Commit a9c99108 authored by Clark's avatar Clark
Browse files

Beginning a migration to Qubes OS

parent 9b8f7423
# -*- org-confirm-babel-evaluate: nil -*-
#+TITLE: Workstation
#+TAGS: :blog:guides:nextcloud:desktop:debian:xfce:git:emacs:vmware:python:jupyter:
#+TITLE: Qubes OS Workstation
#+SUBTITLE: Distrust the Infrastructure
#+PROPERTY: header-args :cache yes
This post describes how to bootstrap a general purpose desktop machine running Debian 10.
This post describes how to bootstrap my laptop running Qubes OS, a reasonably secure operating system.
Qubes OS features strong isolation using the Xen Project hypervisor to deploy virtual machines (VMs) for everything. This allows a user to isolate some applications (run inside AppVMs) entirely from the network device, while permitting other AppVMs network access, for example. The network stack itself is hosted in a VM. The user could also create a ProxyVM to route network traffic through a VPN or Tor, which would be enforced on an AppVM basis.
A gentle introduction is provided [[][here]], with a lot of detailed docs [[][here]]. Follow is how /I/ bootstrapped my Lenovo P51 laptop with Qubes OS.
* TODO Digital signatures and key verification
I'll use a USB drive to flash the Qubes OS ISO image to my UEFI. This requires exposing my laptop to: 1) the Qubes OS ISO, and 2) the USB drive. I do not trust the [SanDisk] USB drive, since I did not write the firmware. Thus, I am accepting this risk.
To establish trust in the ISO image, I'm following the procedure documented [[][here]]. I'm installing Qubes OS, release 4.0.3.
First get the Qubes OS Master Signing Key using =gpg2=.
sudo gpg2 --fetch-keys
Edit the key and trust it ultimately, after verifying the signature. These steps are critical, as it serves to establish the root of trust for the entire OS. I recommend following the procedure provided in the official documentation, including validating the fingerprint against several sources (Qubes OS website, Github repo, Google forums). The commands necessary to ultimately trust the key are as follows.
sudo gpg2 --edit-key 0x36879494
gpg> fpr
gpg> trust
gpg> 5
gpg> y
Get the Release Signing Key and validate that the signature includes the Qubes Master Signing Key (trusted above).
sudo gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys && \
sudo gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
Download and verify the Qubes OS R4.0.3 ISO.
wget && \
wget && \
sudo gpg2 -v --verify Qubes-R4.0.3-x86_64.iso.asc Qubes-R4.0.3-x86_64.iso
Finally, write the ISO to the USB disk. In this case, my USB is mounted to =/dev/sda=. You may need to change this depending on how you mount your USB.
# First I format the disk and ensure all bits are zero
sudo dd if=/dev/zero of=/dev/sda status=progress
Then flash the ISO to the USB.
sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sda status=progress
* Debian 10 Images
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment