Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-23 13:11:02 -05:00
Code Issues Packages Projects Releases Wiki Activity

Improve text presentation

Browse Source
This commit is contained in:
Andrew David Wong 2022-10-27 15:00:36 -07:00
parent e217ec873a
commit ed14e7840f
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 191 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

366
user/how-to-guides/how-to-organize-your-qubes.md
View File

@ -56,28 +56,29 @@ the other. Alice's setup looks like this:
![[Alice's system: digram 1](/attachment/doc/howto_use_qubes_alice_1.png)](/attachment/doc/howto_use_qubes_alice_1.png)
- Several qubes for writing code. Here's where she runs her IDE, commits code,
and signs her commits. These qubes are based on different templates depending
on which tools and which development environment she needs. In general, Alice
likes to have a separate qube of this type for each client or each project.
This allows her to keep everything organized and avoid accidentally mixing up
any access credentials or client code, which could be disastrous. This also
allows her to truthfully tell her clients that their code is always securely
isolated from all her other clients. She likes to use the [Qubes
firewall](/doc/firewall/) to restrict these qubes' network access to only the
code repositories she needs in that qube in order to avoid accidentally
interacting with anything else on her local network or on the internet. Alice
also has some qubes of this type for personal programming projects that she
works on just for fun when she has "free time" (whatever that is).
- **Several qubes for writing code.** Here's where she runs her IDE, commits
code, and signs her commits. These qubes are based on different templates
depending on which tools and which development environment she needs. In
general, Alice likes to have a separate qube of this type for each client or
each project. This allows her to keep everything organized and avoid
accidentally mixing up any access credentials or client code, which could be
disastrous. This also allows her to truthfully tell her clients that their
code is always securely isolated from all her other clients. She likes to use
the [Qubes firewall](/doc/firewall/) to restrict these qubes' network access
to only the code repositories she needs in that qube in order to avoid
accidentally interacting with anything else on her local network or on the
internet. Alice also has some qubes of this type for personal programming
projects that she works on just for fun when she has "free time" (whatever
that is).
- Several qubes for building and testing. Again, Alice usually likes to have
one of these for each client or project in order to keep things organized.
However, this can become rather cumbersome and memory-intensive when many
such qubes are running at the same time, so Alice will sometimes use the same
qube for building and testing, or for multiple projects that require the same
environment, when she decides that the marginal benefits of extra
compartmentalization aren't worth the trouble. Here's where she pulls any
dependencies she needs, compiles her code, runs her build toolchain, and
- **Several qubes for building and testing.** Again, Alice usually likes to
have one of these for each client or project in order to keep things
organized. However, this can become rather cumbersome and memory-intensive
when many such qubes are running at the same time, so Alice will sometimes
use the same qube for building and testing, or for multiple projects that
require the same environment, when she decides that the marginal benefits of
extra compartmentalization aren't worth the trouble. Here's where she pulls
any dependencies she needs, compiles her code, runs her build toolchain, and
tests her deliverables. In some cases, she finds it useful to use
[standalones](/doc/standalones-and-hvms/) for these so that it's easier to
quickly [install different pieces of software](/doc/how-to-install-software/)
@ -95,9 +96,9 @@ the other. Alice's setup looks like this:
![[Alice's system: diagram 2](/attachment/doc/howto_use_qubes_alice_2.png)](/attachment/doc/howto_use_qubes_alice_2.png)
- Several email qubes. Since Alice is a command-line aficionado, she likes to
use a terminal-based email client, so both her work and personal email qubes
are based on a template with
- **Several email qubes.** Since Alice is a command-line aficionado, she likes
to use a terminal-based email client, so both her work and personal email
qubes are based on a template with
[Mutt](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/mutt.md)
installed. The email qubes where she sends and receives PGP-signed and
encrypted email securely accesses the private keys in her PGP backend qube
@ -105,41 +106,43 @@ the other. Alice's setup looks like this:
Mutt to open all attachment files in [disposable
qubes](/doc/how-to-use-disposables/).
