Qubes OS Evaluation Notes

on Chris Martin's Blog

Last weekend I tried out Qubes OS (4.0 RC3).

I was drawn to it by the promise of having both work and personal activities on the same hardware (yet still compartmentalized), i.e. not carrying two laptops around anymore; also by the security benefit of separating activities into "high-trust" and "low-trust" execution environments with different access to network and hardware, while still hopefully having an integrated, usable system.

I decided to start with 7 domains as follows:

| Name          | Color  | Purpose                          | Notes/Restrictions               |
|---------------+--------+----------------------------------+----------------------------------|
| untrusted     | Orange | Insensitive browsing/experiments |                                  |
| projects      | Gray   | Software projects                | Persistent VM for dev work       |
| web           | Green  | Credentialed internet use etc.   | Browse with usual caution        |
| work          | Yellow | Work for employer                |                                  |
| work-vault    | Black  | Work secrets and sensitive files | Net access only for syncing      |
| private       | Blue   | Comms apps, notes, photos        | Cautious browsing only as needed |
| vault         | Black  | Secrets, keys, sensitive files   | No net access, minimal software? |

The Good

Overall I was impressed by how nice the UI was, given the goals of the project. The extended desktop metaphor, with border colors indicating domain, does work. The "app launcher" has an extra layer to navigate through ("Which domain would you like that in?") but this was OK. I already use XFCE at work so that didn't require adjustment.

  • Copy-paste and file transfer between domains works as advertised
  • I got rid of the default Fedora 25 AppVMs and used Debian 9 instead
  • Attaching PCI and USB devices to a domain works (including laptop integrated camera/mic), and WebRTC videoconferencing seems to work fine
  • You do need a lot of RAM; a domain with one browser tab open uses about 3.5 GB on default settings
  • Hardware support for my ThinkPad T450s was great (all the ports worked, even better than the HCL promised)

The Less Good

I put the project away for a week and came back to it this morning. Decided to not move forward and migrate my whole life to Qubes.

  • Wasn't looking forward to managing editor and browser configuration across 3+ domains. I make a lot of tweaks to my browser to make it more secure, private, and productive. Could try to sync this state across domains but this opens a path for data and code to move between trust levels, negating some of the benefit of Qubes.
  • It would take all weekend to migrate my personal and work environments into 7 domains, tweak preferences, etc.
  • The one broken USB thing I found: my dmcrypt+LUKS-encrypted external HDD wasn't recognized by a Debian 9 AppVM for some reason. Didn't spend long troubleshooting, may not have been a USB issue.
  • No hardware accelerated graphics, which makes things like Ctrl+drag in Google Maps satellite view laggy.
  • Burden of doing regular updates in more places (dom0, template VMs, and restarting AppVMs), which could ultimately make my environment less secure if I fall behind.

Conclusion

Right now, I don't really have activities sensitive enough to make this additional complexity of running a Qubes system worthwhile (e.g., work for my employer isn't especially sensitive, and most of the code that I write is released publicly anyhow).

I'm still glad that I tried Qubes. I'm glad it is there for those who need it, which could be any or all of us someday.


Comments

Thanks for sharing, Chris. I've been meaning to try it out. Maybe somebody will solve some of the usability issues as the community grows.