Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

About this Kicksecure-Qubes Security Page Contributor maintained wiki page.
Support Status	stable
Difficulty	easy
Contributor	torjunkie
Support	Support

List of actionable items can help to improve security on QubesOS.

Introduction[edit]

The following list of actionable items can help to improve security on the Qubes platform, and by extension Kicksecure-Qubes users. It is advised to regularly consult either Qubes forums or preferably the JavaScript-free option The Mail Archive.

Additional channels exist for the latest security news and advice.

Security Domain[edit]

GPG and Software Packages[edit]

• Always keep the system up-to-date in dom0, templates and standalones.
  • Prefer the Qubes Update tool or its command-line equivalent for updates. ^{[1] [2] [3]}
• Check gpg is enabled in config files (gpgcheck=1) if new Fedora repositories are installed.
• New repositories should be considered less trusted -- it is safest to keep them separate from Templates that feed more sensitive VMs.
• Safely import new signing keys by checking it is the same from multiple sources.
• Untrusted or unverifiable programs should be installed in Standalone VMs or less trusted, cloned templates.

Hardware / Hardware Settings[edit]

• Enable VT-d/IOMMU via BIOS to have DMA protection, ^[4] effective network isolation and the ability to assign PCIe devices to a HVM. Check it is running via dom0 (qubes-hcl-report). ^[5]
• Ensure Intel VT-x or AMD-V is available, since it is required for running HVM domains.
• Prepare and utilize a USB qube to protect against side-channel attacks. ^{[6] [7] [8]}
• Use a Nitrokey to enhance the security of Qubes user authentication, mitigate the risk of password snooping and to improve USB keyboard security.
• Prefer Intel Integrated Graphics Processing (IGP) units for greater system stability and security. ^[9]
• Ensure computer hardware meets all other Kicksecure-Qubes requirements for the best security, functionality and future compatibility with Qubes 4.X releases. ^{[7] [10]}
• To reduce the range of potential dom0 attacks, advanced users can consider:
  • Configuring (not an official instructions link) the experimental GUI domain; ^{[11] [12]} and/or
  • Setting up an AudioVM. ^{[13] [14]}

ISO and Qubes Version[edit]

• Verify the authenticity and integrity of the Qubes iso download. ^{[15] [16]}

Protecting User Data and Activities[edit]

• For maximum physical security of Qubes OS, select the disk encryption option during installation. ^[7]
  • If encrypted AppVMs are used, consider installation without a swap file in order to avoid situations in which sensitive information is left there.
• For critical user data, protect against unintentional leaks by setting an empty NetVM field (set to "none") for the corresponding qube.
  • To protect against "intentional sniffing", ^[17] pause or shut down all VMs except the target VM where sensitive operations are being performed (such as key generation). ^[18]
• Do not forget that any files or changes to an App Qube's /home, /usr/local and /rw/config directories will persist across reboots; any sensitive material should be stored safely in non-networked VMs.
• Observe the security context of colored windows borders in Qubes before running applications or manipulating data.
• If paying in cryptocurrencies:
  • Consider utilizing a “split” bitcoin wallet which creates an offline “cold storage” wallet and an online “watching only” wallet. A blanket recommendation is impossible regarding which wallet should be used; see Bitcoin, Bitcoin Core and Money for further information.
  • Consider using a hardware wallet which has better security than a software wallet.
• Avoid dual / multi-boot configurations in Qubes. The other OS could modify the unprotected /boot partition or firmware to maliciously compromise Qubes and/or spy on user activities.
• Be careful when running command line operations. Refer to a suitable resource first, then proceed.
• Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
• Do not allow Kicksecure-Qubes or other VMs to completely "own" the full screen. ^[19]
• Disable previews (thumbnails) when using a file manager like Nautilus, as this is a known attack vector.
• If utilizing a SSD, consider setting up a periodic job in dom0 to trim the disk since this aids against local forensics. ^{[20] [21]}
• Use Disposabless if opening documents from external sources (such as mail attachments from unknown sources) as office and graphic formats can be infected with malware. Alternatively, they can be converted to other data formats in a Disposables before they are transferred to a productive environment; for example, using the Convert To Trusted PDF and Convert To Trusted Img functions in Qubes. ^[7]
• Utilize the Qubes U2F-Proxy (hardware token two factor authentication) for accessing sensitive websites in browsers. ^[7]
• If Windows AppVMs are in use, firewall rules should be specified that restrict access to the local network and possibly selected external addresses to block any transmission of telemetry data. Further, Windows should be installed as a combination of TemplateVM and dependent AppVMs and not as standalone VMs because this ensures a secure separation between system and user data. ^[7]
• For AppVMs containing sensitive information, consider encrypting the private volume. ^[7]
  • Windows AppVMs: use BitLocker or tools like VeraCrypt to encrypt device D:.
  • Linux-based AppVMs: use LUKS/dm-crypt encryption for the /rw directory (including /home and /usr/local).
  • Do not leave the system unattended while an encrypted AppVM is running.
• To minimize the profiling threat posed by speakers, advanced Qubes users can disable speaker output for AppVMs by default by either: ^[22]
  • Utilizing a simple daemon (qubes-callbackd) to react to Qubes OS events (VM started etc.) with configurable commands; or
  • Configuring hotkeys (via qubes-pactl) to mute/unmute dom0 and all AppVMs.
• Advanced users can consider:
  • Setting up Suricata as an advanced intrusion detection system (IDS) and intrusion prevention system (IPS); see footnotes. ^{[23] [24] [25]}
  • Pi-hole as an additional network-level advertisement and Internet tracking blocking application; see footnotes. ^{[26] [27] [28] [29]}