- Several qubes for communication tools, like Signal, Slack, Zoom, Telegram,
IRC, and Discord. This is where she teleconferences and chats with clients.
She uses [USB passthrough](/doc/how-to-use-usb-devices/) to attach her webcam
to each qube as needed and detaches it afterward. Likewise, she gives each
qube access to her microphone while it's needed, then removes access
afterward. This way, she doesn't have to trust any given video chat program's
mute button and doesn't have to worry about being spied on when she's not on
a call. She also has a qube for social media platforms like Twitter, Reddit,
and Hacker News for networking and keeping up with new developments (or so
she claims; in reality, it's mostly for feuds over programming language
superiority, Vim vs. Emacs wars, and tabs vs. spaces crusades).
- **Several qubes for communication tools,** like Signal, Slack, Zoom,
Telegram, IRC, and Discord. This is where she teleconferences and chats with
clients. She uses [USB passthrough](/doc/how-to-use-usb-devices/) to attach
her webcam to each qube as needed and detaches it afterward. Likewise, she
gives each qube access to her microphone while it's needed, then removes
access afterward. This way, she doesn't have to trust any given video chat
program's mute button and doesn't have to worry about being spied on when
she's not on a call. She also has a qube for social media platforms like
Twitter, Reddit, and Hacker News for networking and keeping up with new
developments (or so she claims; in reality, it's mostly for feuds over
programming language superiority, Vim vs. Emacs wars, and tabs vs. spaces
crusades).
- A GPG backend vault. Vaults are completely offline qubes that are isolated
from the network. This particular vault holds Alice's private keys (e.g., for
code signing and email) and is securely accessed by several other "frontend"
qubes via the [Split GPG](/doc/split-gpg/) system. Split GPG allows only the
frontend qubes that Alice explicitly authorizes to have the ability to
request PGP operations (e.g., signing and encryption) in the backend vault.
Even then, no qube ever has direct access to Alice's private keys except the
backend vault itself.
- **A GPG backend vault.** Vaults are completely offline qubes that are
isolated from the network. This particular vault holds Alice's private keys
(e.g., for code signing and email) and is securely accessed by several other
"frontend" qubes via the [Split GPG](/doc/split-gpg/) system. Split GPG
allows only the frontend qubes that Alice explicitly authorizes to have the
ability to request PGP operations (e.g., signing and encryption) in the
backend vault. Even then, no qube ever has direct access to Alice's private
keys except the backend vault itself.
- A password manager vault. This is another completely offline,
- **A password manager vault.** This is another completely offline,
network-isolated qube where Alice uses her offline password manager,
KeePassXC, to store all of her usernames and passwords. She uses the [secure
copy and paste](/doc/how-to-copy-and-paste-text/) system to quickly copy
credentials into other qubes whenever she needs to log into anything.
- Personal qubes. One of the things Alice loves the most about Qubes is that
she can use it for both work *and* personal stuff without having to worry
about cross-contamination. Accordingly, she has several qubes that pertain to
her personal life. For example, she has an offline vault that holds her
medical documents, test results, and vaccination records. She has another
offline vault for her government documents, birth certificate, scans of her
passport, and so on. She also has some personal social media accounts in a
separate qube for keeping up with family members and friends from school.
- **Personal qubes.** One of the things Alice loves the most about Qubes is
that she can use it for both work *and* personal stuff without having to
worry about cross-contamination. Accordingly, she has several qubes that
pertain to her personal life. For example, she has an offline vault that
holds her medical documents, test results, and vaccination records. She has
another offline vault for her government documents, birth certificate, scans
of her passport, and so on. She also has some personal social media accounts
in a separate qube for keeping up with family members and friends from
school.
When she finishes her work for a given client, Alice sends off her
deliverables, [backs up](/doc/how-to-back-up-restore-and-migrate/) the qubes
@ -171,18 +174,18 @@ for work, which contains:
![[A diagram of Bob's system](/attachment/doc/howto_use_qubes_bob.png)](/attachment/doc/howto_use_qubes_bob.png)
- One offline qube for writing. It runs only LibreOffice Writer. This is where
Bob does all of his writing. This window is usually open side-by-side with
another window containing research or material from a source.
