-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On Thu, 31 Jan 2019 19:12:09 +0100 Zrubi <m...@zrubi.hu> wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA256 > >On 1/31/19 3:32 PM, unman wrote: >> I know many people using Qubes 4 with 12GB and HDD, without >> issues. SSD is better, but not a must. > >Technically you are right. > >In practice, the user experience (HDD vs SSD) is not even comparable. >The price difference is is also not an issue, totally worth it. > >I would say: today, a newly built desktop PC without SSD is a bad >decision. Even if running a conventional OS. > Obviously, we are dealing with competing needs here. The overall need for security AND the need for "speed". Obviously, Qubes is a fairly resource intensive approach to security, which is acceptable as far as I'm concerned. I am still using Qubes 3.2 for now. I have a mixed machine...Lenovo T520 (coreboot...ME disabled...one of the last ones where this is easy), 160G SSD 2TB HDD, 16GB Ram. It works quite well. I'm about to move to Qubes 4... The SSD is encrypted and boot/main OS/dom0 drive, with the templates on the encrypted SSD but with some VM images kept on the HDD due to size. I have almost filled up the HDD, so I'm a bit of a disk hog. Even though the HDD is not itself encrypted, critical data is kept in encrypted containers on the appVM's with the key on a memory card. Scripts in Dom0 mount the block device of the memory card to an appVM, then call a script on the appVM to mount the block device and decrypt the container using the key, then mount the container locally and unmount the key device. All I do is remove the key card and stop the appVM's (or just unmount the encrypted containers) for the first level of "security"...when I'm away from my desk for a while, and don't trust the screen lock to be adequate (haha...does anyone trust it, even though they finally updated it for XFCE4?). A full shutdown then requires a valid decryption phrase just to boot up AND the key card to get to the important stuff...plus my machine is rarely out of my sight. It may seem a bit overkill to some, but since I work with HR data a lot and sometimes have local copies of sensitive information (I try not to, but sometimes tools on my machine make my work MUCH more efficient than just using what my client has available), The stories of a stolen laptop compromising PI data (Personal Identification...SSN's etc...) abound. I consider this a minimal security scheme primarily due to the information I have access to and the possibility...no matter how remote...of me being lax at the wrong time and someone walking off with my laptop. I also VPN to my home system where I run an openVPN server whenever I gather e-mails via pop access with my local client (especially the gmail ones, since gmail likes to block access from unknown ip's...which is a royal pain for a road warrior) or do certain other stuff. I have the VPN setup on my mail appVM and on sys-firewall, and can run it for just the e-mails or for everything (except tor) as desired. I plan to continue with this scheme when I go to Qubes 4, except I may also encrypt the HDD...I just need to find enough space to put everything in the meantime. :) Stuart -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEg3cTCwPFs8wewas+M1E7j4SmKVQFAlxTRyAACgkQM1E7j4Sm KVTOcQf/fodRbzgDBvCBx3Jde8RzyoZI8Eq9eBO+X5nsm+VQT1/dR4M5PRL/VO+t dECwen3uNJ6KWGFrZdGsSiV7+BrXhHUl9fb1Xpw+7IWSVsnVav+rPlWiw1pfju60 QlQVlx1lYyJPoTgxGm8yTSPCuEVz2wGG3/K2LANhVWVsHBzyXzT5474EPhQlVI0G zBZymmxqFWVMhWr8N1lyK6E6hbWjlrDV7IKCFGxV874lFhuZeJKJ2AkZTIoWaCuP PamOIhWEkGCHCv8so6XLLMPW7UwpbPRakJ41yGfUd/H0aZFdOks4P+wZoOrARz1j cK7UBH1T0v2r3uhv8+A8qxze8AoQCg== =F4qb -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190131130532.2fc14262%40gmail.com. For more options, visit https://groups.google.com/d/optout.