Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-03-13 10:16:29 -04:00
Code Issues Packages Projects Releases Wiki Activity

preparation rst conversion

Browse Source
This commit is contained in:
qm 2024-08-11 19:39:45 -04:00
parent bdda0ae8dc
commit d7d03089f8
6 changed files with 27 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
developer/code/code-signing.md
View File

@ -146,7 +146,7 @@ Although GitHub adds a little green `Verified` button next to the commit, the [s
If the commit is not signed, you can see the message
> policy/qubesos/code-signing — No signature found
3. If the commit is signed, the key is downloaded from a GPG key server.
2. If the commit is signed, the key is downloaded from a GPG key server.
If you can see the following error message, please check if you have uploaded the key to a key server.
> policy/qubesos/code-signing — Unable to verify (no valid key found)

14
user/how-to-guides/backup-emergency-restore-v3.md
View File

@ -66,7 +66,7 @@ any GNU/Linux system with the following procedure.
supported message digest algorithms can be found with `openssl
list-message-digest-algorithms`.
5. Read the `backup-header`. You'll need some of this information later. The
4. Read the `backup-header`. You'll need some of this information later. The
file will look similar to this:
[user@restore ~]$ cat backup-header
@ -80,7 +80,7 @@ any GNU/Linux system with the following procedure.
**Note:** If you see `version=2` here, go to [Emergency Backup Recovery -
format version 2](/doc/backup-emergency-restore-v2/) instead.
6. Verify the integrity of the `private.img` file which houses your data.
5. Verify the integrity of the `private.img` file which houses your data.
[user@restore ~]$ cd vm1/
[user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000
@ -100,7 +100,7 @@ any GNU/Linux system with the following procedure.
complete list of supported message digest algorithms can be found with
`openssl list-message-digest-algorithms`.
7. Decrypt the `private.img` file.
6. Decrypt the `private.img` file.
[user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -md MD5 -pass pass:"$backup_pass" -aes-256-cbc -out private.img.dec
@ -110,7 +110,7 @@ any GNU/Linux system with the following procedure.
complete list of supported cipher algorithms can be found with `openssl
list-cipher-algorithms`.
8. Decompress the decrypted `private.img` file.
7. Decompress the decrypted `private.img` file.
[user@restore vm1]$ zforce private.img.dec
private.img.dec -- replaced with private.img.dec.gz
@ -124,19 +124,19 @@ any GNU/Linux system with the following procedure.
[user@restore vm1]$ mv private.img.dec private.img.dec.bz2
[user@restore vm1]$ bunzip2 private.img.dec.bz2
9. Untar the decrypted and decompressed `private.img` file.
8. Untar the decrypted and decompressed `private.img` file.
[user@restore vm1]$ tar -xvf private.img.dec
vm1/private.img
10. Mount the private.img file and access your data.
9. Mount the private.img file and access your data.
[user@restore vm1]$ sudo mkdir /mnt/img
[user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/
[user@restore vm1]$ cat /mnt/img/home/user/your_data.txt
This data has been successfully recovered!
11. Success! If you wish to recover data from more than one VM in your backup,
10. Success! If you wish to recover data from more than one VM in your backup,
simply repeat steps 5--9 for each additional VM.

