💾 Archived View for gemini.mcgillij.dev › qubes-installation.gmi captured on 2023-11-04 at 11:20:06. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-03)
-=-=-=-=-=-=-
:author:
mcgillij
:category:
Linux
:date:
2021-09-16 22:49
:tags:
Linux, Qubes, Virtualisation, VM, Fedora, Debian, Whonix, #100DaysToOffload
:slug:
qubes-installation
:summary:
Brief overview of Qubes and the installation process.
:cover_image:
qubes.png
What is
(Reasonably secure OS).
A virtualisation masterpiece built around
and Fedora. A security focused Polish lady named Joanna Rutkowska founded / created the idea for Qubes. Focusing on security through isolation using virtualisation.
Building an OS where every application and even OS layer cannot be trusted, and thus can be replaced with alternate or disposible VM layers each with varying degree’s of security(paranoia) applied to them.
Qubes also allows classification of the security contexts (via color coding of security levels). So that you can easily determine if a VM/Application is related to your “work” or insecure/disposable or personal etc.
This enable use-cases that would otherwise be very hard to configure on a stand-alone Linux installation.
Allowing for instance running certain applications over a Tor network stack, while keeping all your internet banking separate. While being able to separate all your “work” and personal information in separate VM’s that could be running totally different versions of Linux or Windows. While hard to verbally describe. It’s simple to visualize the separation of concerns.
[image: image of 3 security contexts]
In this example, the word processor runs in the “work” domain, which has been assigned the “blue” label. It is fully isolated from other domains, such as the “untrusted” domain (assigned the “red” label – “Watch out!”, “Danger!”) used for random Web browsing, news reading, as well as from the “work-web” domain (assigned the “yellow” label), which is used for work-related Web browsing that is not security critical. Apps from different domains run in different AppVMs and have different X servers, filesystems, etc.## Pre-requisites
For Qubes to work properly, you will need an Intel CPU with VT-x or AMD CPU with SVM along with IOMMU support allowing for physical device pass through to your virtual machines.
To check your CPU flags for SVM:
cat /proc/cpuinfo |grep svm
Let’s go over the installation steps, it’s essentially like installing any other Linux distro. With a bit of post setup configuration thrown in for good measure.
[image: qubes language selection]
Selecting the default language / keyboard layout.
[image: qubes installation summary]
From the installation summary page you can modify your installation and setup your full disk encryption (except boot) using the hard drive partitioning selection to continue the installation.
[image: qubes harddrive partitioning]
From here you can encrypt and choose your partitioning scheme along with encryption pass-phrase.
[image: qubes creating user during installation]
You are prompted to create your user account during the actual installation process.
[image: qubes installation complete]
That’s it reboot, and onto the post-install configuration steps.
[image: qubes post install configuration / setup]
From here a bit of house keeping for how you actually want your system to run / startup. And you will be thrown into the desktop environment afterwards.
Once installed and configured, you will be greeted with a relatively tame XFCE desktop environment, with a menu that’s been pre-populated with all the Qubes goodies / Template VM’s and Qubes manager.
The Qubes manager allows the management of all the VM’s through Dom0’s virtual machine manager.
Here’s what the menu looks like basically just allowing launching all sorts of Virtual machines, which you will later be able to configure as separate environments for each of the application contexts that you will be running. There is a fair bit of work in using Qubes. However the benefits are literally security. So sometimes things are worth the bit of extra effort.
![[image: qubes separations]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes_partition_data_flow.jpg&t=638346936060000000&raw=False){kind=link}
![[image: image of 3 security contexts]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes_example.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes language selection]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes1.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes installation summary]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes2.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes harddrive partitioning]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes3.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes creating user during installation]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes4.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes installation complete]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes5.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes post install configuration / setup]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes6.png&t=638346936060000000&raw=False){kind=link}
![[image: qubes manager]](/kennedy.gemi.dev/archive/cached?url=gemini%3a%2f%2fgemini.mcgillij.dev%2fimages%2fqubes7.png&t=638346936060000000&raw=False){kind=link}