Using a 'quasi'-disposable VM for UpdateVM in Qubes

In Qubes, the dom0 is updated via an 'UpdateVM' which is responsible for downloading any new packages (since dom0 has no direct network access of its own).

Typically the UpdateVM is your sys-firewall or any other VM you've chosen (it's configurable under Global Settings via the Qubes Manager, or with qubes-prefs from command-line).


Migrating a Vagrant VM into Qubes as StandaloneVM

I had a Vagrant VM on my other laptop that I wanted to convert into a Qubes AppVM (StandaloneVM).

The disk was lazy allocated 40GB but only using about 1.3GB within the guest.

The underlying disk of the Vagrant VM was a .vmdk. A lot of guides online talk about compacting VDIs, but I had to convert my VMDK first, I couldn't compact it directly.

Here's how I got it into Qubes.


Yubikey 2FA on Qubes redux - adding a backup key

Previously I wrote about adding Yubikey 2FA authentication in Qubes (not for using Yubikey on remote sites, but on 2FA of your Qubes system itself), explaining a couple of the differences in my technique compared to the official docs (e.g I don't believe in backdooring with a password in absence of your Yubikey, especially since with a usbVM, that VM can read the password as you type it!


Verifying your key/identity on Keybase.io with Qubes and Split GPG

You are using Qubes with Split-GPG, but you want to verify your GPG key at Keybase.io, via the command-line with bash and curl (you're not storing the key on Keybase's servers).

The verification command is a curl request but includes calls to the gpg command-line client. You have two problems:

1) Your GPG VM is not connected to the network (for good reason)
2) Another VM that is connected to the network, can't use the gpg command.


Batch updating TemplateVMs in Qubes 3.0

If you are a Qubes user like me, you probably have a number of TemplateVMs which your App/USB/ProxyVMs are based off of (e.g, you aren't using the same template for all VMs, as you would otherwise develop a fair bit of irrelevant bloat across them all).

If so, you've probably discovered that keeping all those templates up to date with security updates is rather cumbersome when doing so manually.


Yubikey in Challenge Response mode with Qubes

EDIT: this is still worth/necessary reading, but see an April 2016 update where I describe further improvements, including supporting a backup key in case you've lost your first.

I bought a new Yubikey for use with Qubes, but I had some issues with the challenge-response instructions in the documentation.

That is:


'So, what is it you exactly do?' - Part three, security

This article is third in a series of long, windy answers to the inevitable 'but what exactly do you do as a sysadmin consultant?' question. I started writing this because it's hard to give a sufficient short answer.


Subscribe to RSS - qubes