Template and Other VMs[edit]

• Never run applications in templates or dom0, except updating tools or editors for configuration purposes (running applications poses security risks).
• Avoid installing additional software in dom0. ^{[7] [30]}
• Templates should never be directly connected to the Internet such as sys-firewall. Instead, the dedicated NetVM should be specified as none.
  • Any template software installations should only use the dedicated update host, using the predefined proxyVM for updating (usually sys-whonix or sys-firewall). ^[7]
  • Install updates and patches for templates or dom0 as quickly as possible after they become available. If certain patches are deemed risky, then first clone the affected template/s and install the patches there to test them for full functionality. ^[7]
• Avoid installation of non-standard software in templates. ^[7]
  • Certain software like the Zoom client or the Google Chrome browser are not available as packages in the standard repositories of Linux distributions, and therefore must be downloaded as standalone packages and installed manually.
  • If this is necessary, do not connect a sensitive template to the Internet. Instead, download the software package/s into an AppVM and copy it to the template for installation, or create a less-trusted copy of the TemplateVM which is used for the application/s in question.
  • Do not install these packages into templates which affect security-critical service VMs like sys-net, sys-firewall and sys-usb.
• Do not configure Kicksecure as a Standalone VM. ^{[31] [32]}
• Consider creating separate, specialized minimal Templates for distinct App Qube clearnet activities (like browsing) to reduce the attack surface. ^{[33] [34]}
• Avoid configuring network traffic between two qubes for security reasons.
• The firewall VM for AppVMs must be configured to be as restrictive as possible, including which addresses an AppVM can connect to. This includes limited additional rules for incoming connections, if required. ^[7]
• For AppVMs that should not be given network access, the network VM must be specified as none. ^[7]
• Consider replacing passwordless root access with a dom0 user prompt. ^[35]
• Consider leveraging the non-persistence of Qubes' templates to fend off malware by locking-down, quarantining and checking the contents of /rw private storage. ^{[36] [37]}
  • vm-boot-protect-root: suitable for service VMs like sys-usb and sys-net, as well as App Qubes such as untrusted, personal, banking, vault and so. ^[38]
  • vm-boot-protect: suitable for virtually any Debian or Fedora VM, such as Kicksecure VMs, Standalone VMs and Disposable VMs.
  • Non-Linux VMs are currently unsupported for both modes.
• Consider split dm-crypt to isolate device-mapper based secondary storage encryption (not the root filesystem) and LUKS header processing to Disposables.
• Consider running sys-net, sys-firewall and sys-usb as Static Disposables.
• Consider setting dom0 and all Templates to update over Tor by configuring this option on Qubes' first boot. ^{[39] [40]}
• Prevent qubes which normally connect to clearnet from downloading repository metadata; see footnotes. ^{[41] [42]}
  • Disable the "Check for qube updates by default" option in Qube Manager Global settings: Qube Manager → System → Global settings → Uncheck Check for qube updates by default; and
  • Disable the qubes-update-check service for relevant Templates: Qubes Manager → Right-click Template → Qubes settings → Services → Uncheck qubes-update-check. ^[43]
• Disable cups in all Templates as well as in Standalones that have been created; see footnotes. ^{[44] [45]}
• If operating system templates are installed that are not officially supported such as Android or ReactOS, they should be treated as less trusted. No security-critical actions should be performed in them or associated AppVMs, such as file exchange with other VMs. ^[7]

Footnotes[edit]

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!