I have been using Qubes OS off and on for the past month or so and wanted to share my experience with it so far. I’ve used it on a secondary laptop in the past, just to play around with it and learn the basics. This time, however, I bought a dedicated laptop for it with the intent of using it full-time for a segment of time. I chose a ThinkPad X230 as it is highly supported and recommended by the Qubes OS team for a variety of reasons, relatively inexpensive, highly modifiable, and parts for it are easy to come by.
If you aren’t familiar with Qubes OS, a quick and official description is “A Relatively Secure Operating System”. A more detailed description would be something along the lines of “A security focused Linux Distribution which utilizes the principle of ‘security through segmentation’ via the use of narrow-purpose VMs”. It’s based on Fedora Workstation (or whatever it is called now) and uses Xen for virtualization. If you want to read more about it, take a look at the official site https://www.qubes-os.org/, which has tons of great documentation and general information about the OS.
While the installation was relatively painless (not much more than a typical Fedora install), the hardware requirements should be noted. Due to Qubes’ goal of security and the use of virtualization, a few specific things need to be supported by the hardware it is running on. The following list is directly from the Qubes OS system requirements page. https://www.qubes-os.org/doc/system-requirements/
- 64-bit Intel or AMD processor (x86_64 aka x64 aka AMD64)
- Intel VT-x with EPT or AMD-V with RVI
- Intel VT-d or AMD-Vi (aka AMD IOMMU)
- 4 GB RAM
- 32 GiB disk space
The Qubes project also has some general recommendations, such as using a fast SSD. I would also add that having more RAM is not going to hurt.
As I had mentioned, I am using a ThinkPad X230 for my dedicated Qubes OS machine. It is an older laptop using some dated hardware, but still “modern” enough to get by. I don’t want to get too in-depth about the specs, but I’ll list out the important stuff here.
- Core i5-3210m (supports VT-x and VT-d)
- 12 GB RAM
- 160 GB SSD
- Intel graphics
While this isn’t an impressive machine by any means, it runs Qubes OS well. I did have an issue during installation where, after install, the laptop would reboot to a black screen. After a quick search, I found that this is a common and well known issue with Lenovo’s UEFI implementation and a quick and easy fix was documented on the Qubes OS site. While I have multiple gripes with the hardware itself (LCDs have come a long way since this was new, the keyboard may be third party as the keys keep falling off, the battery is third party and shuts off at ~20%), I do like having a TrackPoint and ThinkLight again.
Getting the OS itself tweaked and set up has been an ongoing thing, as I think is true with any OS. I’ve become accustomed to “night mode” in other OSes, so that was the first thing that needed remedied. Installing Redshift in Dom0 was the easy fix. While installing additional software in Dom0 probably isn’t the best for security/trust, it is provided by the default repos, so I trust it enough. Note that Redshift cannot call out to the Internet to find its geolocation due to the networking limitation of Dom0, so a manual config is required. To start this at login, I added a similar command in Dom0’s “Session and Startup” menu.
reshift-gtk -l -75.2509766:-0.071389
Next, I needed to set up my VPN connection which I used when out and about. For this, I copied the OpenVPN config file to the “sys-net” qube, then imported it into NetworkManager. It was a pretty painless setup, but could lead to compromise of that config file if the sys-net NetVM were compromised. A separate “vpn” ProxyVM is the best option for this and you can read more about that here: https://www.qubes-os.org/doc/vpn/.
I use Signal quite regularly as my main form of communication with friends and family. Since this would be only needed in one qube and utilized third-party repos, I opted to make a StandaloneVM for it. I created this dedicated VM based on the existing Debian template, then added the Signal repos per the provided documentation here: https://signal.org/download/
curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list sudo apt update && sudo apt install signal-desktop
After installation and configuration of Signal, I removed some of the applications I wouldn’t be using on that qube such as Firefox and KeePass. I didn’t want to accidentally open URLs in that qube, so there was no need for a web browser. Additionally, I limited RAM usage by decreasing the “Max memory” setting inside the “Qube Settings” for that qube. This was mostly just to play around with that setting, but I have not had any issues restricting the RAM to 1GB.
