Discussion in 'privacy technology' started by driekus, Sep 18, 2015.
Simply put - she is the best!
Thank you, I was just about to edit my post when I saw your reply.
This from the qubes website -
"Note: We don’t recommend installing Qubes in a virtual machine! It will likely not work. Please don’t send emails asking about it."
Yes, the Live USB version has always appeared to be behind the latest main stable release.
Also, they recommend a minimum of 32 GB USB stick to run it on!
Thanks, giving it an outing on a Q6600 8G desktop machine with multi-monitors and a basic ATI card. All functions working smoothly so far, no problems with the ATI card. When I get an idle moment, I'm gearing myself up to test the anti-evil maid since there's a TPM chip.
It's rather galling that the Q6600 is still a credible 4-core processor (after all these years, I loved it on release in Q1 07), and illustrates Intel's price larceny on anything above 4 cores - which is a real pain for the desktop machine I'd ideally want for Qubes.
Edward Snowden says he uses Qubes OS. https://twitter.com/Snowden/status/781493632293605376
Yeah, because of all the VMs. Standard it comes with Fedora dom0 adminVM, Fedora TemplateVM, Debian TemplateVM, and dual Whonix TemplateVMs. (Though you can unselect at installation.)
Yeah, it's a shame from Intel. Also, still too many 2-core mobile CPUs.
Sadly, it's not going to change on the desktop anytime soon since they're fanatical about protecting their mainstream server business, it's not just milking the cash cow. The only mitigating factor is the availability of cheap xeon server pulls.
The 2-core mobile CPUs are in a way worse since they're marketed under the i5 and i7 banner. You have to go out of your way to get a 4 core laptop & pay your dues. We can but hope the mobile/tablet octacore cpus shake that up a bit. Still, Qubes does run on a 2-core laptop i5 with 8G, but not what I want.
I've looked on the Qubes site, checked the documentation link there, done Google searches, and even checked the Wikipedia page, but apparently I'm overlooking this piece of information (or it's a really dumb question): what filesystems are available for the installation of Qubes? Also, what methods are available for encryption? One Google result seemed to suggest it uses EXT4, and I'm assuming thus that I can use dm-crypt (though prolly not LUKS, right?) for encryption?
Since this isn't actually a Linux distro but rather a Xen hypervisor, I am completely clueless as to how filesystems/encryption are/is handled. I'd love to use LUKS and btrfs (since I could simply add a subvolume for Qubes on my existing Arch/Debian btrfs partition), but that's probably impossible.
I take it you've seen?:
Does Qubes use full disk encryption (FDE)?
Yes, of course! Full disk encryption is enabled by default. Specifically, we use LUKS/dm-crypt. You can even manually configure your encryption parameters, if you like!
I'm pretty sure the Dom0 Fedora uses Ext4 LVM and it will ask you about boot encryption on installation; but the answer on the filesystem, for each of the templates depends on what we're talking about, and I think you could set them up how you want if you're prepared to build/adapt your own template - they're just a guest running under Xen ultimately, with memory transfer mediated by Qubes. After all, with a Windows 7 template, that's going to be NTFS.
You can run Qubes on a separate USB3 drive selected on boot on many systems if you wanted to check that out.
If you haven't noticed by other posts I always do homework before I post stuff. I honestly have no idea how I missed the links you gave - it's all right there...
In terms of the info you gave, perfect. I'm familiar with LUKS and ext4, the desktop environments (KDE or XFCE), Fedora and Debian (have had both installed - still have Debian), etc. I should have no issues once I set aside time for the install.
Thanks for the links/info
You're welcome, very happy to share experiences/improve my own knowledge here....!
The addition of Debian to the templates previously was fantastic, that's what I tend to use most. I quite like Fedora, but life is short...
Just a quick report on a budget Qubes Desktop build with VT-d and TPM, on Qubes 3-2. This might be of interest to those who may have some of the parts, and where this isn't a full production machine, but allows very credible Qubes performance and testing.
It's a 4-core 115W Q6600 cpu from way back, and 8G ddr2 Ram.
DQ35JO Intel Motherboard (no PS/2 keyboard and mouse though)
Ati Radeon HD 5440 (an older gpu, silent about 20W, with hdmi)
Aukey 4 port usb3 pci-e x1 card (for testing Usb assignments)
The q6600 goes for around $15, while the mobo is around $20. Main constraint is 8G RAM - for a full production desktop, I'd base it on an 8 core xeon server pull and much more RAM.
