A collection of Qubes OS-related information.


Website: https://qubes-os.org


Table of contents:

->> Best Practices
->> Template Setup

->> Links & Resources


Best Practices

  • All repositories should be routed over Tor and onionized

  • Each application should be installed in its own separate minimal template qube (provided your system has the resources for it)

  • sys-usb should be configured on a laptop

  • Avoid using sleep on a Qubes system

  • Read all of the Qubes documentation

  • Frequently visit the Qubes forums

  • Consider creating a shutdown script / shortcut

  • Consider whether you would benefit from creating backups of your Qubes system

  • Update frequently

  • Harden Qubes if applicable (Debian Kicksecure, Fedora COPR hardened-malloc, etc.)

  • Set up a BIOS password along with a power-on password

  • Use an SSD for the Qubes system


Template Setup

Small notes for template setup

Proxying wget:

Edit /etc/wgetrc

Add:

use_proxy=yes
http_proxy=127.0.0.1:8082
https_proxy=127.0.0.1:8082


Debian

Running in Dom0:

sudo qubes-dom0-update qubes-template-debian-11-minimal
qvm-run --pass-io -u root template-debian-11-minimal 'apt install qubes-core-agent-passwordless-root'

Running inside the template:

sudo apt update

Installing packages

sudo apt install qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git apt-transport-tor curl

Configuring git proxy

git config --global http.proxy http://127.0.0.1:8082/


Debian Security

sudo apt-get install grub2 qubes-kernel-vm-support
sudo apt-get -t bullseye-backports --no-install-recommends install linux-image-amd64 linux-headers-amd64
sudo grub-install /dev/xvda

Adding the Kicksecure repository:

curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Installing Kicksecure package:

kicksecure-qubes-cli and kicksecure-qubes-gui are available.

sudo apt install --no-install-recommends kicksecure-qubes-cli

Installing LKRG:

sudo apt install --no-install-recommends lkrg-dkms

Enabling Hardened Malloc:

echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
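
The Kicksecure entry added above is Tor-routed, onionized and pinned to a key with signed-by, which matches the best practice that all repositories be routed over Tor and onionized. The following is an added example, not part of the original notes, that checks every one-line APT entry against those three properties; the function names (report, audit_apt_sources, write_sample) are hypothetical and the two non-compliant sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one-line APT entries ("deb ..." / "deb-src ...");
# deb822 *.sources files are not parsed. Exit status 0 means no findings.
report() { echo "$file:$lineno: $1"; findings=$((findings + 1)); }
audit_apt_sources() {
    findings=0
    for file in "$@"; do
        [ -r "$file" ] || continue
        lineno=0
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            case "$line" in
                "deb "*|"deb-src "*) ;;
                *) continue ;;    # comments, blanks, anything else
            esac
            # Options are the text inside [ ... ], e.g. signed-by=...
            opts=$(printf '%s\n' "$line" | sed -n 's/^[a-z-]* *\[\([^]]*\)\].*/\1/p')
            # Drop the type and the optional [ ... ]; the URI is the next field.
            uri=$(printf '%s\n' "$line" | sed 's/^[a-z-]* *\(\[[^]]*\] *\)\{0,1\}//' | cut -d' ' -f1)
            host=${uri#*://}; host=${host%%/*}; host=${host%%:*}
            case "$uri" in
                tor+http://*|tor+https://*) ;;
                *) report "not routed over Tor: $uri" ;;
            esac
            case "$host" in
                *.onion) ;;
                *) report "not an onion service: $host" ;;
            esac
            case "$opts" in
                *signed-by=*) ;;
                *) report "no signed-by key pin" ;;
            esac
        done < "$file"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: line 2 is the entry from this page, lines 3-4 are made up.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main contrib non-free
deb https://deb.debian.org/debian bullseye main
deb [arch=amd64] tor+https://deb.debian.org/debian-security bullseye-security main
EOF
}
sample=$(mktemp) && write_sample "$sample"
audit_apt_sources "$sample" || echo "sample has non-compliant entries"
rm -f "$sample"
```

Inside a template, call it as audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list; a non-zero exit status means at least one entry needs attention.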


Fedora

Running in Dom0:

sudo qubes-dom0-update qubes-template-fedora-37-minimal
qvm-run --pass-io -u root template-fedora-37-minimal 'dnf install qubes-core-agent-passwordless-root'

Running inside the template:

sudo dnf update

Installing packages

sudo dnf install qubes-core-agent-passwordless-root qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git

Configuring git proxy

git config --global http.proxy http://127.0.0.1:8082/


Upgrading Fedora

Running in Dom0:

qvm-clone fedora-36 fedora-37
truncate -s 5GB /var/tmp/template-upgrade-cache.img
qvm-run -a fedora-37 gnome-terminal
dev=$(sudo losetup -f --show /var/tmp/template-upgrade-cache.img)
qvm-block attach fedora-37 dom0:${dev##*/}

Running inside Fedora-37:

sudo mkfs.ext4 /dev/xvdi
sudo mount /dev/xvdi /mnt/removable
sudo dnf clean all
sudo dnf --releasever=37 --setopt=cachedir=/mnt/removable --best --allowerasing distro-sync

Running inside Dom0:

qvm-shutdown fedora-37
sudo losetup -d $dev
rm /var/tmp/template-upgrade-cache.img


Whonix

Whonix-GW and Whonix-WS should be upgraded via:

upgrade-nonroot

Installing LKRG:

sudo apt install --no-install-recommends lkrg-dkms

Enabling Hardened Malloc:

echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload



Customizations


Guides


Templates


Wiki