genderphasing

disorganized thoughts on qubes

a reasonably positive opinion

mood: wheeeeeerambles

after an unscheduled unbootabilitification of my laptop last week, i decided to install qubes. strictly speaking that won't prevent the problem – but i was looking for an excuse anyway.

i've tried to get into qubes before, but i've always ended up switching back. i think this time i'm actually going to stick with it – though, like literally everything all the time,

✨ i have opinions! ✨

background

in case your terrible allergy keeps you from looking at their site (or the clearnet edition if your browser isn't cool) or you just like your blogposts self-contained:

qubes is a "reasonably secure operating system". this is compared to windows, which is malware, macos, which is stealthier malware, or your average desktop linux, which defaults to being reasonably convenient instead. in truth, qubes is about as solid as it gets for a system you can actually run by yourself.

the thing that makes qubes stand out is its structure. most desktop operating systems offer a single unified environment. this is great for convenience: you have one clipboard to copy/paste, one(ish) filesystem for all your data, etc. it's also great for malware: there's only one clipboard to watch for secrets, one filesystem for all the data they want to steal, etc.

qubes adds an additional layer of segmentation: everything runs in vms. so for example, instead of one clipboard everything can easily touch, you have one clipboard per vm, and then a "global clipboard" to manually move things between vms. the same applies to your files, etc. – everything is segmented, and no vm can access any of the others except as permitted by you.

if you're familiar with vms, you're wondering: how can that be remotely nice to use? you may have spent some time wrangling shared folders or clipboards in virtualbox and be shuddering at doing that 24/7. don't worry! qubes makes it easier! there's a learning curve – i keep fucking up my copy/pastes – but it's much gentler than you may be worrying.

and… that's what this blogpost is about, so, let's get into it–

inconveniences

–with some miscellaneous complaining!

dispvms

holy fuck, i love disposable vms. the idea is that when you want to do something "risky" – visiting an untrusted website, running untrusted software, whatever – you can spin up a new vm with one click. then when you close its last window, the whole thing gets shut down and wiped off your system.

this is obviously useful for potentially-malicious data and code, but it's also so useful for me as a software dev, because my code could be buggy as hell, and throwing it in a dispvm is an easy way to test it without locking up my entire computer if i get into an infinite loop or memory leak! i haven't done any kernel dev on qubes yet, but i expect it to make that a hell of a lot simpler, too.

that said, i don't actually find myself using dispvms much – especially for my own code, moving an executable into a dispvm is just kinda annoying. besides that, i don't have a ton of untrusted software to run or sites to visit. i'm finding myself in the habit of using them for research but that's mostly because i think it's funny to boot up a full ephemeral vm just to google "javascript window on idle frame". look at me, the 1337357 of h4x0r2. (i suppose it also protects me since i don't have to trust every site i use for research, but that's not really at the forefront of my mind – i trust the browser sandbox quite a lot.)

there's one use i've only just started (as of this posting, yesterday) trying: dispvms for logging into more sensitive services. the template is extremely minimal, just the bare minimum for qubes to work and firefox, so the odds of the vm being compromised are quite low, certainly lower than my personal chat or dev boxes. i also have this dispvm set up with different networking, since e.g. my bank's website does not like tor. more on networking later!

credential management

one area where qubes is decidedly less magical is passwords. people on the qubes forums seem to have the same misconception as a lot of security nerds, that it's somehow more secure to assess websites with your eyes than allow your browser to definitively match domain names. it's not, but that's a topic for another blogpost, so for now let's leave it at "phishing can get anyone."

what qubes does explicitly support is "remote" ssh and "split" gpg keys. except i haven't started using that functionality yet, so, uh, i don't really have anything to say about it. split gpg keys look neat though!

updates

not a ton to say here, except that it rules. a couple of mouseclicks and i can upgrade every vm, though granted you need to restart your vms for the updates to take effect. i shut down my computer every night so that's not a huge ask.

plus, it'll automatically check for and alert about updates! by default it waits for you to start a vm, then runs something in the background, but it'll boot a vm for you if it hasn't been checked in a few days. all told, very slick, and very good automation for the very important security task of

✨ patching your shit ✨

networking

what i have been using in excess is their networking wizardry. as best as i can tell, the default setup is pretty simple:

my setup is a little more convoluted. first, instead of keeping my vpn and wifi configs directly in sys-net, i keep them in config data, then load them in with rc.local. this keeps sys-net and co totally stateless, which rules! it does mean i need to restart sys-net to connect to a new network, but even that could be worked around with a little effort.

then, i have a sys-vpn. this acts like sys-whonix, but pushing traffic through a vpn instead. you could also keep your vpn configs in sys-net, but that'd route sys-whonix through another network hop, and tor's already latent enough.

change 3 is very simple: i use sys-whonix as my default netvm and never route appvms through sys-firewall. this is because i have a fanatical hatred of my isp and categorically refuse to trust them with untunnelled traffic.
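for the first change (stateless sys-net), this is the kind of rc.local that does the job. it's an added example written for this post, not the author's actual script: qubes runs /rw/config/rc.local as root when an appvm starts, and the /rw/config/nm-connections directory name is my assumption for where the keyfile-format connection configs live.

```shell
#!/bin/sh
# /rw/config/rc.local for sys-net: re-create the NetworkManager connections
# from the VM's persistent /rw on every boot, so nothing has to live in /etc
# (which is reset from the template each time the VM starts).
# Assumed layout (not from the post): /rw/config/nm-connections/*.nmconnection

SRC_DIR="${NM_SRC_DIR:-/rw/config/nm-connections}"
DST_DIR="${NM_DST_DIR:-/etc/NetworkManager/system-connections}"

# Copy each keyfile-format connection into NetworkManager's directory.
# NetworkManager ignores keyfiles that are group/world readable or not owned
# by root, because they usually hold wifi PSKs or vpn credentials, so the
# permissions are enforced here rather than trusted from the source files.
# Prints the number of connections installed (0 if the source dir is empty).
install_nm_connections() {
    src="$1"; dst="$2"; count=0
    mkdir -p "$dst"
    for f in "$src"/*.nmconnection; do
        [ -f "$f" ] || continue          # glob matched nothing
        name=$(basename "$f")
        cp "$f" "$dst/$name"
        chmod 0600 "$dst/$name"
        # chown needs root; rc.local runs as root, a test harness may not
        if [ "$(id -u)" -eq 0 ]; then chown root:root "$dst/$name"; fi
        count=$((count + 1))
    done
    echo "$count"
}

# Ask NetworkManager to pick up the new keyfiles without a restart.
# Skipped when nmcli is absent, e.g. when this script is run outside sys-net.
reload_nm() {
    if command -v nmcli >/dev/null 2>&1; then
        nmcli connection reload
    fi
}

# Only do the real work when the persistent config dir exists, i.e. when
# running as the boot hook inside sys-net rather than being sourced elsewhere.
if [ -d "$SRC_DIR" ]; then
    n=$(install_nm_connections "$SRC_DIR" "$DST_DIR")
    echo "rc.local: installed $n NetworkManager connection(s)"
    reload_nm
fi
```

the same pattern works for the vpn profiles in sys-vpn; only the source directory and the netvm differ.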

that said, my own neuroses aside, qubes' approach to networking has been so seamless and straightforward that i literally haven't had to worry about it. i just configure networkmanager with the appropriate connections and… it works. i'm not sure if this is qubes working some interface magic, built into networkmanager, or some combination thereof, but however they did it, it works incredibly well.

conclusion

technologically, nothing qubes does is that new. it's a slick wrapper around the xen hypervisor, sure, but it'd be entirely possible to set up all the same stuff on linux with qemu. it'd just be a pain in the ass.

qubes' magic isn't in any truly new tech, it's that they've already written all the fiddly little wrapper scripts and packaged them up in a reasonably nice ui, with conventions that make sense and integrate cleanly into other things.

so, instead of having to manually organize vms and queue updates and handle snapshots and arrange networks, instead of being driven to minimize the number and usage of vms to minimize the hassle, instead of weighing "is it really worth waiting five minutes just to open this pdf", you just… easily do the secure thing.

qubes calls itself "reasonably secure", but what it really does is make security reasonably easy.

✨ and that's fucking awesome. ✨