mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-26 07:49:34 -05:00
2f701a7190
Merge branch 'pr-1333'
597 lines
36 KiB
Markdown
597 lines
36 KiB
Markdown
---
|
||
lang: en
|
||
layout: doc
|
||
permalink: /doc/how-to-organize-your-qubes/
|
||
title: How to organize your qubes
|
||
---
|
||
|
||
When people first learn about Qubes OS, their initial reaction is often, "Wow,
|
||
this looks really cool! But... what can I actually *do* with it?" It's not
|
||
always obvious which qubes you should create, what you should do in each one,
|
||
and whether your organizational ideas makes sense from a security or usage
|
||
perspective.
|
||
|
||
Each qube is essentially a secure compartment, and you can create as many of
|
||
them as you like and connect them to each other in various ways. They're sort
|
||
of like Lego blocks in the sense that you can build whatever you want. But if
|
||
you're not sure what to build, then this open-ended freedom can be daunting.
|
||
It's a bit like staring at a blank document when you first sit down to write
|
||
something. The possibilities are endless, and you may not know where to begin!
|
||
|
||
The truth is that no one else can tell you *exactly* how you should organize
|
||
your qubes, as there is no single correct answer to that question. It depends
|
||
on your needs, desires, and preferences. Every user's optimal setup will be
|
||
different. However, what we *can* do is provide you with some illustrative
|
||
examples based on questionnaires and interviews with Qubes users and
|
||
developers, as well as our own personal experience and insight from using Qubes
|
||
over the years. You may be able to adapt some of these examples to fit your own
|
||
unique situation. More importantly, walking you through the rationale behind
|
||
various decisions will teach you how to apply the same thought process to your
|
||
own organizational decisions. Let's begin!
|
||
|
||
|
||
## Alice, the software developer
|
||
|
||
Alice is a freelance dev who works on several projects for different clients
|
||
simultaneously. The projects have varying requirements and often different
|
||
build environments. She has a separate set of qubes for each project. She keeps
|
||
them organized by coming up with a naming scheme, such as:
|
||
|
||
```
|
||
clientA-code
|
||
clientA-build
|
||
clientA-test
|
||
clientA-prod
|
||
projectB-code
|
||
projectB-build-test
|
||
projectB-prod
|
||
...
|
||
```
|
||
|
||
This helps her keep groups of qubes organized in a set. Some of her qubes are
|
||
based on [Debian templates](/doc/templates/debian/), while others are based on
|
||
[Fedora templates](/doc/templates/fedora/). The reason for this is that some
|
||
software packages are more readily available in one distribution as opposed to
|
||
the other. Alice's setup looks like this:
|
||
|
||
[![Alice's system: diagram 1](/attachment/doc/howto_use_qubes_alice_1.png)](/attachment/doc/howto_use_qubes_alice_1.png)
|
||
|
||
- **Several qubes for writing code.** Here's where she runs her IDE, commits
|
||
code, and signs her commits. These qubes are based on different templates
|
||
depending on which tools and which development environment she needs. In
|
||
general, Alice likes to have a separate qube of this type for each client or
|
||
each project. This allows her to keep everything organized and avoid
|
||
accidentally mixing up any access credentials or client code, which could be
|
||
disastrous. This also allows her to truthfully tell her clients that their
|
||
code is always securely isolated from all her other clients. She likes to use
|
||
the [Qubes firewall](/doc/firewall/) to restrict these qubes' network access
|
||
to only the code repositories she needs in that qube in order to avoid
|
||
accidentally interacting with anything else on her local network or on the
|
||
internet. Alice also has some qubes of this type for personal programming
|
||
projects that she works on just for fun when she has "free time" (whatever
|
||
that is).
|
||
|
||
- **Several qubes for building and testing.** Again, Alice usually likes to
|
||
have one of these for each client or project in order to keep things
|
||
organized. However, this can become rather cumbersome and memory-intensive
|
||
when many such qubes are running at the same time, so Alice will sometimes
|
||
use the same qube for building and testing, or for multiple projects that
|
||
require the same environment, when she decides that the marginal benefits of
|
||
extra compartmentalization aren't worth the trouble. Here's where she pulls
|
||
any dependencies she needs, compiles her code, runs her build toolchain, and
|
||
tests her deliverables. In some cases, she finds it useful to use
|
||
[standalones](/doc/standalones-and-hvms/) for these so that it's easier to
|
||
quickly [install different pieces of software](/doc/how-to-install-software/)
|
||
without having to juggle rebooting both the template and an app qube. She
|
||
also sometimes finds it necessary (or just convenient) to make edits to
|
||
config files in the root filesystem, and she'd rather not have to worry about
|
||
losing those changes during an app qube reboot. She knows that she could use
|
||
[bind-dirs](/doc/bind-dirs/) to make those changes persistent, but sometimes
|
||
she doesn't want to get bogged down doing with all that and figures it
|
||
wouldn't be worth it just for this one qube. She's secretly glad that Qubes
|
||
OS doesn't judge her this and just gives her the freedom to do things however
|
||
she likes while keeping everything securely compartmentalized. At times like
|
||
these, she takes comfort in knowing that things can be messy and disorganized
|
||
*within* a qube while her overall digital life remains well-organized.
|
||
|
||
[![Alice's system: diagram 2](/attachment/doc/howto_use_qubes_alice_2.png)](/attachment/doc/howto_use_qubes_alice_2.png)
|
||
|
||
- **Several email qubes.** Since Alice is a command-line aficionado, she likes
|
||
to use a terminal-based email client, so both her work and personal email
|
||
qubes are based on a template with
|
||
[Mutt](https://forum.qubes-os.org/t/18989)
|
||
installed. The email qubes where she sends and receives PGP-signed and
|
||
encrypted email securely accesses the private keys in her PGP backend qube
|
||
(more on that below). To guard against malicious attachments, she configured
|
||
Mutt to open all attachment files in [disposable
|
||
qubes](/doc/how-to-use-disposables/).
|
||
|
||
- **Several qubes for communication tools,** like Signal, Slack, Zoom,
|
||
Telegram, IRC, and Discord. This is where she teleconferences and chats with
|
||
clients. She uses [USB passthrough](/doc/how-to-use-usb-devices/) to attach
|
||
her webcam to each qube as needed and detaches it afterward. Likewise, she
|
||
gives each qube access to her microphone while it's needed, then removes
|
||
access afterward. This way, she doesn't have to trust any given video chat
|
||
program's mute button and doesn't have to worry about being spied on when
|
||
she's not on a call. She also has a qube for social media platforms like
|
||
Twitter, Reddit, and Hacker News for networking and keeping up with new
|
||
developments (or so she claims; in reality, it's mostly for feuds over
|
||
programming language superiority, Vim vs. Emacs wars, and tabs vs. spaces
|
||
crusades).
|
||
|
||
- **A GPG backend vault.** Vaults are completely offline qubes that are
|
||
isolated from the network. This particular vault holds Alice's private keys
|
||
(e.g., for code signing and email) and is securely accessed by several other
|
||
"frontend" qubes via the [Split GPG](/doc/split-gpg/) system. Split GPG
|
||
allows only the frontend qubes that Alice explicitly authorizes to have the
|
||
ability to request PGP operations (e.g., signing and encryption) in the
|
||
backend vault. Even then, no qube ever has direct access to Alice's private
|
||
keys except the backend vault itself.
|
||
|
||
- **A password manager vault.** This is another completely offline,
|
||
network-isolated qube where Alice uses her offline password manager,
|
||
KeePassXC, to store all of her usernames and passwords. She uses the [secure
|
||
copy and paste](/doc/how-to-copy-and-paste-text/) system to quickly copy
|
||
credentials into other qubes whenever she needs to log into anything.
|
||
|
||
- **Personal qubes.** One of the things Alice loves the most about Qubes is
|
||
that she can use it for both work *and* personal stuff without having to
|
||
worry about cross-contamination. Accordingly, she has several qubes that
|
||
pertain to her personal life. For example, she has an offline vault that
|
||
holds her medical documents, test results, and vaccination records. She has
|
||
another offline vault for her government documents, birth certificate, scans
|
||
of her passport, and so on. She also has some personal social media accounts
|
||
in a separate qube for keeping up with family members and friends from
|
||
school.
|
||
|
||
When she finishes her work for a given client, Alice sends off her
|
||
deliverables, [backs up](/doc/how-to-back-up-restore-and-migrate/) the qubes
|
||
containing the work for that client, and deletes them from her system. If she
|
||
ever needs those qubes again or just wants to reference them, she can easily
|
||
restore them from her backup, and the internal state of each one will be
|
||
exactly as it was when she finished that project.
|
||
|
||
|
||
## Bob, the investigative journalist
|
||
|
||
As part of his research and reporting, Bob is frequently forced to interact
|
||
with suspicious files, often from anonymous sources. For example, he may
|
||
receive an email with an attachment that claims to be a tip about a story he's
|
||
working on. Of course, he knows that it could just as easily be malware
|
||
intended to infect his computer. Qubes OS is essential for Bob, since it allows
|
||
him to handle all this suspicious data securely, keeping it compartmentalized
|
||
so that it doesn't risk infecting the rest of his machine.
|
||
|
||
Bob isn't a super technical guy. He prefers to keep his tools simple so he can
|
||
focus on what's important to him: uncovering the truth, exposing the guilty,
|
||
exonerating the innocent, and shining light on the dark corners of society. His
|
||
mind doesn't naturally gravitate to the technical details of how his computer
|
||
works, but he's aware that people are getting hacked all the time and that the
|
||
nature of his work might make him a target. He wants to protect his sources,
|
||
his colleagues, his family, and himself; and he understands that computer
|
||
security is an important part of that. He has a Qubes laptop that he uses only
|
||
for work, which contains:
|
||
|
||
[![A diagram of Bob's system](/attachment/doc/howto_use_qubes_bob.png)](/attachment/doc/howto_use_qubes_bob.png)
|
||
|
||
- **One offline qube for writing.** It runs only LibreOffice Writer. This is
|
||
where Bob does all of his writing. This window is usually open side-by-side
|
||
with another window containing research or material from a source.
|
||
|
||
- **Multiple email qubes.** One is for receiving emails from the general
|
||
public. Another is for emailing his editor and colleagues. Both are based on
|
||
a [minimal template](/doc/templates/minimal/) with Thunderbird installed.
|
||
He's configured both to open all attachments in
|
||
[disposables](/doc/how-to-use-disposables/) that are offline in case an
|
||
attachment contains a beacon that tries to phone home.
|
||
|
||
- **Whonix qubes.** He has the standard `sys-whonix` service qube for providing
|
||
Torified network access, and he uses disposable `anon-workstation` app qubes
|
||
for using Tor Browser to do research on stories he's writing. Since the topic
|
||
is often of a sensitive nature and might implicate powerful individuals, it's
|
||
important that he be able to conduct this research with a degree of
|
||
anonymity. He doesn't want the subjects of his investigation to know that
|
||
he's looking into them. He also doesn't want his network requests being
|
||
traced back to his work or home IP addresses. Whonix helps with both of these
|
||
concerns. He also has another Whonix-based disposable template for receiving
|
||
tips anonymously via Tor, since some high-risk whistleblowers he's interacted
|
||
with have said that they can't take a chance with any other form of
|
||
communication.
|
||
|
||
- **Two qubes for
|
||
[Signal](https://forum.qubes-os.org/t/19073).**
|
||
Bob has two Signal app qubes (both on the same template in which the Signal
|
||
desktop app is installed). One is linked to his own mobile number for
|
||
communicating with co-workers and other known, trusted contacts. The other is
|
||
a public number that serves as an additional way for sources to reach him
|
||
confidentially. This is especially useful for individuals who don't use Tor
|
||
but for whom unencrypted communication could be dangerous.
|
||
|
||
- **Several data vaults.** When someone sends Bob material that turns out to be
|
||
useful, or when he comes across useful material while doing his own research,
|
||
he stores a copy in a completely offline, network-isolated vault qube. Most
|
||
of these files are PDFs and images, though some are audio files, videos, and
|
||
text files. Since most of them are from unknown or untrusted sources, Bob
|
||
isn't sure if it would be safe to put them all in the same vault, so he makes
|
||
different vaults (usually one for each story or topic) just in case. This has
|
||
the side benefit of helping to keep things organized.
|
||
|
||
- **A [VPN
|
||
qube](https://forum.qubes-os.org/t/19061)
|
||
and associated qubes for accessing work resources.** The servers at work can
|
||
only be accessed from the organization's network, so Bob has certain qubes
|
||
that are connected to a VPN qube so that he can upload his work and access
|
||
anything he needs on the local network when he's not physically there.
|
||
|
||
- **A password manager vault.** Bob stores all of his login credentials in the
|
||
default password manager that came with his offline vault qube. He [securely
|
||
copies and pastes](/doc/how-to-copy-and-paste-text/) them into other qubes as
|
||
needed.
