Qubes OS First Steps
A first few steps on Qubes OS based on my setup. You might find something useful here too.
Please note that I am not an expert user, and the steps listed here may or may not compromise your security. Always consult the reference manual (relevant sections linked below) for further reading.
4k Display Setup
Start menu -> System Tools -> Settings Manager -> Appearance -> Fonts
Set the Custom DPI setting to the desired value. In my case, 192 (twice the original of 96). Press Enter to confirm.
In my case, the resulting desktop looks messy. Log out and back in to address this. Xfce does not seem to handle DPI changes on the fly very well.
The following changes are applied directly to template VMs so that they can be inherited by all derived VMs.
VMs without gnome settings daemon
Add/modify the following setting with the appropriate DPI value (192) in each template VM's Xresources file (/etc/X11/Xresources for Fedora, /etc/X11/Xresources/x11-common for Debian and Whonix):
VMs with gnome settings daemon
Query the default scaling values:
gsettings get org.gnome.desktop.interface scaling-factor
gsettings get org.gnome.desktop.interface text-scaling-factor
Experiment with different values for these settings. On my setup, I just double both (note that scaling-factor must be an
gsettings set org.gnome.desktop.interface scaling-factor 2
gsettings set org.gnome.desktop.interface text-scaling-factor 2.0
To persist these settings, open
[org/gnome/desktop/interface]
scaling-factor=uint32 2
text-scaling-factor=2.0
Finally, to apply the changes made to the template VMs so that the derived VMs can pick them up, I stopped the derived VMs (say, personal) as well as the template, then restarted the derived VM.
Attaching LUKS-encrypted USB devices
In the usbVM (or dom0 if you don't have a usbVM, although exposing the dom0 to USB devices is not as secure), decrypt the device:
sudo cryptsetup open /dev/xvdi myusb
myusb is an arbitrary name to map the device as. This is used in the close command below.
As soon as the device is decrypted, you should get a notification on the dom0, and the unencrypted storage device should show up under the Qubes Devices widget. Use the widget to attach the storage device to the desired target VM.
When you are done, detach the storage device from the target VM using the Qubes Devices widget. Finally, close the device by running cryptsetup again on the usbVM (or dom0):
sudo cryptsetup close myusb
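The open and close steps above, wrapped with pre-flight checks, as an added example that is not part of the original post. The function names are hypothetical; the sketch assumes it runs in the usbVM with dmsetup installed, uses the page's /dev/xvdi and myusb values, and treats any non-zero device-mapper open count as "still attached somewhere".

```sh
#!/bin/sh
# Added example: guarded wrappers around the page's cryptsetup open/close steps.
# Usage in the usbVM:  . ./luks-usb.sh   (hypothetical file name)
#                      luks_open /dev/xvdi myusb
#                      luks_close myusb

is_block_dev()   { [ -b "$1" ]; }
mapping_exists() { [ -e "/dev/mapper/$1" ]; }

# Number of holders that currently have the mapping open, whitespace stripped.
mapping_open_count() {
    sudo dmsetup info -c --noheadings -o open "$1" | tr -d ' '
}

luks_open() {
    dev=$1; name=$2
    is_block_dev "$dev" || { echo "not a block device: $dev" >&2; return 2; }
    # isLuks exits 0 only when the device carries a LUKS header.
    sudo cryptsetup isLuks "$dev" || { echo "no LUKS header on $dev" >&2; return 3; }
    if mapping_exists "$name"; then
        echo "mapping '$name' already exists, pick another name" >&2
        return 4
    fi
    sudo cryptsetup open "$dev" "$name"
}

luks_close() {
    name=$1
    mapping_exists "$name" || { echo "no mapping named '$name'" >&2; return 4; }
    count=$(mapping_open_count "$name")
    # Fail closed: anything other than exactly "0" means do not close yet.
    if [ "$count" != 0 ]; then
        echo "'$name' is still in use; detach it from the target VM first" >&2
        return 5
    fi
    sudo cryptsetup close "$name"
}
```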
UsbVM vs dom0
Handling USB devices from a usbVM is a better option than exposing the dom0 directly to those devices. A malicious USB device can compromise the dom0 and make it Game Over.
If you had a USB keyboard plugged in during the Qubes OS installation, creation of a USB qube during installation is disabled. If you can't trust your USB devices, creating one such Qube is recommended (careful not to lock yourself out of your keyboard).
USB Qubes, Device Handling Security, USB Devices, Block Devices
Getting the Librem Key to work
At this point, it doesn’t seem like you can get away without a USB qube. So we need to set that up first.
Create a USB qube
Create a USB qube:
sudo qubesctl state.sls qvm.sys-usb
If you have a USB keyboard, give yourself access to the keyboard during login:
sudo qubesctl state.sls qvm.usb-keyboard
NOTE: Failure to run the above command in a USB keyboard setup will lock you out of the system!
Finally, start the sys-usb Qube from the Qube Manager. This is only required during the session in which you run the above commands; subsequent boots will start the sys-usb Qube automatically.
Note that you will temporarily lose access to USB devices while sys-usb is booting.
If you have the Librem Key plugged into the device at this point, you should see it available under the Qubes Devices widget.
For more details, see USB Qubes.
Install required software
I will be exposing my Librem Key to my vault Qube, so we need to give that Qube access to the device.
The vault Qube in my installation is based on the fedora-32 template. Open a terminal on the template and run
sudo dnf install pcsc-tools opensc pcsc-lite
Then shut down the template to apply the changes. Also shut down the vault Qube if you had it running at this point. You must shut down the vault and the template it is based on for the changes to take effect.
Try it out
Start the vault Qube and open a terminal. Use the Qubes Devices widget to attach the Librem Key to the vault Qube. On the terminal, run the following command to confirm the card is detected: