Qubes OS | My Experience So Far
24 Jul 2014
About three weeks ago I moved from Fedora 20 to Qubes OS, and so far the best way to describe it is as a bumpy road surrounded by four-foot-thick concrete walls. If you've read all about Qubes already, skip on down to the next section.
If you're new to Qubes, it's an operating system with a very intense focus on security. It runs a Xen hypervisor with multiple instances of Fedora 20 virtualized on top of it. In (more or less) plain English, it runs multiple instances of Fedora in virtual machines. What this allows you to do is isolate the various components of your digital life, since a program running in one instance of Fedora won't have access to programs or files in another instance (except over the network, or through an unknown/unlikely Xen exploit). This also means that if one instance gets compromised, the damage is limited to that instance.
Each of these instances within Qubes is called a 'domain', and to the user the interaction between domains is almost seamless. That is to say, it looks like a regular desktop, but each window is color-coded according to the domain it belongs to. For example, two of my domains are called Email and Browsing. My Browsing domain runs Firefox, and nothing else, and is color-coded orange. My Email domain runs Thunderbird, and is color-coded blue. Because these are separated, if my browser gets compromised my email will be unaffected, and vice versa; for all intents and purposes these are two different computers. You can run as many domains as you want. In fact, I have a total of eleven.
Each domain is based on a template version of Fedora. If you modify this template, all the domains based on it will also see that change. The benefit to this is that a) it reduces disk space, and b) everything outside the home directory within a domain is wiped after the domain shuts down. This means that if you, or an attacker, somehow modify a file that isn't in your home directory, that change is completely wiped after you close the domain. Of course, if you want a domain to run on its own and have those changes persist, you can do that too by simply checking the Standalone option when creating the domain.
Qubes also lets you do some fancy networking tricks, such as running a proxy that routes everything behind it through Tor. For example, my Email domain forces all traffic through another Tor-proxy domain. On top of this, I have firewalled the Email domain to block all traffic that isn't going to my mail server. The major benefit to running Tor this way is that it makes deanonymization attacks significantly more difficult, as all traffic, whether it's Firefox, SSH, telnet, or LibreOffice, is routed through Tor.
Overall, the design of Qubes lets you tune your desktop set-up so finely that you hit 11 on the paranoia scale, which in my book is a good place to be.
What I've Liked So Far
There are three things about Qubes that I absolutely love, other than the overall security. The first is the Tor proxy I talked about earlier. Being able to route everything through Tor without worrying about Pidgin leaking data, or deanonymization exploits in the browser, is fantastic and makes life so much simpler. The stream isolation policy that the Tor software for Qubes uses also separates streams based on each individual address you're connecting to. This means you don't have to worry as much about your email login being correlated with your anonymous browsing session.
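As an added illustration (not from the original post, and not the torrc that the Qubes Tor proxy itself ships), this is how Tor's own configuration expresses the per-destination stream isolation described above; the listen address and port numbers are assumptions.

```text
## Constructed example torrc for a transparent Tor proxy domain.
## Assumed: the proxy domain listens on 10.137.255.254 for the
## domains behind it (e.g. Email). Not the Qubes TorVM configuration.

## Weak: a plain transparent port. Connections from every downstream
## domain (mail login, anonymous browsing, SSH) may share one circuit,
## so a single exit relay can see, and link, all of them.
# TransPort 10.137.255.254:9040
# DNSPort   10.137.255.254:53

## Stronger: isolation flags. IsolateDestAddr puts connections to
## different destination hosts on different circuits, so the mail
## server and the browsing sites are never handled by the same exit.
## IsolateDestPort additionally separates e.g. IMAPS (993) from
## HTTPS (443) to the same host.
TransPort 10.137.255.254:9040 IsolateDestAddr IsolateDestPort
DNSPort   10.137.255.254:53   IsolateDestAddr

## Needed for .onion names over the transparent port: resolve them to
## addresses in a private range that Tor maps back to the service.
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1

## A SOCKS listener for applications that speak SOCKS directly.
## IsolateSOCKSAuth is on by default, so a client can also request
## its own circuit per username/password pair (as Tor Browser does
## per first-party site).
SocksPort 10.137.255.254:9050 IsolateDestAddr IsolateDestPort
```

Isolation is not free: every distinct destination gets its own circuit, so a domain that talks to many hosts builds many circuits and sees more latency, which is the trade-off behind the "everything through Tor" convenience.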
The second thing I've enjoyed is making air-gaps (computers that never connect to the internet). These are made by simply not assigning a network interface to a domain. Of course, this is more of a poor-man's air-gap and isn't as secure as a physical one, but for anyone who's not Glenn Greenwald it should be sufficient. The only way for the non-networked domain to be compromised is again by using a Xen 0-day, something that no government agency will waste on anyone who's not Hamas. It's a great way to generate and store master PGP signing keys, important passwords, sensitive files, or whatever else you want to protect. Personally, I don't have a threat level nearly high enough to justify buying a second set of hardware to make a real, physical air-gap, but the convenience of throwing a non-networked domain on Qubes strikes a great balance for my own needs.
The last thing about Qubes that stands out to me is the ease of creating backups. Because each domain runs on top of a hypervisor, creating encrypted backups is dead simple. You just have to close the VM, open a menu, and within one minute it's chugging away, creating an exact copy of the entire domain. The icing on the cake is that you can restore these domains on any computer running Qubes, regardless of hardware. This makes cloning between your laptop and desktop absolutely trivial. In fact, after setting up eleven domains on my desktop, it took me less than an hour to have a complete duplicate on my laptop as well.
The Not So Fun Stuff...
Qubes is still pretty early days, and definitely isn't all smiles and sunshine yet. There are a few bugs here and there, as well as some clunky components that just aren't possible to fix. In terms of bugs, perhaps the most annoying one is when domains don't start up properly. This was especially a problem on my laptop. Often it would take two to four restarts before the domain was actually functioning. This was especially annoying on my firewall domain, as any other domain that wants network access relies on it starting first. On my desktop this wasn't as much of an issue, simply because I leave it running 24/7, so once a domain was running properly, it stayed running properly. But on a laptop which gets shut down and rebooted multiple times a day this proved to be enough of an annoyance to make me reinstall Fedora. There were a few other small bugs here and there, but they weren't very significant.
The next issue I have with Qubes is the clunkiness of moving files or clipboard contents between domains. To be honest, this is a difficult thing to complain about, because if it were any less clunky it would cease to be secure, and there's no way to really fix this. But it's something that anyone considering running Qubes should know about. Moving files or clipboard items between domains takes two extra steps each time. This doesn't sound like much at first, but after a while it proves to be a bit of a thorn in the side. Again, I am still running Qubes on my desktop, where performing those extra steps is quick and easy with a full mouse and keyboard, but on a small laptop where you just want to get something done quickly, it just wasn't worth it for me.
But That's It
Despite those two complaints, one of which is unsolvable, I have to say Qubes has been a great experience thus far. The ability to finely tune your desktop for the utmost security through isolation, to transparently route traffic through Tor, to create pseudo-air-gaps, and to easily perform backups and restore them to different hardware all prove to be fantastic features. On a 2600K with 16GB RAM and an SSD, Qubes runs smoothly without the annoying delays you might expect from such heavy virtualization. Of course, you won't be running Steam on it, but for anyone who's interested in upping the security of their system, it's worth dipping your toes into. Give it a shot for a week and decide for yourself whether the convenience/security trade-off is worth it to you. Just note that Qubes should be run on bare metal; it won't work well, if at all, inside VirtualBox.