Since DisposableVMs are, as the name implies, disposable, any changes made to them will disappear once they are powered off. I mostly use DisposableVMs for browsing random websites, so I wanted a few things configured in Firefox to avoid re-configuring it each time I start a new DisposableVM. To make persistent changes to Firefox in the DisposableVM template, I ran the following:
qvm-run -a fedora-30-dvm firefox
I changed the search engine to DuckDuckGo, removed the bookmarks bar, changed the home page (got rid of the recommendations and highlights sections), and installed a few extensions. After forgetting to shut down that qube and wondering why my changes didn’t stick, the DisposableVMs’ Firefox was configured as I like it.
The last major component I configured was a Kali Linux TemplateVM. I regularly use tools provided by Kali and there is great documentation for its setup here: https://www.qubes-os.org/doc/pentesting/kali/. I followed the “Kali Linux TemplateVM from a Debian template” to set up the Kali TemplateVM. At first, I had some issues with the installation of the “kali-linux-full” package and wasn’t able to get a working Kali qube running. It was late at night and I wanted sleep, so it scrapped it and tried again a couple weeks later. Following the exact steps again worked fine. My assumptions was either some dependencies were borked, or I was very sleepy. I now have a functioning Kali TemplateVM.
I’m sure there are some additional tweaks and minor config changes that have happened, but those were the major ones for me to be able to use Qubes OS as a primary OS. I played around with installing a couple games in an qube. I was able to get Stardew Valley (GOG release) and OpenRCT2 to run acceptably well. I was surprised they launched at all, to be honest. If I end up doing some strange/unique things later on, I’ll make another post about them.
Now, the beauty of Qubes OS is its compartmentalization feature which allows you to separate Qubes based on their purpose, trust level, or whatever really. The default qubes included with an install are the following:
I use a few more in my setup, but they somewhat follow this default layout. In addition to the default “personal” qube, where I have Firefox set up to my liking and I’m logged into my web accounts and whatnot, I also have the aforementioned Signal qube, a separate qube for managing my home network, and the qube I have installed a couple games in. These all fit under the “personal” trust level, so I have named them with the prefix “personal-“. If I used a mail client, like Thunderbird or Claws, I think I would have a separate qube for that as well and maybe some firewall rules to lock it down a tad bit more. I have a separate qube for managing a few servers, using a different window border color than the “personal” qubes. In the “vault” qube, I keep my KeePass database. By default, this qube has no network access and I don’t see a reason to enable it. Joanna Rutkowska, the creator/founder of Qubes OS has documented how she separates out her life using Qubes OS in this awesome blog post: https://theinvisiblethings.blogspot.com/2011/03/partitioning-my-digital-life-into.html.
This pretty much wraps up my experience so far with Qubes OS. I have been impressed with it the more and more I use it, however annoying my hardware’s quirks are. I do plan on changing around some of my organization of my qubes, maybe separating out my “personal” ones a bit more. Maybe create a dedicated “banking” qube, for example. I want to attempt creating firewall rules for some specific qubes, the Signal one as I had mentioned earlier and maybe the server management qube as well. If/when I do migrate to using it full time, I also need to configure and test backing up the system. Qubes OS does include a backup feature in Qube Manager, so I need to test and familiarize myself with its backup and restore process. Moving all my data to appropriate qubes will also be a process and needs a lot more thought put into it before doing so. As for the hardware issues, I would really like to try out a Purism Librem 13 or 15, but maybe I’ll get into that later. Regardless, I am going to continue using it part-time, and maybe full time while I’m traveling for work since the X230 is tiny.
Overall, I’m really impressed that Qubes OS works as well as it does, which shouldn’t be taken negatively. With all the “stuff” going on behind the scenes, it runs as smooth as any other Linux distro, at least in my experience. That alone is quite impressive. To anyone interested in the security features it employs or just interested in general, I highly recommend giving it a try.