|
||
|
||
A colleague helped Bob set up his Qubes system initially and showed him how to
|
||
use it. Since Bob's workflow is pretty consistent and straightforward, the way
|
||
his qubes are organized doesn't change much, and this is just fine by him. His
|
||
colleague told him to remember a few simple rules: Don't copy or move
|
||
[text](/doc/how-to-copy-and-paste-text/) or
|
||
[files](/doc/how-to-copy-and-move-files/) from less trusted to more trusted
|
||
qubes; [update](/doc/how-to-update/) your system when prompted; and make
|
||
regular [backups](/doc/how-to-back-up-restore-and-migrate/). Bob doesn't have
|
||
the need to try out new software or tweak any settings, so he can do everything
|
||
he needs to do on a daily basis without having to interact with the command
|
||
line.
|
||
|
||
|
||
## Carol, the investor
|
||
|
||
Carol works hard and lives below her means so that she can save money and
|
||
invest it for her future. She hopes to become financially independent and maybe
|
||
even retire early someday, and she's decided that her best bet for achieving
|
||
this is by investing for the long term and allow compounding to do its work.
|
||
However, after doing some research into her country's consumer financial
|
||
protection laws, she learned that there's no legal guarantee that customers
|
||
will be made whole in the event of theft or fraud. The various insurance and
|
||
protection organizations only guarantee recovery in the case of a financial
|
||
institution *failing*, which is quite different from an individual customer
|
||
being hacked. Moreover, even though many financial institutions have their own
|
||
cybercrime policies, rarely, if ever, do they explicitly guarantee
|
||
reimbursement in the event that a *customer* gets hacked (rather than the
|
||
institution itself).
|
||
|
||
<div class="alert alert-warning" role="alert">
|
||
<i class="fa fa-exclamation-circle"></i>
|
||
Carol looked into how thieves might actually try to steal her hard-earned
|
||
wealth and was surprised to learn that they have all sorts of ploys that she
|
||
had never even considered. For example, she had assumed that any theft would,
|
||
at the bare minimum, have to involve transferring money out of her account.
|
||
That seems like a safe assumption. But then she read about "pump and dump"
|
||
attacks, where thieves buy up some penny stock, hack into innocent people's
|
||
brokerage accounts, then use the victims' funds to buy that same penny stock,
|
||
"pumping" up its price so that the thieves can "dump" their shares on the
|
||
market, leaving the victims with worthless shares. No money is ever
|
||
transferred into or out of the victims' account; it's just used to buy and
|
||
sell securities. So, all the safeguards preventing new bank accounts from
|
||
being added or requiring extra approval for outbound transfers do nothing to
|
||
protect victims' funds in cases like these. And this is just one example!
|
||
Carol realized that she couldn't assume that existing safeguards against
|
||
specific, known attacks were enough. She had to think about security at a
|
||
more fundamental level and design it into her digital life from the ground
|
||
up.
|
||
</div>
|
||
|
||
After learning about all this, Carol decided that it was ultimately up to her
|
||
to take care of her own cybersecurity. She couldn't rely on anyone else to do
|
||
it for her. Sure, most people just use regular consumer tech and will probably
|
||
end up fine, but, she reminded herself, most people also don't have as much to
|
||
lose. It's not a risk that she was willing to take with her future, especially
|
||
knowing that there's probably no government bailout waiting for her and that
|
||
all the brokerage firms' vaguely reassuring marketing language about
|
||
cybersecurity isn't legally binding. So, Carol started reading more about
|
||
computer security and eventually stumbled upon Qubes OS after searching the web
|
||
for "most secure operating system." She read about how it's designed and why.
|
||
Although she didn't immediately understand all of the technical details, the
|
||
fundamental principle of [security-by-compartmentalization](/doc/architecture/)
|
||
made intuitive sense to her, and the more she learned about the technical
|
||
aspects, the more she realized that this is what she'd been looking for. Today,
|
||
her setup looks like this:
|
||
|
||
[![A diagram of Carol's system](/attachment/doc/howto_use_qubes_carol.png)](/attachment/doc/howto_use_qubes_carol.png)
|
||
|
||
- **One qube for each investment firm and bank.** Carol has a few different
|
||
retirement accounts, brokerage accounts, and bank accounts. She treats each
|
||
qube like a "secure terminal" for accessing only that one institution's
|
||
website. She makes her transactions and saves any statements and
|
||
confirmations she downloads in that qube. She uses the [Qubes
|
||
firewall](/doc/firewall/) to enable access only to that institution's website
|
||
in that qube so that she doesn't accidentally visit any others. Since most of
|
||
what she does involves using websites and PDFs, most of Carol's app qubes are
|
||
based on a [minimal template](/doc/templates/minimal/) with just a web
|
||
browser (which doubles as a PDF viewer) and a file manager installed.
