Objective: Help users configure Qubes OS after installation, covering basic settings and creating their first qubes.

Introduction

Welcome to Qubes OS! This next guide will help you navigate the initial setup after installation, customize your environment for daily use, and understand the essential security features. We'll also provide a step-by-step example of setting up a Monero Wallet to demonstrate how to work effectively within Qubes OS. If you've not indstalled Qubes yet, get out of here and go back a few steps preparing your machine for Qubes OS.

Initial System Configuration

After installing Qubes OS and rebooting, you'll encounter the Qubes First-Run Wizard. This wizard assists in setting up critical aspects of your system.

Step 1: Create a User Account

  • Username: Choose a username for your primary account.
  • Password: Set a strong, unique password. This password grants you administrative privileges within the system.

Step 2: Configure Networking

  • Sys-net: This is the network domain that handles all networking hardware. Ensure your network adapters (Wi-Fi, Ethernet) are correctly assigned.
  • Sys-firewall: Acts as a firewall between your qubes and the outside network. It's connected to sys-net by default.
  • Sys-whonix: If you wish to route your internet traffic through the Tor network for anonymity, enable this option.
  • Anon-whonix: A workspace qube pre-configured for anonymous activities.

Step 4: Configure Updates

  • Dom0 Updates: Enable updates for dom0, the administrative domain of Qubes OS. Keeping it updated is crucial for security.
  • TemplateVM Updates: Ensure that updates are enabled for your TemplateVMs (e.g., Fedora, Debian).

Step 5: USB Device Handling (Optional)

  • Sys-usb: Create a separate qube to manage USB devices securely. This isolation protects your system from potential USB-based attacks.

Step 6: Finish Setup

Review your settings and click Finish to complete the initial configuration.

Setting Up Default Qubes and Customizing for Daily Use

Qubes OS comes with several default qubes designed for different purposes:

  • Personal: For everyday personal activities.
  • Work: For professional tasks.
  • Untrusted: For opening untrusted files or browsing less secure websites.
  • Vault: An offline qube for storing sensitive information like passwords or encryption keys.

Ultimately you really need to find the Qubes Manager section, you can access it somewhere in the top right of the mini icons part of the screen. Things will be a lot clearer when you can see all of your Qubes from this kind of birds eye view.

Customizing Existing Qubes

You can tailor these qubes to suit your needs:

  • Rename Qubes: Right-click on a qube in Qube Manager and select Rename.
  • Change Icons: Customize icons for easier identification.
  • Adjust Resources: Modify CPU and RAM allocation in the qube settings.

Creating a New Qube for Monero Wallet

Let's set up a dedicated qube for your Monero Wallet to enhance security.

Step 1: Create the Qube

  1. Open Qube Manager: Click on the Qubes icon and select Qube Manager.
  2. Create a New Qube:
    • Click Create Qube.
    • Name: Enter monero-wallet.
    • Type: Choose AppVM.
    • Template: Select a TemplateVM (e.g., fedora-34 or debian-11).
    • Networking: For anonymity, select sys-whonix.

Step 2: Install Monero Wallet

Since AppVMs are based on TemplateVMs, you need to install the Monero Wallet in the TemplateVM.

  1. Start the TemplateVM:
    • Open a terminal.
    • Run qvm-start fedora-34 (replace with your TemplateVM's name).
  2. Update the TemplateVM:
    • In the terminal, execute sudo dnf update for Fedora or sudo apt update && sudo apt upgrade for Debian.
  3. Download Monero Wallet: 
    wget https://downloads.getmonero.org/gui/monero-gui-linux-x64-v0.18.3.4.tar.bz2
    • or a browser within the TemplateVM.
  4. Verify the Download:
  5. Install the Wallet:
    • Extract the downloaded package.
    • Move it to /opt/monero or a preferred directory.

Step 3: Configure the Monero Wallet Qube

  1. Access the Wallet in AppVM:
    • Start the monero-wallet qube.
    • The installed wallet should now be accessible since it's installed in the TemplateVM.
  2. Create Application Shortcut:
    • In Qube Manager, right-click monero-wallet and select Qube Settings.
    • Go to the Applications tab.
    • Add Monero Wallet to the list of applications, you should see to panes, you can essentially shift all of the relevant app you want to use from that Qube over to right.

