Title: Why one would use Qubes OS?
Author: Solène
Date: 17 June 2023
Tags: security qubesos feedback
Description: In this article, I'm sharing my feelings about Qubes OS, what it is and why I like it
# Intro

Hello, I've been talking a lot about Qubes OS lately, but I never explained why I got hooked on what it offers. It's time to tell why I like it.

Qubes OS official project website

Puffy asks Solene to babysit the girl. Solene presents her latest creation. (ar…

Artwork by Prahou
# Presentation

Qubes OS is a kind of meta system with an emphasis on security and privacy. You start in an almost empty XFCE interface on a system called dom0 (the Xen hypervisor's privileged domain) that has no network access: this is your desktop, from which you start virtual machines whose windows are integrated into the dom0 display, in order to do what you need to do with your computer.

Virtual machines in Qubes OS are called qubes. Most of the time, you want them to be based on a template (Debian or Fedora for the official ones). If you install a program in the template, it becomes available in every qube using that template. When a qube is set to keep only its /home directory persistent, it's called an AppVM: any change made outside /home is discarded when the qube reboots.

By default, the system's network devices are assigned to a special qube named sys-net, which is special in that the physical network devices are attached to that VM. The purpose of sys-net is to be disposable and to provide access to the outside network to the VM named sys-firewall, which does some filtering.

All your qubes using the Internet have to use sys-firewall as their network provider. A practical use case, if you want to use a VPN but not globally, is to create a sys-vpn qube (pick the name you want), connect it to the Internet through sys-firewall, and then use sys-vpn as the network source only for the qubes that should go through your VPN. It's really effective.

If you need to use a USB device like a microphone or a webcam in a qube, there is a systray app to handle USB pass-through: it attaches the USB device to a qube from the special qube sys-usb, which manages the physical USB controllers. This lets you plug any USB device into the computer, and if you need to analyze it, you can start a disposable VM and check what's in there.

Qubes OS trust level architecture diagram
## Pros

* Efficient VM management thanks to templates.
* Efficient resource usage thanks to Xen (memory ballooning, para-virtualization).
* Built to be secure.
* Disposable VMs.
* Built-in integration with Tor (using Whonix).
* Secure copy/paste between VMs.
* Security (the network is handled by a VM which gets the physical devices attached; the hypervisor itself is not connected).
* Practical approach: if you need to run a program you can't trust because you have to (this happens sometimes), you can do it in a disposable VM and not worry.
* Easy update management, plus the ability to roll back VMs.
* Easy USB pass-through to VMs.
* Easy file transfer between VMs.
* Incredible integration of VM windows into the host.
* Qubes RPC to set up things like split-SSH, where the SSH key is stored in an offline VM and each use requires user approval.
* Modular networking: I can make a VPN inside a VPN and assign it to some VMs but not all.
* Easily extensible, as all templates and VMs are managed by SaltStack.
## Cons

* No GPU acceleration for rendering (no 3D programs, high CPU usage for video/conferencing).
* Limited hardware support due to Xen.
* Requires a powerful system (high CPU requirements, and the more RAM the better).
* Qubes OS could end up being the default choice simply because there is no competitor (yet).
* The project seems a bit understaffed.
* Hard learning curve.
* Limited choice of templates: Fedora, Debian and Whonix are the official ones. The community provides extra templates based on Gentoo, Kali or CentOS 8.
* It's meant for single-user workstation use only.
# My use case

I tried Qubes OS in early 2022; it felt very complicated and inefficient, so I abandoned it after only a few hours. This year, I wanted to try again for a longer time, reading the documentation and trying to understand everything.

The more I used it, the more I got hooked by the idea and by how clean it was. I basically don't want to use a different workflow anymore; that's why I'm currently implementing OpenKuBSD, to have a similar experience on OpenBSD (even if I don't plan to have as many features as Qubes OS).

My workflow is the following. This doesn't mean it's the best one, but it fits my mindset and the way I want to separate things:

* a qube for web browsing with privacy plugins and the Arkenfox user.js; this is what I use to browse websites in general
* a qube for communication: emails, XMPP and Matrix
* a qube for development, which contains my projects' source code
* a qube for each work client, which contains their projects' source code
* an OpenBSD VM to do ports work (it's not as well integrated as the others, though)
* a qube without network for the KeePassXC databases (personal and per-client), SSH and GPG keys
* a qube using a VPN for some specific network tasks; it can be connected 24/7 without having all the programs going through the VPN (and without having to write complicated ip rules to use this route only in some cases)
* disposable VMs at hand to try things

I've configured my system to use split-SSH and split-GPG, so some qubes can request the use of my SSH key through the dom0 GUI, and I have to manually accept that one-time authorization on each use. It may seem annoying, but at least it gives me a visual indicator that the key is requested, and from which VM, and it's not automatically approved (I only have to press Enter, though).
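The two mechanisms described above, the sys-net → sys-firewall → sys-vpn network chain from the Presentation section and the split-SSH approval prompt, can both be laid out as dom0 commands. The script below is an added example, not from the original post or the Qubes OS project: qube names such as `sys-vpn`, `work` and `vault` and the template name are assumptions, the `qubes.SshAgent` service name comes from the community split-SSH guide, and the policy line follows the Qubes 4.1 `/etc/qubes/policy.d/` format. With `DRY_RUN=1` (the default) the commands are printed rather than executed, so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not from the original post or the Qubes OS project).
# Plans a VPN network qube and a split-SSH policy as dom0 commands.
# Assumed names: sys-vpn (VPN qube), work (client qube), vault (offline key qube).
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# plan_vpn_chain VPN_QUBE TEMPLATE CLIENT_QUBE...
# The VPN qube takes its uplink from sys-firewall (so it is itself filtered)
# and is marked as a network provider. Only the listed client qubes are
# re-pointed at it; every other qube keeps using sys-firewall directly.
plan_vpn_chain() {
    vpn="$1"; template="$2"; shift 2
    run qvm-create --class AppVM --template "$template" --label red "$vpn"
    run qvm-prefs "$vpn" netvm sys-firewall
    run qvm-prefs "$vpn" provides_network True
    for q in "$@"; do
        run qvm-prefs "$q" netvm "$vpn"
    done
}

# split_ssh_policy CLIENT_QUBE VAULT_QUBE
# Emits one Qubes RPC policy line: CLIENT_QUBE may call the qubes.SshAgent
# service in VAULT_QUBE, and dom0 prompts the user on every call ("ask").
# The line belongs in a file such as /etc/qubes/policy.d/30-user.policy (assumed path).
split_ssh_policy() {
    client="$1"; vault="$2"
    printf 'qubes.SshAgent * %s %s ask\n' "$client" "$vault"
}

# deny_by_default VAULT_QUBE
# Emits a catch-all line so that no other qube can reach the agent in the vault
# unless an earlier, more specific line allowed or asked about it.
deny_by_default() {
    printf 'qubes.SshAgent * @anyvm %s deny\n' "$1"
}

# Stand-alone run: print the plan for one client qube behind the VPN and the
# policy lines for split-SSH from that same qube.
plan_vpn_chain sys-vpn fedora-38 work
split_ssh_policy work vault
deny_by_default vault
```

Policy lines are evaluated top to bottom and the first match wins, so the `ask` line for the specific client must come before the `deny` catch-all; keeping the default at `deny` is what makes the approval prompt a meaningful control rather than a formality.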
I'm not afraid of mixing up client work with my personal projects, since each lives in a different VM. If I need to experiment, I can create a new qube or use a disposable one; this won't affect my working systems. I always feel dirty and unsafe when I need to run a package manager like npm to build a program on a regular workstation...

Sometimes I want to try a new program, but I have no idea whether it's safe to install it manually or with "curl | sudo bash". In a disposable, I just don't care: everything is destroyed when I close its terminal, and it doesn't contain any information.

What I really like is that when I say I'm using Qubes OS, in reality I'm using Fedora, OpenBSD and NixOS in VMs, not "just" Qubes OS.

However, Qubes OS is really bad for multimedia in general. I have a dual boot with a regular Linux if I want to watch videos or use 3D programs (like Stellarium or Blender).

Qubes OS blog: how to organize your qubes: different users share their workflows
# Why would you use Qubes OS?

This is a question that seems to pop up quite often on the project forum. It's hard to answer because Qubes OS has a steep learning curve, it's picky with regard to hardware compatibility and requirements, and the weight of the pros and cons can differ greatly depending on your usage.

When you want important data to be kept almost physically separated from running programs, it's useful.

When you need to run programs you don't trust, it's useful.

When you prefer to separate contexts to avoid mixing up files or the clipboard, like accidentally sharing some personal data in your workplace Slack, it can be useful.

When you want to use your computer without having to think about security and privacy, it's really not for you.

When you want to play video games, use 3D programs, or benefit from GPU hardware acceleration (for machine learning, video encoding/decoding), this won't work. With a second GPU you could attach it to a VM, but it takes some time and dedication to get it working well.
# Security

The Qubes OS security model relies on virtualization software (currently Xen), and hypervisors are known to regularly have security issues. Whether virtualization is secure or not can be debated.

Qubes OS security advisory tracker
# Conclusion

I think Qubes OS has a unique offer with its compartmentalization paradigm. However, the mindset and discipline required to use it efficiently make me warn that it's not for everyone, but rather for a niche user base.

The security achieved here is relatively higher than on other systems if it's used correctly, but it really hinders the usability of the system for many common tasks. What I like most is that Qubes OS gives you the tools to easily solve practical problems, like having to run proprietary and untrusted software.