|
||
|
||
- **One qube for all her credit card accounts.** Carol started to make a
|
||
separate qube for each credit card account but ultimately decided against it.
|
||
For one thing, the consumer protections for credit card fraud in her country
|
||
are much better than for losing assets to theft or fraud in a bank or
|
||
brokerage account, so the security risk isn't as high. Second, there's
|
||
actually not a whole lot that an attacker could do with access to her credit
|
||
cards' online accounts or her old credit card statements, since online access
|
||
to these generally doesn't allow spending or withdrawing any money. So, even
|
||
the worst case scenario here wouldn't be catastrophic, unlike with her bank
|
||
and brokerage accounts. Third, she's not too worried about any of her credit
|
||
card company websites being used to attack each other or her qube. (As long as
|
||
it's contained to a single qube, she's fine with that level of risk.) Last,
|
||
but not least: She has way too many credit cards! While Carol is very frugal,
|
||
she likes to collect the sign-up bonuses that are offered for opening new
|
||
cards, so she's accumulated quite a few of them. (However, she's always
|
||
careful to pay off her balance each month, so she never pays interest. She's
|
||
also pretty disciplined about only spending what she would have spent
|
||
*anyway* and not being tempted to spend more just to meet a spending
|
||
requirement or because she can.) At any rate, Carol has decided that the tiny
|
||
benefit she stands to gain from having a separate qube for every credit card
|
||
website wouldn't be worth the hassle of having to manage so many extra qubes.
|
||
|
||
- **A qube for credit monitoring, credit reports, and credit history
|
||
services.** Carol has worked hard to build up a good credit score, and she's
|
||
concerned about identity theft, so she has one qube dedicated to managing her
|
||
free credit monitoring services and downloading her free annual credit
|
||
reports.
|
||
|
||
- **Two qubes for taxes.** Carol has a [Windows
|
||
qube](https://github.com/Qubes-Community/Contents/blob/master/docs/os/windows/windows.md)
|
||
for running her Windows-only tax software. She also has an offline vault
|
||
where she stores all of her tax-related forms and documents, organized by
|
||
year.
|
||
|
||
- **A qube for financial planning and tracking.** Carol loves spreadsheets, so
|
||
this offline qube is where she maintains a master spreadsheet to track all of
|
||
her investments and her savings rate. She also keeps her budgeting
|
||
spreadsheet, insurance spreadsheet, and written investment policy statement
|
||
here. This qube is based on a template with some additional productivity
|
||
software, like LibreOffice and Gnumeric (so that Carol can run her own Monte
|
||
Carlo simulations).
|
||
|
||
- **Various email qubes.** Carol likes to have one email qube for her most
|
||
important financial accounts; a separate one for her credit cards accounts,
|
||
online shopping accounts, and insurance companies; and another one for
|
||
personal email. They're all based on the same template with Thunderbird
|
||
installed.
|
||
|
||
- **A password manager vault.** A network-isolated qube where Carol stores all
|
||
of her account usernames and passwords in KeePassXC. She uses the [Qubes
|
||
global clipboard](/doc/how-to-copy-and-paste-text/) to copy and paste them
|
||
into her other qubes when she needs to log into her accounts.
|
||
|
||
|
||
### Bonus: Carol explores new financial technology
|
||
|
||
The vast majority of Carol's assets are in broad-based, low-cost,
|
||
passively-managed indexed funds. Lately, however, she's started getting
|
||
interested in cryptocurrency. She's still committed to staying the course with
|
||
her tried-and-true investments, and she's always been skeptical of new asset
|
||
classes, especially those that don't generate cash flows or that often seem to
|
||
be associated with scams or wild speculation. However, she finds the ability to
|
||
self-custody a portion of her assets appealing from a long-term risk management
|
||
perspective, particularly as a hedge against certain types of political risk.
