So if you work in the Security space or you are just paranoid about Security then you may have heard about the operating system called “QUBES-OS“. It has been under development for some time with various versions being released frequently. Well a while back version 3.0 was released. This bought some new enhancements and wanted features. As I was paying with on, I realized that there is probably quite a few of you that have never heard of it at all so I wanted to explain what it is.
So firstly what is Qubes?
On their website is states: “Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer.”
So what does that actually mean?
Once again their website states the following “Qubes allows you to separate the various parts of your digital life into securely isolated virtual machines (VMs). A VM is basically a simulated computer with its own OS which runs as software on your physical computer. You can think of a VM as a computer within a computer. This allows you to have, for example, one VM for visiting untrusted websites and a different VM for doing online banking. This way, if your untrusted browsing VM get compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about risky email attachments, Qubes can make it so that every attachment gets opened in its own single-use, disposable VM.
In general, Qubes takes an approach called security by isolation, which in this context means keeping the things you do on your computer securely isolated in different VMs so that one VM getting compromised won’t affect the others. This allows you to do everything on a single physical computer without having to worry about one successful cyber attack taking down your entire digital life in one fell swoop.“.
The image below explains it visually what the Qubes is doing. The image is from their website: https://www.qubes-os.org/attachment/wiki/QubesArchitecture/qubes-arch-diagram-1.png
If this is the first time you have heard of this, then surely you are intrigued. I was so I set about installing and playing a few versions ago. Since then changes have been made and I thought it was time to update my laptop to run version 3.0.
To begin use the following link to download the ISO image and either burn it to a USB or a DVD for installation. Even though you can set it up on a VM, due to it using Virtualization you would need to use something like VMWare, and tell it you are creating an ESXi Virtual Machine which would allow nested Virtualization.
I decided to use a Lenovo laptop and booted from a DVD. As soon as it starts you are presented with the installation wizard.
Click “Install Qubes” to continue, after which we choose the language.
Once the language is chosen, next it will validate your hardware and setup and requires you to configure the hard disk.
Clicking on the “System” link will allow you to choose the hard disk to use and also how you wish to partition it out. I used the defaults.
Once everything is set for the disk, you are then able to continue where you then set the “Disk Encryption” passphrase which is required each time you boot into the Operating System.
Finally, everything is checked and your screen should then look like this with the “Begin Installation” button available.
The installation can take some time depending on the specification of the hardware you are using. For this example, I created a Virtual Machine, with 4 cores and 8 GB RAM, with a 100GB of disk allocated to it, running on top of an iMac. It took sometime but wasn’t as long as it could have taken. Once it is completed you simply click the reboot button.
After rebooting, entering the “GRUB” menu and choosing Qubes or just leaving it to boot, you are then prompted with for the Encryption Password.
Next we need to complete the final configuration for the basic setup.
First we create a user account for access, notice there is no root, you should have seen the message at install saying it was disabled.
We then need to set the time zone.
Finally, the most important step, choosing what kind of setup with wish to have. This gives us three options, creating all the default Virtual Machines, that map to some standard zones like work and personal etc. You could just create the default core service Virtual Machines which will consist of a couple of Firewall Virtual Machines and that’s it.
For this example, I chose the second option.
Once it completed, I then rebooted so everything was clean and then logged back in.
Once loaded the “Qubes VM Manager” is displayed allowing some control as needed.
As you can see we now have three Virtual Machines, “dom0” is the core system, “sys-net” is the VM that controls network and internet access, and then “sys-firewall” that as the name states, is the core Firewall for all Virtual Machines.
So now the question is what can we do with it?
On the left you will also see a start menu icon that when clicked allows access to specific Virtual Machine programs or just simple starting of them. Accessing the menu right now displays the following:
If we click to expand the “DisposableVM” option, we have the ability to launch a secure internet browser.
Upon clicking the option, a Virtual Machine will be started and then the Browser will be presented. Notice the “disp2” Virtual Machine that just appeared.
Once the Virtual Machine is loaded and running in the background the Brower loads.
This specific browser is isolated from anything else and stores nothing. Now I could use the browser of a different Virtual Machine is I had one. So let’s create a new Virtual Machine.
To do this we need to click the icon in the Virtual Machine Manager for a new VM. A window loads and asked us form basic details. For using applications, we would define it as an “AppVM“, we could create a “Windows 7” Virtual Machine. Which we would actually create as an “HVM” type, in the next post we will do this.
I chose the following settings, with my label being green so I know which window is which.
Clicking the “OK” button will start the creation and running process.
Once complete you should see a new Virtual Machine listed called “user-internet“.
Now going back to the start menu, it should now be listed and we can access applications from, within the Virtual Machine.
Clicking the “Web Browser” link will then launch another browser session that does not cross with the other one. Again everything is isolated to it’s parent container.
As you can see we now have isolated Virtual Machines running, with other applications loaded form each. The ultimate security design, where everything is disconnected from each other. Lastly we can add other applications that are in the new “user-internet” Virtual Machine too. We simply choose the “Add more shortcuts” link.
Once clicked we get the list of all applications that are available. Notice we can add “LibreOffice” as an application.
All we have to do is select what we need, add it to the right and then the VM will refresh allowing these applications to be available from the men
Now clicking the menu link will open an isolated application from the LibreOffice suite.
Selecting the “Spreadsheet” option launches the application in isolation.
So as you can see this is not the easiest operating system to use, but is very secure as everything isolated from each other. Overall I love using it, and the real power comes when you create Virtual Machines, specifically for “Tor” and “Windows” applications. In the next post we will look at creating other Virtual Machines, such as a “Tor” and “Windows” one.