12
user/security-in-qubes/mfa.md
View File

@ -197,14 +197,14 @@ website](https://docs.nitrokey.com/software/nitropy/all-platforms/installation).
the template take effect in your USB app qube) or install the packages inside
your USB VM as well if you would like to avoid rebooting it.
1. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in
2. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in
dom0. This provides the program to authenticate with password and YubiKey / NitroKey3.
```
sudo qubes-dom0-update qubes-yubikey-dom0
```
2. Configure your YubiKey / NitroKey3:
3. Configure your YubiKey / NitroKey3:
**YubiKey**
@ -260,7 +260,7 @@ of this method. If you want to switch to a different NitroKey later, delete the
Do the same if for some reason your counters get desynchronized (it stops working), e.g. due
to connectivity issues (NitroKey3A Minis are known to wear out quickly).
3. **YubiKey**
4. **YubiKey**
Paste your `AESKEY` into `/etc/qubes/yk-keys/yk-secret-key.hex` in dom0.
@ -274,7 +274,7 @@ to connectivity issues (NitroKey3A Minis are known to wear out quickly).
Create the file `/etc/qubes/yk-keys/nk-hotp-secret` in dom0 and paste your `AESKEY`
(in base 32 format) into it.
4. As mentioned before, you need to define a new password that is only used in
5. As mentioned before, you need to define a new password that is only used in
combination with the YubiKey / NitroKey3. You can write this password in plain text into
`/etc/qubes/yk-keys/login-pass` in dom0. This is considered safe as dom0 is
ultimately trusted anyway.
@ -298,7 +298,7 @@ ultimately trusted anyway.
echo -n "$password" | openssl dgst -sha1 | cut -f2 -d ' '
```
5. To enable multi-factor authentication for a service, you need to add
6. To enable multi-factor authentication for a service, you need to add
```
auth include yubikey
@ -314,7 +314,7 @@ display manager and so on.
It is important, that `auth include yubikey` is added at the beginning of
these files, otherwise it will most likely not work.
6. Adjust the USB VM name in case you are using something other than the default
7. Adjust the USB VM name in case you are using something other than the default
`sys-usb` by editing `/etc/qubes/yk-keys/vm` in dom0.
#### Usage

2
user/security-in-qubes/split-gpg.md
View File

@ -152,7 +152,7 @@ Note that, because this makes it easier to accept Split GPG's qrexec authorizati
### Thunderbird 78 and higher
Starting with version 78, Thunderbird has a built-in PGP feature and no longer requires the Enigmail extension. For users coming from the Enigmail extension, the built-in functionality is more limited currently, including that **public keys must live in your work-email qube with Thunderbird rather than your offline work-gpg qube**.
Starting with version 78, Thunderbird has a built-in PGP feature and no longer requires the Enigmail extension. For users coming from the Enigmail extension, the built-in functionality is more limited currently, including that **public keys must live in your** `work-email` **qube with Thunderbird rather than your offline** `work-gpg` **qube**.
In `work-email`, use the Thunderbird config editor (found at the bottom of preferences/options), and search for `mail.openpgp.allow_external_gnupg`. Switch the value to true. Still in config editor, search for `mail.openpgp.alternative_gpg_path`. Set its value to `/usr/bin/qubes-gpg-client-wrapper`. Restart Thunderbird after this change.

