Qubes
Stacking secure Qubes
Enough with the waffle, we hear you cry. Fine, let’s get this Qubes thing installed and set up.
Qubes doesn’t trust USB mice and neither should you. Unless they’re yours and you need them for work.
e’ll assume you’re OK with downloading the Qubes ISO file (from www.qubes-os.org/ W downloads) and writing it to a USB stick. Before you do that, it’s worth checking your system meets Qubes’s hardware requirements (see box, as well as the more thorough www.qubes-os.org/doc/system-requirements). We’ll also assume you’re OK with booting the install medium. There’s no live environment to play around in, it just jumps straight into the installer. At the least you have to choose where and how to install Qubes (in the Installation Destination section), as well as create a user account. You might want to disable the Encrypt My Data option, if theft is not part of your threat model (or forgetting your passphrase is). The Xen hypervisor is then installed, and here you may break for tea.
All going well, you’re invited to reboot the system, then after entering the disk decryption passphrase, you are eventually greeted with… Yet more configurating. Now it is the turn of the individual qubes. By default, a combination of Fedora 40 and Whonix 17 are used for the initial qubes. You might want to change this – for example, switching out a Fedora qube for a Debian one, but we won’t. Note how paranoid Qubes is – USB keyboards and mice are not enabled by default. That doesn’t mean they won’t work, just that you have to give explicit permission if you use them. If you only have a USB keyboard, you may wish to tick the appropriate box here. We won’t cover the ins and outs of the LVM arrangement; the default works fine. Once the installation begins in earnest, we’d recommend a very large mug of tea. It takes a while to provision all of these VMs.