an SSD, HDD, or USB drive. The installation destination must have a least 32 GiB of free space available.
.. warning::
**Note:** The installation destination cannot be the same as the installation medium. For example, if youre installing Qubes OS *from* a USB drive *onto* a USB drive, they must be two distinct USB drives, and they must both be plugged into your computer at the same time. (**Note:** This may not apply to advanced users who partition their devices appropriately.)
Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
|Select storage device screen|
.. note::
**Did you know?** By default, Qubes OS uses `LUKS <https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup>`__ /`dm-crypt <https://en.wikipedia.org/wiki/Dm-crypt>`__ to encrypt everything except the ``/boot`` partition.
As soon as you press **Done**, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When youre finished, press **Done**.
.. DANGER::
**Warning:** If you forget your encryption passphrase, there is no way to recover it.
|Select storage passphrase|
Create your user account
^^^^^^^^^^^^^^^^^^^^^^^^
Select “User Creation” to create your user account. This is what youll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
The new user you create has full administrator privileges and is protected by a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
|Account name and password creation window.|
.. _installation-1:
Installation
^^^^^^^^^^^^
When you have completed all the items marked with the warning icon, press **Begin Installation**.
Installation can take some time. |Windows showing installation complete and Reboot button.| When the installation is complete, press **Reboot System**. Dont forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
Post-installation
-----------------
First boot
^^^^^^^^^^
If the installation was successful, you should now see the GRUB menu during the boot process.
|Grub boot menu|
Just after this screen, you will be asked to enter your encryption passphrase.
|Screen to enter device decryption password|
Initial Setup
^^^^^^^^^^^^^
Youre almost done. Before you can start using Qubes OS, some configuration is needed.
|Window with link for final configuration| Click on the item marked with the warning triangle to enter the configuration screen. |Initial configuration menu|
By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
Lets briefly go over the options:
- **Templates Configuration:** Here you can decide which :doc:`templates </user/templates/templates>` you want to have installed, and which will be the default template.
- **Create default system qubes:** These are the core components of the system, required for things like internet access. You can opt to have some created as :ref:`disposables <user/reference/glossary:disposable>`.
- **Create default application qubes:** These are how you compartmentalize your digital life. Theres nothing special about the ones the installer creates. Theyre just suggestions that apply to most people. If you decide you dont want them, you can always delete them later, and you can always create your own.
- **Use a qube to hold all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
- **Use sys-net qube for both networking and USB devices:** You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
- **Create Whonix Gateway and Workstation qubes:** If you want to use `Whonix <https://www.whonix.org/wiki/Qubes>`__, you should select this option.
- **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
- **Do not configure anything:** This is for very advanced users only. If you select this option, you will have to manually set up everything.
When youre satisfied with your choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
After configuration is done, you will be greeted by the login screen. Enter your password and log in.
|Login screen|
Congratulations, you are now ready to use Qubes OS!
|Desktop menu|
Next steps
----------
Updating
^^^^^^^^
Next, :doc:`update </user/how-to-guides/how-to-update>` your installation to ensure you have the latest security updates. Frequently updating is one of the best ways to remain secure against new threats.
Security
^^^^^^^^
The Qubes OS Project occasionally issues `Qubes Security Bulletins (QSBs) <https://www.qubes-os.org/security/qsb/>`__ as part of the :doc:`Qubes Security Pack (qubes-secpack) </project-security/security-pack>`. It is important to make sure that you receive all QSBs in a timely manner so that you can take action to keep your system secure. (While `updating <#updating>`__ will handle most security needs, there may be cases in which additional action from you is required.) For this reason, we strongly recommend that every Qubes user subscribe to the :ref:`qubes-announce <introduction/support:qubes-announce>` mailing list.
In addition to QSBs, the Qubes OS Project also publishes `Canaries <https://www.qubes-os.org/security/canary/>`__, XSA summaries, template releases and end-of-life notices, and other items of interest to Qubes users. Since these are not essential for all Qubes users to read, they are not sent to :ref:`qubes-announce <introduction/support:qubes-announce>` in order to keep the volume on that list low. However, we expect that most users, especially novice users, will find them helpful. If you are interested in these additional items, we encourage you to subscribe to the `Qubes News RSS feed <https://www.qubes-os.org/feed.xml>`__ or join one of our other :doc:`venues </introduction/support>`, where these news items are also announced.
For more information about Qubes OS Project security, please see the :doc:`security center </project-security/security>`.
Backups
^^^^^^^
It is extremely important to make regular backups so that you dont lose your data unexpectedly. The :doc:`Qubes backup system </user/how-to-guides/how-to-back-up-restore-and-migrate>` allows you to do this securely and easily.
Submit your HCL report
^^^^^^^^^^^^^^^^^^^^^^
Consider giving back to the Qubes community and helping other users by :ref:`generating and submitting a Hardware Compatibility List (HCL) report <user/hardware/how-to-use-the-hcl:generating and submitting new reports>`.
Get Started
^^^^^^^^^^^
Find out :doc:`Getting Started </introduction/getting-started>` with Qubes, check out the other :ref:`How-To Guides <how-to-guides>`, and learn about :ref:`Templates <templates>`.
Getting help
------------
- We work very hard to make the :doc:`documentation </index>` accurate, comprehensive useful and user friendly. We urge you to read it! It may very well contain the answers to your questions. (Since the documentation is a community effort, wed also greatly appreciate your help in `improving <https://www.qubes-os.org/doc/how-to-edit-the-documentation/>`__ it!)
- If issues arise during installation, see the :doc:`Installation Troubleshooting </user/troubleshooting/installation-troubleshooting>` guide.
- If you dont find your answer in the documentation, please see :doc:`Help, Support, Mailing Lists, and Forum </introduction/support>` for places to ask.
- Please do **not** email individual members of the Qubes team with questions about installation or other problems. Instead, please see :doc:`Help, Support, Mailing Lists, and Forum </introduction/support>` for appropriate places to ask questions.
.. |Rufus menu| image:: /attachment/doc/rufus-menu.png
.. |Rufus DD image mode| image:: /attachment/doc/rufus-dd-image-mode.png
.. |ThinkPad T430 BIOS menu| image:: /attachment/doc/Thinkpad-t430-bios-main.jpg
.. |UEFI menu| image:: /attachment/doc/uefi.jpeg
.. |Boot screen| image:: /attachment/doc/boot-screen-4.2.png
.. |Language selection window| image:: /attachment/doc/welcome-to-qubes-os-installation-screen-4.2.png
.. |Unsupported hardware detected| image:: /attachment/doc/unsupported-hardware-detected.png
.. |Installation summary screen awaiting input| image:: /attachment/doc/installation-summary-not-ready-4.2.png
.. |Keyboard layout selection| image:: /attachment/doc/keyboard-layout-selection.png
.. |Language support selection| image:: /attachment/doc/language-support-selection.png
.. |Time and date| image:: /attachment/doc/time-and-date.png
.. |Select storage device screen| image:: /attachment/doc/select-storage-device-4.2.png
.. |Select storage passphrase| image:: /attachment/doc/select-storage-passphrase.png
.. |Account name and password creation window.| image:: /attachment/doc/account-name-and-password-4.2.png
.. |Windows showing installation complete and Reboot button.| image:: /attachment/doc/installation-complete-4.2.png
.. |Grub boot menu| image:: /attachment/doc/grub-boot-menu.png
.. |Screen to enter device decryption password| image:: /attachment/doc/unlock-storage-device-screen-4.2.png
.. |Window with link for final configuration| image:: /attachment/doc/initial-setup-menu-4.2.png
.. |Initial configuration menu| image:: /attachment/doc/initial-setup-menu-configuration-4.2.png
.. |Login screen| image:: /attachment/doc/login-screen.png
.. |Desktop menu| image:: /attachment/doc/desktop-menu.png

68
user/downloading-installing-upgrading/supported-releases.md
View file

@ -1,68 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/supported-releases/
redirect_from:
- /doc/supported-versions/
ref: 154
title: Supported releases
---
This page details the level and period of support for releases of operating systems in the Qubes ecosystem.
## Qubes OS
Qubes OS releases are supported for **six months** after each subsequent major or minor release (see [Version Scheme](/doc/version-scheme/)). The current release and past major releases are always available on the [Downloads](/downloads/) page, while all ISOs, including past minor releases, are available from our [download mirrors](/downloads/#mirrors).
| Qubes OS | Start Date | End Date | Status |
| ----------- | ---------- | ---------- | -------------- |
| Release 1 | 2012-09-03 | 2015-03-26 | Unsupported |
| Release 2 | 2014-09-26 | 2016-04-01 | Unsupported |
| Release 3.0 | 2015-10-01 | 2016-09-09 | Unsupported |
| Release 3.1 | 2016-03-09 | 2017-03-29 | Unsupported |
| Release 3.2 | 2016-09-29 | 2019-03-28 | Unsupported |
| Release 4.0 | 2018-03-28 | 2022-08-04 | Unsupported |
| Release 4.1 | 2022-02-04 | 2024-06-18 | Unsupported |
| Release 4.2 | 2023-12-18 | TBD | Supported |
| Release 4.3 | TBD | TBD | In development |
### Note on patch releases
Please note that patch releases, such as 3.2.1 and 4.0.1, do not designate separate, new major or minor releases of Qubes OS. Rather, they designate their respective major or minor releases, such as 3.2 and 4.0, inclusive of all package updates up to a certain point. For example, installing Release 4.0 and fully updating it results in the same system as installing Release 4.0.1. Therefore, patch releases are not displayed as separate rows on any of the tables on this page.
## Dom0
The table below shows the OS used for dom0 in each Qubes OS release.
| Qubes OS | Dom0 OS |
| ----------- | --------- |
| Release 1 | Fedora 13 |
| Release 2 | Fedora 18 |
| Release 3.0 | Fedora 20 |
| Release 3.1 | Fedora 20 |
| Release 3.2 | Fedora 23 |
| Release 4.0 | Fedora 25 |
| Release 4.1 | Fedora 32 |
| Release 4.2 | Fedora 37 |
### Note on dom0 and EOL
Dom0 is isolated from domUs. DomUs can access only a few interfaces, such as Xen, device backends (in the dom0 kernel and in other VMs, such as the NetVM), and Qubes tools (gui-daemon, qrexec-daemon, etc.). These components are [security-critical](/doc/security-critical-code/), and we provide updates for all of them (when necessary), regardless of the support status of the base distribution. For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached end-of-life (EOL).
## Templates
The following table shows select [template](/doc/templates/) (and [standalone](/doc/standalones-and-hvms/)) releases that are currently supported. Currently, only [Fedora](/doc/templates/fedora/) and [Debian](/doc/templates/debian/) templates are officially supported by the Qubes OS Project. [Whonix](https://www.whonix.org/wiki/Qubes) templates are supported by our partner, the [Whonix Project](https://www.whonix.org/). Qubes support for each template ends when that upstream release reaches end-of-life (EOL), even if that release is included in the table below. Please see below for distribution-specific notes.
It is the responsibility of each distribution to clearly notify its users in advance of its own EOL dates, and it is users' responsibility to heed these notices by upgrading to supported releases. As a courtesy to Qubes users, we attempt to pass along upstream EOL notices we receive for select distributions, but our ability to do this reliably is dependent on the upstream distribution's practices. For example, if a distribution provides a mailing list similar to [qubes-announce](/support/#qubes-announce), which allows us to receive only very important, infrequent messages, including EOL announcements, we are much more likely to be able to pass along EOL notices to Qubes users reliably. Qubes users can always check the EOL status of an upstream release on the upstream distribution's website (see [Fedora EOL](https://fedoraproject.org/wiki/End_of_life) and [Debian Releases](https://wiki.debian.org/DebianReleases)).
| Qubes OS | Fedora | Debian |
| ----------- | ------ | ------ |
| Release 4.2 | 41 | 12 |
### Note on Debian support
Debian releases have two EOL dates: regular and [long-term support (LTS)](https://wiki.debian.org/LTS). See [Debian Production Releases](https://wiki.debian.org/DebianReleases#Production_Releases) for a chart that illustrates this. Qubes support ends at the *regular* EOL date, *not* the LTS EOL date, unless a specific exception has been made.
### Note on Whonix support
[Whonix](https://www.whonix.org/wiki/Qubes) templates are supported by our partner, the [Whonix Project](https://www.whonix.org/). The Whonix Project has set its own support policy for Whonix templates in Qubes. Please see the [Qubes-Whonix version support policy](https://www.whonix.org/wiki/About#Qubes_Hosts) for details.

138
user/downloading-installing-upgrading/supported-releases.rst Normal file
View file