|
||
|
||
<div class="alert alert-danger" role="alert">
|
||
<i class="fa fa-exclamation-triangle"></i>
|
||
Some of Carol's friends warned her that cryptocurrency is extremely volatile
|
||
and that hacking and theft are common occurrences. Carol agreed and reassured
|
||
them that she's educated herself about the risks and will make sure she never
|
||
invests more than she can afford to lose.
|
||
</div>
|
||
|
||
Carol has added the following to her Qubes setup:
|
||
|
||
- **A standalone qube for running Bitcoin Core and an offline wallet vault.**
|
||
Carol finds the design and security properties of Bitcoin very interesting,
|
||
so she's experimenting with running a full node. She also created a
|
||
network-isolated vault in order to try running a copy of Bitcoin Core
|
||
completely offline as a "cold storage" wallet. She's still trying to figure
|
||
out how this compares to an actual hardware wallet, paper wallet, or
|
||
physically air-gapped machine, but she's figures they all have different
|
||
security properties. She also recently heard about using [Electrum as a
|
||
"split" wallet in
|
||
Qubes](https://forum.qubes-os.org/t/19017)
|
||
and is interested in exploring that further.
|
||
|
||
- **Whonix qubes.** Carol read somewhere that Bitcoin nodes should be run over
|
||
Tor for privacy and security. She found it very convenient that Whonix is
|
||
already integrated into Qubes, so she simply set her Bitcoin Core "full node"
|
||
qube to use `sys-whonix` as its networking qube.
|
||
|
||
- **Various qubes for DeFi and web3.** Carol has also started getting into DeFi
|
||
(decentralized finance) and web3 on Ethereum and other smart contract
|
||
blockchains, so a friend recommended that she get a Ledger hardware wallet.
|
||
She downloaded the Ledger Live software in an app qube and [set up her system
|
||
to recognize the
|
||
Ledger](https://www.kicksecure.com/wiki/Ledger_Hardware_Wallet). She can now
|
||
start her [USB qube](/doc/usb-qubes/), plug her Ledger into it into a USB
|
||
port, [use the Qubes Devices widget to attach it](/doc/how-to-use-devices/)
|
||
to her Ledger Live qube, and from there she can interact with the software.
|
||
She has a separate qube with the Metamask extension installed in a web
|
||
browser. She can also use the Qubes Devices widget to attach her Ledger to
|
||
this qube so she can use Metamask in conjunction with her Ledger to interact
|
||
with smart contracts and decentralized exchanges.
|
||
|
||
- **Various qubes for research and centralized exchanges.** Carol uses these
|
||
when she wants to check block explorer websites, coin listing and market cap
|
||
sites, aggregation tools, or just to see what the latest buzz is on Crypto
|
||
Twitter.
|
||
|
||
Carol makes sure to back up all of her qubes that contain important account
|
||
statements, confirmations, spreadsheets, cryptocurrency wallets, and her
|
||
password manager vault. If she has extra storage space, she'll also back up her
|
||
templates and even her Bitcoin full node qube, but she'll skip them if she
|
||
doesn't have time or space, since she knows she can always recreate them again
|
||
later and download what she needs from the Internet.
|
||
|
||
## John, the teacher
|
||
|
||
John is a teacher at a high school, teaching mathematics and history. He is used
|
||
to setting up his workstation but has not the time or inclination to dive deeper
|
||
into technical details. So he has installed Qubes in a rather simple way mainly
|
||
using the installation defaults and just adding a few well-documented features
|
||
like Split GPG.
|
||
|
||
[![Simple VM setup](/attachment/doc/Simple_Setup.png)](/attachment/doc/Simple_Setup.png)
|
||
|
||
- **One qube for surfing.** `untrusted` is just the standard qube coming with the Qubes
|
||
installation, based on the standard Fedora template, but with Thunderbird removed.
|
||
It is intended for surfing arbitrary locations and may be at risk from some websites.
|
||
Consequently, it does not keep any valuable data and has no facilities to view or
|
||
edit office documents.
|
||
|
||
- **One offline qube for writing.** `work` is the qube used to edit documents – even
|
||
MS office documents. It is based on an extended Fedora template containing additional
|
||
software like LibreOffice, GIMP, Wine, and some Windows applications. It has no netVM
|
||
and so the risk of an infected document contacting a hacker’s control server is minimized.
|
||
|
||
- **One qube for access to trusted servers.** `personal` is used to access only trusted
|
||
websites like home banking, and the firewall rules for this qube restrict it to these
|
||
locations. It is based on the same extended Fedora template. John uses this qube for
|
||
access to his mail server, too, but does not process any documents received by mail
|
||
in this qube. Any office documents from this qube are only opened in disposables in order
|
||
to reduce the risk of infection.
|
||
|
||
- **One qube for preparing teaching material for his students.** `Windows` is the workhorse
|
||
used to execute anything needed for teaching. It is based on a Windows 7 template with QWT
|
||
installed as most of John’s students work with Windows PCs. In order to reduce the risks
|
||
for such an AppVM, and possible risks caused by it, its internet access is limited, again
|
||
by a firewall rule, to the servers providing material for teaching.
|
||
|
||
- **One qube for protected access to sensible websites.** `whonix` is just the standard
|
||
AppVM `anon-whonix` based on the `whonix-ws` coming with the Qubes installation. It is
|
||
used for all accesses over Tor and could as well be replaced by a disposable. John, who is
|
||
engaged in a project for helping mentally disabled people, uses this qube to avoid tracking
|
||
his access to the project’s server.
|
||
|
||
- **One offline qube for keeping the private PGP key.** `vault` is the key part of Split GPG,
|
||
just as described in the Qubes documentation, keeping the private PGP key.
|
||
|
||
- **One offline qube for permanent data storage.** `storage` finally is a qube based on the
|
||
standard Debian template and, having no applications and no network access, it is used
|
||
explicitly and only for permanent data storage, and it is the only qube whose data is regarded
|
||
as valuable and worth keeping. The Fedora-based qubes might even be configured as disposables, and,
|
||
if you are willing to accept the rather slow start of Windows, even the qube `Windows` might be
|
||
created as a disposable.
|
||
|
||
This is a rather simplistic design, intended to show that with a minimum effort a decent level
|
||
of security can be reached, and it is a first implementation showing how John can compartmentalize
|
||
his digital life, as described in the Qubes documentation. Once the templates are set up with
|
||
the necessary software like LibreOffice and
|
||
Split GPG is installed, setting up this structure takes only a few minutes, but it is much more
|
||
secure than, for instance, a Windows 10 installation based on the available hardening studies,
|
||
which are quite useless for a practical environment, especially for a user like John.
|
||
|
||
|
||
## Conclusion
|
||
|
||
The characters we've met today may be fictional, but they represent the needs
|
||
of real users like you. You may find that your own needs overlap with more than
|
||
one of them, in which case you may find it useful to model certain subsets of
|
||
your overall Qubes system on different examples. You probably also noticed that
|
||
there are commonalities among them. Most people need to use email, for example,
|
||
so most people will need at least one email qube and a suitable template to
|
||
base it on. But not everyone will need [Split GPG](/doc/split-gpg/), and not
|
||
everyone will want to use the same email client. On the other hand, almost
|
||
everyone will need a password manager, and it pretty much always makes sense to
|
||
keep it in an offline, network-isolated vault.
|
||
|
||
<div class="alert alert-info" role="alert">
|
||
<i class="fa fa-circle-info"></i>
|
||
As you gain experience with Qubes, you may find yourself disagreeing with
|
||
some of the decisions our fictional friends made. That's okay! There are many
|
||
different ways to organize a Qubes system, and the most important criterion
|
||
is that it serves the needs of its owner. Since everyone's needs are
|
||
different, it's perfectly normal to find yourself doing things a bit
|
||
differently. Nonetheless, there are some general principles that almost all
|
||
users find helpful, especially when they're first starting out.
|
||
</div>
|
||
|
||
As you're designing your own Qubes system, keep in mind some of the following
|
||
lessons from our case studies:
|
||
|
||
- **You'll probably change your mind as you go.** You'll realize that one qube
|
||
should really be split into two, or you'll realize that it doesn't really
|
||
make sense for two qubes to be separate and that they should instead be
|
||
merged into one. That's okay. Qubes OS supports your ability to adapt and
|
||
make changes as you go. Try to maintain a flexible mindset. Things will
|
||
eventually settle down, and you'll find your groove. Changes to the way you
|
||
organize your qubes will become less drastic and less frequent over time.
|
||
|
||
- **[Make frequent backups.](/doc/how-to-back-up-restore-and-migrate/)** Losing
|
||
data is never fun, whether it's from an accidental deletion, a system crash,
|
||
buggy software, or a hardware failure. By getting into the habit of making
|
||
frequent backups now, you'll save yourself from a lot of pain in the future.