- **One offline qube for writing.** It runs only LibreOffice Writer. This is
where Bob does all of his writing. This window is usually open side-by-side
with another window containing research or material from a source.
- Multiple email qubes. One is for receiving emails from the general public.
Another is for emailing his editor and colleagues. Both are based on a
[minimal template](/doc/templates/minimal/) with Thunderbird installed. He's
configured both to open all attachments in
- **Multiple email qubes.** One is for receiving emails from the general
public. Another is for emailing his editor and colleagues. Both are based on
a [minimal template](/doc/templates/minimal/) with Thunderbird installed.
He's configured both to open all attachments in
[disposables](/doc/how-to-use-disposables/) that are offline in case an
attachment contains a beacon that tries to phone home.
- Whonix qubes. He has the standard `sys-whonix` service qube for providing
- **Whonix qubes.** He has the standard `sys-whonix` service qube for providing
Torified network access, and he uses disposable `anon-workstation` app qubes
for using Tor Browser to do research on stories he's writing. Since the topic
is often of a sensitive nature and might implicate powerful individuals, it's
@ -195,8 +198,8 @@ for work, which contains:
with have said that they can't take a chance with any other form of
communication.
- Two qubes for
[Signal](https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md).
- **Two qubes for
[Signal](https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md).**
Bob has two Signal app qubes (both on the same template in which the Signal
desktop app is installed). One is linked to his own mobile number for
communicating with co-workers and other known, trusted contacts. The other is
@ -204,7 +207,7 @@ for work, which contains:
confidentially. This is especially useful for individuals who don't use Tor
but for whom unencrypted communication could be dangerous.
- Several data vaults. When someone sends Bob material that turns out to be
- **Several data vaults.** When someone sends Bob material that turns out to be
useful, or when he comes across useful material while doing his own research,
he stores a copy in a completely offline, network-isolated vault qube. Most
of these files are PDFs and images, though some are audio files, videos, and
@ -213,14 +216,14 @@ for work, which contains:
different vaults (usually one for each story or topic) just in case. This has
the side benefit of helping to keep things organized.
- A [VPN
- **A [VPN
qube](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md)
and associated qubes for accessing work resources. The servers at work can
and associated qubes for accessing work resources.** The servers at work can
only be accessed from the organization's network, so Bob has certain qubes
that are connected to a VPN qube so that he can upload his work and access
anything he needs on the local network when he's not physically there.
- A password manager vault. Bob stores all of his login credentials in the
- **A password manager vault.** Bob stores all of his login credentials in the
default password manager that came with his offline vault qube. He [securely
copies and pastes](/doc/how-to-copy-and-paste-text/) them into other qubes as
needed.
@ -254,22 +257,26 @@ cybercrime policies, rarely, if ever, do they explicitly guarantee
reimbursement in the event that a *customer* gets hacked (rather than the
institution itself).
Carol looked into how thieves might actually try to steal her hard-earned
wealth and was surprised to learn that they have all sorts of ploys that she
had never even considered. For example, she had assumed that any theft would,
at the bare minimum, have to involve transferring money out of her account.
That seems like a safe assumption. But then she read about "pump and dump"
attacks, where thieves buy up some penny stock, hack into innocent people's
brokerage accounts, then use the victims' funds to buy that same penny stock,
"pumping" up its price so that the thieves can "dump" their shares on the
market, leaving the victims with worthless shares. No money is ever transferred
into or out of the victims' account; it's just used to buy and sell securities.
So, all the safeguards preventing new bank accounts from being added or
requiring extra approval for outbound transfers do nothing to protect victims'
funds in cases like these. And this is just one example! Carol realized that
she couldn't assume that existing safeguards against specific, known attacks
were enough. She had to think about security at a more fundamental level and
design it into her digital life from the ground up.