@ -0,0 +1,138 @@
==================
Supported releases
==================
This page details the level and period of support for releases of operating systems in the Qubes ecosystem.
Qubes OS
--------
Qubes OS releases are supported for **six months** after each subsequent major or minor release (see :doc:`Version Scheme </developer/releases/version-scheme>`). The current release and past major releases are always available on the `Downloads <https://www.qubes-os.org/downloads/>`__ page, while all ISOs, including past minor releases, are available from our `download mirrors <https://www.qubes-os.org/downloads/#mirrors>`__.
.. list-table::
:widths: 11 11 11 11
:align: center
:header-rows: 1
* - Qubes OS
- Start Date
- End Date
- Status
* - Release 1
- 2012-09-03
- 2015-03-26
- Unsupported
* - Release 2
- 2014-09-26
- 2016-04-01
- Unsupported
* - Release 3.0
- 2015-10-01
- 2016-09-09
- Unsupported
* - Release 3.1
- 2016-03-09
- 2017-03-29
- Unsupported
* - Release 3.2
- 2016-09-29
- 2019-03-28
- Unsupported
* - Release 4.0
- 2018-03-28
- 2022-08-04
- Unsupported
* - Release 4.1
- 2022-02-04
- 2024-06-18
- Unsupported
* - Release 4.2
- 2023-12-18
- TBD
- Supported
* - Release 4.3
- TBD
- TBD
- In development
Note on patch releases
^^^^^^^^^^^^^^^^^^^^^^
Please note that patch releases, such as 3.2.1 and 4.0.1, do not designate separate, new major or minor releases of Qubes OS. Rather, they designate their respective major or minor releases, such as 3.2 and 4.0, inclusive of all package updates up to a certain point. For example, installing Release 4.0 and fully updating it results in the same system as installing Release 4.0.1. Therefore, patch releases are not displayed as separate rows on any of the tables on this page.
Dom0
----
The table below shows the OS used for dom0 in each Qubes OS release.
.. list-table::
:widths: 11 11
:align: center
:header-rows: 1
* - Qubes OS
- Dom0 OS
* - Release 1
- Fedora 13
* - Release 2
- Fedora 18
* - Release 3.0
- Fedora 20
* - Release 3.1
- Fedora 20
* - Release 3.2
- Fedora 23
* - Release 4.0
- Fedora 25
* - Release 4.1
- Fedora 32
* - Release 4.2
- Fedora 37
Note on dom0 and EOL
^^^^^^^^^^^^^^^^^^^^
Dom0 is isolated from domUs. DomUs can access only a few interfaces, such as Xen, device backends (in the dom0 kernel and in other VMs, such as the NetVM), and Qubes tools (gui-daemon, qrexec-daemon, etc.). These components are :doc:`security-critical </developer/system/security-critical-code>`, and we provide updates for all of them (when necessary), regardless of the support status of the base distribution. For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached end-of-life (EOL).
Templates
---------
The following table shows select :doc:`template </user/templates/templates>` (and :doc:`standalone </user/advanced-topics/standalones-and-hvms>`) releases that are currently supported. Currently, only :doc:`Fedora </user/templates/fedora/fedora>` and :doc:`Debian </user/templates/debian/debian>` templates are officially supported by the Qubes OS Project. `Whonix <https://www.whonix.org/wiki/Qubes>`__ templates are supported by our partner, the `Whonix Project <https://www.whonix.org/>`__. Qubes support for each template ends when that upstream release reaches end-of-life (EOL), even if that release is included in the table below. Please see below for distribution-specific notes.
It is the responsibility of each distribution to clearly notify its users in advance of its own EOL dates, and it is users responsibility to heed these notices by upgrading to supported releases. As a courtesy to Qubes users, we attempt to pass along upstream EOL notices we receive for select distributions, but our ability to do this reliably is dependent on the upstream distributions practices. For example, if a distribution provides a mailing list similar to :ref:`qubes-announce <introduction/support:qubes-announce>`, which allows us to receive only very important, infrequent messages, including EOL announcements, we are much more likely to be able to pass along EOL notices to Qubes users reliably. Qubes users can always check the EOL status of an upstream release on the upstream distributions website (see `Fedora EOL <https://fedoraproject.org/wiki/End_of_life>`__ and `Debian Releases <https://wiki.debian.org/DebianReleases>`__).
.. list-table::
:widths: 11 11 11
:align: center
:header-rows: 1
* - Qubes OS
- Fedora
- Debian
* - Release 4.2
- 41
- 12
Note on Debian support
^^^^^^^^^^^^^^^^^^^^^^
Debian releases have two EOL dates: regular and `long-term support (LTS) <https://wiki.debian.org/LTS>`__. See `Debian Production Releases <https://wiki.debian.org/DebianReleases#Production_Releases>`__ for a chart that illustrates this. Qubes support ends at the *regular* EOL date, *not* the LTS EOL date, unless a specific exception has been made.
Note on Whonix support
^^^^^^^^^^^^^^^^^^^^^^
`Whonix <https://www.whonix.org/wiki/Qubes>`__ templates are supported by our partner, the `Whonix Project <https://www.whonix.org/>`__. The Whonix Project has set its own support policy for Whonix templates in Qubes. Please see the `Qubes-Whonix version support policy <https://www.whonix.org/wiki/About#Qubes_Hosts>`__ for details.

58
user/downloading-installing-upgrading/testing.md
View file

@ -1,58 +0,0 @@
---
advanced: true
lang: en
layout: doc
permalink: /doc/testing/
ref: 147
title: Testing new releases and updates
---
Testing new Qubes OS releases and updates is one of the most helpful ways in which you can [contribute](/doc/contributing/) to the Qubes OS Project. If you're interested in helping with this, please [join the testing team](https://forum.qubes-os.org/t/joining-the-testing-team/5190). There are several different types of testing, which we'll cover below.
**Warning:** Software testing is intended for advanced users and developers. You should only attempt to do this if you know what you're doing. Never rely on code that is in testing for critical work!
## Releases
How to test upcoming Qubes OS releases:
- Test the latest release candidate (RC) on the [downloads](/downloads/) page, if one is currently available. (Or try an older RC from our [FTP server](https://ftp.qubes-os.org/iso/).)
- Try the [signed weekly builds](https://qubes.notset.fr/iso/). ([Learn more](https://forum.qubes-os.org/t/16929) and [track their status](https://github.com/fepitre/updates-status-iso/issues).)
- Use [qubes-builder](/doc/qubes-builder-v2/) to build the latest release yourself.
- (No support) Experiment with developer alpha ISOs found from time to time at [Qubes OpenQA](https://openqa.qubes-os.org/).
Please make sure to [report any bugs you encounter](/doc/issue-tracking/).
See [Version scheme](/doc/version-scheme/) for details about release versions and schedules. See [Release checklist](/doc/releases/todo/) for details about the RC process.
## Updates
How to test updates:
- Enable [dom0 testing repositories](/doc/how-to-install-software-in-dom0/#testing-repositories).
- Enable [template testing repositories](/doc/how-to-install-software/#testing-repositories).
Every new update is first uploaded to the `security-testing` repository if it is a security update or `current-testing` if it is a normal update. The update remains in `security-testing` or `current-testing` for a minimum of one week. On occasion, an exception is made for a particularly critical security update, which is immediately pushed to the `current` stable repository. In general, however, security updates remain in `security-testing` for two weeks before migrating to `current`. Normal updates generally remain in `current-testing` until they have been sufficiently tested by the community, which can last weeks or even months, depending on the amount of feedback received (see [Providing feedback](#providing-feedback)).
"Sufficient testing" is, in practice, a fluid term that is up the developers' judgment. In general, it means either that no negative feedback and at least one piece of positive feedback has been received or that the package has been in `current-testing` for long enough, depending on the component and the complexity of the changes.
A limitation of the current testing setup is that it is only possible to migrate the *most recent version* of a package from `current-testing` to `current`. This means that, if a newer version of a package is uploaded to `current-testing`, it will no longer be possible to migrate any older versions of that same package from `current-testing` to `current`, even if one of those older versions has been deemed stable enough. While this limitation can be inconvenient, the benefits outweigh the costs, since it greatly simplifies the testing and reporting process.
## Templates
How to test [templates](/doc/templates/):
- For official templates, enable the `qubes-templates-itl-testing` repository, then [install](/doc/templates/#installing) the desired template.
- For community templates, enable the `qubes-templates-community-testing` repository, then [install](/doc/templates/#installing) the desired template.
To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` option. Example commands:
```
qvm-template --enablerepo=qubes-templates-itl-testing list --available
qvm-template --enablerepo=qubes-templates-itl-testing install <template_name>
```
To enable any of these repos permanently, change the corresponding `enabled` value to `1` in `/etc/qubes/repo-templates`. To disable any of these repos permanently, change the corresponding `enabled` value to `0`.
## Providing feedback
Since the whole point of testing software is to discover and fix bugs, your feedback is an essential part of this process. We use an [automated build process](https://github.com/QubesOS/qubes-infrastructure/blob/master/README.md). For every package that is uploaded to a testing repository, a GitHub issue is created in the [updates-status](https://github.com/QubesOS/updates-status/issues) repository for tracking purposes. We welcome any kind of feedback on any package in any testing repository. Even a simple <span class="fa fa-thumbs-up" title="Thumbs Up"></span> "thumbs up" or <span class="fa fa-thumbs-down" title="Thumbs Down"></span> "thumbs down" reaction on the package's associated issue would help us to decide whether the package is ready to be migrated to a stable repository. If you [report a bug](/doc/issue-tracking/) in a package that is in a testing repository, please reference the appropriate issue in [updates-status](https://github.com/QubesOS/updates-status/issues).

81
user/downloading-installing-upgrading/testing.rst Normal file
View file

@ -0,0 +1,81 @@
================================
Testing new releases and updates
================================
.. warning::
This page is intended for advanced users.
Testing new Qubes OS releases and updates is one of the most helpful ways in which you can :doc:`contribute </introduction/contributing>` to the Qubes OS Project. If youre interested in helping with this, please `join the testing team <https://forum.qubes-os.org/t/joining-the-testing-team/5190>`__. There are several different types of testing, which well cover below.
**Warning:** Software testing is intended for advanced users and developers. You should only attempt to do this if you know what youre doing. Never rely on code that is in testing for critical work!
Releases
--------
How to test upcoming Qubes OS releases:
- Test the latest release candidate (RC) on the `downloads <https://www.qubes-os.org/downloads/>`__ page, if one is currently available. (Or try an older RC from our `FTP server <https://ftp.qubes-os.org/iso/>`__.)
- Try the `signed weekly builds <https://qubes.notset.fr/iso/>`__. (`Learn more <https://forum.qubes-os.org/t/16929>`__ and `track their status <https://github.com/fepitre/updates-status-iso/issues>`__.)
- Use :doc:`qubes-builder </developer/building/qubes-builder-v2>` to build the latest release yourself.
- (No support) Experiment with developer alpha ISOs found from time to time at `Qubes OpenQA <https://openqa.qubes-os.org/>`__.
Please make sure to :doc:`report any bugs you encounter </introduction/issue-tracking>`.
See :doc:`Version scheme </developer/releases/version-scheme>` for details about release versions and schedules. See :doc:`Release checklist </developer/releases/todo>` for details about the RC process.
Updates
-------
How to test updates:
- Enable :ref:`dom0 testing repositories <user/advanced-topics/how-to-install-software-in-dom0:testing repositories>`.
- Enable :ref:`template testing repositories <user/how-to-guides/how-to-install-software:testing repositories>`.
Every new update is first uploaded to the ``security-testing`` repository if it is a security update or ``current-testing`` if it is a normal update. The update remains in ``security-testing`` or ``current-testing`` for a minimum of one week. On occasion, an exception is made for a particularly critical security update, which is immediately pushed to the ``current`` stable repository. In general, however, security updates remain in ``security-testing`` for two weeks before migrating to ``current``. Normal updates generally remain in ``current-testing`` until they have been sufficiently tested by the community, which can last weeks or even months, depending on the amount of feedback received (see `Providing feedback <#providing-feedback>`__).
“Sufficient testing” is, in practice, a fluid term that is up the developers judgment. In general, it means either that no negative feedback and at least one piece of positive feedback has been received or that the package has been in ``current-testing`` for long enough, depending on the component and the complexity of the changes.
A limitation of the current testing setup is that it is only possible to migrate the *most recent version* of a package from ``current-testing`` to ``current``. This means that, if a newer version of a package is uploaded to ``current-testing``, it will no longer be possible to migrate any older versions of that same package from ``current-testing`` to ``current``, even if one of those older versions has been deemed stable enough. While this limitation can be inconvenient, the benefits outweigh the costs, since it greatly simplifies the testing and reporting process.
Templates
---------
How to test :doc:`templates </user/templates/templates>`:
- For official templates, enable the ``qubes-templates-itl-testing`` repository, then :ref:`install <user/templates/templates:installing>` the desired template.
- For community templates, enable the ``qubes-templates-community-testing`` repository, then :ref:`install <user/templates/templates:installing>` the desired template.
To temporarily enable any of these repos, use the ``--enablerepo=<repo-name>`` option. Example commands:
.. code:: bash
qvm-template --enablerepo=qubes-templates-itl-testing list --available
qvm-template --enablerepo=qubes-templates-itl-testing install <template_name>
To enable any of these repos permanently, change the corresponding ``enabled`` value to ``1`` in ``/etc/qubes/repo-templates``. To disable any of these repos permanently, change the corresponding ``enabled`` value to ``0``.
Providing feedback
------------------
Since the whole point of testing software is to discover and fix bugs, your feedback is an essential part of this process. We use an `automated build process <https://github.com/QubesOS/qubes-infrastructure/blob/master/README.md>`__. For every package that is uploaded to a testing repository, a GitHub issue is created in the `updates-status <https://github.com/QubesOS/updates-status/issues>`__ repository for tracking purposes. We welcome any kind of feedback on any package in any testing repository. Even a simple |thumbsup| “thumbs up” or |thumbsdown| “thumbs down” reaction on the packages associated issue would help us to decide whether the package is ready to be migrated to a stable repository. If you :doc:`report a bug </introduction/issue-tracking>` in a package that is in a testing repository, please reference the appropriate issue in `updates-status <https://github.com/QubesOS/updates-status/issues>`__.
.. |thumbsup| image:: /attachment/doc/like.png
.. |thumbsdown| image:: /attachment/doc/dislike.png

64
user/downloading-installing-upgrading/upgrade/2.md
View file

@ -1,64 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/2/
redirect_from:
- /doc/upgrade-to-r2/
- /en/doc/upgrade-to-r2/
- /doc/UpgradeToR2/
- /doc/UpgradeToR2rc1/
- /wiki/UpgradeToR2rc1/
ref: 156
title: Upgrading to R2
---
Current Qubes R2 Beta 3 (R2B3) systems can be upgraded in-place to the latest R2 (R2) release by following the procedure below.
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users back up the system by using the built-in [backup tool](/doc/backup-restore/).**
Upgrade Template and Standalone VM(s)
-------------------------------------
- Qubes R2 comes with new template based on Fedora 20. You can upgrade existing template according to procedure described [here](/doc/templates/fedora/#upgrading).
- **It also possible to download a new Fedora 20-based template from our repositories**. To do this please first upgrade the Dom0 distro as described in the section below.
While technically it is possible to use old Fedora 18 template on R2, it is strongly recommended to upgrade all the templates and Standalone VMs, because Fedora 18 no longer receive security updates.
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. If more than one template and/or Standalone VMs are used, then it is recommended to upgrade/replace all of them. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/software-update-vm/).
Upgrading dom0
--------------
Note that dom0 in R2 is based on Fedora 20, in contrast to Fedora 18 in previous release, so this operation will upgrade a lot of packages.
1. Open terminal in Dom0. E.g. Start-\>System Settings-\>Konsole.
2. Install all the updates for Dom0:
~~~
sudo qubes-dom0-update
~~~
After this step you should have `qubes-release-2-5` in your Dom0. Important: if you happen to have `qubes-release-2-6*` then you should downgrade to `qubes-release-2-5`! The `qubes-release-2-6*` packages have been uploaded to the testing repos and were kept there for a few hours, until we realized they bring incorrect repo definitions and so we removed them and also have changed the update procedure a bit (simplifying it).
3. Upgrade dom0 to R2:
Note: be sure that the VM used as a update-downloading-vm (by default its the firewallvm based on the default template) has been updated to the latest Qubes packages, specifically `qubes-core-vm-2.1.33` or later. This doesn't imply that the VM must already be upgraded to fc20 -- for Dom0 upgrade we could still use an fc18-based VM (updatevm) it is only important to install the latest Qubes packages there.
~~~
sudo qubes-dom0-update qubes-dom0-dist-upgrade
sudo qubes-dom0-update
~~~
4. If above step completed successfully you should have `qubes-release-2-9` or later. If not, repeat above step with additional `--clean` option.
4a. If you chose not to upgrade your fc18 templates, but instead to download our new fc20-based template you should now be able to do that by simply typing:
~~~
sudo qubes-dom0-update qubes-template-fedora-20-x64
~~~
5. Reboot the system.
Please note that if you use Anti Evil Maid, then it won't be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maid's passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