HCL reports all working with VT-d and TPM, and no issues with graphics card. Dual desktop works fine. I'll try a more modern GPU asap. I had to upgrade the BIOS to 1143.2010 to get VT-d to work.
USB isolation and Anti-Evil-Maid on the TPM, to be done.
Using a static password on Yubikey for disk encryption password works fine, I'll be testing the OTP on PAM for user login.
Due to issues with AMT vulnerabilities described below, boards based on Q45 might be better, but something to be aware of anyway.
Qubes Security Bulletin #27
Coldkernel on Qubes pt.1
Secure Desktops with Qubes: Extra Protection
Qubes-Whonix DisposableVM documentation created
Happy New Year to everyone!
Lots of time has passed since I first tried out Qubes. Over the holidays I had enough time to get my head around the latest Qubes release. I decided to not update from the previous version and do a clean install instead. I even created all templates and apps from scratch (not entirely true, I used the templates from the repositories).
To be honest, I had so much fun that I became a little obsessed with Qubes. Since version 3 I liked Qubes very much but I think it's becoming better and better.
My understanding of a lot of processes involved has improved over the last 3 years.
I now use fedora, debian, archlinux and whonix apps. I have a Windows7 HVM for a few programmes I like.
I use a USB-qube for two USB-3.0 ports, so external drives don't have access to dom0.
I set up an offline bitcoin wallet + watching wallet but I forgot most about bitcoins because the last time I used them was three years ago.
I set up different VPN-Gateways for apps and whonix. I use Tor over VPN in whonix which seems to be working fine but I have to learn more about whonix in order to use it on a daily basis.
I also use multi-factor authentication with qubes. Works great with several accounts.
My to do list:
Almost every guide from the docs that wasn't mentioned above ;-) especially split gpg, anonymizing MAC address and maybe YubiKey user authentication.
What about the other enthusiasts here?
Edit: What's your take on antivirus on Windows VMs? I activated Microsoft Essentials but I wonder if that's really necessary...
Maybe I will deactivate NetVM on Windows because I only needed it for installing and updating.
Thanks for your update, I share your enthusiasm; I'm still a way away from taking the plunge into production, as I'll continue to do ad hoc similar stuff with a normal VM setup for a while yet, but it's on my wishlist. I think the restrictiveness of the environment is actually a strength and a discipline, and a separate machine is suitable for more ad hoc stuff anyway. I'm intending to implement the Yubikey login as I already do this for Windows anyway, and I already use a static password (with decoration) in a Yubikey slot for the FDE.
Regarding AV on Windows VMs, my take is no, depending on your use case. I'd be browsing and mailing from linux VMs of various kinds, so the Windows VM is only for installing applications which would pass AV scanning anyway. And much of the time, I'd not need the Windows VM connected in any case (apart from installing or updating as you note). Given that use case, I don't see that AV will give you that much, and clearly, it has risks and costs of its own.
After my first steps with Qubes 1 on a laptop that wasn't suited for Qubes and myself being totally clueless about how everything worked I bought a used laptop exactly for that purpose. I still switch systems via hdd caddy pretty regularly for different purposes like streaming media or the occasional game. I librebooted another used laptop that I bought for very little money. What began as a means of tinkering around with something I thought I would break became sort of a hobby and is in daily use for a pretty long time now, without major problems. So I use different devices as well. But not too many. With VMs it is easy to use lots of them. That's what I like.
Thanks for your input. Yes, browsing and mailing is meant for Linux, I don't plan on using the Windows VM for that. I guess I will deactivate AV and networking.
The Qubes OS website is now available as a hidden service:
Repos as well, see here how to point VMs to them:
Only 8,33% of Xen Security Advisories have affected Qubes so far:
Reminder that v3.1 has reached EOL:
Qubes Security Bulletin #29
Compromise recovery on Qubes OS
Qubes Security Bulletin #30
Qubes Security Bulletin #31
Recommended Fedora 25 TemplateVM Upgrade for Qubes 3.2
Qubes OS 4.0-rc1 has been released!
Qubes Security Bulletin #32
Also note that Kernel 4.9 has recently reached stable repositories, which is nice for better hardware compatibility.