<div class="alert alert-caution" role="alert">
<i class="fa fa-exclamation-triangle"></i>
Carol looked into how thieves might actually try to steal her hard-earned
wealth and was surprised to learn that they have all sorts of ploys that she
had never even considered. For example, she had assumed that any theft would,
at the bare minimum, have to involve transferring money out of her account.
That seems like a safe assumption. But then she read about "pump and dump"
attacks, where thieves buy up some penny stock, hack into innocent people's
brokerage accounts, then use the victims' funds to buy that same penny stock,
"pumping" up its price so that the thieves can "dump" their shares on the
market, leaving the victims with worthless shares. No money is ever
transferred into or out of the victims' account; it's just used to buy and
sell securities. So, all the safeguards preventing new bank accounts from
being added or requiring extra approval for outbound transfers do nothing to
protect victims' funds in cases like these. And this is just one example!
Carol realized that she couldn't assume that existing safeguards against
specific, known attacks were enough. She had to think about security at a
more fundamental level and design it into her digital life from the ground
up.
</div>
After learning about all this, Carol decided that it was ultimately up to her
to take care of her own cybersecurity. She couldn't rely on anyone else to do
@ -289,7 +296,7 @@ her setup looks like this:
![[A diagram of Carol's system](/attachment/doc/howto_use_qubes_carol.png)](/attachment/doc/howto_use_qubes_carol.png)
- One qube for each investment firm and bank. Carol has a few different
- **One qube for each investment firm and bank.** Carol has a few different
retirement accounts, brokerage accounts, and bank accounts. She treats each
qube like a "secure terminal" for accessing only that one institution's
website. She makes her transactions and saves any statements and
@ -300,40 +307,41 @@ her setup looks like this:
based on a [minimal template](/doc/templates/minimal/) with just a web
browser (which doubles as a PDF viewer) and a file manager installed.
- One qube for all her credit card accounts. Carol started to make a separate
qube for each credit card account but ultimately decided against it. For one
thing, the consumer protections for credit card fraud in her country are much
better than for losing assets to theft or fraud in a bank or brokerage
account, so the security risk isn't as high. Second, there's actually not a
whole lot that an attacker could do with access to her credit cards' online
accounts or her old credit card statements, since online access to these
generally doesn't allow spending or withdrawing any money. So, even the worst
case scenario here wouldn't be catastrophic, unlike with her bank and
brokerage accounts. Third, she's not too worried about any of her credit card
company websites being used to attach each other or her qube (As long as it's
contained to a single qube, she's fine with that level of risk.) Last, but
not least: She has way too many credit cards! While Carol is very frugal, she
likes to collect the sign-up bonuses that are offered for opening new cards,
so she's accumulated quite a few of them. (However, she's always careful to
pay off her balance each month, so she never pays interest. She's also pretty
disciplined about only spending what she would have spent *anyway* and not
being tempted to spend more just to meet a spending requirement or because
she can.) At any rate, Carol has decided that the tiny benefit she stands to
gain from having a separate qube for every credit card website wouldn't be
worth the hassle of having to manage so many extra qubes.
- **One qube for all her credit card accounts.** Carol started to make a
separate qube for each credit card account but ultimately decided against it.
For one thing, the consumer protections for credit card fraud in her country
are much better than for losing assets to theft or fraud in a bank or
brokerage account, so the security risk isn't as high. Second, there's
actually not a whole lot that an attacker could do with access to her credit
cards' online accounts or her old credit card statements, since online access
to these generally doesn't allow spending or withdrawing any money. So, even
the worst case scenario here wouldn't be catastrophic, unlike with her bank
and brokerage accounts. Third, she's not too worried about any of her credit
card company websites being used to attach each other or her qube (As long as
it's contained to a single qube, she's fine with that level of risk.) Last,
but not least: She has way too many credit cards! While Carol is very frugal,
she likes to collect the sign-up bonuses that are offered for opening new
cards, so she's accumulated quite a few of them. (However, she's always
careful to pay off her balance each month, so she never pays interest. She's
also pretty disciplined about only spending what she would have spent
*anyway* and not being tempted to spend more just to meet a spending
requirement or because she can.) At any rate, Carol has decided that the tiny
benefit she stands to gain from having a separate qube for every credit card
website wouldn't be worth the hassle of having to manage so many extra qubes.