79
user/downloading-installing-upgrading/upgrade/2.rst Normal file
View file

@ -0,0 +1,79 @@
===============
Upgrading to R2
===============
Current Qubes R2 Beta 3 (R2B3) systems can be upgraded in-place to the latest R2 (R2) release by following the procedure below.
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users back up the system by using the built-in** :doc:`backup tool </user/how-to-guides/how-to-back-up-restore-and-migrate>` **.**
Upgrade Template and Standalone VM(s)
-------------------------------------
- Qubes R2 comes with new template based on Fedora 20. You can upgrade existing template according to procedure described :ref:`here <user/templates/fedora/fedora:upgrading>`.
- **It also possible to download a new Fedora 20-based template from our repositories**. To do this please first upgrade the Dom0 distro as described in the section below.
While technically it is possible to use old Fedora 18 template on R2, it is strongly recommended to upgrade all the templates and Standalone VMs, because Fedora 18 no longer receive security updates.
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. If more than one template and/or Standalone VMs are used, then it is recommended to upgrade/replace all of them. More information on using multiple templates, as well as Standalone VMs, can be found :doc:`here </user/how-to-guides/how-to-install-software>`.
Upgrading dom0
--------------
Note that dom0 in R2 is based on Fedora 20, in contrast to Fedora 18 in previous release, so this operation will upgrade a lot of packages.
1. Open terminal in Dom0. E.g. Start->System Settings->Konsole.
2. Install all the updates for Dom0:
.. code:: bash
sudo qubes-dom0-update
After this step you should have ``qubes-release-2-5`` in your Dom0. Important: if you happen to have ``qubes-release-2-6*`` then you should downgrade to ``qubes-release-2-5``! The ``qubes-release-2-6*`` packages have been uploaded to the testing repos and were kept there for a few hours, until we realized they bring incorrect repo definitions and so we removed them and also have changed the update procedure a bit (simplifying it).
3. Upgrade dom0 to R2:
**Note:** be sure that the VM used as a update-downloading-vm (by default its the firewallvm based on the default template) has been updated to the latest Qubes packages, specifically ``qubes-core-vm-2.1.33`` or later. This doesnt imply that the VM must already be upgraded to fc20 for Dom0 upgrade we could still use an fc18-based VM (updatevm) it is only important to install the latest Qubes packages there.
.. code:: bash
sudo qubes-dom0-update qubes-dom0-dist-upgrade
sudo qubes-dom0-update
4. If above step completed successfully you should have ``qubes-release-2-9`` or later. If not, repeat above step with additional ``--clean`` option.
4a. If you chose not to upgrade your fc18 templates, but instead to download our new fc20-based template you should now be able to do that by simply typing:
.. code:: bash
sudo qubes-dom0-update qubes-template-fedora-20-x64
5. Reboot the system.
Please note that if you use Anti Evil Maid, then it wont be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maids passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

76
user/downloading-installing-upgrading/upgrade/2b1.md
View file

@ -1,76 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/2b1/
redirect_from:
- /doc/upgrade-to-r2b1/
- /en/doc/upgrade-to-r2b1/
- /doc/UpgradeToR2B1/
- /wiki/UpgradeToR2B1/
ref: 163
title: Upgrading to R2B1
---
**Note: Qubes R2 Beta 1 is no longer supported! Please install or upgrade to a newer Qubes R2.**
**Note: This page is kept for historical reasons only! Do not follow the instructions below**
Existing users of Qubes R1 (but not R1 betas!) can upgrade their systems to the latest R2 beta release by following the procedure below. As usual, it is advisable to backup the system before proceeding with the upgrade
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R1, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/templates/) and [here](/doc/standalone-and-hvm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
2. Install `qubes-upgrade-vm` package (this package brings in R2 repo definitions and R2 keys)
~~~
sudo yum install qubes-upgrade-vm
~~~
3. Proceed with normal update in the template (this should bring in also the R2 packages for the VMs):
~~~
sudo yum update
~~~
The installer (yum) will prompt to accept the new Qubes R2 signing key:
~~~
Importing GPG key 0x0A40E458:
Userid : "Qubes OS Release 2 Signing Key"
Fingerprint: 3f01 def4 9719 158e f862 66f8 0c73 b9d4 0a40 e458
Package : qubes-upgrade-vm-1.0-1.fc17.x86_64 (@qubes-vm-current)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-2-primary
Is this ok [y/N]:
~~~
If you see (as is the case on the "screenshot" above) that the new key was imported from a local filesystem (`/etc/pki/rpm-gpg/...`) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your template's filesystem:
- via a legitimate RPM package previously installed (in our case it was the `qubes-upgrade-vm` RPM). Such an RPM must have been signed by one of the keys you decided to trust previously, by default this would be either via the Qubes R1 signing key, or Fedora 17 signing key.
- via system compromise or via some illegal RPM package (e.g. Fedora released package pretending to bring new Firefox). In that case, however, your VM is already compromised, and it careful checking of the new R2 key would not change this situation to any better one. The game is lost for this VM anyway (and all VMs based on this template).
4. Shut down the VM.
Upgrade Dom0
------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above.
1. Open terminal in Dom0. E.g. Start-\>System Settings-\>Konsole.
2. Upgrade the `qubes-release` package to the latest version which brings in new repo definitions and R2 signing keys:
~~~
sudo qubes-dom0-update qubes-release
~~~
This should install `qubes-release-1-6` in your Dom0.
3. Install R2 packages:
~~~
sudo qubes-dom0-update --releasever=2
~~~
4. Reboot your system. Please note that if you use Anti Evil Maid, then it won't be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maid's passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

90
user/downloading-installing-upgrading/upgrade/2b1.rst Normal file
View file

@ -0,0 +1,90 @@
=================
Upgrading to R2B1
=================
**Note: Qubes R2 Beta 1 is no longer supported! Please install or upgrade to a newer Qubes R2.**
**Note: This page is kept for historical reasons only! Do not follow the instructions below**
Existing users of Qubes R1 (but not R1 betas!) can upgrade their systems to the latest R2 beta release by following the procedure below. As usual, it is advisable to backup the system before proceeding with the upgrade
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R1, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found :doc:`here </user/templates/templates>` and :doc:`here </user/advanced-topics/standalones-and-hvms>`. The steps described in this section should be repeated in *all* users Template and Standalone VMs.
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Managers right-click menu and choose Run Command in VM and type ``gnome-terminal`` there.
2. Install ``qubes-upgrade-vm`` package (this package brings in R2 repo definitions and R2 keys)
.. code:: bash
sudo yum install qubes-upgrade-vm
3. Proceed with normal update in the template (this should bring in also the R2 packages for the VMs):
.. code:: bash
sudo yum update
The installer (yum) will prompt to accept the new Qubes R2 signing key:
.. code:: bash
Importing GPG key 0x0A40E458:
Userid : "Qubes OS Release 2 Signing Key"
Fingerprint: 3f01 def4 9719 158e f862 66f8 0c73 b9d4 0a40 e458
Package : qubes-upgrade-vm-1.0-1.fc17.x86_64 (@qubes-vm-current)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-2-primary
Is this ok [y/N]:
If you see (as is the case on the “screenshot” above) that the new key was imported from a local filesystem (``/etc/pki/rpm-gpg/...``) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your templates filesystem:
- via a legitimate RPM package previously installed (in our case it was the ``qubes-upgrade-vm`` RPM). Such an RPM must have been signed by one of the keys you decided to trust previously, by default this would be either via the Qubes R1 signing key, or Fedora 17 signing key.
- via system compromise or via some illegal RPM package (e.g. Fedora released package pretending to bring new Firefox). In that case, however, your VM is already compromised, and it careful checking of the new R2 key would not change this situation to any better one. The game is lost for this VM anyway (and all VMs based on this template).
4. Shut down the VM.
Upgrade Dom0
------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above.
1. Open terminal in Dom0. E.g. Start->System Settings->Konsole.
2. Upgrade the ``qubes-release`` package to the latest version which brings in new repo definitions and R2 signing keys:
.. code:: bash
sudo qubes-dom0-update qubes-release
This should install ``qubes-release-1-6`` in your Dom0.
3. Install R2 packages:
.. code:: bash
sudo qubes-dom0-update --releasever=2
4. Reboot your system. Please note that if you use Anti Evil Maid, then it wont be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maids passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

109
user/downloading-installing-upgrading/upgrade/2b2.md
View file

@ -1,109 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/2b2/
redirect_from:
- /doc/upgrade-to-r2b2/
- /en/doc/upgrade-to-r2b2/
- /doc/UpgradeToR2B2/
- /wiki/UpgradeToR2B2/
ref: 160
title: Upgrading to R2B2
---
Existing users of Qubes R1 (but not R1 betas!) can upgrade their systems to the latest R2 beta release by following the procedure below. As usual, it is advisable to backup the system before proceeding with the upgrade. While it is possible to upgrade the system **it is strongly recommended to reinstall it**. You will preserve all your data and settings thanks to [backup and restore tools](/doc/backup-restore/).
Upgrade all Template and Standalone VM(s)
-----------------------------------------
**If you have already R2 Beta1 installed, follow standard template update procedure (e.g. "Update VM" button in Qubes Manager) and skip the rest of this section**
By default, in Qubes R1, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/templates/) and [here](/doc/standalone-and-hvm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
2. Install `qubes-upgrade-vm` package (this package brings in R2 repo definitions and R2 keys)
~~~
sudo yum install qubes-upgrade-vm
~~~
3. Proceed with normal update in the template (this should bring in also the R2 packages for the VMs):
~~~
sudo yum update
~~~
The installer (yum) will prompt to accept the new Qubes R2 signing key:
~~~
Importing GPG key 0x0A40E458:
Userid : "Qubes OS Release 2 Signing Key"
Fingerprint: 3f01 def4 9719 158e f862 66f8 0c73 b9d4 0a40 e458
Package : qubes-upgrade-vm-1.0-1.fc17.x86_64 (@qubes-vm-current)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-2-primary
Is this ok [y/N]:
~~~
If you see (as is the case on the "screenshot" above) that the new key was imported from a local filesystem (`/etc/pki/rpm-gpg/...`) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your template's filesystem:
- via a legitimate RPM package previously installed (in our case it was the `qubes-upgrade-vm` RPM). Such an RPM must have been signed by one of the keys you decided to trust previously, by default this would be either via the Qubes R1 signing key, or Fedora 17 signing key.
- via system compromise or via some illegal RPM package (e.g. Fedora released package pretending to bring new Firefox). In that case, however, your VM is already compromised, and it careful checking of the new R2 key would not change this situation to any better one. The game is lost for this VM anyway (and all VMs based on this template).
4. Shut down the VM.
Installing new template
-----------------------
Qubes R2 Beta2 brings new fedora-18-x64 template (based on Fedora 18). You can install it from Qubes installation DVD. Insert installation DVD into your drive and issue following commands:
~~~
$ sudo -s
# mkdir -p /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom # you can also use ISO image instead of /dev/cdrom; then add -o loop option
# yum install /mnt/cdrom/Packages/q/qubes-template-fedora-18-x64*rpm
# umount /mnt/cdrom
~~~
If you already have fedora-17-x64, you can also upgrade it to fedora-18-x64 following [standard Fedora upgrade procedure](https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum) (only "yum" method will work in Qubes VM).
Upgrade Dom0
------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above.
1. Open terminal in Dom0. E.g. Start-\>System Settings-\>Konsole.
2. Upgrade the `qubes-release` package to the latest version which brings in new repo definitions and R2 signing keys:
~~~
sudo qubes-dom0-update qubes-release
~~~
This should install `qubes-release-1-6` in your Dom0.
3. Install R2 upgrade package:
~~~
sudo qubes-dom0-update --releasever=1 qubes-dist-upgrade
~~~
4. Start upgrade process:
~~~
sudo qubes-dist-upgrade
~~~
5. Follow instructions on screen, first stage of upgrade should end up with reboot request.
6. Reboot your system, ensure that you choose "Qubes Upgrade" boot option.
7. When system starts up, login and start start
~~~
sudo qubes-dist-upgrade
~~~
again. This will start second stage of upgrade, here most packages will be upgraded, so this will take a while.
8. You will be prompted to install new bootloader. If you haven't changed anything in this matter from initial installation, just accept the default.
9. Reboot your system. System shutdown may hung because some running system components no longer match that installed on disk; just wait a few minutes and hard reset the system in such case.
10. This is end of upgrade process, you should now have Qubes R2 system.
Please note that if you use Anti Evil Maid, then it won't be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maid's passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

