@WhoNext Hello, I will post new information if it becomes available.
Yes, all my sys-vms are disposable and I try to make all virtual machines which by their very nature allow it disposable.
I’m no expert, and I think Qubes is perfectly secure, but I’m not a proponent of putting all reliability on Qubes and Xen. I don’t have any serious enemies, it’s more like a hobby for me. Kicksecure in this case is like the cherry on the cake. I think it’s better to try to prevent DispVM infection than to rely on the fact that it’s only disposable. Kicksecure is the future of security for Linux and maybe even Unix systems, while Whonix is the last resort for free speech and anonymity.
Kicksecure is completely free and by installing it you don’t sacrifice anything except a bit of disk space, ~200 mb per template and you might need to add quite some RAM to your AppVM or sys-vms for 50 or 100 mb, but I haven’t had to.
I’ve been using Kicksecure’s minimal templates for quite some time and it works fine. If you are worried about Kicksecure causing any problems or increasing the attack surface then you have nothing to worry about, the only problem I encountered was with Snapd, but this is not a problem specific to Kicksecure, it was a problem with qubes-snapd-helper itself because you had to uninstall and reinstall snapd and qubes-snapd-helper in the AppVM of your Snap template, but Kicksecure for some reason would not let me do apt update and apt install, although the internet connection was working fine and I could do wget and scurl. As for the attack surface, based on the information on the forums it doesn’t increase with the installation of Kicksecure or it increases a bit but I don’t really understand it, but anyway even so Kicksecure increases security a lot more.
/////////////////////
To create Kicksecure based on Debian-11 follow these steps:
- Install a Debian template or clone an existing one and rename it to kicksecure-16:
[user@dom0 ~]$ qvm-template install debian-11
[user@dom0 ~]$ qvm-clone debian-11 kicksecure-16
- Install Kicksecure on the kicksecure-16 template following the instructions linked to Qubes at Install Kicksecure ™ inside Debian.
- Complete the template and reassign it for your sys-vms or the one-off template on which the sys-vms are based to kicksecure-16, restart your computer or templates. Done.
[user@dom0 ~]$ qvm-shutdown --wait kicksecure-16
// If you don’t use disposable sys-vms then:
[user@dom0 ~]$ qvm-prefs sys-usb template kicksecure-16
[user@dom0 ~]$ qvm-prefs sys-net template kicksecure-16
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksecure-16
// WARNING If your sys-vms are not single-use then this can break them, follow the instructions on how to create single-use sys-vms: Disposable customization | Qubes OS
// For disposable sys-vms:
[user@dom0 ~]$ qvm-create --class AppVM --template kicksecure-16 --label red kicksec-16-dvm
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm template_for_dispvms true
[user@dom0 ~]$ qvm-prefs sys-usb template kicksec-16-dvm
[user@dom0 ~]$ qvm-prefs sys-net template kicksec-16-dvm
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksec-16-dvm
///////////////////
To create Kicksecure based on Debian-11-Minimal follow these steps:
- Install the Debian Minimal template or clone an existing one and rename it to kicksecure-16-minimal:
[user@dom0 ~]$ qvm-template install debian-11-minimal
[user@dom0 ~]$ qvm-clone debian-11-minimal kicksecure-16-minimal
- Install Kicksecure on kicksecure-16-minimal following the instructions linked to Qubes at Install Kicksecure ™ inside Debian.
- Complete the template and clone it for each of your sys-vms:
[user@dom0 ~]$ qvm-shutdown --wait kicksecure-16-minimal
[user@dom0 ~]$ qvm-clone kicksecure-16-minimal kicksec-16-min-net
[user@dom0 ~]$ qvm-clone kicksecure-16-minimal kicksec-16-min-usb
[user@dom0 ~]$ qvm-clone kicksecure-16-minimal kicksec-16-min-fw
- Install the required packages for the minimal templates:
[user@dom0 ~]$ qvm-run --pass-io -u root kicksec-16-min-net "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-network-manager gnome-keyring firmware-iwlwifi -y && poweroff"
[user@dom0 ~]$ qvm-run --pass-io -u root kicksec-16-min-usb "apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus nautilus zenity gnome-keyring policykit-1 libblockdev-crypto2 ntfs-3g -y && poweroff"
[user@dom0 ~]$ qvm-run --pass-io -u root kicksec-16-min-fw "apt install --no-install-recommends qubes-core-agent-networking qubes-core-agent-dom0-updates -y && poweroff"
- Reassign the template for your sys-vms or the one-time template on which the sys-vms are based to kicksecure 16 minimal, restart your computer or templates. Done.
// If you do not use disposable sys-vms then:
[user@dom0 ~]$ qvm-prefs sys-net template kicksec-16-min-net
[user@dom0 ~]$ qvm-prefs sys-usb template kicksec-16-min-usb
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksec-16-min-fw
// WARNING If your sys-vms are not single-use then this can break them, follow the instructions on how to create single-use sys-vms: Disposable customization | Qubes OS
// For disposable sys-vms:
[user@dom0 ~]$ qvm-create --class AppVM --template kicksec-16-min-net --label red kicksec-16-dvm-net
[user@dom0 ~]$ qvm-create --class AppVM --template kicksec-16-min-usb --label red kicksec-16-dvm-usb
[user@dom0 ~]$ qvm-create --class AppVM --template kicksec-16-min-fw --label red kicksec-16-dvm-fw
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm-net template_for_dispvms true
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm-usb template_for_dispvms true
[user@dom0 ~]$ qvm-prefs kicksec-16-dvm-fw template_for_dispvms true
[user@dom0 ~]$ qvm-prefs sys-usb template kicksec-16-dvm-usb
[user@dom0 ~]$ qvm-prefs sys-net template kicksec-16-dvm-net
[user@dom0 ~]$ qvm-prefs sys-firewall template kicksec-16-dvm-fw
///////////////////
It may be too cumbersome and complicated, but most of these functions can be done very easily with the Qube Manager.
@Patrick maybe this would work for the wiki, but I don’t know how to edit it.
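
Added example, not part of the original post: a dom0 check that each disposable sys-vm really ends up on its intended Kicksecure clone after the minimal-template steps, which catches a swapped sys-net/sys-usb assignment or a disposable template left on the default template. The `QVM_PREFS` override and both function names are assumptions of this example; it also assumes `qvm-prefs` prints `True` for a set boolean property.

```shell
#!/bin/sh
# Added example: run in dom0 after reassigning the templates.
# QVM_PREFS can point at a stub for offline testing (assumption of this example).
: "${QVM_PREFS:=qvm-prefs}"

# check_sysvm SYSVM DVM TEMPLATE
# Passes only if SYSVM is based on DVM, DVM is flagged as a disposable
# template, and DVM itself is based on TEMPLATE (the Kicksecure clone).
check_sysvm() {
    vm=$1; want_dvm=$2; want_tpl=$3
    got_dvm=$("$QVM_PREFS" "$vm" template) || return 2
    if [ "$got_dvm" != "$want_dvm" ]; then
        echo "FAIL $vm: based on '$got_dvm', expected '$want_dvm'"
        return 1
    fi
    # Assumed output format: qvm-prefs prints "True" for a set boolean.
    flag=$("$QVM_PREFS" "$got_dvm" template_for_dispvms) || return 2
    if [ "$flag" != "True" ]; then
        echo "FAIL $got_dvm: template_for_dispvms is '$flag'"
        return 1
    fi
    got_tpl=$("$QVM_PREFS" "$got_dvm" template) || return 2
    if [ "$got_tpl" != "$want_tpl" ]; then
        echo "FAIL $got_dvm: based on '$got_tpl', expected '$want_tpl'"
        return 1
    fi
    echo "OK   $vm -> $got_dvm -> $got_tpl"
}

# Qube names are the ones used in the minimal-template steps of the post.
check_all() {
    rc=0
    check_sysvm sys-net      kicksec-16-dvm-net kicksec-16-min-net || rc=1
    check_sysvm sys-usb      kicksec-16-dvm-usb kicksec-16-min-usb || rc=1
    check_sysvm sys-firewall kicksec-16-dvm-fw  kicksec-16-min-fw  || rc=1
    return $rc
}

# Usage: source this file in dom0, then run: check_all
```

A non-zero status from `check_all` means at least one sys-vm is not on the chain sys-vm -> disposable template -> Kicksecure clone.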