- One qube for credit monitoring, credit reports, and credit history services.
Carol has worked hard to build up a good credit score, and she's concerned
about identity theft, so she has one qube dedicated to managing her free
credit monitoring services and downloading her free annual credit reports.
- **A qube for credit monitoring, credit reports, and credit history
services.** Carol has worked hard to build up a good credit score, and she's
concerned about identity theft, so she has one qube dedicated to managing her
free credit monitoring services and downloading her free annual credit
reports.
- Two qubes for taxes. Carol has a [Windows
- **Two qubes for taxes.** Carol has a [Windows
qube](https://github.com/Qubes-Community/Contents/blob/master/docs/os/windows/windows.md)
for running her Windows-only tax software. She also has an offline vault
where she stores all of her tax-related forms and documents, organized by
year.
- One qube for financial planning and tracking. Carol loves spreadsheets, so
- **A qube for financial planning and tracking.** Carol loves spreadsheets, so
this offline qube is where she maintains a master spreadsheet to track all of
her investments and her savings rate. She also keeps her budgeting
spreadsheet, insurance spreadsheet, and written investment policy statement
@ -341,16 +349,19 @@ her setup looks like this:
software, like LibreOffice and Gnumeric (so that Carol can run her own Monte
Carlo simulations).
- Various email qubes. Carol likes to have one email qube for her most
- **Various email qubes.** Carol likes to have one email qube for her most
important financial accounts; a separate one for her credit cards accounts,
online shopping accounts, and insurance companies; and another one for
personal email. They're all based on the same template with Thunderbird
installed.
- A password manager vault. A network-isolated qube where Carol stores all of
her account usernames and passwords in KeePassXC. She uses the [Qubes global
clipboard](/doc/how-to-copy-and-paste-text/) to copy and paste them into her
other qubes when she needs to log into her accounts.
- **A password manager vault.** A network-isolated qube where Carol stores all
of her account usernames and passwords in KeePassXC. She uses the [Qubes
global clipboard](/doc/how-to-copy-and-paste-text/) to copy and paste them
into her other qubes when she needs to log into her accounts.
## Bonus: Carol explores new financial technology
The vast majority of Carol's assets are in broad-based, low-cost,
passively-managed indexed funds. Lately, however, she's started getting
@ -365,9 +376,9 @@ she has the self-discipline to invest only what she can afford to lose, so
she's decided to dip her toe in the water by allocating a small portion of her
portfolio. This has led her to add the following to her Qubes setup:
- A standalone qube for running Bitcoin Core and an offline wallet vault. Carol
finds the design and security properties of Bitcoin very interesting, so
she's experimenting with running a full node. She also created a
- **A standalone qube for running Bitcoin Core and an offline wallet vault.**
Carol finds the design and security properties of Bitcoin very interesting,
so she's experimenting with running a full node. She also created a
network-isolated vault in order to try running a copy of Bitcoin Core
completely offline as a "cold storage" wallet. She's still trying to figure
out how this compares to an actual hardware wallet, paper wallet, or
@ -377,12 +388,12 @@ portfolio. This has led her to add the following to her Qubes setup:
Qubes](https://github.com/Qubes-Community/Contents/blob/master/docs/security/split-bitcoin.md)
and is interested in exploring that further.
- Whonix qubes. Carol read somewhere that Bitcoin nodes should be run over Tor
for privacy and security. She found it very convenient that Whonix is already
integrated into Qubes, so she simply set her Bitcoin Core "full node" qube to
use `sys-whonix` as its networking qube.
- **Whonix qubes.** Carol read somewhere that Bitcoin nodes should be run over
Tor for privacy and security. She found it very convenient that Whonix is
already integrated into Qubes, so she simply set her Bitcoin Core "full node"
qube to use `sys-whonix` as its networking qube.