133
user/downloading-installing-upgrading/upgrade/2b2.rst Normal file
View file

@ -0,0 +1,133 @@
=================
Upgrading to R2B2
=================
Existing users of Qubes R1 (but not R1 betas!) can upgrade their systems to the latest R2 beta release by following the procedure below. As usual, it is advisable to backup the system before proceeding with the upgrade. While it is possible to upgrade the system **it is strongly recommended to reinstall it**. You will preserve all your data and settings thanks to :doc:`backup and restore tools </user/how-to-guides/how-to-back-up-restore-and-migrate>`.
Upgrade all Template and Standalone VM(s)
-----------------------------------------
**If you have already R2 Beta1 installed, follow standard template update procedure (e.g. “Update VM” button in Qubes Manager) and skip the rest of this section**
By default, in Qubes R1, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found :doc:`here </user/templates/templates>` and :doc:`here </user/advanced-topics/standalones-and-hvms>`. The steps described in this section should be repeated in *all* users Template and Standalone VMs.
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Managers right-click menu and choose Run Command in VM and type ``gnome-terminal`` there.
2. Install ``qubes-upgrade-vm`` package (this package brings in R2 repo definitions and R2 keys)
.. code:: bash
sudo yum install qubes-upgrade-vm
3. Proceed with normal update in the template (this should bring in also the R2 packages for the VMs):
.. code:: bash
sudo yum update
The installer (yum) will prompt to accept the new Qubes R2 signing key:
.. code:: bash
Importing GPG key 0x0A40E458:
Userid : "Qubes OS Release 2 Signing Key"
Fingerprint: 3f01 def4 9719 158e f862 66f8 0c73 b9d4 0a40 e458
Package : qubes-upgrade-vm-1.0-1.fc17.x86_64 (@qubes-vm-current)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-2-primary
Is this ok [y/N]:
If you see (as is the case on the “screenshot” above) that the new key was imported from a local filesystem (``/etc/pki/rpm-gpg/...``) you can safely accept the key, without checking its fingerprint. This is because there were only two ways for such a key to make it to your templates filesystem:
- via a legitimate RPM package previously installed (in our case it was the ``qubes-upgrade-vm`` RPM). Such an RPM must have been signed by one of the keys you decided to trust previously, by default this would be either via the Qubes R1 signing key, or Fedora 17 signing key.
- via system compromise or via some illegal RPM package (e.g. Fedora released package pretending to bring new Firefox). In that case, however, your VM is already compromised, and it careful checking of the new R2 key would not change this situation to any better one. The game is lost for this VM anyway (and all VMs based on this template).
4. Shut down the VM.
Installing new template
-----------------------
Qubes R2 Beta2 brings new fedora-18-x64 template (based on Fedora 18). You can install it from Qubes installation DVD. Insert installation DVD into your drive and issue following commands:
.. code:: bash
$ sudo -s
# mkdir -p /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom # you can also use ISO image instead of /dev/cdrom; then add -o loop option
# yum install /mnt/cdrom/Packages/q/qubes-template-fedora-18-x64*rpm
# umount /mnt/cdrom
If you already have fedora-17-x64, you can also upgrade it to fedora-18-x64 following `standard Fedora upgrade procedure <https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum>`__ (only “yum” method will work in Qubes VM).
Upgrade Dom0
------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above.
1. Open terminal in Dom0. E.g. Start->System Settings->Konsole.
2. Upgrade the ``qubes-release`` package to the latest version which brings in new repo definitions and R2 signing keys:
.. code:: bash
sudo qubes-dom0-update qubes-release
This should install ``qubes-release-1-6`` in your Dom0.
3. Install R2 upgrade package:
.. code:: bash
sudo qubes-dom0-update --releasever=1 qubes-dist-upgrade
4. Start upgrade process:
.. code:: bash
sudo qubes-dist-upgrade
5. Follow instructions on screen, first stage of upgrade should end up with reboot request.
6. Reboot your system, ensure that you choose “Qubes Upgrade” boot option.
7. When system starts up, login and start start
.. code:: bash
sudo qubes-dist-upgrade
again. This will start second stage of upgrade, here most packages will be upgraded, so this will take a while.
8. You will be prompted to install new bootloader. If you havent changed anything in this matter from initial installation, just accept the default.
9. Reboot your system. System shutdown may hung because some running system components no longer match that installed on disk; just wait a few minutes and hard reset the system in such case.
10. This is end of upgrade process, you should now have Qubes R2 system.
Please note that if you use Anti Evil Maid, then it wont be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maids passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

77
user/downloading-installing-upgrading/upgrade/2b3.md
View file

@ -1,77 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/2b3/
redirect_from:
- /doc/upgrade-to-r2b3/
- /en/doc/upgrade-to-r2b3/
- /doc/UpgradeToR2B3/
- /wiki/UpgradeToR2B3/
ref: 157
title: Upgrading to R2B3
---
Current Qubes R2 Beta 2 (R2B2) systems can be upgraded in-place to the latest R2 Beta 3 (R2B3) release by following the procedure below. However, upgrading in-place is riskier than performing a clean installation, since there are more things which can go wrong. For this reason, **we strongly recommended that users perform a [clean installation](/doc/installation-guide/) of Qubes R2 Beta 3**.
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users back up the system by using the built-in [backup tool](/doc/backup-restore/).**
Experienced users may be comfortable accepting the risks of upgrading in-place. Such users may wish to first attempt an in-place upgrade. If nothing goes wrong, then some time and effort will have been saved. If something does go wrong, then the user can simply perform a clean installation, and no significant loss will have occurred (as long as the user [backed up](/doc/backup-restore/) correctly!).
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/software-update-vm/). The steps described in this section should be repeated in *all* user's Template and Standalone VMs.
It is critical to complete this step **before** proceeding to dom0 upgrade. Otherwise you will most likely ends with unusable system.
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
2. Proceed with normal update in the template:
~~~
sudo yum update
~~~
3. Ensure that you've got qubes-core-vm package version 2.1.13-3.fc18:
~~~
rpm -q qubes-core-vm
~~~
4. Update the system to R2 beta3 packages:
~~~
sudo yum --enablerepo=qubes-vm-r2b3-current update
~~~
5. **Do not** shutdown the VM.
Upgrading dom0
--------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above. Also make sure you haven't shutdown any of: netvm, firewallvm, fedora-18-x64 (or to be more precise: template which your netvm and firewallvm is based on).
1. Open terminal in Dom0. E.g. Start-\>System Settings-\>Konsole.
2. Upgrade the `qubes-release` package to the latest version which brings in new repo definitions and R2 signing keys:
~~~
sudo qubes-dom0-update qubes-release
~~~
This should install `qubes-release-2-3.1` in your Dom0.
3. Upgrade dom0 to R2 beta3:
~~~
sudo qubes-dom0-update --enablerepo=qubes-dom0-r2b3-current
~~~
4. If above step completed successfully you should have qubes-core-dom0 at least 2.1.34. If not, repeat above step with additional `--clean` option.
5. Now is the time to shutdown all the VMs:
~~~
qvm-shutdown --all --wait
~~~
6. Reboot the system.
Please note that if you use Anti Evil Maid, then it won't be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maid's passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

89
user/downloading-installing-upgrading/upgrade/2b3.rst Normal file
View file

@ -0,0 +1,89 @@
=================
Upgrading to R2B3
=================
Current Qubes R2 Beta 2 (R2B2) systems can be upgraded in-place to the latest R2 Beta 3 (R2B3) release by following the procedure below. However, upgrading in-place is riskier than performing a clean installation, since there are more things which can go wrong. For this reason, **we strongly recommended that users perform a** :doc:`clean installation </user/downloading-installing-upgrading/installation-guide>` **of Qubes R2 Beta 3**.
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users back up the system by using the built-in** :doc:`backup tool </user/how-to-guides/how-to-back-up-restore-and-migrate>` **.**
Experienced users may be comfortable accepting the risks of upgrading in-place. Such users may wish to first attempt an in-place upgrade. If nothing goes wrong, then some time and effort will have been saved. If something does go wrong, then the user can simply perform a clean installation, and no significant loss will have occurred (as long as the user :doc:`backed up </user/how-to-guides/how-to-back-up-restore-and-migrate>` correctly!).
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found :doc:`here </user/how-to-guides/how-to-install-software>`. The steps described in this section should be repeated in *all* users Template and Standalone VMs.
It is critical to complete this step **before** proceeding to dom0 upgrade. Otherwise you will most likely ends with unusable system.
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Managers right-click menu and choose Run Command in VM and type ``gnome-terminal`` there.
2. Proceed with normal update in the template:
.. code:: bash
sudo yum update
3. Ensure that youve got qubes-core-vm package version 2.1.13-3.fc18:
.. code:: bash
rpm -q qubes-core-vm
4. Update the system to R2 beta3 packages:
.. code:: bash
sudo yum --enablerepo=qubes-vm-r2b3-current update
5. **Do not** shutdown the VM.
Upgrading dom0
--------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above. Also make sure you havent shutdown any of: netvm, firewallvm, fedora-18-x64 (or to be more precise: template which your netvm and firewallvm is based on).
1. Open terminal in Dom0. E.g. Start->System Settings->Konsole.
2. Upgrade the ``qubes-release`` package to the latest version which brings in new repo definitions and R2 signing keys:
.. code:: bash
sudo qubes-dom0-update qubes-release
This should install ``qubes-release-2-3.1`` in your Dom0.
3. Upgrade dom0 to R2 beta3:
.. code:: bash
sudo qubes-dom0-update --enablerepo=qubes-dom0-r2b3-current
4. If above step completed successfully you should have qubes-core-dom0 at least 2.1.34. If not, repeat above step with additional ``--clean`` option.
5. Now is the time to shutdown all the VMs:
.. code:: bash
qvm-shutdown --all --wait
6. Reboot the system.
Please note that if you use Anti Evil Maid, then it wont be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maids passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.

167
user/downloading-installing-upgrading/upgrade/3_0.md
View file

@ -1,167 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/3.0/
redirect_from:
- /doc/upgrade-to-r3.0/
- /en/doc/upgrade-to-r3.0/
- /doc/UpgradeToR3.0/
- /doc/UpgradeToR3.0rc1/
ref: 159
title: Upgrading to R3.0
---
**This instruction is highly experimental, the official way to upgrade from R2 is to backup the data and reinstall the system. Use at your own risk!**
Current Qubes R3.0 (R3.0) systems can be upgraded in-place to the latest R3.0 by following the procedure below. However, upgrading in-place is riskier than performing a clean installation, since there are more things which can go wrong. For this reason, **we strongly recommended that users perform a [clean installation](/doc/installation-guide/) of Qubes R3.0**.
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users back up the system by using the built-in [backup tool](/doc/backup-restore/).**
Experienced users may be comfortable accepting the risks of upgrading in-place. Such users may wish to first attempt an in-place upgrade. If nothing goes wrong, then some time and effort will have been saved. If something does go wrong, then the user can simply perform a clean installation, and no significant loss will have occurred (as long as the user [backed up](/doc/backup-restore/) correctly!).
## Upgrade all Template and Standalone VM(s)
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found [here](/doc/software-update-vm/). The steps described in this section should be repeated in **all** user's Template and Standalone VMs.
It is critical to complete this step **before** proceeding to dom0 upgrade. Otherwise you will most likely end with unusable system.
### Upgrade Fedora template:
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
2. Install `qubes-upgrade-vm` package:
```
sudo yum install qubes-upgrade-vm
```
3. Proceed with normal update in the template:
```
sudo yum update
```
You'll need to accept "Qubes Release 3 Signing Key" - it is delivered by signed qubes-upgrade-vm package (verify that the message is about local file), so you don't need to manually verify it.
4. Shutdown the template.
### Upgrade Debian template:
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Manager's right-click menu and choose Run Command in VM and type `gnome-terminal` there.
2. Update repository definition:
```
sudo cp /etc/apt/sources.list.d/qubes-r2.list
/etc/apt/sources.list.d/qubes-r3-upgrade.list
sudo sed -i 's/r2/r3.0/' /etc/apt/sources.list.d/qubes-r3-upgrade.list
```
3. Proceed with normal update in the template:
```
sudo apt-get update
sudo apt-get dist-upgrade
```
There will be some error messages during the process, but our tests does
not revealed any negative consequences.
Update of `qubesdb-vm` package will restart the service, which will fail
(after 3min timeout), but you can ignore this problem for now. After
completing the whole upgrade the service will be properly restarted.
4. Shutdown the template.
## Upgrading dom0
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above. Also make sure you haven't shutdown any of: netvm, firewallvm - you will not be able to start them again.
1. Open terminal in Dom0. E.g. Start-\>System Settings-\>Konsole.
2. Upgrade the `qubes-release` package to the latest version which brings in new repo definitions and R2 signing keys:
```
sudo qubes-dom0-update qubes-release
```
This should install `qubes-release-2-12` in your Dom0.
3. Upgrade dom0 to R3.0:
```
sudo qubes-dom0-update --releasever=3.0
```
After this step, until you reboot the system, most of the qvm-* tools will not work.
4. If above step completed successfully you should have `qubes-core-dom0` at least 3.0.8. If not, repeat above step with additional `--clean` option.
5. Enable Xen services:
```
sudo systemctl enable xenconsoled.service xenstored.service
```
6. Reboot the system.
- It may happen that the system hang during the reboot. Hard reset the system in such case, all the filesystems are unmounted at this stage.
Please note that if you use Anti Evil Maid, then it won't be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maid's passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.
Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0 repositories. Especially Fedora 21 - default Qubes R3.0 template:
```
sudo qubes-dom0-update qubes-template-fedora-21
```
## Upgrading template on already upgraded dom0
If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be more complicated. This can be the case when you restore backup done on Qubes R2.
When you start R2 template/standalone VM on R3.0, there will be some limitations:
1. qrexec will not connect (you will see an error message during VM startup)
2. GUI will not connect - you will not see any VM window
3. VM will not be configured - especially it will not have network access
Because of above limitations, you will need to configure some of those manually. The instruction assumes the VM name is `custom-template`, but the same instructions can be applied to a standalone VM.
1. Check the VM network parameters, you will need them later:
```shell_session
[user@dom0 ~]$ qvm-ls -n custom-template
-------------------+----+--------+-------+------+-------------+-------+-------------+---------+-------------+
name | on | state | updbl | type | netvm | label | ip | ip back | gateway/DNS |
-------------------+----+--------+-------+------+-------------+-------+-------------+---------+-------------+
[custom-template] | | Halted | Yes | Tpl | *firewallvm | black | 10.137.1.53 | n/a | 10.137.1.1 |
```
2. Start the VM from command line:
```shell_session
[user@dom0 ~]$ qvm-start custom-template
--> Loading the VM (type = template)...
--> Starting Qubes DB...
--> Setting Qubes DB info for the VM...
--> Updating firewall rules...
--> Starting the VM...
--> Starting the qrexec daemon...
Waiting for VM's qrexec agent.............................................................Cannot connect to 'custom-template' qrexec agent for 60 seconds, giving up
ERROR: Cannot execute qrexec-daemon!
```
You can interrupt with Ctrl-C that qrexec waiting process.
3. Access VM console:
```
[user@dom0 ~]$ virsh -c xen:/// console custom-template
```
4. Configure network according to parameters retrieved in first step:
```
ip addr add 10.137.1.53/32 dev eth0
ip route add 10.137.1.1/32 dev eth0
ip route add via 10.137.1.1
echo nameserver 10.137.1.1 > /etc/resolv.conf
```
5. Proceed with normal upgrade instruction described on this page.

