Qubes OS First Steps

A first few steps on Qubes OS based on my setup. You might find something useful here too.

Please note that I am not an expert user, and the steps listed here may or may not compromise your security. Always consult the reference manual (relevant sections linked below) for further reading.

4k Display Setup

DPI scaling

Dom0

Start menu -> System Tools -> Settings Manager Appearance -> Fonts

Set Custom DPI setting to the desired value. In my case, 192 (twice the original of 96.) Press enter to confirm.

In my case, the resulting desktop looks messy. Log out and back in to address this. Xfce does not seem to handle DPI changes on the fly very well.

DomUs

The following changes are applied directly to template VMs so that they can be inherited by all derived VMs.

VMs without gnome settings daemon

Add/modify the following setting with the appropriate DPI value (e.g. 192) in each of the template VM’s Xresource file (/etc/X11/Xresources for Fedora, /etc/X11/Xresources/x11-common for Debian and Whonix):

Xft.dpi: 192

VMs with gnome settings daemon

Query the default scaling values:

gsettings get org.gnome.desktop.interface scaling-factor
gsettings get org.gnome.desktop.interface text-scaling-factor

Experiment with different values for these settings. On my setup, I just double both (note that scaling-factor must be an integer):

gsettings set org.gnome.desktop.interface scaling-factor 2
gsettings set org.gnome.desktop.interface text-scaling-factor 2.0

To persist these settings, open /etc/dconf/db/local.d/dpi:

[org/gnome/desktop/interface]
scaling-factor=uint32 2
text-scaling-factor=2.0

Applying changes

Finally, to apply the changes made to the template VMs so that the derived VMs can pick them up, I stopped the derived VMs (say, personal) as well as the template (fedora-32), then restarted the derived VM.

Attaching LUKS-encrypted USB devices

Reference

In the usbVM (or dom0 if you don’t have a usbVM, although exposing the dom0 to USB devices is not as secure, decrypt the device:

sudo cryptsetup open /dev/xvdi myusb

The name myusb is an arbitrary name to map the device as. This is used in the close command below.

As soon as the device is decrypted, you should get a notification on the dom0, and the unencrypted storage device should show up under the Qubes Devices widget. Use the widget to attach the storage device to the desired target VM.

When you are done, detach the storage device from the target VM using the Qubes Devices widget. Finally, close the device by running cryptsetup again on the usbVM (or dom0):

sudo cryptsetup close myusb

UsbVM vs dom0

Handling USB devices from a usbVM is a better option than exposing the dom0 directly to those devices. A malicious USB device can compromise the dom0 and make it Game Over.

If you had a USB keyboard plugged in during the Qubes OS installation, creation of a USB qube during installation is disabled. If you can’t trust your USB devices, creating one such Qube is recommended (careful not to lock yourself out your keyboard.)

Further reading:

USB Qubes Device Handling Security USB Devices Block Devices

Getting the Librem Key to work

At this point, it doesn’t seem like you can get away without a USB qube. So we need to set that up first.

Create a USB qube

Create a USB qube:

sudo qubesctl state.sls qvm.sys-usb

If you have a USB keyboard, give yourself access to the keyboard during login:

sudo qubesctl state.sls qvm.usb-keyboard

NOTE: Failure to run the above command in a USB keyboard setup will lock you out of the system!

Finally, start the sys-usb Qube from the Qube Manager. This is only required during the session in which you run the above commands; subsequent boots will start the sys-usb Qube automatically.

Note that you will temporarily lose access to USB devices while sys-usb is booting.

If you have the Librem Key plugged into the device at this point, you should see it available under the Qubes Devices widget.

For more details, see USB Qubes.

Install required software

I will be exposing my Librem Key to my vault Qube, so we need to give that access to the device.

The vault Qube in my installation is based on the fedora-32 template. Open a terminal on the template and run (Reference):

sudo dnf install pcsc-tools opensc pcsc-lite

Then shut down the template to apply the changes. Also shut down the vault Qube if you had it running at this point. You must shut down the vault and the template it is based on for the changes to take effect.

Try it out

Boot the vault Qube and open a terminal. Use the Qubes Devices widget to attach the Librem Key to the vault Qube. On the terminal, run the following command to confirm the card is detected:

gpg --card-status