- Various qubes for DeFi and web3. Carol has also started getting into DeFi
- **Various qubes for DeFi and web3.** Carol has also started getting into DeFi
(decentralized finance) and web3 on Ethereum and other smart contract
blockchains, so a friend recommended that she get a Ledger hardware wallet.
She downloaded the Ledger Live software in an app qube and [set up her system
@ -396,8 +407,8 @@ portfolio. This has led her to add the following to her Qubes setup:
this qube so she can use Metamask in conjunction with her Ledger to interact
with smart contracts and decentralized exchanges.
- Various qubes for research and centralized exchanges. Carol uses these when
she wants to check block explorer websites, coin listing and market cap
- **Various qubes for research and centralized exchanges.** Carol uses these
when she wants to check block explorer websites, coin listing and market cap
sites, aggregation tools, or just to see what the latest buzz is on Crypto
Twitter.
@ -421,16 +432,21 @@ everyone will want to use the same email client. On the other hand, almost
everyone will need a password manager, and it pretty much always makes sense to
keep it in an offline, network-isolated vault.
As you gain experience with Qubes, you may find yourself disagreeing with some
of the decisions our fictional friends made. That's okay! There are many
different ways to organize a Qubes system, and the most important criterion is
that it serves the needs of its owner. Since everyone's needs are different,
it's perfectly normal to find yourself doing things a bit differently.
Nonetheless, there are some general principles that almost all users find
helpful when they're first starting out. As you're designing your own Qubes
system, keep in mind some of the following lessons from our case studies:
<div class="alert alert-info" role="alert">
<i class="fa fa-circle-info"></i>
As you gain experience with Qubes, you may find yourself disagreeing with
some of the decisions our fictional friends made. That's okay! There are many
different ways to organize a Qubes system, and the most important criterion
is that it serves the needs of its owner. Since everyone's needs are
different, it's perfectly normal to find yourself doing things a bit
differently. Nonetheless, there are some general principles that almost all
users find helpful, especially when they're first starting out.
</div>
- You'll probably change your mind as you go. You'll realize that one qube
As you're designing your own Qubes system, keep in mind some of the following
lessons from our case studies:
- **You'll probably change your mind as you go.** You'll realize that one qube
should really be split into two, or you'll realize that it doesn't really
make sense for two qubes to be separate and that they should instead be
merged into one. That's okay. Qubes OS supports your ability to adapt and
@ -438,7 +454,7 @@ system, keep in mind some of the following lessons from our case studies:
eventually settle down, and you'll find your groove. Changes to the way you
organize your qubes will become less drastic and less frequent over time.
- [Make frequent backups.](/doc/how-to-back-up-restore-and-migrate/) Losing
- **[Make frequent backups.](/doc/how-to-back-up-restore-and-migrate/)** Losing
data is never fun, whether it's from an accidental deletion, a system crash,
buggy software, or a hardware failure. By getting into the habit of making
frequent backups now, you'll save yourself from a lot of pain in the future.
@ -451,53 +467,53 @@ system, keep in mind some of the following lessons from our case studies:
anymore without having to worry that you might need them again someday, since
you know you can always restore them from a backup.
- Think about which programs you want to run and where you want to store data.
In some cases, it makes sense to run programs and store data in the same
qube, for example, if the data is generated by that program. In other cases,
it makes sense to have qubes that are exclusively for storing data (e.g.,
offline data storage vaults) and other qubes that are exclusively for running
programs (e.g., web browser-only qubes). Remember that when you make backups,
it's only essential to back up data that can't be replaced. This can allow
you to achieve minimal backups that are quite small compared to the total
size of your installation. Templates, service qubes, and qubes that are used
exclusively for running programs and that contain no data don't necessarily
have to be backed up as long as you're confident that you can recreate them
if needed. This is why it's a good practice to keep notes on which packages
you installed in which templates and which customizations and configurations
you made. Then you can refer to your notes the next time you need to recreate
those qubes. Of course, backing up everything is not a bad idea either. It
may require a bit more time and disk space upfront, but for some people, it
can be just as important as backing up their irreplaceable data. If your
system is mission-critical, and you can't afford more than a certain amount
of downtime, then by all means, back everything up!