198
user/downloading-installing-upgrading/upgrade/3_0.rst Normal file
View file

@ -0,0 +1,198 @@
=================
Upgrading to R3.0
=================
**This instruction is highly experimental, the official way to upgrade from R2 is to backup the data and reinstall the system. Use at your own risk!**
Current Qubes R3.0 (R3.0) systems can be upgraded in-place to the latest R3.0 by following the procedure below. However, upgrading in-place is riskier than performing a clean installation, since there are more things which can go wrong. For this reason, **we strongly recommended that users perform a** :doc:`clean installation </user/downloading-installing-upgrading/installation-guide>` **of Qubes R3.0**.
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users back up the system by using the built-in** :doc:`backup tool </user/how-to-guides/how-to-back-up-restore-and-migrate>` **.**
Experienced users may be comfortable accepting the risks of upgrading in-place. Such users may wish to first attempt an in-place upgrade. If nothing goes wrong, then some time and effort will have been saved. If something does go wrong, then the user can simply perform a clean installation, and no significant loss will have occurred (as long as the user :doc:`backed up </user/how-to-guides/how-to-back-up-restore-and-migrate>` correctly!).
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R2, there is only one template, however users are free to create more templates for special purposes, as well as Standalone VMs. More information on using multiple templates, as well as Standalone VMs, can be found :doc:`here </user/how-to-guides/how-to-install-software>`. The steps described in this section should be repeated in **all** users Template and Standalone VMs.
It is critical to complete this step **before** proceeding to dom0 upgrade. Otherwise you will most likely end with unusable system.
Upgrade Fedora template:
^^^^^^^^^^^^^^^^^^^^^^^^
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Managers right-click menu and choose Run Command in VM and type ``gnome-terminal`` there.
2. Install ``qubes-upgrade-vm`` package:
.. code:: bash
sudo yum install qubes-upgrade-vm
3. Proceed with normal update in the template:
.. code:: bash
sudo yum update
Youll need to accept “Qubes Release 3 Signing Key” - it is delivered by signed qubes-upgrade-vm package (verify that the message is about local file), so you dont need to manually verify it.
4. Shutdown the template.
Upgrade Debian template:
^^^^^^^^^^^^^^^^^^^^^^^^
1. Open terminal in the template (or standalone VM). E.g. use the Qubes Managers right-click menu and choose Run Command in VM and type ``gnome-terminal`` there.
2. Update repository definition:
.. code:: bash
sudo cp /etc/apt/sources.list.d/qubes-r2.list
/etc/apt/sources.list.d/qubes-r3-upgrade.list
sudo sed -i 's/r2/r3.0/' /etc/apt/sources.list.d/qubes-r3-upgrade.list
3. Proceed with normal update in the template:
.. code:: bash
sudo apt-get update
sudo apt-get dist-upgrade
There will be some error messages during the process, but our tests does not revealed any negative consequences. Update of ``qubesdb-vm`` package will restart the service, which will fail (after 3min timeout), but you can ignore this problem for now. After completing the whole upgrade the service will be properly restarted.
4. Shutdown the template.
Upgrading dom0
--------------
Be sure to do steps described in this section after *all* your template and standalone VMs got updated as described in the section above. Also make sure you havent shutdown any of: netvm, firewallvm - you will not be able to start them again.
1. Open terminal in Dom0. E.g. Start->System Settings->Konsole.
2. Upgrade the ``qubes-release`` package to the latest version which brings in new repo definitions and R2 signing keys:
.. code:: bash
sudo qubes-dom0-update qubes-release
This should install ``qubes-release-2-12`` in your Dom0.
3. Upgrade dom0 to R3.0:
.. code:: bash
sudo qubes-dom0-update --releasever=3.0
After this step, until you reboot the system, most of the qvm-* tools will not work.
4. If above step completed successfully you should have ``qubes-core-dom0`` at least 3.0.8. If not, repeat above step with additional ``--clean`` option.
5. Enable Xen services:
.. code:: bash
sudo systemctl enable xenconsoled.service xenstored.service
6. Reboot the system.
- It may happen that the system hang during the reboot. Hard reset the system in such case, all the filesystems are unmounted at this stage.
Please note that if you use Anti Evil Maid, then it wont be able to unseal the passphrase this time, because the Xen, kernel, and initramfs binaries have changed. Once the system boots up again, you could reseal your Anti Evil Maids passphrase to the new configuration. Please consult Anti Evil Maid documentation for explanation on how to do that.
Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0 repositories. Especially Fedora 21 - default Qubes R3.0 template:
.. code:: bash
sudo qubes-dom0-update qubes-template-fedora-21
Upgrading template on already upgraded dom0
-------------------------------------------
If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be more complicated. This can be the case when you restore backup done on Qubes R2.
When you start R2 template/standalone VM on R3.0, there will be some limitations:
1. qrexec will not connect (you will see an error message during VM startup)
2. GUI will not connect - you will not see any VM window
3. VM will not be configured - especially it will not have network access
Because of above limitations, you will need to configure some of those manually. The instruction assumes the VM name is ``custom-template``, but the same instructions can be applied to a standalone VM.
1. Check the VM network parameters, you will need them later:
.. code:: bash
[user@dom0 ~]$ qvm-ls -n custom-template
-------------------+----+--------+-------+------+-------------+-------+-------------+---------+-------------+
name | on | state | updbl | type | netvm | label | ip | ip back | gateway/DNS |
-------------------+----+--------+-------+------+-------------+-------+-------------+---------+-------------+
[custom-template] | | Halted | Yes | Tpl | *firewallvm | black | 10.137.1.53 | n/a | 10.137.1.1 |
2. Start the VM from command line:
.. code:: bash
[user@dom0 ~]$ qvm-start custom-template
--> Loading the VM (type = template)...
--> Starting Qubes DB...
--> Setting Qubes DB info for the VM...
--> Updating firewall rules...
--> Starting the VM...
--> Starting the qrexec daemon...
Waiting for VM's qrexec agent.............................................................Cannot connect to 'custom-template' qrexec agent for 60 seconds, giving up
ERROR: Cannot execute qrexec-daemon!
You can interrupt with Ctrl-C that qrexec waiting process.
3. Access VM console:
.. code:: bash
[user@dom0 ~]$ virsh -c xen:/// console custom-template
4. Configure network according to parameters retrieved in first step:
.. code:: bash
ip addr add 10.137.1.53/32 dev eth0
ip route add 10.137.1.1/32 dev eth0
ip route add via 10.137.1.1
echo nameserver 10.137.1.1 > /etc/resolv.conf
5. Proceed with normal upgrade instruction described on this page.

124
user/downloading-installing-upgrading/upgrade/3_1.md
View file

@ -1,124 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/3.1/
redirect_from:
- /doc/upgrade-to-r3.1/
- /en/doc/upgrade-to-r3.1/
- /doc/UpgradeToR3.1/
- /doc/UpgradeToR3.1rc1/
ref: 155
title: Upgrading to R3.1
---
**Before attempting either an in-place upgrade or a clean installation, we
strongly recommend that users [back up their systems](/doc/backup-restore/).**
Current Qubes R3.0 systems can be upgraded in-place to the latest R3.1
by following the procedure below.
## Upgrade all Template and Standalone VM(s)
By default, in Qubes R3.0, there is only one template. However, users are
free to create more templates for special purposes, as well as standalones.
More information on using multiple templates, as well as standalones, can be
found [here](/doc/software-update-vm/). The steps described in this
section should be repeated in **all** the user's Template and Standalone VMs.
### Upgrade Fedora templates:
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM
Manager's right-click menu, choose "Run Command in VM," and type
`gnome-terminal` there.)
2. Install the `qubes-upgrade-vm` package:
```
sudo yum install qubes-upgrade-vm
```
3. Proceed with a normal upgrade in the template:
```
sudo yum upgrade
```
4. Shut down the template.
### Upgrade Debian (and Whonix) templates:
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM
Manager's right-click menu, choose "Run Command in VM," and type
`gnome-terminal` there.)
2. Update repository definition:
```
sudo cp /etc/apt/sources.list.d/qubes-r3.list /etc/apt/sources.list.d/qubes-r3-upgrade.list
sudo sed -i 's/r3.0/r3.1/' /etc/apt/sources.list.d/qubes-r3-upgrade.list
```
3. Proceed with a normal update in the template:
```
sudo apt-get update
sudo apt-get dist-upgrade
```
4. Remove unnecessary now file:
```
sudo rm -f /etc/apt/sources.list.d/qubes-r3-upgrade.list
```
5. Shut down the template.
## Upgrading dom0
**Important:** Do not perform the steps described in this section until **all**
your Template and Standalone VMs have been upgraded as described in the previous
section. Also, do not shut down `sys-net` or `sys-firewall`, since you will not
be able to start them again until after the entire in-place upgrade procedure is
complete.
1. Open a terminal in Dom0. (E.g., Start -\> System Settings -\> Konsole.)
2. Upgrade dom0 to R3.1:
```
sudo qubes-dom0-update --releasever=3.1
```
At this point, most of the `qvm-*` tools will stop working until after you
reboot the system.
3. If the previous step completed successfully, your `qubes-core-dom0` version
should be `3.1.4` or higher. If it's not, repeat the previous step with the
`--clean` option.
4. Reboot dom0.
- The system may hang during the reboot. If that happens, do not panic. All
the filesystems will have already been unmounted at this stage, so you can
simply perform a hard reboot (e.g., hold the physical power button down
until the machine shuts off, wait a moment, then press it again to start it
back up).
Please note that if you use [Anti Evil Maid](/doc/anti-evil-maid), it won't be
able to unseal the passphrase the first time the system boots after performing
this in-place upgrade procedure since the Xen, kernel, and initramfs binaries
will have changed. Once the system boots up again, you can reseal your Anti Evil
Maid passphrase to the new configuration. Please consult the Anti Evil Maid
[documentation](/doc/anti-evil-maid) for instructions on how to do that.
If you use USB VM, you may encounter problem with starting it on updated Xen
version (because of strict default settings). Take a look at
[User FAQ](/faq/#i-created-a-usb-vm-and-assigned-usb-controllers-to-it-now-the-usb-vm-wont-boot)
for details.
Once you have upgraded dom0, you can install new templates from Qubes R3.1
repositories, in particular the new default Fedora 23 template:
```
sudo qubes-dom0-update qubes-template-fedora-23
```

115
user/downloading-installing-upgrading/upgrade/3_1.rst Normal file
View file

@ -0,0 +1,115 @@
=================
Upgrading to R3.1
=================
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users** :doc:`back up their systems </user/how-to-guides/how-to-back-up-restore-and-migrate>` **.**
Current Qubes R3.0 systems can be upgraded in-place to the latest R3.1 by following the procedure below.
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R3.0, there is only one template. However, users are free to create more templates for special purposes, as well as standalones. More information on using multiple templates, as well as standalones, can be found :doc:`here </user/how-to-guides/how-to-install-software>`. The steps described in this section should be repeated in **all** the users Template and Standalone VMs.
Upgrade Fedora templates:
^^^^^^^^^^^^^^^^^^^^^^^^^
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM Managers right-click menu, choose “Run Command in VM,” and type ``gnome-terminal`` there.)
2. Install the ``qubes-upgrade-vm`` package:
.. code:: bash
sudo yum install qubes-upgrade-vm
3. Proceed with a normal upgrade in the template:
.. code:: bash
sudo yum upgrade
4. Shut down the template.
Upgrade Debian (and Whonix) templates:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM Managers right-click menu, choose “Run Command in VM,” and type ``gnome-terminal`` there.)
2. Update repository definition:
.. code:: bash
sudo cp /etc/apt/sources.list.d/qubes-r3.list /etc/apt/sources.list.d/qubes-r3-upgrade.list
sudo sed -i 's/r3.0/r3.1/' /etc/apt/sources.list.d/qubes-r3-upgrade.list
3. Proceed with a normal update in the template:
.. code:: bash
sudo apt-get update
sudo apt-get dist-upgrade
4. Remove unnecessary now file:
.. code:: bash
sudo rm -f /etc/apt/sources.list.d/qubes-r3-upgrade.list
5. Shut down the template.
Upgrading dom0
--------------
**Important:** Do not perform the steps described in this section until **all** your Template and Standalone VMs have been upgraded as described in the previous section. Also, do not shut down ``sys-net`` or ``sys-firewall``, since you will not be able to start them again until after the entire in-place upgrade procedure is complete.
1. Open a terminal in Dom0. (E.g., Start -> System Settings -> Konsole.)
2. Upgrade dom0 to R3.1:
.. code:: bash
sudo qubes-dom0-update --releasever=3.1
At this point, most of the ``qvm-*`` tools will stop working until after you reboot the system.
3. If the previous step completed successfully, your ``qubes-core-dom0`` version should be ``3.1.4`` or higher. If its not, repeat the previous step with the ``--clean`` option.
4. Reboot dom0.
- The system may hang during the reboot. If that happens, do not panic. All the filesystems will have already been unmounted at this stage, so you can simply perform a hard reboot (e.g., hold the physical power button down until the machine shuts off, wait a moment, then press it again to start it back up).
Please note that if you use :doc:`Anti Evil Maid </user/security-in-qubes/anti-evil-maid>`, it wont be able to unseal the passphrase the first time the system boots after performing this in-place upgrade procedure since the Xen, kernel, and initramfs binaries will have changed. Once the system boots up again, you can reseal your Anti Evil Maid passphrase to the new configuration. Please consult the Anti Evil Maid :doc:`documentation </user/security-in-qubes/anti-evil-maid>` for instructions on how to do that.
If you use USB VM, you may encounter problem with starting it on updated Xen version (because of strict default settings). Take a look at :ref:`User FAQ <introduction/faq:i created a usb vm and assigned usb controllers to it. now the usb vm won't boot.>` for details.
Once you have upgraded dom0, you can install new templates from Qubes R3.1 repositories, in particular the new default Fedora 23 template:
.. code:: bash
sudo qubes-dom0-update qubes-template-fedora-23

