

Qubes OS: Random notes and ideas

So, I just installed Qubes OS on my new laptop (a secondhand HP EliteBook 840 G1). Installed it for the second time, actually: installed it, played with it for 2 weeks, decided I had trouble getting used to the AZERTY keyboard, installed a QWERTY keyboard, discovered I could no longer decrypt my hard disk because of the new keyboard layout, and decided to reinstall the system and not worry about the stuff I already had on the laptop; recreating my notes is probably less cumbersome than reinstalling the previous keyboard to back up my stuff.
And to avoid such a loss of notes in the future, I decided to put them on my website.
If you decide to read on, then please, respect the fact that these notes were not meant for you, but just as a reminder for me:


Now, go away, or shut up.




X-less VMs

Even the so-called 'minimal' template (fedora-<version>-minimal) runs X. But there are many use cases where X is not needed at all (file server, mail server, web server, Subversion server). So, we're going to invent a ServerVM.

This is actually quite simple:

  1. Create and install a new VM [Research which one is the least memory and CPU intensive; could be any Linux, or any BSD (but start with FreeBSD, because FreeBSD)].
  2. Configure (a)getty to autologin on the Xen console (inside the VM that console is hvc0, so on a systemd-based template the unit to override is serial-getty@hvc0).
  3. Use xenconsole to connect to the VM instead of some graphical terminal emulator:
    [user@dom0 ~]$ qvm-prefs --get server-svn xid
    24
    [user@dom0 ~]$ /usr/lib/xen/bin/xenconsole 24
    

And to add this to the Start menu, I think there should be a file dom0:~/.local/share/qubes-appmenus/server-svn/apps/server-svn-console.desktop, which looks something like this:

[Desktop Entry]
Version=1.0
Type=Application
Terminal=true
X-Qubes-VmName=server-svn
Icon=/path/to/console/icon.png
Name=server-svn: Console
Comment=Use the command line
Categories=System;TerminalEmulator;ConsoleOnly;X-Qubes-VM;
Exec=/usr/lib/xen/bin/xenconsole `/usr/bin/qvm-prefs --get server-svn xid`

But I'm not sure whether backticks are allowed in the Exec line of a .desktop file.

UPDATE: the old Qubes/Signal documentation says something about the proper way to create menu entries.
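The backtick question answers itself once you know that the Exec key of a .desktop file is not passed through a shell: the Desktop Entry Specification defines its own quoting, and `...` would reach xenconsole as literal text. The clean fix is a small dom0 wrapper that does the xid lookup itself, so the Exec line becomes a plain command. The script below is an added example, not Qubes' own tooling; the name qoh-console is an assumption, and the qvm-prefs --get syntax is the Qubes 3.x form used on this page.

```sh
#!/bin/sh
# qoh-console: open the Xen text console of a running qube from dom0.
# Added example, not a Qubes tool; the name qoh-console is an assumption.
#
#   qoh-console <vmname>
#
# The .desktop entry then needs no backticks (the Exec key is not run
# through a shell, so `...` would be handed to xenconsole literally):
#   Exec=/home/user/bin/qoh-console server-svn
#   Terminal=true

XENCONSOLE=${XENCONSOLE:-/usr/lib/xen/bin/xenconsole}

# valid_xid STRING: succeed only for a positive integer domain id.
# qvm-prefs reports -1 for a qube that is not running, and id 0 is dom0
# itself, which has no PV console to attach to.
valid_xid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty, negative or not a number
    esac
    [ "$1" -gt 0 ]
}

# lookup_xid VMNAME: print the Xen domain id of a running qube, or fail.
lookup_xid() {
    xid=$(qvm-prefs --get "$1" xid 2>/dev/null) || return 1   # Qubes 3.x syntax
    valid_xid "$xid" || return 1
    printf '%s\n' "$xid"
}

main() {
    [ $# -eq 1 ] || { echo "usage: ${0##*/} <vmname>" >&2; exit 64; }
    xid=$(lookup_xid "$1") || {
        echo "$1 is not running; start it first (qvm-start $1)" >&2
        exit 1
    }
    exec "$XENCONSOLE" "$xid"
}

# Run main only when invoked by name; sourcing the file just defines
# the functions.
case "${0##*/}" in qoh-console) main "$@" ;; esac
```

In dom0, `sudo xl console server-svn` attaches by name and skips the lookup, at the price of needing root. Autologin on that console gives away nothing dom0 did not already have, since dom0 can read every qube's memory and disk; it only saves storing a password for a VM nobody logs into graphically.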

SVN server

Based on the X-less server described above.

A VM that serves 1 or more SVN repos to the other VMs. See Setting up a Subversion server VM for details.

Back up in chunks

A wrapper around qvm-backup and qvm-backup-restore that cuts a backup into a given number of pieces, OR into pieces of a given size (--chunks-nr=5 or --chunks-size=2M). The pieces can then be saved in different locations, and the backup cannot be restored while any piece is missing. This would even make it possible to store a backup inside a collection of pictures or other files, using steganography.
(Cool, how about a 3rd possible commandline parameter: --chunks-stego=${HOME}/Pictures/Holidays-Summer-2017/, which would calculate the size of the chunks based on the number of files in that directory, and then hide the chunks in those files?)

Re-thinking the --chunks-stego= parameter:

[user@dom0 ~]$ qoh-restore --chunks-stego=${HOME}/Pictures/Holidays-Summer-2017/ --chunks-stego=5:https://www.example.com/key.jpg
This would insert the remotely downloaded file as the 5th file in the list of files from which to extract steganographic data; obviously, without this file, the VM would be incomplete, and thus useless.

Re-re-thinking: steganography would not even be needed for this:

[user@dom0 ~]$ qoh-restore --chunks=${HOME}/Qubes-chunks/ChunkedVM/ --chunks=5:https://www.example.com/key.chunk
would be equally secure; using steganography would just hide it a bit better.

Or, let's just go crazy, and combine the two:

[user@dom0 ~]$ qoh-restore --chunks=${HOME}/Qubes-chunks/ChunkedVM/ --chunks-stego=5:https://www.gravatar.com/avatar/12345abcde

And then, there's 'crazy', and there's 'insane':

[user@dom0 ~]$ qoh-restore --chunks=1:file:///home/user/Stuff/3.chunk --chunks-stego=2:untrusted:/home/user/chunk1.jpg --chunks=3:http://www.example.com/remote.chunk

Which could, obviously, be combined with TOR and I2P and friends, to make it even more paranoid. To a level where it needs to be scripted, which would make it less secure. Unless we save the script remotely. And apply patches to the script before executing it. Which are stored remotely. Et cetera.
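The split/join half of the idea above, as an added example (not the page's own qoh-restore, not a Qubes tool): split cuts an existing qvm-backup archive into N pieces or pieces of a given size and records their hashes in a manifest; join gathers pieces from N:SOURCE arguments and refuses to write anything unless every piece is present and matches. Two things worth keeping in mind that the notes above skip: the archive qvm-backup writes is already encrypted and integrity-protected under the backup passphrase, so a piece held elsewhere is an availability gate (something you must also have), not extra confidentiality; and dom0 deliberately has no network, so an http(s) piece has to be fetched inside a networked qube and piped back, which is what the qvm-run --pass-io line does. The script name, manifest format, N:SOURCE syntax and the QOH_FETCH_VM default are assumptions.

```sh
#!/bin/sh
# qoh-chunks: cut a qvm-backup archive into pieces and put it back together
# only when every piece is present and matches the manifest.
# Added example, not a Qubes tool; the name qoh-chunks, the MANIFEST format,
# the N:SOURCE argument form and QOH_FETCH_VM are assumptions.
#
#   qoh-chunks split <backup-file> <outdir> nr=5      # 5 equal pieces
#   qoh-chunks split <backup-file> <outdir> size=2M   # pieces of 2 MiB
#   qoh-chunks join  <manifest> <outfile> N:SOURCE [N:SOURCE ...]
#
# SOURCE is a local path, a file:// URL or an http(s):// URL. dom0 has no
# network, so URLs are fetched by curl inside the qube named in QOH_FETCH_VM.

FETCH_VM=${QOH_FETCH_VM:-untrusted}

sha256()  { sha256sum "$1" | cut -d' ' -f1; }
shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# split_backup FILE OUTDIR SPEC: write OUTDIR/1.chunk .. N.chunk and a
# MANIFEST of "index sha256 bytes" lines plus a final "total sha256 N" line.
split_backup() {
    file=$1 out=$2 spec=$3
    case "$spec" in
        nr=*)   n=${spec#nr=}; bytes=$(( ($(wc -c < "$file") + n - 1) / n )) ;;
        size=*) bytes=${spec#size=} ;;
        *)      echo "bad chunk spec: $spec" >&2; return 2 ;;
    esac
    mkdir -p "$out" && split -b "$bytes" -d -a 4 -- "$file" "$out/part." || return 1
    i=0; : > "$out/MANIFEST"
    for p in "$out"/part.*; do
        i=$((i + 1)); mv -- "$p" "$out/$i.chunk"
        printf '%d %s %d\n' "$i" "$(sha256 "$out/$i.chunk")" \
            "$(wc -c < "$out/$i.chunk")" >> "$out/MANIFEST"
    done
    printf 'total %s %d\n' "$(sha256 "$file")" "$i" >> "$out/MANIFEST"
}

# fetch SOURCE DEST: copy a local or file:// piece; download http(s)://
# pieces inside FETCH_VM (curl must exist there) and pipe the bytes back.
fetch() {
    case "$1" in
        http://*|https://*)
            qvm-run --pass-io "$FETCH_VM" "curl -fsSL -- $(shquote "$1")" > "$2" ;;
        file://*) cp -- "${1#file://}" "$2" ;;
        *)        cp -- "$1" "$2" ;;
    esac
}

# join_backup MANIFEST OUTFILE N:SOURCE...: 0 on success; 1, with OUTFILE
# untouched, if any piece is missing, unfetchable or does not match.
join_backup() {
    manifest=$1 out=$2; shift 2
    total=$(awk '$1=="total"{print $3}' "$manifest")
    whole=$(awk '$1=="total"{print $2}' "$manifest")
    [ -n "$total" ] || { echo "bad manifest" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    for arg in "$@"; do
        n=${arg%%:*}; src=${arg#*:}
        fetch "$src" "$tmp/$n.chunk" || { echo "cannot fetch $src" >&2; rm -rf "$tmp"; return 1; }
    done
    i=1
    while [ "$i" -le "$total" ]; do
        want=$(awk -v i="$i" '$1==i{print $2}' "$manifest")
        if [ ! -f "$tmp/$i.chunk" ] || [ "$(sha256 "$tmp/$i.chunk")" != "$want" ]; then
            echo "chunk $i missing or corrupt: refusing to restore" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    i=1; : > "$out"
    while [ "$i" -le "$total" ]; do cat "$tmp/$i.chunk" >> "$out"; i=$((i + 1)); done
    rm -rf "$tmp"
    [ "$(sha256 "$out")" = "$whole" ] || { echo "reassembled archive mismatch" >&2; rm -f "$out"; return 1; }
}

main() {
    cmd=${1:-}; [ $# -gt 0 ] && shift
    case "$cmd" in
        split) split_backup "$@" ;;
        join)  join_backup "$@" ;;
        *)     echo "usage: qoh-chunks split|join ..." >&2; exit 64 ;;
    esac
}
case "${0##*/}" in qoh-chunks) main "$@" ;; esac
```

The manifest hashes catch a corrupted or mixed-up piece before anything is written, but the manifest travels with the pieces and can be rewritten by whoever holds them; the authentication that matters is the one qvm-backup-restore does on the reassembled archive with the passphrase. Steganographic carriers would slot in as another fetch case that extracts the piece before hashing; the join logic does not change.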

Open links in preferred browser

Expanding on a solution by Micah Lee.

A script which opens a Tor Browser in a Whonix disposable for *.onion links, another browser in a dedicated I2P VM for *.i2p links, etc. (a case statement or a long if/elif chain).
This script (~/bin/qubes-browser) should be set as the default browser.
Very simple to implement; was actually already implemented on my AZERTY-Qubes system.

Possible enhancement on previous solution: allow the user to choose between a running Whonix DispVM, or a newly created Whonix DispVM. This will, however, require graphical intervention (zenity or the like).

This could even be expanded to a level where links to the bank's website would be opened in the bank's VM.
But: a user may choose to use a single VM for all bank transactions, or use 1 VM per bank (or even to use 1 VM for banks A, B and C, and another VM for banks X, Y and Z).

And on that same level, this could be used to open links to the personal websites (http://*/wp-admin/) in the personal domain, while opening all other links to the clearnet in the untrusted domain.
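The dispatcher described in this section, as an added example (not Micah Lee's script and not part of Qubes). Two details decide whether it is a security feature or a hole. First, the routing must be decided on the parsed host, never by a substring match over the URL: with `case "$url" in *mybank*)`, a link like https://evil.example/?q=mybank.example, https://mybank.example.evil/ or https://mybank.example@evil.example/ would land in the bank VM, and any link containing /wp-admin/ would reach the personal VM. Second, qvm-run hands the command line to a shell inside the target qube, so the URL has to be single-quoted or a crafted link executes there. The qube names, bank hosts, the Qubes 4.x --dispvm form and the torbrowser command name are assumptions to adapt.

```sh
#!/bin/sh
# qubes-browser: dom0 URL dispatcher that opens each link in the qube that
# should handle it. Added example, not Micah Lee's script and not part of
# Qubes; the routing table (qube names, bank hosts) and the qvm-run forms
# are assumptions to adapt to your own setup.
# Install as ~/bin/qubes-browser and register it as dom0's default browser.

# Hosts per qube. One qube may serve several banks, or each bank its own.
BANK_AB_HOSTS="banka.example bankb.example"
BANK_X_HOSTS="bankx.example"
PERSONAL_HOSTS="ohreally.nl"

shquote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# url_host URL: the host part only, lower-cased, without credentials or port.
url_host() {
    h=${1#*://}; h=${h%%[/?#]*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# host_in HOST DOMAIN: HOST is DOMAIN itself or a subdomain of it.
host_in() { case "$1" in "$2"|*."$2") return 0 ;; esac; return 1; }

# host_in_list HOST "d1 d2 ...": host_in against each domain in the list.
host_in_list() { for d in $2; do host_in "$1" "$d" && return 0; done; return 1; }

# path_is URL PATTERN: shell glob PATTERN matched against the whole URL.
path_is() { case "$1" in $2) return 0 ;; esac; return 1; }

# route URL: print "QUBE COMMAND". Decisions use the parsed host, never a
# substring of the URL, so https://evil.example/?q=banka.example,
# https://banka.example.evil/ and a hostile link containing /wp-admin/
# all end up in the untrusted qube. Non-web links are refused.
route() {
    url=$1
    case "$url" in http://*|https://*) ;; *) return 1 ;; esac
    host=$(url_host "$url")
    if host_in "$host" onion; then
        echo 'dispvm:whonix-ws-dvm torbrowser'
    elif host_in "$host" i2p; then
        echo 'i2p firefox'
    elif host_in_list "$host" "$BANK_AB_HOSTS"; then
        echo 'bank-ab firefox'
    elif host_in_list "$host" "$BANK_X_HOSTS"; then
        echo 'bank-x firefox'
    elif host_in_list "$host" "$PERSONAL_HOSTS" && path_is "$url" '*/wp-admin/*'; then
        echo 'personal firefox'
    else
        echo 'untrusted firefox'
    fi
}

# open_url URL: start the browser in the chosen qube. The URL is
# single-quoted because qvm-run hands the command line to a shell inside
# the qube; unquoted, a link such as http://x/;rm -rf ~ would run there.
open_url() {
    target=$(route "$1") || { echo "refusing to open: $1" >&2; return 1; }
    qube=${target%% *}; cmd=${target#* }
    case "$qube" in
        dispvm:*) qvm-run --dispvm="${qube#dispvm:}" "$cmd $(shquote "$1")" ;;  # Qubes 4.x form (assumption)
        *)        qvm-run -a "$qube" "$cmd $(shquote "$1")" ;;
    esac
}

case "${0##*/}" in qubes-browser) open_url "$1" ;; esac
```

Registering it is the same as for any browser: a .desktop file for it and `xdg-settings set default-web-browser qubes-browser.desktop`. The "running or new Whonix DispVM" choice would go into open_url, in front of the dispvm: branch.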

Add DispVMs to Start menu

When starting a DispVM using Start → Disposable: whonix-ws-dvm → whonix-ws-dvm: Tor Browser, it is quite hard to start a Konsole session in the same VM afterwards (selecting Start → Disposable: whonix-ws-dvm → whonix-ws-dvm: Konsole will start a new DispVM for this Konsole session).
It shouldn't be too hard to add a disp-12345 submenu to the Start menu, when a DispVM is started, displaying the apps available in that DispVM.

Restructure Start menu

Even in a default installation, the Start menu is too large (and thus confusing):

================================
| Run Program...               |
| Terminal Emulator            |
|------------------------------|
| System Tools               > |
|------------------------------|
| Create Qubes VM              |
| Disposable: fedora-25-dvm  > |
| Disposable: whonix-ws-dvm  > |
| Domain: anon-whonix        > |
| Domain: personal           > |
| Domain: untrusted          > |
| Domain: vault              > |=====================
| Domain: work ============= > || work: Files       |
| Service: sys-firewall      > || work: Firefox     |
| Service: sys-net           > || work: Terminal    |
| Service: sys-usb           > || work: VM Settings |
| Service: sys-whonix        > |=====================
| Template: debian-8         > |
| Template: fedora-25        > |
| Template: whonix-gw        > |
| Template: whonix-ws        > |
|------------------------------|
| Log Out                      |
================================

It shouldn't be too hard to change this to something like:

=======================
| Run Program...      |
| Terminal Emulator   |
|---------------------|
| System Tools      > |
|---------------------|
| Create Qubes VM     |
| Disposables       > |=================
| Domains ========= > ||    Domains    |
| Services          > ||---------------|
| Templates         > || anon-whonix > |
|---------------------|| personal    > |
| Log Out             || untrusted   > |
=======================| vault       > |===============
                       | work ====== > ||    work     |
                       =================|-------------|
                                        | Files       |
                                        | Firefox     |
                                        | Terminal    |
                                        | VM Settings |
                                        ===============

I think the menu is built from dom0:~/.local/share/qubes-appmenus/.

In a perfect world, the user gets to choose between the different layouts.

https://doc.ohreally.nl/qubes-general