20 KiB
| layout | title | permalink | redirect_from | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| doc | Installation guide | /doc/installation-guide/ |
|
Installation guide
Welcome to the Qubes OS installation guide! This guide will walk you through the process of installing Qubes. Please read it carefully and thoroughly, as it contains important information for ensuring that your Qubes OS installation is functional and secure.
Pre-installation
Hardware requirements
Qubes OS has very specific system requirements. To ensure compatibility, we strongly recommend using Qubes-certified hardware. Other hardware may require you to perform significant troubleshooting. You may also find it helpful to consult the Hardware Compatibility List.
Even on supported hardware, you must ensure that IOMMU-based virtualization is activated in the BIOS. Without it, Qubes OS won't be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (Intel VT-d) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply AMD-Vi). This parameter should be activated in your computer's BIOS, alongside the standard Virtualization (Intel VT-x) and AMD Virtualization (AMD-V) extensions. This external guide made for Intel-based boards can help you figure out how to enter your BIOS to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab.
Copying the ISO onto the installation medium
Start by downloading a Qubes ISO.
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a dual-layer DVD, a Blu-ray disc, or a USB drive. The size of each Qubes ISO is available on the downloads page by hovering over the download button.
If you choose to use a USB drive, copy the ISO onto the USB device, e.g. using dd:
$ sudo dd if=Qubes-RX-x86_64.iso of=/dev/sdY status=progress bs=1048576 && sync
Change Qubes-RX-x86_64.iso to the filename of the version you're installing, and change /dev/sdY to the correct target device e.g., /dev/sdc).
Make sure to write to the entire device (e.g., /dev/sdc) rather than just a single partition (e.g., /dev/sdc1).
On Windows, you can use the Rufus tool to write the ISO to a USB key. MediaTest is not recommended. Be sure to select "DD image" mode (after selecting the Qubes ISO):
If you are an advanced user, and you would like to customize your installation, please see custom installation. Otherwise, follow the instructions below.
Installation
This section will demonstrate a simple installation using mostly default settings.
Getting to the boot screen
Just after you power on your machine, make the Qubes OS medium available to the computer by inserting your DVD or USB drive. Shortly after the Power-on self-test (POST) is completed, you should be greeted with the Qubes OS boot screen.
From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options. You can choose one of three options:
- Install Qubes OS
- Test this media and install Qubes OS
- Troubleshooting
Select the option to test this media and install Qubes OS.
If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If Windows 10 is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an advanced reboot.
After the POST, you may have a chance to choose a boot device. You may wish to select the USB drive or DVD drive as a temporary boot option so that the next time you boot, your internal storage device will be selected first.
The installer home screen
On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select Continue.
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
Do not panic. It may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS. Return to the hardware requirements section to learn how to activate it. If the setting is not configured correctly, it means that your hardware won't be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
If the test passes, you will reach the installation summary screen. The installer loads Xen right at the beginning. If you can see the installer's graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with RPM-based distributions should feel at home.
Installation summary
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
Localization
Let's assume you wish to add a German keyboard layout. Go to Keyboard Layout, press the "Plus" symbol, search for "German" as indicated in the screenshot and press "Add". If you want it be your default language, select the "German" entry in the list and press the arrow button. Click on "Done" in the upper left corner, and you're ready to go!
The process to select a new language is similar to the process to select a new keyboard layout. Follow the same process in the "Language Support" entry.
You can have as many keyboard layout and languages as you want. Post-install, you will be able to switch between them and install others.
Don't forget to select your time and date by clicking on the Time & Date entry.
Software
On the software selection tab, you can choose which software to install in Qubes OS. Two options are available:
- Debian: Select this option if you would like to use Debian qubes in addition to the default Fedora qubes.
- Whonix: Select this option if you would like to use Whonix qubes. Whonix allows you to use Tor securely within Qubes.
Whonix lets you route some or all of your network traffic through Tor for greater privacy. Depending on your threat model, you may need to install Whonix templates right away.
Regardless of your choices on this screen, you will always be able to install these and other TemplateVMs later. If you're short on disk space, you may wish to deselect these options.
By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment. Other desktop environments will be available to you after the installation is completed, though they may not be officially supported (see advanced configuration).
Press Done to go back to the installation summary screen.
Installation destination
Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
Your installation destination can be an internal or external storage drive, such as an SSD, HDD, or USB drive. The installation destination must have a least 32 GiB of free space available.
Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
As soon as you press Done, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When you're finished, press Done.
When you're ready, press Begin Installation.
Create your user account
While the installation process is running, you can create your user account. This is what you'll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
Select User Creation to define a new user with administrator privileges and a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
When the installation is complete, press Reboot. Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
Post-installation
First boot
If the installation was successful, you should now see the GRUB menu during the boot process.
Just after this screen, you will be asked to enter your encryption passphrase.
Initial Setup
You're almost done. Before you can start using Qubes OS, some configuration is needed.
By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
Let's briefly go over the options:
- Create default system qubes: These are the core components of the system, required for things like internet access.
- Create default application qubes: These are how you compartmentalize your digital life. There's nothing special about the ones the installer creates. They're just suggestions that apply to most people. If you decide you don't want them, you can always delete them later, and you can always create your own.
- Create Whonix Gateway and Workstation qubes:
If you want to use Whonix, you should select this option.
- Enabling system and template updates over the Tor anonymity network using Whonix: If you select this option, then whenever you install or update software in dom0 or a TemplateVM, the internet traffic will go through Tor.
- Create USB qube holding all USB controllers:
Just like the network qube for the network stack, the USB qube isolates the USB controllers.
- Use sys-net qube for both networking and USB devices: You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
- Do not configure anything: This is for very advanced users only. If you select this option, you'll have to set everything up manually afterward.
When you're satisfied with you choices, press Done. This configuration process may take a while, depending on the speed and compatibility of your system.
After the configuration is done, you will be greeted by the login screen. Enter your password and log in.
Congratulations, you are now ready to use Qubes OS!
Next steps
Updating
Next, update your installation to ensure you have the latest security updates. Frequently updating is one of the best ways to remain secure against new threats.
Backups
It is extremely important to make regular backups so that you don't lose your data unexpectedly. The Qubes backup system allows you to do this securely and easily.
Submit your HCL report
Consider giving back to the Qubes community and helping other users by generating and submitting a Hardware Compatibility List (HCL) report.
Get Started
Get Started with Qubes, and read more about Common Tasks and Managing Operating Systems within Qubes.
Getting help
-
We work very hard to make the documentation accurate, comprehensive useful and user friendly. We urge you to read it! It may very well contain the answers to your questions. (Since the documentation is a community effort, we'd also greatly appreciate your help in improving it!)
-
If issues arise during installation, see the Installation Troubleshooting guide.
-
If you don't find your answer in the documentation, please see Help, Support, Mailing Lists, and Forum for places to ask.
-
Please do not email individual members of the Qubes team with questions about installation or other problems. Instead, please see Help, Support, Mailing Lists, and Forum for appropriate places to ask questions.