186
user/downloading-installing-upgrading/upgrade/3_2.md
View file

@ -1,186 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/3.2/
redirect_from:
- /doc/upgrade-to-r3.2/
- /en/doc/upgrade-to-r3.2/
- /doc/UpgradeToR3.2/
- /doc/UpgradeToR3.2rc1/
ref: 161
title: Upgrading to R3.2
---
**Before attempting either an in-place upgrade or a clean installation, we
strongly recommend that users [back up their systems](/doc/backup-restore/).**
Current Qubes R3.1 systems can be upgraded in-place to the latest R3.2
by following the procedure below.
## Upgrading dom0
1. Close Qubes Manager (right click on its tray icon -\> Exit)
2. Open a terminal in Dom0. (E.g., Start -\> System Settings -\> Konsole.)
3. Install `qubes-release` package carrying R3.2 repository information.
```
sudo qubes-dom0-update --releasever=3.2 qubes-release
```
- If you made any manual changes to repository definitions, new definitions
will be installed as `/etc/yum.repos.d/qubes-dom0.repo.rpmnew` (you'll see
a message about it during package installation). In such a case, you need
to manually apply the changes to `/etc/yum.repos.d/qubes-dom0.repo` or
simply replace it with .rpmnew file.
- If you are using Debian-based VM as UpdateVM (`sys-firewall` by default),
you need to download few more packages manually, but **do not install
them** yet:
```
sudo qubes-dom0-update systemd-compat-libs perl-libwww-perl perl-Term-ANSIColor perl-Term-Cap gdk-pixbuf2-xlib speexdsp qubes-mgmt-salt-admin-tools lvm2
(...)
Transaction Summary
===============================================================
Install 16 Packages (+ 31 Dependent packages)
Upgrade 4 Packages (+200 Dependent packages)
Total download size: 173 M
Is this ok [y/d/N]: n
Exiting on user command
Your transaction was saved, rerun it with:
yum load-transaction /tmp/yum_save_tx.....
```
4. Upgrade dom0 to R3.2:
```
sudo qubes-dom0-update
```
- You may wish to disable the screensaver "Lock screen" feature for this step, as
during the update XScreensaver may encounter an "Authentication failed" issue,
requiring a hard reboot. Alternatively, you may simply move the mouse regularly.
5. If the previous step completed successfully, your `qubes-core-dom0` version
should be `3.2.3` or higher. This can be verified with the command `yum info
qubes-core-dom0`. If it's not, repeat the previous step with the `--clean` option.
6. Update configuration files.
- Some of configuration files were saved with `.rpmnew` extension as the
actual files were modified. During upgrade, you'll see information about
such cases, like:
```
warning: /etc/salt/minion.d/f_defaults.conf created as /etc/salt/minion.d/f_defaults.conf.rpmnew
```
- This will happen for every configuration you have modified manually and for
a few that has been modified by Qubes scripts. If you are not sure what to
do about them, below is a list of commands to deal with few common cases
(either keep the old one, or replace with the new one):
```
rm -f /etc/group.rpmnew
rm -f /etc/shadow.rpmnew
rm -f /etc/qubes/guid.conf.rpmnew
mv -f /etc/nsswitch.conf{.rpmnew,}
mv -f /etc/pam.d/postlogin{.rpmnew,}
mv -f /etc/salt/minion.d/f_defaults.conf{.rpmnew,}
mv -f /etc/dracut.conf{.rpmnew,}
```
7. Reboot dom0.
Please note that if you use [Anti Evil Maid](/doc/anti-evil-maid), it won't be
able to unseal the passphrase the first time the system boots after performing
this in-place upgrade procedure since the Xen, kernel, and initramfs binaries
will have changed. Once the system boots up again, you can reseal your Anti Evil
Maid passphrase to the new configuration. Please consult the Anti Evil Maid
[documentation](/doc/anti-evil-maid) for instructions on how to do that.
At first login after upgrade you may got a message like this:
``
Your saved session type 'kde-plasma' is not valid any more.
Please select a new one, otherwise 'default' will be used.
``
This is result of upgrade KDE4 (`kde-plasma`) to KDE5 (`plasma`). Simply choose
your favorite desktop environment and continue.
## Upgrade all Template and Standalone VM(s)
By default, in Qubes R3.1, there are few templates and no standalones.
However, users are free to create standalones More information on using
multiple templates, as well as standalones, can be found
[here](/doc/software-update-vm/). The steps described in this section should be
repeated in **all** the user's Template and Standalone VMs.
### Upgrade Fedora templates:
**Note:** This will only upgrade your Fedora template from Qubes 3.1 to Qubes
3.2. This will *not* upgrade your Fedora template from Fedora 23 to Fedora 24.
In order to do that, please see the
[Fedora 23 template upgrade instructions](/doc/templates/fedora/#upgrading).
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM
Manager's right-click menu, choose "Run Command in VM," and type
`gnome-terminal` there.)
2. Install the `qubes-upgrade-vm` package:
```
sudo dnf install --refresh qubes-upgrade-vm
```
3. Proceed with a normal upgrade in the template:
```
sudo dnf upgrade --refresh
```
4. Add new packages (only needed in default template):
```
sudo dnf install qubes-mgmt-salt-vm-connector
```
5. Shut down the template.
### Upgrade Debian (and Whonix) templates:
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM
Manager's right-click menu, choose "Run Command in VM," and type
`gnome-terminal` there.)
2. Update repository definition:
```
sudo cp /etc/apt/sources.list.d/qubes-r3.list /etc/apt/sources.list.d/qubes-r3-upgrade.list
sudo sed -i 's/r3.1/r3.2/' /etc/apt/sources.list.d/qubes-r3-upgrade.list
```
3. Proceed with a normal update in the template:
```
sudo apt-get update
sudo apt-get dist-upgrade
```
4. Add new packages (only needed in default template):
```
sudo apt-get install qubes-mgmt-salt-vm-connector
```
5. Remove unnecessary now file:
```
sudo rm -f /etc/apt/sources.list.d/qubes-r3-upgrade.list
```
6. Shut down the template.

187
user/downloading-installing-upgrading/upgrade/3_2.rst Normal file
View file

@ -0,0 +1,187 @@
=================
Upgrading to R3.2
=================
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users** :doc:`back up their systems </user/how-to-guides/how-to-back-up-restore-and-migrate>` **.**
Current Qubes R3.1 systems can be upgraded in-place to the latest R3.2 by following the procedure below.
Upgrading dom0
--------------
1. Close Qubes Manager (right click on its tray icon -> Exit)
2. Open a terminal in Dom0. (E.g., Start -> System Settings -> Konsole.)
3. Install ``qubes-release`` package carrying R3.2 repository information.
.. code:: bash
sudo qubes-dom0-update --releasever=3.2 qubes-release
- If you made any manual changes to repository definitions, new definitions will be installed as ``/etc/yum.repos.d/qubes-dom0.repo.rpmnew`` (youll see a message about it during package installation). In such a case, you need to manually apply the changes to ``/etc/yum.repos.d/qubes-dom0.repo`` or simply replace it with .rpmnew file.
- If you are using Debian-based VM as UpdateVM (``sys-firewall`` by default), you need to download few more packages manually, but **do not install them** yet:
.. code:: bash
sudo qubes-dom0-update systemd-compat-libs perl-libwww-perl perl-Term-ANSIColor perl-Term-Cap gdk-pixbuf2-xlib speexdsp qubes-mgmt-salt-admin-tools lvm2
(...)
Transaction Summary
===============================================================
Install 16 Packages (+ 31 Dependent packages)
Upgrade 4 Packages (+200 Dependent packages)
Total download size: 173 M
Is this ok [y/d/N]: n
Exiting on user command
Your transaction was saved, rerun it with:
yum load-transaction /tmp/yum_save_tx.....
4. Upgrade dom0 to R3.2:
.. code:: bash
sudo qubes-dom0-update
- You may wish to disable the screensaver “Lock screen” feature for this step, as during the update XScreensaver may encounter an “Authentication failed” issue, requiring a hard reboot. Alternatively, you may simply move the mouse regularly.
5. If the previous step completed successfully, your ``qubes-core-dom0`` version should be ``3.2.3`` or higher. This can be verified with the command ``yum info qubes-core-dom0``. If its not, repeat the previous step with the ``--clean`` option.
6. Update configuration files.
- Some of configuration files were saved with ``.rpmnew`` extension as the actual files were modified. During upgrade, youll see information about such cases, like:
.. code:: bash
warning: /etc/salt/minion.d/f_defaults.conf created as /etc/salt/minion.d/f_defaults.conf.rpmnew
- This will happen for every configuration you have modified manually and for a few that has been modified by Qubes scripts. If you are not sure what to do about them, below is a list of commands to deal with few common cases (either keep the old one, or replace with the new one):
.. code:: bash
rm -f /etc/group.rpmnew
rm -f /etc/shadow.rpmnew
rm -f /etc/qubes/guid.conf.rpmnew
mv -f /etc/nsswitch.conf{.rpmnew,}
mv -f /etc/pam.d/postlogin{.rpmnew,}
mv -f /etc/salt/minion.d/f_defaults.conf{.rpmnew,}
mv -f /etc/dracut.conf{.rpmnew,}
7. Reboot dom0.
Please note that if you use :doc:`Anti Evil Maid </user/security-in-qubes/anti-evil-maid>`, it wont be able to unseal the passphrase the first time the system boots after performing this in-place upgrade procedure since the Xen, kernel, and initramfs binaries will have changed. Once the system boots up again, you can reseal your Anti Evil Maid passphrase to the new configuration. Please consult the Anti Evil Maid :doc:`documentation </user/security-in-qubes/anti-evil-maid>` for instructions on how to do that.
At first login after upgrade you may got a message like this:
``Your saved session type 'kde-plasma' is not valid any more. Please select a new one, otherwise 'default' will be used.``
This is result of upgrade KDE4 (``kde-plasma``) to KDE5 (``plasma``). Simply choose your favorite desktop environment and continue.
Upgrade all Template and Standalone VM(s)
-----------------------------------------
By default, in Qubes R3.1, there are few templates and no standalones. However, users are free to create standalones More information on using multiple templates, as well as standalones, can be found :doc:`here </user/how-to-guides/how-to-install-software>`. The steps described in this section should be repeated in **all** the users Template and Standalone VMs.
Upgrade Fedora templates:
^^^^^^^^^^^^^^^^^^^^^^^^^
**Note:** This will only upgrade your Fedora template from Qubes 3.1 to Qubes 3.2. This will *not* upgrade your Fedora template from Fedora 23 to Fedora 24. In order to do that, please see the :ref:`Fedora 23 template upgrade instructions <user/templates/fedora/fedora:upgrading>`.
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM Managers right-click menu, choose “Run Command in VM,” and type ``gnome-terminal`` there.)
2. Install the ``qubes-upgrade-vm`` package:
.. code:: bash
sudo dnf install --refresh qubes-upgrade-vm
3. Proceed with a normal upgrade in the template:
.. code:: bash
sudo dnf upgrade --refresh
4. Add new packages (only needed in default template):
.. code:: bash
sudo dnf install qubes-mgmt-salt-vm-connector
5. Shut down the template.
Upgrade Debian (and Whonix) templates:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. Open a terminal in the template (or standalone). (E.g., use Qubes VM Managers right-click menu, choose “Run Command in VM,” and type ``gnome-terminal`` there.)
2. Update repository definition:
.. code:: bash
sudo cp /etc/apt/sources.list.d/qubes-r3.list /etc/apt/sources.list.d/qubes-r3-upgrade.list
sudo sed -i 's/r3.1/r3.2/' /etc/apt/sources.list.d/qubes-r3-upgrade.list
3. Proceed with a normal update in the template:
.. code:: bash
sudo apt-get update
sudo apt-get dist-upgrade
4. Add new packages (only needed in default template):
.. code:: bash
sudo apt-get install qubes-mgmt-salt-vm-connector
5. Remove unnecessary now file:
.. code:: bash
sudo rm -f /etc/apt/sources.list.d/qubes-r3-upgrade.list
6. Shut down the template.

118
user/downloading-installing-upgrading/upgrade/4_0.md
View file

@ -1,118 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/4.0/
redirect_from:
- /doc/upgrade-to-r4.0/
- /en/doc/upgrade-to-r4.0/
- /doc/UpgradeToR4.0/
- /doc/UpgradeToR4.0rc1/
ref: 162
title: Upgrading to R4.0
---
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users [back up their systems](/doc/backup-restore/).**
Current Qubes R3.2 systems cannot be upgraded in-place to R4.0.
A full backup, clean 4.0 install, and restore is required.
This can be done by following the procedure below.
Preparation
-----------
1. Go to [downloads](/downloads/) and prepare a USB drive or DVD with the R4.0 installer.
2. If this is your only computer, and you do not have a R3.2 installer, you should also create a separate R3.2 USB drive or DVD installer at this time.
Backup R3.2
-----------
1. Attach the backup drive you will be using.
These steps assume it is a USB drive.
2. Shutdown all non-essential VMs.
Typically, `sys-usb` will be the only VM you need to leave running.
3. Follow the **Creating a Backup** section in the [Backup, Restoration, and Migration](/doc/backup-restore/) guide to back up **all VMs** except sys-usb.
6. Verify the integrity of your backup by following the **Restoring from a Backup** section in the [Backup, Restoration, and Migration](/doc/backup-restore/) guide and:
* If you're using Qubes Manager, check the box under "Restore options" that says, "Verify backup integrity, do not restore the data."
* If you're using `qvm-backup-restore` from the command-line, use the `--verify-only` option.
7. If your backup verifies successfully, proceed to the next section.
If it does not, **stop**.
Go back and repeat the backup steps, review the documentation, and ask for [help](/support/).
Install R4.0
------------
This section provides general guidance on installing R4.0 as part of migrating from R3.2.
For further details, please see the [installation guide](/doc/installation-guide/).
1. Shut down R3.2 and boot the R4.0 installer.
2. Follow the installation prompts until you get to the drive selection screen.
Choose **I want to make additional space available**.
Select the box at the top of the list in order to select all partitions.
**This will erase the entire drive**, so do this only if Qubes is the only OS installed on your computer.
If you did not successfully verify your backup in the previous section, cancel the installation, and go back to do that now.
3. Complete the R4.0 installation.
Ask for [help](/support/) if you run into trouble.
4. If you are unable to successfully install R4.0 on your system, all is not lost.
Use the R3.2 installer to reinstall R3.2, then restore from your backup.
Restore from your backup
------------------------
1. Welcome to Qubes R4.0!
The first thing you might notice is that **Qubes Manager** is not started by default.
We won't need it for the next step, but we will be starting it later.
2. Since patches may have been released since your installation image was created, update Qubes R4.0 by going to the dom0 command line (**Qubes menu -> Terminal Emulator**) then running:
```
sudo qubes-dom0-update
```
3. Reboot dom0.
4. Go to **Qubes menu -> System Tools -> Qubes Manager** to start it.
5. Follow the **Restoring from a Backup** section in the [Backup, Restoration, and Migration](/doc/backup-restore/) guide.
We recommend that you restore only your [app qubes](/doc/glossary/#app-qube) and [standalones](/doc/glossary/#standalone) from R3.2.
Using [templates](/doc/templates/) and [service qubes](/doc/glossary/#service-qube) from R3.2 is not fully supported (see [#3514](https://github.com/QubesOS/qubes-issues/issues/3514)).
Instead, we recommend using the templates that were created specifically for R4.0, which you can [customize](/doc/software-update-vm/) according to your needs.
For the template OS versions supported in R4.0, see [supported releases](/doc/supported-releases/#templates).
If the restore tool complains about missing templates, you can select the option to restore the app qubes anyway, then change them afterward to use one of the default R4.0 templates.
Note about additional disp-* qubes created during restore
---------------------------------------------------------
One of differences between R3.2 and R4.0 is the handling of disposables.
In R3.2, a disposable inherited its network settings (NetVM and firewall rules) from the calling qube.
In R4.0, this is no longer the case.
Instead, in R4.0 it's possible to create multiple disposable templates and choose which one should be used by each qube.
It's even possible to use different disposable templates for different operations from the same qube.
This allows much more flexibility, since it allows you to differentiate not only network settings, but all of a qube's properties (including its template, memory settings, etc.).
Restoring a backup from R3.2 preserves the old behavior by creating separate disposable template for each network-providing qube (and also `disp-no-netvm` for network-isolated qubes).
Then, each restored qube is configured to use the appropriate disposable template according to its `netvm` or `dispvm_netvm` property from R3.2.
This way, disposables started on R4.0 by qubes restored from a R3.2 backup have the same NetVM settings as they had on R3.2.
If you find this behavior undesirable and want to configure it differently, you can remove those `disp-*` disposable templates.
But, to do so, you must first make sure they are not set as the value for the `default_dispvm` property on any other qube.
Both Qubes Manager and the `qvm-remove` tool will show you where a disposable template is being used, so you can go there and change the setting.
Upgrade all Template and Standalone VM(s)
-----------------------------------------
We strongly recommend that you update **all** templates and standalones before use so that you have the latest security patches from upstream distributions.
In addition, if the default templates have reached EOL (end-of-life) by the time you install R4.0, we strongly recommend that you upgrade them before use.
Please see [supported releases](/doc/supported-releases/) for information on supported OS versions and consult the guides below for specific upgrade instructions:
* [Upgrading Fedora templates](/doc/templates/fedora/#upgrading)
* [Upgrading Debian templates](/doc/templates/debian/#upgrading)
* [Updating Whonix templates](https://www.whonix.org/wiki/Qubes/Update)

