Revise installation guides

These revisions focus mainly on improving language, presentation, and
organization. The core instructions are largely preserved, though some
new information and links to other resources are added.
Andrew David Wong 2020-09-01 22:49:41 -05:00
parent 04cfdbac23
commit bb4acaeac1
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
2 changed files with 252 additions and 233 deletions

@ -1,6 +1,6 @@
---
layout: doc
title: Installation Security
title: Installation security
permalink: /doc/install-security/
redirect_from:
- /en/doc/install-security/
@ -8,89 +8,75 @@ redirect_from:
- /wiki/InstallSecurity/
---
# Installation Security Considerations #
# Installation security
There are several security matters to consider before and during the Qubes
installation process.
There are several security matters to consider before and during the Qubes installation process.
## Trusting your hardware
## Trusting your Hardware ##
No operating system, not even Qubes, can help you if you're installing it on hardware that is already compromised.
This includes CPUs, GPUs, SSDs, HDDs, the motherboard, BIOS/EFI/UEFI, and all relevant firmware.
Unfortunately, in today's world of undetectable supply chain attacks, there are no easy solutions.
(Tools like [Anti Evil Maid (AEM)][AEM] can help with *maintaining* the trustworthiness of your hardware, but not with establishing it in the first place.)
Some users have chosen to use tools like [Coreboot], [Heads], and [Skulls].
No operating system, not even Qubes, can help you if you're installing it on
hardware that is already compromised. This includes CPUs, GPUs, SSDs, HDDs, and
BIOS/EFI/UEFI. Unfortunately, in today's world of undetectable supply chain
attacks, there are no easy solutions. (Tools like [Anti Evil Maid (AEM)][AEM]
can help with *maintaining* the trustworthiness of your hardware, but not with
establishing it in the first place.)
## Verifying the Qubes ISO
You should [verify] the PGP signature on your Qubes ISO before you install from it.
However, if the machine on which you attempt the verification process is already compromised, it could falsely claim that a malicious ISO has a good signature.
Therefore, in order to be certain that your Qubes ISO is trustworthy, you require a trustworthy machine.
But how can you be certain *that* machine is trustworthy?
Only by using another trusted machine, and so forth.
This is a [classic problem].
While various [solutions] have been proposed, the point is that each user must ultimately make a choice about whether to trust that a file is non-malicious.
## Verifying the Qubes ISO ##
## Choosing an installation medium
You should [verify] the PGP signature on your Qubes ISO before you install
from it. However, if the machine on which you attempt the verification process
is already compromised, it could falsely claim that a malicious ISO has a good
signature. Therefore, in order to be certain that your Qubes ISO is trustworthy,
you require a trustworthy machine. But how can you be certain *that* machine is
trustworthy? Only by using another trusted machine, and so forth. This is a
[classic problem]. While various [solutions] have been proposed, the point is
that each user must ultimately make a choice about whether to trust that a file
is non-malicious.
So, after taking some measures to verify its integrity and authenticity, you've decided to trust your Qubes ISO.
Great!
Now you must decide what sort of medium on which to write it so that you can install from it.
From a Qubes-specific security perspective, each has certain pros and cons.
## Choosing an Installation Medium ##
So, after taking some measures to verify its integrity and authenticity, you've
decided to trust your Qubes ISO. Great! Now you must decide what sort of medium
on which to write it so that you can install from it. From a Qubes-specific
security perspective, each has certain pros and cons.
### USB Drives ###
### USB drives
Pros:
* Works via USB, including with a [USB qube].
* Non-fixed capacity. (Easy to find one on which the ISO can fit.)
* Non-fixed capacity.
(Easy to find one on which the ISO can fit.)
Cons:
* Rewritable. (If the drive is mounted to a compromised machine, the ISO could
be maliciously altered after it has been written to the drive.)
* Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
Plugging a drive with rewritable firmware into a compromised machine can
also [compromise the drive][BadUSB]. Installing from a compromised drive
could compromise even a brand new Qubes installation.)
* Rewritable.
(If the drive is mounted to a compromised machine, the ISO could be maliciously altered after it has been written to the drive.)
* Untrustworthy firmware.
(Firmware can be malicious even if the drive is new.
Plugging a drive with rewritable firmware into a compromised machine can also [compromise the drive][BadUSB].
Installing from a compromised drive could compromise even a brand new Qubes installation.)
### Optical Discs ###
### Optical discs
Pros:
* Read-only available. (If you use read-only media, you don't have to worry
about the ISO being maliciously altered after it has been written to the
disc. You then have the option of verifying the signature on multiple
different machines.)
* Read-only available.
(If you use read-only media, you don't have to worry about the ISO being maliciously altered after it has been written to the disc.
You then have the option of verifying the signature on multiple different machines.)
Cons:
* Fixed capacity. (If the size of the ISO is larger than your disc, it will be
inconvenient.)
* Passthrough recording (a.k.a., "burning") is not supported by Xen. (This
mainly applies if you're upgrading from a previous version of Qubes.)
Currently, the only options for recording optical discs (e.g., CDs, DVDs,
BRDs) in Qubes are:
* Fixed capacity.
(If the size of the ISO is larger than your disc, it will be inconvenient.)
* Passthrough recording (a.k.a., "burning") is not supported by Xen.
(This mainly applies if you're upgrading from a previous version of Qubes.)
Currently, the only options for recording optical discs (e.g., CDs, DVDs, BRDs) in Qubes are:
1. Use a USB optical drive.
2. Attach a SATA optical drive to a secondary SATA controller, then assign
this secondary SATA controller to an AppVM.
2. Attach a SATA optical drive to a secondary SATA controller, then assign this secondary SATA controller to an AppVM.
3. Use a SATA optical drive attached to dom0.
(Option 3 violates the Qubes security model since it entails transferring an
untrusted ISO to dom0 in order to burn it to disc, which leaves only the
other two options.)
(Option 3 violates the Qubes security model since it entails transferring an untrusted ISO to dom0 in order to burn it to disc, which leaves only the other two options.)
Considering the pros and cons of each, perhaps a USB drive with non-rewritable
(or at least cryptographically-signed) firmware and a physical write-protect
switch might be the option.
Considering the pros and cons of each, perhaps a USB drive with non-rewritable (or at least cryptographically-signed) firmware and a physical write-protect switch might be the best option.
[AEM]: /doc/anti-evil-maid/
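Review bot: The new sentence "Some users have chosen to use tools like [Coreboot], [Heads], and [Skulls]." in the hardware-trust section names three projects without saying what they are for or where they apply. The tip this commit removes from the installation guide described them as firmware choices and stated that they were only compatible with the Lenovo Thinkpad X230. Consider carrying a short qualifier over, for example that these are alternative firmware projects with limited hardware support, so the sentence does not read as a general recommendation.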
@ -99,4 +85,7 @@ switch might be the option.
[solutions]: https://www.dwheeler.com/trusting-trust/
[USB qube]: /doc/usb-qubes/#creating-and-using-a-usb-qube
[BadUSB]: https://srlabs.de/badusb/
[Coreboot]: https://www.coreboot.org/
[Heads]: http://osresearch.net/
[Skulls]: https://github.com/merge/skulls
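Review bot: The added reference `[Heads]: http://osresearch.net/` is a plain-HTTP link, while the Coreboot and Skulls references added next to it use HTTPS. On a page about installation security, switch it to an `https://` URL if the site serves one.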

@ -1,6 +1,6 @@
---
layout: doc
title: Installation Guide
title: Installation guide
permalink: /doc/installation-guide/
redirect_from:
- /en/doc/installation-guide/
@ -16,169 +16,174 @@ redirect_from:
- /doc/InstallationGuideR3.0rc2/
---
Installation Guide
==================
# Installation guide
Welcome to the Qubes OS installation guide!
This guide will walk you through the process of installing Qubes.
Please read it carefully and thoroughly, as it contains important information for ensuring that your Qubes OS installation is functional and secure.
Pre-installation
----------------
## Pre-installation
### Hardware Requirements ###
### Hardware requirements
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Qubes has no control over what happens on your computer before you install it.
No software can provide security if it is installed on compromised hardware.
Do not install Qubes on a computer you don't trust.
See <a href="/doc/install-security/">installation security</a> for more information.
</div>
Qubes OS has very specific [system requirements].
To ensure compatibility, we strongly recommend using [Qubes-certified hardware].
Other hardware may require you to perform significant troubleshooting.
You may also find it helpful to consult the [Hardware Compatibility List].
Even on supported hardware, you must ensure that [IOMMU-based virtualization](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization) is activated in the BIOS.
Even on supported hardware, you must ensure that [IOMMU-based virtualization] is activated in the BIOS.
Without it, Qubes OS won't be able to enforce isolation.
For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**).
This parameter should be activated in your computer's BIOS, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions.
This [external guide](https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html) made for Intel-based boards can help you figure out how to enter your BIOS to locate and activate those settings.
This [external guide][intel-guide] made for Intel-based boards can help you figure out how to enter your BIOS to locate and activate those settings.
If those settings are not nested under the Advanced tab, you might find them under the Security tab.
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> As Qubes OS has no control over what is happening before it takes control over the hardware, the motherboard firmware, which is responsible for bootstrapping the hardware and checking it, must be trusted, alongside the hardware itself.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Qubes OS is not meant to be installed inside a virtual machine as a guest hypervisor.
In other words, <b>nested virtualization</b> is not supported.
In order for a strict compartmentalization to be enforced, Qubes OS needs to be able to manage the hardware directly.
</div>
<div class="alert alert-success" role="alert">
<i class="fa fa-info-circle"></i>
<b>Tip : </b> It is up to the user to pick a combination of firmware and hardware that is trustworthy enough.
One can think of <a href="https://www.coreboot.org/">Coreboot</a> and its security-oriented implementation <a href="http://osresearch.net/">Heads</a>, or <a href="https://github.com/merge/skulls">Skulls</a>, which strives to be easy to use.
At present, they are only compatible with the Lenovo Thinkpad X230. See <a href="/doc/certified-hardware">Qubes-certified hardware</a> for other ideas.
### Copying the ISO onto the installation medium
Start by [downloading][downloads] a Qubes ISO.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Any file you download from the internet could be malicious, even if it appears to come from a trustworthy source.
Our philosophy is to <a href="/faq/#what-does-it-mean-to-distrust-the-infrastructure">distrust the infrastructure</a>.
Regardless of how you acquire your Qubes ISO, <a href="/security/verifying-signatures/">verify its authenticity</a> before continuing.
</div>
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> Qubes OS is not meant to be installed inside a virtual machine as a guest hypervisor.
In other terms, <b>nested virtualization</b> is not supported.
In order for a strict compartmentalization to be enforced, Qubes OS needs to be able to manage the hardware directly.
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a dual-layer DVD, a Blu-ray disc, or a USB drive.
The size of each Qubes ISO is available on the [downloads] page by hovering over the download button.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> There are important <a href="/doc/install-security/">security considerations</a> to keep in mind when choosing an installation medium.
</div>
### Downloading the ISO ###
See the [downloads] page for ISO downloads. Remember, Qubes OS' team have absolutely no control over those servers, so you should consider that they might be compromised, or just be serving compromised ISOs because their operators decided so, for whatever reason.
Always verify the digital signature on the downloaded ISO. Read our guide on [verifying signatures] for more information about how to download and verify our PGP keys and verify the downloaded ISO.
### Copying the ISO onto the installation medium ###
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a dual-layer DVD, a Blu-ray disc, or a USB key.
(The size of each Qubes ISO is listed on the [downloads] page.)
(Note that there are important [security considerations] to keep in mind when choosing an installation medium.)
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Be careful to choose the correct device when copying the ISO, or you may lose data.
We strongly recommended making a full backup before modifying any devices.
</div>
If you choose to use a USB drive, copy the ISO onto the USB device, e.g. using `dd`:
$ sudo dd if=Qubes-R3-x86_64.iso of=/dev/sdX status=progress bs=1048576 && sync
Change `Qubes-R3-x86_64.iso` to the filename of the version you're installing, and change `/dev/sdX` to the correct target device e.g., `/dev/sdc`).
$ sudo dd if=Qubes-RX-x86_64.iso of=/dev/sdY status=progress bs=1048576 && sync
Change `Qubes-RX-x86_64.iso` to the filename of the version you're installing, and change `/dev/sdY` to the correct target device e.g., `/dev/sdc`).
Make sure to write to the entire device (e.g., `/dev/sdc`) rather than just a single partition (e.g., `/dev/sdc1`).
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Attention : </b> Choosing the wrong device could result in data loss.
</div>
On Windows, you can use the [Rufus] tool to write the ISO to a USB key.
MediaTest is not recommended.
Be sure to select "DD image" mode (you need to do that **after** selecting the Qubes ISO):
Be sure to select "DD image" mode (*after* selecting the Qubes ISO):
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Attention : </b> If you do that on Windows 10, you can only install Qubes without MediaTest, which isnt recommended.
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> If you do this on Windows 10, you can only install Qubes without MediaTest, which is not recommended.
</div>
![Rufus menu](/attachment/wiki/InstallationGuide/rufus-menu.png)
![Rufus DD image mode](/attachment/wiki/InstallationGuide/rufus-dd-image-mode.png)
If you are an advanced user and you would like to customize your installation, please see [Custom Installation]. Otherwise, follow the instructions below.
If you are an advanced user, and you would like to customize your installation, please see [custom installation].
Otherwise, follow the instructions below.
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> This guide will demonstrate a simple installation using mostly default settings.
</div>
## Installation
Installation
------------
This section will demonstrate a simple installation using mostly default settings.
### Getting to the boot screen ###
### Getting to the boot screen
Just after you power on your machine, make the Qubes OS medium available to the computer by inserting the DVD or USB key you have previously copied the Qubes OS image to.
Just after you power on your machine, make the Qubes OS medium available to the computer by inserting your DVD or USB drive.
Shortly after the Power-on self-test (POST) is completed, you should be greeted with the Qubes OS boot screen.
![Boot screen](/attachment/wiki/InstallationGuide/boot-screen.png)
<div class="alert alert-info" role="alert">
<i class="fa fa-info-circle"></i>
<b>Note : </b> On UEFI install, there is no boot menu on Qubes OS 4.0 by design.
It goes straight to the installer.
The boot menu will be back in Qubes OS 4.1.
<i class="fa fa-info-circle"></i>
<b>Note:</b> When installing Qubes OS 4.0 on UEFI, there is intentionally no boot menu.
It goes straight to the installer.
The boot menu will be back in Qubes OS 4.1.
</div>
From there, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options.
You can choose one of three options : install Qubes OS ; test this media and install Qubes OS ; troubleshooting. Select the option to test this media and install Qubes OS.
From here, you can navigate the boot screen using the arrow keys on your keyboard.
Pressing the "Tab" key will reveal options.
You can choose one of three options:
* Install Qubes OS
* Test this media and install Qubes OS
* Troubleshooting
Select the option to test this media and install Qubes OS.
If the boot screen does not appear, there are several options to troubleshoot.
First, try rebooting your computer.
If it still loads your currently installed operating system or does not pick up your installation medium, make sure the boot order is set up appropriately.
If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately.
The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer.
If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
Ideally, you would temporarily select the USB device or DVD drive as a boot up option, so that the next time you boot, your internal storage device will be selected first.
If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order.
This may require an [advanced reboot].
<div class="alert alert-success" role="alert">
<i class="fa fa-info-circle"></i>
<b>Tip : </b> After the POST, you may have a chance to temporally pick a booting device.
</div>
After the POST, you may have a chance to choose a boot device.
You may wish to select the USB drive or DVD drive as a temporary boot option so that the next time you boot, your internal storage device will be selected first.
![Boot order](/attachment/wiki/InstallationGuide/boot-order.png)
### The installer home screen ###
### The installer home screen
On the first screen, you are asked to pick the language that will be used during the installation process.
When you are done, select "Continue".
On the first screen, you are asked to select the language that will be used during the installation process.
When you are done, select **Continue**.
<img src="/attachment/wiki/InstallationGuide/welcome-to-qubes-os-installation-screen.png">
![welcome](/attachment/wiki/InstallationGuide/welcome-to-qubes-os-installation-screen.png)
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not.
If the test fails, a window will pop up.
![Unsupported hardware detected](/attachment/wiki/InstallationGuide/unsupported-hardware-detected.png)
Do not panic : it may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS.
Return to the [Hardware Requirements](/doc/installation-guide/#hardware-requirements) section to learn how to activate it.
If the setting is not configured correctly, it means that your hardware won't be able to leverage some of Qubes OS security features such as a strict isolation of the network and USB adapter.
Do not panic.
It may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS.
Return to the [hardware requirements] section to learn how to activate it.
If the setting is not configured correctly, it means that your hardware won't be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
If the test passes, you will reach the Installation summary screen.
If the test passes, you will reach the installation summary screen.
The installer loads Xen right at the beginning.
If you can see the installer's graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
<div class="alert alert-info" role="alert">
<i class="fa fa-info-circle"></i>
<b>Note : </b> The installer loads Xen right at the beginning, so if you can see the installer's graphical screen and you pass the compatibility check that runs immediately after that, Qubes OS is likely to work on your system !
Like Fedora, Qubes OS uses the Anaconda installer.
Those that are familiar with RPM-based distributions should feel at home.
### Installation summary
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
<b>Did you know?</b> The Qubes OS installer is completely offline.
It doesn't even load any networking drivers, so there is no possibility of internet-based data leaks or attacks during the installation process.
</div>
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> Like Fedora, Qubes OS uses the Anaconda installer.
Those that are familiar with RPM-based distributions should feel at home.
</div>
### Installation summary ###
The Installation summary screen allows you to change how the end-system will be installed and configured, including localization settings.
At minimum, you are required to pick a storage device on which Qubes OS will be installed.
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings.
At minimum, you are required to select the storage device on which Qubes OS will be installed.
![Installation summary not ready](/attachment/wiki/InstallationGuide/installation-summary-not-ready.png)
### Localization ###
### Localization
Let's assume you wish to add a German keyboard layout.
Go to Keyboard Layout, press the "Plus" symbol, search for "German" as indicated in the screenshot and press "Add".
If you want it be your default language, select the "German" entry in the list and press the arrow button.
Click on "Done" in the upper left corner and you are ready to go !
Let's assume you wish to add a German keyboard layout.
Go to Keyboard Layout, press the "Plus" symbol, search for "German" as indicated in the screenshot and press "Add".
If you want it be your default language, select the "German" entry in the list and press the arrow button.
Click on "Done" in the upper left corner, and you're ready to go!
![Keyboard layout selection](/attachment/wiki/InstallationGuide/keyboard-layout-selection.png)
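Review bot: The new standalone sentence "MediaTest is not recommended." in the Rufus paragraph says the opposite of the note a few lines below it ("you can only install Qubes without MediaTest, which is not recommended") and of the boot-screen step that tells the reader to select "Test this media and install Qubes OS". Drop the sentence or reword it so that it is installing without the media test that is discouraged. In the same hunk, "We strongly recommended making a full backup" should read "recommend", and the `dd` explanation still ends with an unmatched ")" after `/dev/sdc`.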
@ -187,152 +192,165 @@ Follow the same process in the "Language Support" entry.
![Language support selection](/attachment/wiki/InstallationGuide/language-support-selection.png)
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> You can have as many keyboard layout and languages as you want.
Post-install, you will be able to switch between them and install others.
</div>
You can have as many keyboard layout and languages as you want.
Post-install, you will be able to switch between them and install others.
Don't forget to select your time and date by clicking on the Time & Date entry.
![Time and date](/attachment/wiki/InstallationGuide/time-and-date.png)
### Software ###
Under the Software section, you can change the installation source.
As we are demonstrating a simple installation, it is assumed that you are installing Qubes OS using a local medium such as a DVD, so this option won't be illustrated.
### Software
![Add-ons](/attachment/wiki/InstallationGuide/add-ons.png)
Go instead to the Software selection tab, where you can choose which software to install alongside Qubes OS.
Two Add-Ons are available :
On the software selection tab, you can choose which software to install in Qubes OS.
Two options are available:
* **Debian template** : Install these templates if you wish to base some of your Qubes virtual machines on Debian instead of Fedora.
* **Whonix** : Install Whonix templates if you wish for some of your qubes to be based on Whonix.
Whonix lets you route all of your network traffic through Tor if you see fit.
For more information about Whonix, have a look at their [website](https://www.whonix.org/).
* **Debian:** Select this option if you would like to use [Debian] qubes in addition to the default Fedora qubes.
* **Whonix:** Select this option if you would like to use [Whonix] qubes.
Whonix allows you to use [Tor] securely within Qubes.
Whonix lets you route some or all of your network traffic through Tor for greater privacy.
Depending on your threat model, you may need to install Whonix templates right away.
Note that you will also be able to install Add-Ons after the installation is completed.
If you wish for your system to be more lightweight, do not hesitate to un-check those options.
Regardless of your choices on this screen, you will always be able to install these and other [TemplateVMs] later.
If you're short on disk space, you may wish to deselect these options.
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b> Note : </b> By default, Qubes OS comes preinstalled with the lightweight Xfce desktop environment for dom0, the main domain.
Other desktop environments will be available to you after the installation is completed, although they may not be officially supported.
By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment.
Other desktop environments will be available to you after the installation is completed, though they may not be officially supported (see [advanced configuration]).
Press **Done** to go back to the installation summary screen.
### Installation destination
Under the System section, you must choose the installation destination.
Select the storage device on which you would like to install Qubes OS.
Ensure that your your target destination has a least 32 GiB of free space available.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Be careful to choose the correct installation target, or you may lose data.
We strongly recommended making a full backup before proceeding.
</div>
Click on "Done" as soon as you have made your choice to go back to Installation summary screen.
### Installation destination ###
Under the System section, you need to pick the installation destination.
For this step to be completed, you need to select which storage device you would like your system to be installed on. Under the Device Selection section, make sure that you select the correct installation destination.
Ensure that your your target destination has a least 32 GiB of free space available.
For this setup, options will be left unchanged.
By default, Qubes OS will partition the system itself with LVM on top of LUKS encryption, and will claim the entire storage device.
![Select storage device](/attachment/wiki/InstallationGuide/select-storage-device.png)
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Attention : </b> Any data on the target storage device will eventually be deleted during the installation process, so make your selection carefully (a separate confirmation dialog will appear if there are available partitions on the disk).
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
<b>Did you know?</b> Qubes OS uses full-disk AES encryption (FDE) via LUKS by default.
</div>
As soon as you leave the current window by pressing "Done", Qubes OS will ask you to pick a passphrase to unlock encrypted partition.
The passphrase should be complex. Keep it in a safe place.
Make sure that your keyboard layout reflects what keyboard you are actually using and click on "Done" to start the installation process!
As soon as you press **Done**, the installer will ask you to enter a passphrase for disk encryption.
The passphrase should be complex.
Make sure that your keyboard layout reflects what keyboard you are actually using.
When you're finished, press **Done**.
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> If you forget your encryption passphrase, there is no way to recover it.
</div>
![Select storage passhprase](/attachment/wiki/InstallationGuide/select-storage-passphrase.png)
Installing an operating system onto a USB drive can be a convenient and secure method of ensuring that your data is protected and remains portable.
If you want to install Qubes OS onto a USB drive, just select the USB device as the storage location for the OS.
Be advised that a minimum storage of 32 GB is required and that a *fast* USB 3.0 compatible drive is mandatory to achieve decent performance.
Also, bear in mind that the installation process is likely to take longer than an installation on a internal storage disk.
Installing an operating system onto a USB drive can be a convenient way to try out Qubes OS.
However, USB drivers are typically much slower than internal SSDs.
We recommend a very fast USB 3.0 drive for decent performance.
Please note that a minimum storage of 32 GiB is required.
If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device.
Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> See <a href="/doc/custom-install/">the Custom Installation</a> for more options.
</div>
You are now ready to go. Press the "Begin Installation" button.
When you're ready, press **Begin Installation**.
![Installation summary ready](/attachment/wiki/InstallationGuide/installation-summary-ready.png)
### Pick your user name ###
### Create your user account
While the installation is ongoing, a new user needs to be created. Click on "User Creation" to define a new user with administrator privileges and a password.
Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
While the installation process is running, you can create your user account.
This is what you'll use to log in after disk decryption and when unlocking the screen locker.
This is a purely local, offline account in dom0.
By design, Qubes OS is a single-user operating system, so this is just for you.
Select **User Creation** to define a new user with administrator privileges and a password.
Just as for the disk encryption, this password should be complex.
The root account is deactivated and should remain as such.
![Account name and password](/attachment/wiki/InstallationGuide/account-name-and-password.png)
When the installation is complete, click on the "Reboot" button.
Don't forget to remove the installation media, otherwise you may end up seeing the Qubes OS boot screen again.
When the installation is complete, press **Reboot**.
Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
<div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i>
<b>Note : </b> By design, Qubes OS is a single user operating system.
</div>
## Post-installation
Post-installation
-----------------
### First boot
### First boot ###
If Qubes OS has been successfully installed, you should see the GRUB menu during the booting process.
If the installation was successful, you should now see the GRUB menu during the boot process.
![Grub boot menu](/attachment/wiki/InstallationGuide/grub-boot-menu.png)
Just after this screen, you will be asked to unlock your storage device.
Just after this screen, you will be asked to enter your encryption passphrase.
![Unlock storage device screen](/attachment/wiki/InstallationGuide/unlock-storage-device-screen.png)
### Initial Setup ###
### Initial Setup
You're almost done. Before you can start using Qubes OS, some configuration is needed.
By default, Qubes OS will create a number of qubes, based on Fedora templates or Whonix templates, so that you can have a more ready-to-use environnement from the get-go.
You're almost done.
Before you can start using Qubes OS, some configuration is needed.
![Initial setup menu](/attachment/wiki/InstallationGuide/initial-setup-menu.png)
* **Create default system qubes** : it is recommended to use system qubes as they offer some of the core functionalities brought by Qubes OS, including network isolation and disposable qubes
* **Create default application qubes** : application qubes are pre-configured qubes meant to be used for specific purposes, such as work or personal.
* **Create Whonix Gateway and Workstation qubes** : in order to be able to use Tor for dedicated qubes, you need this option to be activated.
* **Enabling system and template updates over the Tor anonymity network using Whonix** : this option allows the use of Tor system-wide rather than only for specific qubes.
* **Create USB qube holding all USB controllers** : just like the network qube for the network stack, the USB qube allows to capture the USB controller and to manage USB devices through it.
* **Use sys-net qube for both networking and USB devices** : it saves some memory as only sys-net will be running, instead of sys-net and sys-usb, but also allows easy use of USB networking devices (like 3G/LTE modems) directly in sys-net.
* **Do not configure anything** : This is only for advanced users, as you won't have network access out of the box.
By default, the installer will create a number of qubes (depending on the options you selected during the installation process).
These are designed to give you a more ready-to-use environment from the get-go.
![Initial setup menu configuration](/attachment/wiki/InstallationGuide/initial-setup-menu-configuration.png)
When you are satisfied with you choices, click on "Done".
Pre-selected qubes will be installed and configured, which can take up to 15 minutes.
Let's briefly go over the options:
After the configuration is done, you will be greeted by a login screen. Enter your password and log in.
* **Create default system qubes:**
These are the core components of the system, required for things like internet access.
* **Create default application qubes:**
These are how you compartmentalize your digital life.
There's nothing special about the ones the installer creates.
They're just suggestions that apply to most people.
If you decide you don't want them, you can always delete them later, and you can always create your own.
* **Create Whonix Gateway and Workstation qubes:**
If you want to use Whonix, you should select this option.
* **Enabling system and template updates over the Tor anonymity network using Whonix:**
If you select this option, then whenever you install or update software in dom0 or a TemplateVM, the internet traffic will go through Tor.
* **Create USB qube holding all USB controllers:**
Just like the network qube for the network stack, the USB qube isolates the USB controllers.
* **Use sys-net qube for both networking and USB devices:**
You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
* **Do not configure anything:**
This is for very advanced users only.
If you select this option, you'll have to set everything up manually afterward.
When you're satisfied with you choices, press **Done**.
This configuration process may take a while, depending on the speed and compatibility of your system.
After the configuration is done, you will be greeted by the login screen.
Enter your password and log in.
![Login screen](/attachment/wiki/InstallationGuide/login-screen.png)
Congratulations, you are now ready to use Qubes OS !
Congratulations, you are now ready to use Qubes OS!
![Desktop menu](/attachment/wiki/InstallationGuide/desktop-menu.png)
### Updating ###
## Next steps
### Updating
Next, [update] your installation to ensure you have the latest security updates.
Frequently updating is one of the best ways to remain secure against new threats.
### Backups ###
### Backups
It is extremely important to make regular backups so that you don't lose your data unexpectedly.
The [Qubes backup system] allows you to do this securely and easily.
Upgrading Qubes OS
------------------
Read more about [Common Tasks] and [Managing Operating Systems within Qubes].
For instructions on upgrading an existing installation, see [Upgrade Guides].
Getting Help
------------
## Getting help
* We work very hard to make the [documentation] accurate, comprehensive useful and user friendly.
We urge you to read it! It may very well contain the answers to your questions.
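Review bot: The new description of "Use sys-net qube for both networking and USB devices" says when to select the option but drops the old text's statement that only sys-net will be running, instead of sys-net and sys-usb. Without it, the reader no longer sees that this choice gives up the separate USB qube described in the bullet just above. Suggest keeping one sentence to that effect next to the USB modem and Wi-Fi adapter guidance. Smaller points in the added lines: "USB drivers are typically much slower than internal SSDs" should read "USB drives"; "satisfied with you choices" should be "your choices" (carried over from the old line); and "### Initial Setup" keeps title case while the other headings in this commit move to sentence case.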
@ -360,4 +378,16 @@ Getting Help
[Help, Support, Mailing Lists, and Forum]: /support/
[update]: /doc/updating-qubes-os/
[Qubes backup system]: /doc/backup-restore/
[Common Tasks]: /doc/#common-tasks
[Managing Operating Systems within Qubes]: /doc/#managing-operating-systems-within-qubes
[installation security]: /doc/install-security/
[IOMMU-based virtualization]: https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization
[intel-guide]: https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html
[advanced reboot]: https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings
[hardware requirements]: #hardware-requirements
[Debian]: /doc/templates/debian/
[Whonix]: /doc/whonix/
[Tor]: https://www.torproject.org/
[TemplateVMs]: /doc/templates/
[advanced configuration]: /doc/#advanced-configuration
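Review bot: The reference definitions added here for [Whonix], [Tor] and [TemplateVMs] are not picked up by the rewritten Initial Setup options shown earlier in this commit, where "Whonix", "Tor" and "TemplateVM" appear as plain text. If those terms are meant to link, mark them up at first mention, for example `[Whonix]` and `[TemplateVM][TemplateVMs]`, since the singular "TemplateVM" will not match the plural label on its own. If the definitions are only consumed in parts of the file outside this diff, no change is needed, but it is worth confirming that each added label has at least one use.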