- **Think about which programs you want to run and where you want to store
data.** In some cases, it makes sense to run programs and store data in the
same qube, for example, if the data is generated by that program. In other
cases, it makes sense to have qubes that are exclusively for storing data
(e.g., offline data storage vaults) and other qubes that are exclusively for
running programs (e.g., web browser-only qubes). Remember that when you make
backups, it's only essential to back up data that can't be replaced. This can
allow you to achieve minimal backups that are quite small compared to the
total size of your installation. Templates, service qubes, and qubes that are
used exclusively for running programs and that contain no data don't
necessarily have to be backed up as long as you're confident that you can
recreate them if needed. This is why it's a good practice to keep notes on
which packages you installed in which templates and which customizations and
configurations you made. Then you can refer to your notes the next time you
need to recreate those qubes. Of course, backing up everything is not a bad
idea either. It may require a bit more time and disk space upfront, but for
some people, it can be just as important as backing up their irreplaceable
data. If your system is mission-critical, and you can't afford more than a
certain amount of downtime, then by all means, back everything up!
- Introspect on your own behavior. For example, if you find yourself wanting to
find some way to get two qubes to share the same storage space, then this is
probably a sign that those two qubes shouldn't be separate in the first
place. Sharing storage with each other largely breaks down the secure wall
between them, making the separation somewhat pointless. But you probably had
a good reason for wanting to make them two separate qubes instead of one to
begin with. What exactly was that reason? If it has to do with security, then
why are you okay with them freely sharing data that could allow one to infect
the other? If you're sure sharing the data wouldn't cause one to infect the
other, then what's the security rationale for keeping them separate? By
critically examining your own thought process in this way, you can uncover
inconsistencies and contradictions that allow you to better refine your
system, resulting in a more logical organization that serves your needs
better and better over time.
- **Introspect on your own behavior.** For example, if you find yourself
wanting to find some way to get two qubes to share the same storage space,
then this is probably a sign that those two qubes shouldn't be separate in
the first place. Sharing storage with each other largely breaks down the
secure wall between them, making the separation somewhat pointless. But you
probably had a good reason for wanting to make them two separate qubes
instead of one to begin with. What exactly was that reason? If it has to do
with security, then why are you okay with them freely sharing data that could
allow one to infect the other? If you're sure sharing the data wouldn't cause
one to infect the other, then what's the security rationale for keeping them
separate? By critically examining your own thought process in this way, you
can uncover inconsistencies and contradictions that allow you to better
refine your system, resulting in a more logical organization that serves your
needs better and better over time.
- Don't assume that just because *you* can't find a way to attack your system,
an adversary wouldn't be able to. When you're thinking about whether it's a
good idea to combine different activities or data in a single qube, for
example, you might think, "Well, I can't really see how these pose a risk to
each other." The problem is that we often miss attack vectors that
- **Don't assume that just because *you* can't find a way to attack your
system, an adversary wouldn't be able to.** When you're thinking about
whether it's a good idea to combine different activities or data in a single
qube, for example, you might think, "Well, I can't really see how these pose
a risk to each other." The problem is that we often miss attack vectors that
sophisticated adversaries spot and can use against us. After all, most people
don't think that using a conventional monolithic operating system is risky,
when in reality their entire digital life can be taken down in one fell
swoop. That's why a good rule of thumb is: When in doubt, compartmentalize.
- On the other hand, compartmentalization --- like everything else --- can be
taken to an extreme. The appropriate amount depends on your temperament,
- **But remember that compartmentalization --- like everything else --- can be
taken to an extreme.** The appropriate amount depends on your temperament,
time, patience, experience, risk tolerance, and expertise. In short, there
can be such a thing as *too much* compartmentalization! You also have to be
able to actually *use* your computer efficiently to do the things you need to