102
user/downloading-installing-upgrading/upgrade/4_0.rst Normal file
View file

@ -0,0 +1,102 @@
=================
Upgrading to R4.0
=================
**Before attempting either an in-place upgrade or a clean installation, we strongly recommend that users** :doc:`back up their systems </user/how-to-guides/how-to-back-up-restore-and-migrate>` **.**
Current Qubes R3.2 systems cannot be upgraded in-place to R4.0. A full backup, clean 4.0 install, and restore is required. This can be done by following the procedure below.
Preparation
-----------
1. Go to `downloads <https://www.qubes-os.org/downloads/>`__ and prepare a USB drive or DVD with the R4.0 installer.
2. If this is your only computer, and you do not have a R3.2 installer, you should also create a separate R3.2 USB drive or DVD installer at this time.
Backup R3.2
-----------
1. Attach the backup drive you will be using. These steps assume it is a USB drive.
2. Shutdown all non-essential VMs. Typically, ``sys-usb`` will be the only VM you need to leave running.
3. Follow the **Creating a Backup** section in the :doc:`Backup, Restoration, and Migration </user/how-to-guides/how-to-back-up-restore-and-migrate>` guide to back up **all VMs** except sys-usb.
4. Verify the integrity of your backup by following the **Restoring from a Backup** section in the :doc:`Backup, Restoration, and Migration </user/how-to-guides/how-to-back-up-restore-and-migrate>` guide and:
- If youre using Qubes Manager, check the box under “Restore options” that says, “Verify backup integrity, do not restore the data.”
- If youre using ``qvm-backup-restore`` from the command-line, use the ``--verify-only`` option.
5. If your backup verifies successfully, proceed to the next section. If it does not, **stop**. Go back and repeat the backup steps, review the documentation, and ask for :doc:`help </introduction/support>`.
Install R4.0
------------
This section provides general guidance on installing R4.0 as part of migrating from R3.2. For further details, please see the :doc:`installation guide </user/downloading-installing-upgrading/installation-guide>`.
1. Shut down R3.2 and boot the R4.0 installer.
2. Follow the installation prompts until you get to the drive selection screen. Choose **I want to make additional space available**. Select the box at the top of the list in order to select all partitions. **This will erase the entire drive**, so do this only if Qubes is the only OS installed on your computer. If you did not successfully verify your backup in the previous section, cancel the installation, and go back to do that now.
3. Complete the R4.0 installation. Ask for :doc:`help </introduction/support>` if you run into trouble.
4. If you are unable to successfully install R4.0 on your system, all is not lost. Use the R3.2 installer to reinstall R3.2, then restore from your backup.
Restore from your backup
------------------------
1. Welcome to Qubes R4.0! The first thing you might notice is that **Qubes Manager** is not started by default. We wont need it for the next step, but we will be starting it later.
2. Since patches may have been released since your installation image was created, update Qubes R4.0 by going to the dom0 command line (**Qubes menu -> Terminal Emulator**) then running:
.. code:: bash
sudo qubes-dom0-update
3. Reboot dom0.
4. Go to **Qubes menu -> System Tools -> Qubes Manager** to start it.
5. Follow the **Restoring from a Backup** section in the :doc:`Backup, Restoration, and Migration </user/how-to-guides/how-to-back-up-restore-and-migrate>` guide. We recommend that you restore only your :ref:`app qubes <user/reference/glossary:app qube>` and :ref:`standalones <user/reference/glossary:standalone>` from R3.2. Using :doc:`templates </user/templates/templates>` and :ref:`service qubes <user/reference/glossary:service qube>` from R3.2 is not fully supported (see `#3514 <https://github.com/QubesOS/qubes-issues/issues/3514>`__). Instead, we recommend using the templates that were created specifically for R4.0, which you can :doc:`customize </user/how-to-guides/how-to-install-software>` according to your needs. For the template OS versions supported in R4.0, see :ref:`supported releases <user/downloading-installing-upgrading/supported-releases:templates>`. If the restore tool complains about missing templates, you can select the option to restore the app qubes anyway, then change them afterward to use one of the default R4.0 templates.
Note about additional disp-* qubes created during restore
---------------------------------------------------------
One of differences between R3.2 and R4.0 is the handling of disposables. In R3.2, a disposable inherited its network settings (NetVM and firewall rules) from the calling qube. In R4.0, this is no longer the case. Instead, in R4.0 its possible to create multiple disposable templates and choose which one should be used by each qube. Its even possible to use different disposable templates for different operations from the same qube. This allows much more flexibility, since it allows you to differentiate not only network settings, but all of a qubes properties (including its template, memory settings, etc.).
Restoring a backup from R3.2 preserves the old behavior by creating separate disposable template for each network-providing qube (and also ``disp-no-netvm`` for network-isolated qubes). Then, each restored qube is configured to use the appropriate disposable template according to its ``netvm`` or ``dispvm_netvm`` property from R3.2. This way, disposables started on R4.0 by qubes restored from a R3.2 backup have the same NetVM settings as they had on R3.2.
If you find this behavior undesirable and want to configure it differently, you can remove those ``disp-*`` disposable templates. But, to do so, you must first make sure they are not set as the value for the ``default_dispvm`` property on any other qube. Both Qubes Manager and the ``qvm-remove`` tool will show you where a disposable template is being used, so you can go there and change the setting.
Upgrade all Template and Standalone VM(s)
-----------------------------------------
We strongly recommend that you update **all** templates and standalones before use so that you have the latest security patches from upstream distributions. In addition, if the default templates have reached EOL (end-of-life) by the time you install R4.0, we strongly recommend that you upgrade them before use. Please see :doc:`supported releases </user/downloading-installing-upgrading/supported-releases>` for information on supported OS versions and consult the guides below for specific upgrade instructions:
- :ref:`Upgrading Fedora templates <user/templates/fedora/fedora:upgrading>`
- :ref:`Upgrading Debian templates <user/templates/debian/debian:upgrading>`
- `Updating Whonix templates <https://www.whonix.org/wiki/Qubes/Update>`__

126
user/downloading-installing-upgrading/upgrade/4_1.md
View file

@ -1,126 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/4.1/
title: How to upgrade to Qubes 4.1
---
This page explains how to upgrade from Qubes 4.0 to Qubes 4.1. There are two
ways to upgrade: a clean installation or an in-place upgrade. In general, a
clean installation is simpler and less error-prone, but an in-place upgrade
allows you to preserve your customizations.
## Back up
Before attempting either an in-place upgrade or a clean installation, we
strongly recommend that you first [back up your
system](/doc/how-to-back-up-restore-and-migrate/) so that you don't lose any
data.
## Clean installation
If you would prefer to perform a clean installation rather than upgrading
in-place:
1. Create a
[backup](/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) of your
current installation.
2. [Download](/downloads/) the latest 4.1 release.
3. Follow the [installation guide](/doc/installation-guide/) to install Qubes
4.1.
4. [Restore from your
backup](/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) on
your new 4.1 installation.
## In-place upgrade
**Warning:** It is not possible to upgrade directly from releases earlier than
4.0. If you're still on an earlier release, please either perform a [clean
installation of 4.1](#clean-installation) or [upgrade to
4.0](/doc/upgrade/4.0/) first.
The upgrade may take several hours, and will download several gigabytes of
data.
In place upgrade is a complex operation. For this reason, we provide a
`qubes-dist-upgrade` tool to handle all the necessary steps automatically. You
can install it with the following command in the dom0 terminal:
sudo qubes-dom0-update -y qubes-dist-upgrade
The upgrade consists of seven stages --- six before restarting the system ---
labeled "STAGE 0" through "STAGE 5" in the options list below. The seventh stage
is rebuilding the application and features lists, which you can start with the
`--resync-appmenus-features` option.
Full list of options can be obtained with `qubes-dist-upgrade --help`:
Usage: qubes-dist-upgrade [OPTIONS]...
This script is used for updating current QubesOS R4.0 to R4.1.
Options:
--double-metadata-size, -d (STAGE 0) Double current LVM thin pool metadata size.
--update, -t (STAGE 1) Update of dom0, TemplatesVM and StandaloneVM.
--template-standalone-upgrade, -l (STAGE 2) Upgrade templates and standalone VMs to R4.1 repository.
--release-upgrade, -r (STAGE 3) Update 'qubes-release' for Qubes R4.1.
--dist-upgrade, -s (STAGE 4) Upgrade to Qubes R4.1 and Fedora 32 repositories.
--setup-efi-grub, -g (STAGE 5) Setup EFI Grub.
--all, -a Execute all the above stages in one call.
--assumeyes, -y Automatically answer yes for all questions.
--usbvm, -u Current UsbVM defined (default 'sys-usb').
--netvm, -n Current NetVM defined (default 'sys-net').
--updatevm, -f Current UpdateVM defined (default 'sys-firewall').
--skip-template-upgrade, -j Don't upgrade TemplateVM to R4.1 repositories.
--skip-standalone-upgrade, -k Don't upgrade StandaloneVM to R4.1 repositories.
--only-update Apply STAGE 0, 2 and resync appmenus only to
selected qubes (coma separated list).
--keep-running List of extra VMs to keep running during update (coma separated list).
Can be useful if multiple updates proxy VMs are configured.
--max-concurrency How many TemplateVM/StandaloneVM to update in parallel in STAGE 1
(default 4).
--resync-appmenus-features Resync applications and features. To be ran individually
after reboot.
After installing the tool, upgrade can be performed all at once with:
sudo qubes-dist-upgrade --all
Optionally, an `--assumeyes` (or `-y`) option can be used to automatically
accept all the actions without confirmation.
Alternatively, each upgrade stage can be started separately (see the list of
options above).
After completing "STAGE 0" through "STAGE 5", restart the system. Then perform
the final step:
sudo qubes-dist-upgrade --resync-appmenus-features
When this completes, you can start using Qubes OS 4.1.
### Known issues
1. The script does not convert LUKS1 to LUKS2 disk encryption format (fresh
Qubes 4.1 install uses LUKS2 for disk encryption, while earlier versions use
LUKS1).
2. Early Qubes 4.0 pre-releases (before R4.0-rc2) made `/boot/efi` partition
only 200MB, which is too small for R4.1. In case of such partition layout,
clean installation is necessary.
3. If user has created some custom qrexec policy entries, they may not be
correctly handled in R4.1, resulting in denying all the calls. It is advised
to verify if there are not qrexec policy errors in the log after the system
restart - using `journalctl -b` command.
If any early upgrade stage fails, the `qubes-dist-upgrade` tool will try to
restore previous system state. After fixing an issue, the tool can be started
again, to retry the operation. If a later stage (number 3 or later) fails, the
tool may not be able to rollback the changes. But it may still be possible to
retry the upgrade.
## Update
After upgrading or performing a clean installation, we strongly recommend
[updating your system](/doc/how-to-update/).

123
user/downloading-installing-upgrading/upgrade/4_1.rst Normal file
View file

@ -0,0 +1,123 @@
===========================
How to upgrade to Qubes 4.1
===========================
This page explains how to upgrade from Qubes 4.0 to Qubes 4.1. There are two ways to upgrade: a clean installation or an in-place upgrade. In general, a clean installation is simpler and less error-prone, but an in-place upgrade allows you to preserve your customizations.
Back up
-------
Before attempting either an in-place upgrade or a clean installation, we strongly recommend that you first :doc:`back up your system </user/how-to-guides/how-to-back-up-restore-and-migrate>` so that you dont lose any data.
Clean installation
------------------
If you would prefer to perform a clean installation rather than upgrading in-place:
1. Create a :ref:`backup <user/how-to-guides/how-to-back-up-restore-and-migrate:creating a backup>` of your current installation.
2. `Download <https://www.qubes-os.org/downloads/>`__ the latest 4.1 release.
3. Follow the :doc:`installation guide </user/downloading-installing-upgrading/installation-guide>` to install Qubes 4.1.
4. :ref:`Restore from your backup <user/how-to-guides/how-to-back-up-restore-and-migrate:restoring from a backup>` on your new 4.1 installation.
In-place upgrade
----------------
**Warning:** It is not possible to upgrade directly from releases earlier than 4.0. If youre still on an earlier release, please either perform a `clean installation of 4.1 <#clean-installation>`__ or :doc:`upgrade to 4.0 </user/downloading-installing-upgrading/upgrade/4_0>` first.
The upgrade may take several hours, and will download several gigabytes of data.
In place upgrade is a complex operation. For this reason, we provide a ``qubes-dist-upgrade`` tool to handle all the necessary steps automatically. You can install it with the following command in the dom0 terminal:
.. code:: bash
sudo qubes-dom0-update -y qubes-dist-upgrade
The upgrade consists of seven stages — six before restarting the system — labeled “STAGE 0” through “STAGE 5” in the options list below. The seventh stage is rebuilding the application and features lists, which you can start with the ``--resync-appmenus-features`` option.
Full list of options can be obtained with ``qubes-dist-upgrade --help``:
.. code:: bash
Usage: qubes-dist-upgrade [OPTIONS]...
This script is used for updating current QubesOS R4.0 to R4.1.
Options:
--double-metadata-size, -d (STAGE 0) Double current LVM thin pool metadata size.
--update, -t (STAGE 1) Update of dom0, TemplatesVM and StandaloneVM.
--template-standalone-upgrade, -l (STAGE 2) Upgrade templates and standalone VMs to R4.1 repository.
--release-upgrade, -r (STAGE 3) Update 'qubes-release' for Qubes R4.1.
--dist-upgrade, -s (STAGE 4) Upgrade to Qubes R4.1 and Fedora 32 repositories.
--setup-efi-grub, -g (STAGE 5) Setup EFI Grub.
--all, -a Execute all the above stages in one call.
--assumeyes, -y Automatically answer yes for all questions.
--usbvm, -u Current UsbVM defined (default 'sys-usb').
--netvm, -n Current NetVM defined (default 'sys-net').
--updatevm, -f Current UpdateVM defined (default 'sys-firewall').
--skip-template-upgrade, -j Don't upgrade TemplateVM to R4.1 repositories.
--skip-standalone-upgrade, -k Don't upgrade StandaloneVM to R4.1 repositories.
--only-update Apply STAGE 0, 2 and resync appmenus only to
selected qubes (coma separated list).
--keep-running List of extra VMs to keep running during update (coma separated list).
Can be useful if multiple updates proxy VMs are configured.
--max-concurrency How many TemplateVM/StandaloneVM to update in parallel in STAGE 1
(default 4).
--resync-appmenus-features Resync applications and features. To be ran individually
after reboot.
After installing the tool, upgrade can be performed all at once with:
.. code:: bash
sudo qubes-dist-upgrade --all
Optionally, an ``--assumeyes`` (or ``-y``) option can be used to automatically accept all the actions without confirmation.
Alternatively, each upgrade stage can be started separately (see the list of options above).
After completing “STAGE 0” through “STAGE 5”, restart the system. Then perform the final step:
.. code:: bash
sudo qubes-dist-upgrade --resync-appmenus-features
When this completes, you can start using Qubes OS 4.1.
Known issues
^^^^^^^^^^^^
1. The script does not convert LUKS1 to LUKS2 disk encryption format (fresh Qubes 4.1 install uses LUKS2 for disk encryption, while earlier versions use LUKS1).
2. Early Qubes 4.0 pre-releases (before R4.0-rc2) made ``/boot/efi`` partition only 200MB, which is too small for R4.1. In case of such partition layout, clean installation is necessary.
3. If user has created some custom qrexec policy entries, they may not be correctly handled in R4.1, resulting in denying all the calls. It is advised to verify if there are not qrexec policy errors in the log after the system restart - using ``journalctl -b`` command.
If any early upgrade stage fails, the ``qubes-dist-upgrade`` tool will try to restore previous system state. After fixing an issue, the tool can be started again, to retry the operation. If a later stage (number 3 or later) fails, the tool may not be able to rollback the changes. But it may still be possible to retry the upgrade.
Update
------
After upgrading or performing a clean installation, we strongly recommend :doc:`updating your system </user/how-to-guides/how-to-update>`.