|
||
Many people never take backups seriously until they suffer catastrophic data
|
||
loss. That's human nature. If you've experienced that before, then you know
|
||
the pain. Resolve now never to let it happen again. If you've never
|
||
experienced it, count yourself lucky and try to learn from the hard-won
|
||
experience of others. Keeping good backups also allows you to be a bit more
|
||
free with reorganizations. You can delete qubes that you think you won't need
|
||
anymore without having to worry that you might need them again someday, since
|
||
you know you can always restore them from a backup.
|
||
|
||
- **Think about which programs you want to run and where you want to store
|
||
data.** In some cases, it makes sense to run programs and store data in the
|
||
same qube, for example, if the data is generated by that program. In other
|
||
cases, it makes sense to have qubes that are exclusively for storing data
|
||
(e.g., offline data storage vaults) and other qubes that are exclusively for
|
||
running programs (e.g., web browser-only qubes). Remember that when you make
|
||
backups, it's only essential to back up data that can't be replaced. This can
|
||
allow you to achieve minimal backups that are quite small compared to the
|
||
total size of your installation. Templates, service qubes, and qubes that are
|
||
used exclusively for running programs and that contain no data don't
|
||
necessarily have to be backed up as long as you're confident that you can
|
||
recreate them if needed. This is why it's a good practice to keep notes on
|
||
which packages you installed in which templates and which customizations and
|
||
configurations you made. Then you can refer to your notes the next time you
|
||
need to recreate those qubes. Of course, backing up everything is not a bad
|
||
idea either. It may require a bit more time and disk space upfront, but for
|
||
some people, it can be just as important as backing up their irreplaceable
|
||
data. If your system is mission-critical, and you can't afford more than a
|
||
certain amount of downtime, then by all means, back everything up!
|
||
|
||
- **Introspect on your own behavior.** For example, if you find yourself
|
||
wanting to find some way to get two qubes to share the same storage space,
|
||
then this is probably a sign that those two qubes shouldn't be separate in
|
||
the first place. Sharing storage with each other largely breaks down the
|
||
secure wall between them, making the separation somewhat pointless. But you
|
||
probably had a good reason for wanting to make them two separate qubes
|
||
instead of one to begin with. What exactly was that reason? If it has to do
|
||
with security, then why are you okay with them freely sharing data that could
|
||
allow one to infect the other? If you're sure sharing the data wouldn't cause
|
||
one to infect the other, then what's the security rationale for keeping them
|
||
separate? By critically examining your own thought process in this way, you
|
||
can uncover inconsistencies and contradictions that allow you to better
|
||
refine your system, resulting in a more logical organization that serves your
|
||
needs better and better over time.
|
||
|
||
- **Don't assume that just because *you* can't find a way to attack your
|
||
system, an adversary wouldn't be able to.** When you're thinking about
|
||
whether it's a good idea to combine different activities or data in a single
|
||
qube, for example, you might think, "Well, I can't really see how these pose
|
||
a risk to each other." The problem is that we often miss attack vectors that
|
||
sophisticated adversaries spot and can use against us. After all, most people
|
||
don't think that using a conventional monolithic operating system is risky,
|
||
when in reality their entire digital life can be taken down in one fell
|
||
swoop. That's why a good rule of thumb is: When in doubt, compartmentalize.
|
||
|
||
- **But remember that compartmentalization --- like everything else --- can be
|
||
taken to an extreme.** The appropriate amount depends on your temperament,
|
||
time, patience, experience, risk tolerance, and expertise. In short, there
|
||
can be such a thing as *too much* compartmentalization! You also have to be
|
||
able to actually *use* your computer efficiently to do the things you need to
|
||
do. For example, if you immediately try to jump into doing everything in
|
||
[disposables](/doc/how-to-use-disposables/) and find yourself constantly
|
||
losing work (e.g., because you forget to transfer it out before the
|
||
disposable self-destructs), then that's a big problem! Your extra
|
||
self-imposed security measures are interfering with the very thing they're
|
||
designed to protect. At times like these, take a deep breath and remember
|
||
that you've already reaped the vast majority of the security benefit simply
|
||
by using Qubes OS in the first place and performing basic
|
||
compartmentalization (e.g., no random web browsing in templates). Each
|
||
further step of hardening and compartmentalization beyond that represents an
|
||
incremental gain with diminishing marginal utility. Try not to allow the
|
||
perfect to be the enemy of the good!
|