10
user/templates/windows/qubes-windows-tools-4-1.md
View File

@ -79,7 +79,7 @@ In the future this step will not be necessary anymore, because we will sign our
The Xen PV Drivers bundled with QWT are signed by a Linux Foundation certificate. Thus Windows 10 and 11 do not require this security mitigation.
**Warning:** it is recommended to increase the default value of Windows VM's `qrexec_timeout` property from 60 (seconds) to, for example, 300. During one of the first reboots after Windows Tools installation Windows user profiles are moved onto the private VM's virtual disk (private.img) and this operation can take some time. Moving profiles and, later on, updating a Windows installation, is performed in an early boot phase when `qrexec` is not yet running, so timeout may occur with the default value. To change the property use this command in `dom0`: *(where <VMname> is the name of your Windows VM)*
**Warning:** it is recommended to increase the default value of Windows VM's `qrexec_timeout` property from 60 (seconds) to, for example, 300. During one of the first reboots after Windows Tools installation Windows user profiles are moved onto the private VM's virtual disk (private.img) and this operation can take some time. Moving profiles and, later on, updating a Windows installation, is performed in an early boot phase when `qrexec` is not yet running, so timeout may occur with the default value. To change the property use this command in `dom0`: *(where* `<VMname>` *is the name of your Windows VM)*
[user@dom0 ~] $ qvm-prefs <VMname> qrexec_timeout 7200
@ -137,7 +137,7 @@ Installing the Qubes Windows Tools on Windows 7, 8.1, 10 and 11 both as a Standa
5. After successful installation, the Windows VM must be shut down and started again, possibly a couple of times. On each shutdown, wait until the VM is really stopped, i.e. Qubes shows no more activity.
6. Qubes will automatically detect that the tools have been installed in the VM and will set appropriate properties for the VM, such as `qrexec_installed`, `guiagent_installed`, and `default_user`. This can be verified (but is not required) using the `qvm-prefs` command *(where <VMname> is the name of your Windows VM)*:
6. Qubes will automatically detect that the tools have been installed in the VM and will set appropriate properties for the VM, such as `qrexec_installed`, `guiagent_installed`, and `default_user`. This can be verified (but is not required) using the `qvm-prefs` command *(where* `<VMname>` *is the name of your Windows VM)*:
[user@dom0 ~] $ qvm-prefs <VMname>
@ -173,7 +173,7 @@ Installing the Qubes Windows Tools on Windows 7, 8.1, 10 and 11 both as a Standa
If Windows is used in a TemplateVM / AppVM combination, this registry fix has to be applied to the TemplateVM, as the `HKLM` registry key belongs to the template-based part of the registry.
10. Lastly to enable file copy operations to a Windows VM, the `default_user` property of this VM should be set to the `<username>` that you use to login to the Windows VM. This can be done via the following command on a `dom0` terminal: *(where <VMname> is the name of your Windows VM)*
10. Lastly to enable file copy operations to a Windows VM, the `default_user` property of this VM should be set to the `<username>` that you use to login to the Windows VM. This can be done via the following command on a `dom0` terminal: *(where* `<VMname>` *is the name of your Windows VM)*
`[user@dom0 ~] $ qvm-prefs <VMname> default_user <username>`
@ -267,7 +267,7 @@ Windows qubes can be used as disposables, like any other Linux-based qubes. On c
- Name the link, e.g. as `Command Prompt`.
- Close the Window with `OK`.
- Shut down this AppVM.
- In the Qube Manager, refresh the applications of the newly created AppVM and select those applications that you want to make available from the disposable. Alternatively, in dom0 execute the command `qvm-sync-appmenus <VMname>`, *where <VMname> is the name of your windows qube*.
- In the Qube Manager, refresh the applications of the newly created AppVM and select those applications that you want to make available from the disposable. Alternatively, in dom0 execute the command `qvm-sync-appmenus <VMname>`, *where* `<VMname>` *is the name of your windows qube*.
- In the Qube Manager, go to the "Advanced" tab and enable the option `Disposable template` for your Windows qube. Alternatively, in dom0 execute the commands `qvm-prefs <VMname> template_for_dispvms True` and `qvm-features <VMname> appmenus-dispvm 1`.
- Click `Apply`.
- Still in the Advanced tab, select your Windows qube as its own `Default disposable template`. Alternatively, in dom0 execute the command `qvm-prefs <VMname> default_dispvm <VMname>`.
@ -277,7 +277,7 @@ Now you should have a menu `Disposable: <VMname>` containing the applications th
For further information on usage of disposables, see [How to use disposables](/doc/how-to-use-disposables/).
**Caution:** *If a Windows-based disposable is used from another qube via the Open/Edit in DisposableVM command, this disposable may not close automatically, due to the command prompt window still running in this dispvm. In this case, the disposable has to be shut down manually.*
**Caution:** *If a Windows-based disposable is used from another qube via the* `Open/Edit in DisposableVM` *command, this disposable may not close automatically, due to the command prompt window still running in this dispvm. In this case, the disposable has to be shut down manually.*
## Installation logs

14
user/troubleshooting/installation-troubleshooting.md
View File

@ -66,15 +66,15 @@ These errors may also occur due to an incompatible Nvidia graphics card. If you
2. Enter GRUB, move the selection to the first choice, and then press the Tab key.
3. Now, you are in edit mode. Move the text cursor with your arrow key and after ``kernel=`` line, add:
```
nouveau.modeset=0 rd.driver.blacklist=nouveau video=vesa:off
```
```bash
nouveau.modeset=0 rd.driver.blacklist=nouveau video=vesa:off
```
If the above code doesn't fix the problem, replace it with:
If the above code doesn't fix the problem, replace it with:
```
noexitboot=1 modprobe.blacklist=nouveau rd.driver.blacklist=nouveau --- intitrd.img
```
```bash
noexitboot=1 modprobe.blacklist=nouveau rd.driver.blacklist=nouveau --- intitrd.img
```
For more information, look at the [Nvidia Troubleshooting guide](https://forum.qubes-os.org/t/19021#disabling-nouveau).