118
user/downloading-installing-upgrading/upgrade/4_2.md
View file

@ -1,118 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/4.2/
title: How to upgrade to Qubes 4.2
---
This page explains how to upgrade from Qubes 4.1 to Qubes 4.2. There are two
ways to upgrade: a clean installation or an in-place upgrade. In general, a
clean installation is simpler and less error-prone, but an in-place upgrade
allows you to preserve your customizations.
## Back up
Before attempting either an in-place upgrade or a clean installation, we
strongly recommend that you first [back up your
system](/doc/how-to-back-up-restore-and-migrate/) so that you don't lose any
data.
## Clean installation
If you would prefer to perform a clean installation rather than upgrading
in-place:
1. (optional) Run the updater to ensure all of your templates are in their latest version.
2. Install the `qubes-dist-upgrade` tool. This is the inplace upgrade tool, which is not what we're doing. However it will be needed in order to prepare the templates for the 4.2 version. You install it with the following command in the dom0 terminal:
sudo qubes-dom0-update -y qubes-dist-upgrade
3. Change your templates to use the 4.2 repositories instead of the 4.1 ones. You do this with the following command in the dom0 terminal:
qubes-dist-upgrade --template-standalone-upgrade
**Note**: This step is critical to ensure the templates will receive updates once Qubes 4.1 reaches end-of-life (EOL) and was missing in previous clean installation instructions.
4. Create a [backup](/doc/how-to-back-up-restore-and-migrate/#creating-a-backup) of your
current installation.
5. [Download](/downloads/) the latest 4.2 release.
6. Follow the [installation guide](/doc/installation-guide/) to install Qubes
4.2.
7. [Restore from your backup](/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup) on
your new 4.2 installation.
## In-place upgrade
**Warning:** It is not possible to upgrade directly from releases earlier than
4.1. If you're still on an earlier release, please either perform a [clean
installation of 4.2](#clean-installation) or [upgrade to
4.1](/doc/upgrade/4.1/) first.
The upgrade may take several hours, and will download several gigabytes of
data.
In place upgrade is a complex operation. For this reason, we provide a
`qubes-dist-upgrade` tool to handle all the necessary steps automatically. You
can install it with the following command in the dom0 terminal:
sudo qubes-dom0-update -y qubes-dist-upgrade
The upgrade consists of six stages --- three before restarting the system ---
labeled "STAGE 1" through "STAGE 3" in the options list below, and three after restarting the system --- labeled as "STAGE 4" through "STAGE 6" below.
Full list of options can be obtained with `qubes-dist-upgrade --help`:
Usage: qubes-dist-upgrade [OPTIONS]...
This script is used for updating current QubesOS R4.1 to R4.2.
Options:
--update, -t (STAGE 1) Update of dom0, TemplatesVM and StandaloneVM.
--release-upgrade, -r (STAGE 2) Update 'qubes-release' for Qubes R4.2.
--dist-upgrade, -s (STAGE 3) Upgrade to Qubes R4.2 and Fedora 37 repositories.
--template-standalone-upgrade, -l (STAGE 4) Upgrade templates and standalone VMs to R4.2 repository.
--finalize, -x (STAGE 5) Finalize upgrade. It does:
- resync applications and features
- cleanup salt states
--convert-policy, -p (STAGE 6) Convert qrexec policy in /etc/qubes-rpc/policy
to the new format in /etc/qubes/policy.d.
--all-pre-reboot Execute stages 1 to 3
--all-post-reboot Execute stages 4 to 6
--assumeyes, -y Automatically answer yes for all questions.
--usbvm, -u Current UsbVM defined (default 'sys-usb').
--netvm, -n Current NetVM defined (default 'sys-net').
--updatevm, -f Current UpdateVM defined (default 'sys-firewall').
--skip-template-upgrade, -j Don't upgrade TemplateVM to R4.2 repositories.
--skip-standalone-upgrade, -k Don't upgrade StandaloneVM to R4.2 repositories.
--only-update Apply STAGE 4 and resync appmenus only to
selected qubes (comma separated list).
--keep-running List of extra VMs to keep running during update (comma separated list).
Can be useful if multiple updates proxy VMs are configured.
--max-concurrency How many TemplateVM/StandaloneVM to update in parallel in STAGE 1
(default 4).
After installing the tool, before-reboot stages can be performed at once with:
sudo qubes-dist-upgrade --all-pre-reboot
Optionally, an `--assumeyes` (or `-y`) option can be used to automatically
accept all the actions without confirmation.
Alternatively, each upgrade stage can be started separately (see the list of
options above).
After completing "STAGE 1" through "STAGE 3", restart the system. Then perform
the final steps:
sudo qubes-dist-upgrade --all-post-reboot
After performing those steps, it's recommended to restart the system one last time.
When this completes, you can start using Qubes OS 4.2.
## Update
After upgrading or performing a clean installation, we strongly recommend
[updating your system](/doc/how-to-update/).

131
user/downloading-installing-upgrading/upgrade/4_2.rst Normal file
View file

@ -0,0 +1,131 @@
===========================
How to upgrade to Qubes 4.2
===========================
This page explains how to upgrade from Qubes 4.1 to Qubes 4.2. There are two ways to upgrade: a clean installation or an in-place upgrade. In general, a clean installation is simpler and less error-prone, but an in-place upgrade allows you to preserve your customizations.
Back up
-------
Before attempting either an in-place upgrade or a clean installation, we strongly recommend that you first :doc:`back up your system </user/how-to-guides/how-to-back-up-restore-and-migrate>` so that you dont lose any data.
Clean installation
------------------
If you would prefer to perform a clean installation rather than upgrading in-place:
1. (optional) Run the updater to ensure all of your templates are in their latest version.
2. Install the ``qubes-dist-upgrade`` tool. This is the inplace upgrade tool, which is not what were doing. However it will be needed in order to prepare the templates for the 4.2 version. You install it with the following command in the dom0 terminal:
.. code:: bash
sudo qubes-dom0-update -y qubes-dist-upgrade
3. Change your templates to use the 4.2 repositories instead of the 4.1 ones. You do this with the following command in the dom0 terminal:
.. code:: bash
qubes-dist-upgrade --template-standalone-upgrade
**Note**: This step is critical to ensure the templates will receive updates once Qubes 4.1 reaches end-of-life (EOL) and was missing in previous clean installation instructions.
4. Create a :ref:`backup <user/how-to-guides/how-to-back-up-restore-and-migrate:creating a backup>` of your current installation.
5. `Download <https://www.qubes-os.org/downloads/>`__ the latest 4.2 release.
6. Follow the :doc:`installation guide </user/downloading-installing-upgrading/installation-guide>` to install Qubes 4.2.
7. :ref:`Restore from your backup <user/how-to-guides/how-to-back-up-restore-and-migrate:restoring from a backup>` on your new 4.2 installation.
In-place upgrade
----------------
**Warning:** It is not possible to upgrade directly from releases earlier than 4.1. If youre still on an earlier release, please either perform a `clean installation of 4.2 <#clean-installation>`__ or :doc:`upgrade to 4.1 </user/downloading-installing-upgrading/upgrade/4_1>` first.
The upgrade may take several hours, and will download several gigabytes of data.
In place upgrade is a complex operation. For this reason, we provide a ``qubes-dist-upgrade`` tool to handle all the necessary steps automatically. You can install it with the following command in the dom0 terminal:
.. code:: bash
sudo qubes-dom0-update -y qubes-dist-upgrade
The upgrade consists of six stages — three before restarting the system — labeled “STAGE 1” through “STAGE 3” in the options list below, and three after restarting the system — labeled as “STAGE 4” through “STAGE 6” below.
Full list of options can be obtained with ``qubes-dist-upgrade --help``:
.. code:: bash
Usage: qubes-dist-upgrade [OPTIONS]...
This script is used for updating current QubesOS R4.1 to R4.2.
Options:
--update, -t (STAGE 1) Update of dom0, TemplatesVM and StandaloneVM.
--release-upgrade, -r (STAGE 2) Update 'qubes-release' for Qubes R4.2.
--dist-upgrade, -s (STAGE 3) Upgrade to Qubes R4.2 and Fedora 37 repositories.
--template-standalone-upgrade, -l (STAGE 4) Upgrade templates and standalone VMs to R4.2 repository.
--finalize, -x (STAGE 5) Finalize upgrade. It does:
- resync applications and features
- cleanup salt states
--convert-policy, -p (STAGE 6) Convert qrexec policy in /etc/qubes-rpc/policy
to the new format in /etc/qubes/policy.d.
--all-pre-reboot Execute stages 1 to 3
--all-post-reboot Execute stages 4 to 6
--assumeyes, -y Automatically answer yes for all questions.
--usbvm, -u Current UsbVM defined (default 'sys-usb').
--netvm, -n Current NetVM defined (default 'sys-net').
--updatevm, -f Current UpdateVM defined (default 'sys-firewall').
--skip-template-upgrade, -j Don't upgrade TemplateVM to R4.2 repositories.
--skip-standalone-upgrade, -k Don't upgrade StandaloneVM to R4.2 repositories.
--only-update Apply STAGE 4 and resync appmenus only to
selected qubes (comma separated list).
--keep-running List of extra VMs to keep running during update (comma separated list).
Can be useful if multiple updates proxy VMs are configured.
--max-concurrency How many TemplateVM/StandaloneVM to update in parallel in STAGE 1
(default 4).
After installing the tool, before-reboot stages can be performed at once with:
.. code:: bash
sudo qubes-dist-upgrade --all-pre-reboot
Optionally, an ``--assumeyes`` (or ``-y``) option can be used to automatically accept all the actions without confirmation.
Alternatively, each upgrade stage can be started separately (see the list of options above).
After completing “STAGE 1” through “STAGE 3”, restart the system. Then perform the final steps:
.. code:: bash
sudo qubes-dist-upgrade --all-post-reboot
After performing those steps, its recommended to restart the system one last time.
When this completes, you can start using Qubes OS 4.2.
Update
------
After upgrading or performing a clean installation, we strongly recommend :doc:`updating your system </user/how-to-guides/how-to-update>`.

22
user/downloading-installing-upgrading/upgrade/upgrade.md
View file

@ -1,22 +0,0 @@
---
lang: en
layout: doc
permalink: /doc/upgrade/
ref: 158
title: Upgrade guides
---
These guides are for upgrading from one version of Qubes to another.
If you're just looking to update your system while staying on the same version,
see [how to update](/doc/how-to-update/).
* [Upgrade from 1 to 2 Beta 1](/doc/upgrade/2b1/)
* [Upgrade from 1 to 2 Beta 2](/doc/upgrade/2b2/)
* [Upgrade from 2 Beta 2 to 2 Beta 3](/doc/upgrade/2b3/)
* [Upgrade from 2 Beta 3 to 2](/doc/upgrade/2/)
* [Upgrade from 2 to 3.0](/doc/upgrade/3.0/)
* [Upgrade from 3.0 to 3.1](/doc/upgrade/3.1/)
* [Upgrade from 3.1 to 3.2](/doc/upgrade/3.2/)
* [Upgrade from 3.2 to 4.0](/doc/upgrade/4.0/)
* [Upgrade from 4.0 to 4.1](/doc/upgrade/4.1/)
* [Upgrade from 4.1 to 4.2](/doc/upgrade/4.2/)

31
user/downloading-installing-upgrading/upgrade/upgrade.rst Normal file
View file

@ -0,0 +1,31 @@
==============
Upgrade guides
==============
These guides are for upgrading from one version of Qubes to another. If youre just looking to update your system while staying on the same version, see :doc:`how to update </user/how-to-guides/how-to-update>`.
.. toctree::
:maxdepth: 1
Upgrade from 1 to 2 Beta 1 </user/downloading-installing-upgrading/upgrade/2b1>
Upgrade from 1 to 2 Beta 2 </user/downloading-installing-upgrading/upgrade/2b2>
Upgrade from 2 Beta 2 to 2 Beta 3 </user/downloading-installing-upgrading/upgrade/2b3>
Upgrade from 2 Beta 3 to 2 </user/downloading-installing-upgrading/upgrade/2>
Upgrade from 2 to 3.0 </user/downloading-installing-upgrading/upgrade/3_0>
Upgrade from 3.0 to 3.1 </user/downloading-installing-upgrading/upgrade/3_1>
Upgrade from 3.1 to 3.2 </user/downloading-installing-upgrading/upgrade/3_2>
Upgrade from 3.2 to 4.0 </user/downloading-installing-upgrading/upgrade/4_0>
Upgrade from 4.0 to 4.1 </user/downloading-installing-upgrading/upgrade/4_1>
Upgrade from 4.1 to 4.2 </user/downloading-installing-upgrading/upgrade/4_2>