Essential Security and Usability Settings to Consider

Firewall Rules

  • Per-Qube Firewall: Limit network access for each qube.
    • In Qube Manager, right-click a qube and select Qube Settings.
    • Go to the Firewall tab to configure rules.
  • Block Unnecessary Traffic: Deny all outbound traffic except for essential services. Go ahead and find out which ports Monero is using and you'll know which ones to allow & deny.

Updates and Patching

  • Regular Updates: Frequently update dom0 and all TemplateVMs.
  • Update VMs Automatically: Enable automatic updates in the Qubes Update tool.

Qube Backups

  • Regular Backups: Use the Qubes Backup tool found in the system menu. You don't have to go mad with it be if you're installing something new you're not quite sure about yet do a backup first. Or even better, use a burner DispVM which automatically destories itself after you shut it down.
  • Encrypted Backups: Always encrypt backups with a strong password.
  • External Storage: Store backups on external media disconnected from the system when not in use.

Disposable Qubes

  • Purpose: Ideal for opening untrusted files or browsing risky websites.
  • Configuration:
    • In Qube Manager, create a new qube and check Disposable VM.
    • Set it as the default DisposableVM in Global Settings.

Lock Screen and Screen Saver

  • Enable Screen Lock: Configure your screen saver to require a password on resume.
  • Shortcut: Use Ctrl+Alt+L to lock the screen quickly.
  • Disclaimer: If your computer was on, in the state, you could still be subject to a cold boot attack.

Understanding the Qubes OS Security Model

Qubes OS uses Security by Compartmentalization, isolating different environments to minimize the risk of security breaches.

Key Components

  • Dom0: The most trusted domain controlling the user interface and hardware.
    • Usage: Do not use dom0 for internet activities.
  • AppVMs (Qubes): Virtual machines for running applications.
    • Isolation: Each qube is isolated from others.
  • TemplateVMs: Provide the root filesystem for AppVMs.
    • Software Installation: Install applications here to make them available in AppVMs.
  • ServiceVMs (Sys-net, Sys-firewall, Sys-usb): Handle specific system services.

Best Practices

  • Least Privilege: Grant qubes only the permissions they need.
  • Separate Activities: Use different qubes for different tasks (e.g., banking, email).
  • Regular Monitoring: Keep an eye on the resources and behavior of your qubes.
  • Avoid Direct Attachments: Do not attach untrusted USB devices directly to sensitive qubes.

Additional Example: Running a Monero Node (Daemon)

For advanced users interested in running a Monero node:

Step 1: Create a Dedicated Qube

  • Name: monero-node
  • Type: AppVM
  • Template: Use a minimal template for reduced attack surface.
  • Networking: Connect directly to sys-net or sys-whonix for privacy, by using sys-whonix is forces all of your out going traffic through a Transparent Proxy, and protects your DNS requests also. It tends to lockdown most UDP.

Step 2: Increase Storage

  • By default, qubes have limited storage.
  • Adjust Disk Size:
    • In Qube Manager, right-click monero-node and select Qube Settings.
    • Go to the Advanced tab and increase the Private storage max size.

Step 3: Install the Monero Daemon

  • Download and Verify:
    • Use the same method as installing the wallet.
  • Configure the Node:
    • Edit the configuration file to set parameters like network ports and data directories.
  • Running the Node:
    • Start the daemon in the background.
    • Monitor logs to ensure it's syncing correctly.

Security Considerations

  • Resource Usage: Running a node is resource-intensive.
  • Isolation: Keep the node in its own qube to prevent interference with other activities.
  • Firewall Rules: Open necessary ports and restrict others.

Conclusion

You've now set up Qubes OS, customized your environment, and understood the basics of its security model. By compartmentalizing your activities into different qubes and following security best practices, you can significantly reduce the risk of security breaches. Remember to keep your system updated and stay informed about the latest security recommendations.

Additional Resources