in howto linux security QUBES ~ read.

QUBES OS - KNOW-HOW

Idea of that entry is to gather all needed informations for person who is considering installation of QUBES. It is a big project, so it is clear that devs can't react on all issues immediately and make easy step by step tutorial for everybody.
I planed to write that some time ago, but I wasn't able to gather all needed information and find time to write it down.

Qubes is OS for people who cares about security https://www.qubes-os.org/intro/. I installed it on my ThinkPad E560 in December. From my point of view it was really good decision as templates give me more flexibility than single OS. Last month I installed it also for my wife on her x220. I had few issues with windows 7 vm but now it works flawlessly. There are many opinions and reviews of that system around the network. You can make a google run to find one that will be best for You. Like for example:

You can find many useful information in docs section:
https://www.qubes-os.org/doc/

Hardware Compatibility List (HCL)

https://www.qubes-os.org/hcl/ It shows You which notebooks and workstations/servers are compatible with QUBES. You should also check qubes-users google group as it could be there, but not linked to main website yet.

Disks

For QUBES install You should use SSD disk, but in case that You have small ssd and bigger magnetic disk - You would like to consider that method.
https://www.qubes-os.org/doc/secondary-storage/

Templates

There is a list of distros that are prepared for QUBES to be used as templates (fedora-23, fedora-24, fedora-24-minimal, debian-8, whonix, xenial, archlinux). An other that needs few modifications like blackarch.
After installation of QUBES it is important to install fedora-24-template and set is as default instead of fedora-23. Probably that step won't be needed with new installer.
Some hints about templates: https://www.qubes-os.org/doc/software-update-vm/
In case You will make bigger changes in Your template (like removing apps) You should use qvm-trim-template template-name to shrink it to actual size.

HVMS

In case that You would like to install other distro You can install it as hardware VM. https://www.qubes-os.org/doc/hvm/ install fedora 24-template and chnage as default

Installing Windows 7

https://www.qubes-os.org/doc/windows-appvms/ In QUBES You can install Windows 7 and use Your apps in seamless gui. It works well but there are few tricks that You need to know to avoid issues during installation.
First You need to prepare iso with updates included to avoid downloading all updates (issues with disk space etc): https://www.howtogeek.com/255540/the-last-windows-7-iso-youll-ever-need-how-to-slipstream-the-convenience-rollup/

Important:

  • Working install process is described on github. Last time I had an issue with custom config (not able to boot), so I temporary changed config for all HVMs /usr/share/qubes/vm-template-hvm.xml to fix it.
  • Before installation of qubes-windows-tools You should run:
    qvm-prefs -s win_vm_name qrexec_timeout 300 as decribed here by Eva Star.
  • Instead of installing newest qubes-windows-tools You should use older version (new one is too buggy) sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools-3.2.1-3

Fullscreen

Default settings prevent any vm from using fullscreen mode, but You can change it if it is needed for some reason. https://www.qubes-os.org/doc/full-screen-mode/

Screenshots

Really useful tool for screen-shots that allow You for example to make a screen-shot and upload it to one of Your AppVms. https://github.com/evadogstar/qvm-screenshot-tool

Ubuntu Xenial template

Ubuntu template can't be included because of restrictions connected with that distro, but You can build it as template for QUBES. Easy tutorial made by reddit user free_dom0.

Signal in QUBES

If You use Signal You can have it in QUBES too: https://www.qubes-os.org/doc/signal/

Alternative firewall

Interesting idea if You would like to have light firewall replacement that use only 32 mb of ram. http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/