[qubes-users] Re: Mounting directories across VMs (losetup/block device solution for directories)?

2020-02-26 Thread alex . barinov
I don't think you can achieve this by block device sharing unless you 
spread your directory structure across block devices exactly in a way you 
are going to share it with VMs - and even in that case you'll not be able 
to share with VM and sync with Dropbox at the same time (you didn't specify 
if that's required).

I suggest you explore the options of network shares using 
NFS/SAMBA/FTP/WebDAV/etc - together with passing just that network port to 
the target VM this can be a good solution.

On Wednesday, February 26, 2020 at 10:23:41 PM UTC+1, Johannes Graumann 
wrote:
>
> Hi, 
> I'm experimenting with creating a sys-dropbox vm that syncs with my 
> dropbox account. I would love to be able to then mount defined 
> subdirectories of the synced path to other vms (losetup/qvm-block-style,
> which only works for files).
> Is this possible? Where to find pointers? 
>
> Sincerely, Joh 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3a9ee4f4-0795-45b4-bfb9-4b674483a010%40googlegroups.com.


Re: [qubes-users] MAC Address Anonymization and NetworkManager Compatibility

2020-02-26 Thread 'sf0IqXUyNLTP22nB3Lpt' via qubes-users
Thanks to you both. I was mistaken in thinking I needed to set up MAC 
anonymizing in all NetVMs, but it seems like just the sys-net one is needed.

And for some reason I kept reading 1.16 as 1.1.6. Which was dumb of me but led 
to my confusion.

Thanks again for your help!


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 26, 2020 6:36 AM, Chris Laprise  
wrote:

> On 2/26/20 1:12 AM, 'sf0IqXUyNLTP22nB3Lpt' via qubes-users wrote:
>
> > I have recently set up a vpn gateway qube according to the instructions
> > as listed here https://www.qubes-os.org/doc/vpn/. I have now gone to
> > set up the MAC Anonymization and have a question and a problem both.
> > Firstly the linked page wrote specifically not to include the network
> > manager. But at the same time the page on anonymizing the MAC address
> > says that you must begin by installing the network manager. Is this safe
> > to do?
>
> There are two main setup options in that VPN doc: The first one tells
> you to enable Network Manager in the VPN VM. The second one is
> script-based and tells you not to enable NM in the VPN VM.
>
> The "don't include NM" part refers only to setting up the VPN VM, which
> is separate from sys-net. In other words, the VPN instructions don't
> affect sys-net, so you can keep using NM (in sys-net) after you setup
> your VPN.
>
> > The second is that I only have NetworkManager 1.16.4. When I try to
> > update or reinstall with sudo dnf install NetworkManager I get
> > '
> > Last metadata expiration check: 0:21:07 ago on Wed Feb 26 00:45:32 2020.
> > Package NetworkManager-1:1.16.4-1.fc30.x86_64 is already installed.
> > Dependencies resolved.
> > Nothing to do.
> > Complete!
>
> Nothing wrong there. 1.16 is a much later version than the minimum 1.4.2
> listed in the doc.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886




[qubes-users] Mounting directories across VMs (losetup/block device solution for directories)?

2020-02-26 Thread Johannes Graumann
Hi,
I'm experimenting with creating a sys-dropbox vm that syncs with my
dropbox account. I would love to be able to then mount defined
subdirectories of the synced path to other vms (losetup/qvm-block-style,
which only works for files).
Is this possible? Where to find pointers?

Sincerely, Joh



Re: [qubes-users] Re: Relative comparison of Qubes OS, and its multiple VM's versus Boxes.

2020-02-26 Thread Chris Laprise



I should have also linked this, which is a guide for devices:

https://www.qubes-os.org/doc/device-handling-security/#usb-security

Finally, reading the ITL blog from 2010 onward provides a lot of Qubes 
insight:


https://blog.invisiblethings.org/

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: Relative comparison of Qubes OS, and its multiple VM's versus Boxes.

2020-02-26 Thread Chris Laprise

On 2/26/20 2:24 PM, brendan.h...@gmail.com wrote:
> On Wednesday, February 26, 2020 at 12:18:48 PM UTC, ggg...@gmail.com wrote:
>
> > Boxes being the Sandboxing software available in Linux.  It is my
> > hunch, that the VM's are taking advantage of some hardware feature
> > that insulates them that might be a security hole for Boxes.  I dunno?
>
> Background: Boxes is simply a nice front end for KVM and QEMU, which is
> what most Linux virtualization solutions utilize.
>
> Reasons that Qubes project initially chose Xen over KVM+QEMU (probably
> better explained on the Qubes website):
> 1. The hypervisor code base is substantially smaller in the Xen case.
> Smaller generally means less security issues.
> 2. Xen came with better suited vt-d/IOMMU support at the time.
> 3. When parts of qemu are needed for certain virtualization scenarios,
> Xen supports sandboxing qemu into stub domains.
> 4. QEMU has been historically problematic when it comes to security
> issues, at least relative to Xen or even Xen w/ qemu in a stub domain.

Don't forget all the Qubes bits that make VMs work in concert: qrexec,
vchan, etc. These form a specially hardened VM management system. The
reason why Qubes Whonix exists, for example, is that other hypervisor
OSes don't have this level of security.

Links on the subject:

https://www.qubes-os.org/faq/#how-does-qubes-os-compare-to-running-vms-in-a-conventional-os

https://www.qubes-os.org/doc/security-critical-code/

> > Also, as I have not gotten a computer to run Qubes OS, I notice that
> > the App VM seem to be loading a full featured version of a Linux
> > OS.  I am guessing that in reality you guys are using a smallish
> > Limited version of a Linux Distro.
>
> Generally standard fedora and standard debian come as VM templates under
> Qubes, yes. With caveats, Qubes also provides slimmer versions of the
> template distros as well as optional downloads.
>
> > I was expecting to see some advice about how to uninstall the module
> > that runs the camera, and the microphone.   I know I rarely use
> > them, so it would seem like a good idea.   OR I guess, it is left to
> > the individual with the individual distro.
>
> Assuming your camera is USB based (generally the case, even for internal
> camera devices).
>
> Generally, the default installation:
> 1. Hides all USB devices from dom0, making them unusable.
> 2. Puts all USB devices into device sandbox called sys-usb (this part is
> optional, but useful if you want USB devices to work).
> Generally, you can use command line or the devices widget to assign the
> devices, including the microphone, to a VM if you choose (some
> limitations on usbip support being broken for certain device types).
>
> > I was looking for a list of;  If you want to be secure,   "Never do
> > this."    Another check list, like a pilot uses before taking off,
> > that is what the proper procedure is for some of the types of things
> > one might routinely do with Qubes OS.
>
> This would vary by threat model. Without a threat model, a general
> checklist would be impossible to provide.

Yes. Although the security faq linked above and additional security
guides exist here:

https://www.qubes-os.org/doc/#security-guides

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] SSD and safety.

2020-02-26 Thread brendan . hoar
PS - don't experiment with erasing drives on your daily driver. the drive 
is going to do what you asked it to do, no matter, say, whether you booted 
on that drive or not. POOF!



Re: [qubes-users] SSD and safety.

2020-02-26 Thread brendan . hoar
On Wednesday, February 26, 2020 at 3:37:27 PM UTC, Steve Coleman wrote:
>
> On 2/26/20, ggg...@gmail.com wrote:
>
> > I discovered there is no program to clear an SSD. 
>
> If you are using an Opal 2 compliant SSD and had created an encrypted 
> range before formatting your partition then all that data disappears 
> instantly when you reset the SSD. The one requirement is the SSD drive 
> must be functional in order to reset it, and it won't matter much if
> there are unusable blocks or file corruption as all the bits on the
> drive, good or bad, get flipped all at once. 
>
... 

> On the label of the Opal 2 SSD drive there would be a long hex PSID 
> number printed on it, and if you supply that # to the sedutil-cli 
> command: 
>
> # sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID MYPSID /dev/sdc 
>
> then everything previously stored on that drive becomes unrecoverable 

 
[Many users of Qubes aren't too keen on relying on the 
black-box/closed-source hardware encryption that comes on SED SSDs - can 
they trust it? They can't review the code/implementation. There have been 
in-depth analyses showing issues with both design as well as 
implementations with many devices. Their points are valid. However, I don't 
want to get into a long digression on the pros/cons.]

In addition to what Steve said about ranges or PSID revert, most tcg opal 
devices support utilizing the same hardware crypto engine for "CLASS 0" 
encryption, which allows use of the ATA PASSWORD as an alternate unlocking 
scheme. This generally allows suspend if, say, your laptop supports the ATA 
PASSWORD method. Flipside is that generally the complexity of the password 
data sent to the drive is < 90 bits no matter what you choose. Sometimes 
substantially less (depends upon BIOS).

I don't recommend relying on that for all of your security. If you use it, 
use LUKS on top of it as well. There's no performance loss, it's 
transparent (the drive was always doing it anyway, you just chose to lock 
it).

My point, however, is that the ATA Password support under "TCG OPAL CLASS 
0" comes with a nice side-benefit.

Generally, when utilizing TCG OPAL CLASS 0, when you send an ATA SECURE 
ERASE ENHANCED request to the drive, it actually simply rekeys the hardware 
crypto engine of the drive.

So, if you have non-zero data in a block, then use the ATA SECURE ERASE 
ENHANCED command and then read the block, it will be scrambled. Send the 
command again, it's scrambled a different way.

So, other than throwing the device into the Sun, my recommendation is 
always to:

1. Sample (non-zero) data (random block list) on the device.
2. Execute ATA SECURE ERASE ENHANCED.
3. Verify sampled data (same block list) is all scrambled.
4. Execute ATA SECURE ERASE ENHANCED again.
5. Verify sampled data (same block list) is all scrambled again.
6. TRIM the entire drive.
7. Verify sampled data (same block list) is all now zero'd data.
8. Execute ATA SECURE ERASE *NORMAL* (might erase additional data beyond 
user-readable data, depending upon manufacturer).

BTW, if ATA SECURE ERASE ENHANCED does not scramble the data, but the drive 
supports the ATA SANITIZE command, then use ATA SANITIZE CRYPTO instead, 
should do the same thing.

Brendan

PS - paranoid people might say "well, maybe the drive is keeping a list of 
all keys, hey they are small". Possible. Maybe a flash-thrashing "fill 
entire drive full of random data" step will help a bit, assuming you're 
worried about user data left behind and not targeted exfiltration into 
non-user-accessible flash by a nation-state agency, etc.
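
The sample-and-verify steps of the list above (1, 3, 5 and 7), as an added example that is not part of the original post: it only reads blocks and classifies them as unchanged, scrambled or zeroed, and never issues an erase itself. The function names, the 4096-byte sample size and the constructed image file that stands in for a drive are assumptions of this example.

```python
import hashlib
import os
import random
import tempfile

BLOCK_SIZE = 4096  # assumed sampling granularity in bytes
ZERO_DIGEST = hashlib.sha256(bytes(BLOCK_SIZE)).hexdigest()


def block_count(path):
    # Seeking to the end gives the size of a regular file or a Linux block device.
    with open(path, "rb") as dev:
        return dev.seek(0, os.SEEK_END) // BLOCK_SIZE


def digest(path, index):
    # On a real device, drop the page cache between steps so that this read
    # is served by the drive and not by stale cached pages.
    with open(path, "rb") as dev:
        dev.seek(index * BLOCK_SIZE)
        return hashlib.sha256(dev.read(BLOCK_SIZE)).hexdigest()


def sample_nonzero_blocks(path, count, seed=None):
    """Step 1: pick up to `count` random blocks that currently hold non-zero data."""
    rng = random.Random(seed)
    total = block_count(path)
    chosen = set()
    for _ in range(count * 50):  # bounded number of draws
        if len(chosen) == count:
            break
        index = rng.randrange(total)
        if digest(path, index) != ZERO_DIGEST:
            chosen.add(index)
    return sorted(chosen)


def snapshot(path, blocks):
    """Record a SHA-256 per sampled block (the 'same block list' of later steps)."""
    return {index: digest(path, index) for index in blocks}


def classify(path, *earlier):
    """Steps 3, 5, 7: compare each sampled block with every earlier snapshot."""
    states = {}
    for index in earlier[0]:
        now = digest(path, index)
        if now == ZERO_DIGEST:
            states[index] = "zeroed"
        elif any(now == snap[index] for snap in earlier):
            states[index] = "unchanged"  # the erase did not touch this block
        else:
            states[index] = "scrambled"
    return states


def verdict(states):
    """Collapse per-block states; a passing step yields exactly one state."""
    return sorted(set(states.values()))


def _overwrite(path, make_block):
    # Demo-only stand-in for what the drive does; not an ATA command.
    total = block_count(path)
    with open(path, "r+b") as img:
        for _ in range(total):
            img.write(make_block())


def demo():
    """Walk the verification sequence on a constructed 64-block image file."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed-disk.img")
        with open(image, "wb") as img:  # even blocks hold data, odd blocks are zero
            for i in range(64):
                img.write(os.urandom(BLOCK_SIZE) if i % 2 == 0 else bytes(BLOCK_SIZE))
        blocks = sample_nonzero_blocks(image, 8, seed=1)
        snap0 = snapshot(image, blocks)
        report = {"blocks": blocks, "before": verdict(classify(image, snap0))}
        _overwrite(image, lambda: os.urandom(BLOCK_SIZE))  # simulated rekey 1
        report["after_erase_1"] = verdict(classify(image, snap0))
        snap1 = snapshot(image, blocks)
        _overwrite(image, lambda: os.urandom(BLOCK_SIZE))  # simulated rekey 2
        report["after_erase_2"] = verdict(classify(image, snap0, snap1))
        _overwrite(image, lambda: bytes(BLOCK_SIZE))  # simulated TRIM read-back
        report["after_trim"] = verdict(classify(image, snap0))
        return report


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Any `unchanged` entry after an erase step means the sampled block still reads back as before, which is the case the post's ATA SANITIZE CRYPTO fallback addresses.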



[qubes-users] Re: Relative comparison of Qubes OS, and its multiple VM's versus Boxes.

2020-02-26 Thread brendan . hoar

On Wednesday, February 26, 2020 at 12:18:48 PM UTC, ggg...@gmail.com wrote:
>
> Boxes being the Sandboxing software available in Linux.  It is my hunch, 
> that the VM's are taking advantage of some hardware feature that insulates 
> them that might be a security hole for Boxes.  I dunno?
>

Background: Boxes is simply a nice front end for KVM and QEMU, which is 
what most Linux virtualization solutions utilize.

Reasons that Qubes project initially chose Xen over KVM+QEMU (probably 
better explained on the Qubes website):
1. The hypervisor code base is substantially smaller in the Xen case. 
Smaller generally means less security issues.
2. Xen came with better suited vt-d/IOMMU support at the time.
3. When parts of qemu are needed for certain virtualization scenarios, Xen 
supports sandboxing qemu into stub domains.
4. QEMU has been historically problematic when it comes to security issues, 
at least relative to Xen or even Xen w/ qemu in a stub domain.
 

> Also, as I have not gotten a computer to run Qubes OS, I notice that the 
> App VM seem to be loading a full featured version of a Linux OS.  I am 
> guessing that in reality you guys are using a smallish Limited version of a 
> Linux Distro.   
>

Generally standard fedora and standard debian come as VM templates under 
Qubes, yes. With caveats, Qubes also provides slimmer versions of the 
template distros as well as optional downloads.
 

> I was expecting to see some advice about how to uninstall the module that 
> runs the camera, and the microphone.   I know I rarely use them, so it 
> would seem like a good idea.   OR I guess, it is left to the individual 
> with the individual distro.  
>

Assuming your camera is USB based (generally the case, even for internal 
camera devices).

Generally, the default installation:
1. Hides all USB devices from dom0, making them unusable.
2. Puts all USB devices into device sandbox called sys-usb (this part is 
optional, but useful if you want USB devices to work).
 
Generally, you can use command line or the devices widget to assign the 
devices, including the microphone, to a VM if you choose (some limitations 
on usbip support being broken for certain device types).

> I was looking for a list of;  If you want to be secure,   "Never do 
> this."    Another check list, like a pilot uses before taking off, that is 
> what the proper procedure is for some of the types of things one might 
> routinely do with Qubes OS.  
>

This would vary by threat model. Without a threat model, a general 
checklist would be impossible to provide.
 

> About my hardware deficiency, wait for another month for me to be able to 
> upgrade RAM, and maybe buy a Programming device.   So please be patient 
> with questions that would be obvious if I was running Qubes OS already.
>

Good luck! 



Re: [qubes-users] ANN: Wyng beta, a fast incremental backup tool

2020-02-26 Thread Chris Laprise

On 2/26/20 7:38 AM, Bernhard wrote:
> > 'Wyng' is a backup program I've been working on for a while that can
> > quickly backup "thin LVM" storage, the kind Qubes uses by default:
> >
> > Link  https://github.com/tasket/wyng-backup
>
> I like your other scripts, so I had a look. That seems so damn complex
> at first glance! Maybe you want to improve your "readme" by some simple
> examples of "mise en oeuvre": assume I have a qubes machine and a
> backup-harddrive in my hand. What would be the steps to do?  Can you
> stock your backup in a luks-container?  Since you use "streams" can
> (can't?) there be a -whatever cipher- in the middle of your stream
> treatment?
> I did not get this information from your text within reasonable time.
> Maybe I am stupid, but maybe I am not alone with that :)



Under Requirements & Setup there is a brief example of initializing a 
Wyng archive and adding a volume.


I don't yet have a walk through specifically for Qubes, but I have a 
draft howto that is geared toward a regular Linux system:


https://github.com/tasket/wyng-backup/wiki/Using-Wyng-for-incredibly-fast-incremental-backups-from-LVM

Deciding how to use it in dom0 depends on several factors, such as 
whether you need to add encryption to the archive (Wyng v0.2 does not 
encrypt data). The Readme suggests a general method for Qubes that sets 
up a net-accessible encrypted container, but you can also simply mount a 
LUKS volume from sys-usb local storage (i.e. attach a sys-usb partition 
to dom0, then in dom0 format/use it as a LUKS volume).


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] How to setup Win10 HVM ?

2020-02-26 Thread A E
On Tue, 25 Feb 2020 at 18:05, A E wrote:

> On Tue, 25 Feb 2020 at 14:09, A E wrote:
>
>> On Tue, 25 Feb 2020 at 13:16, A E wrote:
>>
>>> On Tue, 25 Feb 2020 at 13:02, A wrote:
>>>
 A way to download Windows 10 Pro manually and install it.

 I haven’t managed to download Windows 10 Pro by using the file
 “download-windows.sh”. So instead I downloaded Windows 10 Pro manually and
 ran the script afterwards.

 You can follow these steps to do it the same way as I did it:

 1)  Open the “Qube Settings” for the domain “windows-mgmt”. Under
 “Network”, choose “default” one and click on “Apply”.

 2)  Open the domains Firefox browser and search the web for “how to
 download windows 10”.
   One of the first results is a link to a Microsoft webpage from
 which it is possible to download the file in the local language.
   The file gets downloaded to the download folder in the domain.

 3)  Open the “Qube Settings” for the domain “windows-mgmt”. Under
 “Network”, choose “(none)” and click on “Apply”.

 4)  Move or copy the file to this destination:
 /Documents/qvm-create-windows-qube/windows-media/isos

 5)  Open the terminal in dom0 and execute the following script
 (remember to write the name of the iso file you downloaded in step 2
 instead of “filename”):

 ./qvm-create-windows-qube.sh -n sys-whonix -oyw -i filename.iso -a
 win10x64-pro.xml anon-win10

 Info: anon-win10 will be the name of the domain. I don’t know if it is
 possible to change the domain name without spoiling anything.

 Do not close the terminal before it says the installation was complete
 (successfully) !

 Let the terminal do the job, it restarts the qube and so on when it is
 necessary.

 When I got into Windows there appeared three message boxes. One saying
 that the pc has to be restarted. A second one saying that drive D has to be
 formatted. And the third one saying something about a private drive as far
 as I recall.

 I started to click OK, I think on the third message, and then Windows
 immediately closed and restarted and seemed to run fine afterwards.

 And in the terminal it said the installation was completed successfully.


>>>
>>> Afterwards, I have mistakenly closed the window with Windows 10 in it.
>>> And now I can’t figure out how to make the window visible again...
>>>
>>> I have tried to click on different icons in the menu of the domain
>>> ananon-win10 in the qube menu - also the one called “Start”. A message pops
>>> up saying that the domain is started, but I can’t see a window where
>>> Windows 10 is starting up.
>>>
>>> Can someone tell me how to make the window visible again ?
>>>
>>
>>
>> Arh, to make it appear again, just execute this script in dom0: qvm-features
>>  gui 1 .
>>
>> Write the name of the domain (for example “anon-win10”), instead of 
>> 
>> .
>>
>>
>>
>
> To change the size of the window, change the screen resolution in Windows.
>
> For now, it doesn’t seem possible to get the window to cover the whole
> screen except the Qubes menu.
>


How to install Microsoft Office365 in a Win10 HVM that is created by using
the script: ./qvm-create-windows-qube.sh -n sys-whonix -oyw -i filename.iso
-a win10x64-pro.xml anon-win10 ?



Re: [qubes-users] Re: qvm-create-windows-qube 2.0

2020-02-26 Thread A E
On Tue, 25 Feb 2020 at 14:08, A E wrote:

> On Tue, 25 Feb 2020 at 13:31, A E wrote:
>
>> On Tue, 25 Feb 2020 at 13:26, A E wrote:
>>
>>> On Mon, 24 Feb 2020 at 20:13, A E wrote:
>>>
 On Mon, 24 Feb 2020 at 14:12, A E wrote:

> On Wed, 19 Feb 2020 at 15:51, A E wrote:
>
>> On Thu, 13 Feb 2020 at 00:24, M E wrote:
>>
>>> On Sun, 26 Jan 2020 at 23:12, 'Elliot Killick' via qubes-users <
>>> qubes-users@googlegroups.com> wrote:
>>>

 On 2020-01-26 12:37, Claudio Chinicz wrote:
 > Hi Elliot,
 >
 > I've downloaded again and succeeded creating the HVM.
 >
 > I had a Windows 10 HVM I built manually just booting from the ISO and where
 > I did not succeed installing the QWT (boot after the QWT install would
 > freeze).
 >
 > Would you recommend building a Template from this HVM?
 >
 > The big advantage I saw in this implementation was that I can comfortably
 > run my applications with 2GB (minimum) vs 6GB in my previous HVM. Another
 > advantage of the QWT is that I can send files from Windows to any other
 > PV/HPV VM using qrexec.
 >
 > What's intriguing me is that copy/paste between VMs is not working. When I
 > ctl+shift+C on my Windows VM I see the popup saying I can ctl+shift+V on
 > another VM but when I do so nothing is pasted. Any ideas?
 >
 > Thank you very much for this scripts/Windows VM builder.
 >
 > Regards

 By freeze do you mean it stops on the part where QWT tries to create the
 private disk? This is documented in the QWT Known Issues section of the
 README. Just exit that window with the error message and the
 installation will proceed as normal. Besides that for Windows 10/Windows
 Server 2019, you should not have to interact with any window or part of
 the installation. Sometimes, QWT may also just crash upon boot causing
 Windows to crash. This doesn't happen often, however, it is also
 documented in the README. This is more likely to happen if you installed
 Windows manually as you said because unstable QWT features like Qubes
 Memory Manager (qmemman) are enabled by default which we disable in the
 qvm-create-windows-qube.sh script (Thanks to @brendanhoar for that one).

 Due to that bug in making the private disk required, it's not possible
 to create templates for Windows 10/Windows Server 2019 anyway.
 Otherwise, I would recommend for most users to build a template with the
 software they want pre-installed and make AppVMs from that.

 Regarding copy/paste not working, it appears to work fine for others so
 I would just suggest you restart the Windows qube or possibly make a new
 one. If it's copying the data out correctly then there should be a
 notification saying "Copied X bytes to the clipboard".

 You're welcome, Claudio!


 Regards,

 Elliot



>>>
>>>
>>>
>>> I want to install Windows 10 from a DVD in a new HVM and have begun
>>> following this guide: https://www.qubes-os.org/doc/windows-vm/
>>>
>>> It says:
>>>
>>> “Create a new Qube:
>>> Name: Win10, Color: red
>>> Standalone Qube not based on a template
>>> Networking: sys-firewall (default)
>>> Launch settings after creation: check
>>> Click “OK”.”
>>>
>>> As I’m going to install Win 10 from a DVD, shall I then just follow
>>> the guide and choose “Launch settings after creation” or shall I choose
>>> “Install from device” ?
>>>
>>
>>
>> I have made a Windows domain and downloaded and installed Windows 7
>> and Qubes Windows Tools by executing this script in dom0 according to this
>> guide (link: https://github.com/elliotkillick/qvm-create-windows-qube ):
>>
>> chmod +x install.sh && ./install.sh
>>
>> And now I would like to know how to get further.
>>
>> I have made a thread here about making a Win10 HVM, so you are
>> welcome to answer there instead (I have just made this post in attempt to
>> get a 

Re: [qubes-users] Error attempting to reinstall Debian 10 templateVM

2020-02-26 Thread donovang



- On Feb 25, 2020, at 4:06 PM,  donov...@unseen.is wrote:

> - On Feb 25, 2020, at 3:46 PM, Chris Laprise tas...@posteo.net wrote:
> 
>> On 2/25/20 4:12 PM, donov...@unseen.is wrote:
>>> Specifically, I issue the "$ sudo qubes-dom0-update
>>> qubes-template-debian-10" and I get red lettering and "error could not
>>> delete old database at
>>> /var/lib/qubes/dom0-updates/home/user/.rpmold." where  changes
>>> if I repeat the command and that error appears. Other times I get red
>>> lettering without that specific error and (via sys-whonix) it downloads
>>> the info it needs and then I get "No Match for argument
>>> qubes-template-debian-10 nothing to download".
>>>
>>> If I try "$ sudo qubes-dom0-update qubes-template-debian-9" - same
>>> thing "No Match for argument qubes-template-debian-9 nothing to download".
>> 
>> Hi donovan,
>> 
>> Those qubes-dom0-update commands should work. However, dnf occasionally
>> forgets about packages bc of problems in its cache. To clear dnf caches,
>> run this in dom0:
>> 
>> sudo qubes-dom0-update --action="clean all"
>> being "no such domain 'Debian-10'"
>> Then re-run your template install:
>> 
>> sudo qubes-dom0-update qubes-template-debian-10
>> 
>> --
>> Chris Laprise, tas...@posteo.net
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> Chris,
> 
> Thanks for quick reply. Ran the above command aaand oops:
> 
> ERROR: yum version installed in VM host does not support --downloadonly option
> ERROR: only 'install' and 'upgrade' actions supported (clean all not)
> 
> DG
> 

Some progress. 

Using "sudo qubes-dom0-update --clean" did the trick for cleaning the dnf cache.

Using "sudo qubes-dom0-update --action=reinstall qubes-template-debian-10" got 
my reinstall done. It squawked about there being "no such domain 'debian-10'", 
but it ran through the reinstall fine.

Now I need to figure out how to clean up the primary drive a bit as I think I 
used a lot more drive space than can be accounted for by the install. However, 
I have Debian now, so I can build my production VM! Lots to learn. Turned off 
my Windows box and dove into the deep end. 

DG



Re: [qubes-users] New TemplateVMs Signatures/Master Signing Key

2020-02-26 Thread dhorf-hfref . 4a288f10
On Wed, Feb 26, 2020 at 03:47:34PM +, 'Yiyi50' via qubes-users wrote:
> If you download a new TemplateVM inside an existing Qubes system,
> using "sudo qubes-dom0-update qubes-template-debian-xx" does that
> download have a signature file that needs to be verified with the
> Qubes Master Signing key? And if yes, how do I do that? If the Master
> Signing Key isn't in Dom0, but the mirror image is downloaded within
> Dom0, how can I verify it?

there should be no need for manual verification.
all qubes rpm pkgs should be signed and checked. 
the usual "how to check/verify an rpm signature" should apply
if you really want to check "by hand". 




[qubes-users] New TemplateVMs Signatures/Master Signing Key

2020-02-26 Thread 'Yiyi50' via qubes-users
If you download a new TemplateVM inside an existing Qubes system, using "sudo 
qubes-dom0-update qubes-template-debian-xx" does that download have a signature 
file that needs to be verified with the Qubes Master Signing key? And if yes, 
how do I do that? If the Master Signing Key isn't in Dom0, but the mirror image 
is downloaded within Dom0, how can I verify it?

Please note: I only started with Qubes/Linux recently and don't really know 
my way around. I'm coming from Windows/OSX. I hope this isn't a deal breaker 
for you.

Sent from ProtonMail mobile



Re: [qubes-users] SSD and safety.

2020-02-26 Thread Steve Coleman
On 2/26/20, ggg...@gmail.com  wrote:

> I discovered there is no program to clear an SSD.

If you are using an Opal 2 compliant SSD and had created an encrypted
range before formatting your partition then all that data disappears
instantly when you reset the SSD. The one requirement is the SSD drive
must be functional in order to reset it, and it won't matter much if
there are unusable blocks or file corruption as all the bits on the
drive, good or bad, get flipped all at once.

Any used, free space, or damaged memory blocks get reset right along
with the user data.  The entropy values stored internally on that
drive get reset so even someone having the prior password can still
not regenerate the same encryption key to unlock the drive. All memory
blocks that ever had your data will be meaningless 1's and 0's.

On the label of the Opal 2 SSD drive there would be a long hex PSID
number printed on it, and if you supply that # to the sedutil-cli
command:

# sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID MYPSID /dev/sdc

then everything previously stored on that drive becomes unrecoverable
in an instant. If you think you need a non-recoverable "panic-button"
then the above command will do nicely. Nobody, not even you, is ever
going to see that data again. If you also used software based
encryption on top of that partition then you can be doubly sure that
your personal information can never be recovered.

If you install the "Pre-Boot Authentication" (PBA) to unlock the
encrypted drive during the initial boot cycle then you have the
additional advantage that the boot partition locking range can even be
made read-only while the data is at rest. When doing this even an
Evil-Maid system admin won't be messing with your system. Just
remember to make it writable again before trying to apply any updates
to your boot partition.

Note: With enabling these SED capabilities on your primary drive you
will likely be giving up laptop "suspend" capability. If you
absolutely need to protect your data then this is a fair trade-off
since the suspended memory image would be far too dangerous to leave
lying around anyway.  A hot-plug attack is the Achilles' heel of an
Opal drive, so powering down is important anyway.

https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive
https://github.com/Drive-Trust-Alliance/sedutil/tree/master/LinuxPBA
http://chrisarges.net/2018/02/16/using-sed-encryption-on-disks.html



Re: [qubes-users] ANN: Wyng beta, a fast incremental backup tool

2020-02-26 Thread Bernhard

> 'Wyng' is a backup program I've been working on for a while that can
> quickly backup "thin LVM" storage, the kind Qubes uses by default:
>
> https://github.com/tasket/wyng-backup


I like your other scripts, so I had a look. That seems so damn complex
at first glance! Maybe you want to improve your "readme" by some simple
examples of "mise en oeuvre": assume I have a qubes machine and a
backup-harddrive in my hand. What would be the steps to do?  Can you
stock your backup in a luks-container?  Since you use "streams" can
(can't?) there be a -whatever cipher- in the middle of your stream
treatment?
I did not get this information from your text within reasonable time.
Maybe I am stupid, but maybe I am not alone with that :)



[qubes-users] Relative comparison of Qubes OS, and its multiple VM's versus Boxes.

2020-02-26 Thread ggg397
Boxes being the Sandboxing software available in Linux.  It is my hunch, 
that the VM's are taking advantage of some hardware feature that insulates 
them that might be a security hole for Boxes.  I dunno?

Also, as I have not gotten a computer to run Qubes OS, I notice that the 
App VM seem to be loading a full featured version of a Linux OS.  I am 
guessing that in reality you guys are using a smallish Limited version of a 
Linux Distro.   

I was expecting to see some advice about how to uninstall the module that 
runs the camera, and the microphone.   I know I rarely use them, so it 
would seem like a good idea.   OR I guess, it is left to the individual 
with the individual distro.  

I was looking for a list of;  If you want to be secure,   "Never do 
this."  Another check list, like a pilot uses before taking off, that is 
what the proper procedure is for some of the types of things one might 
routinely do with Qubes OS.  

About my hardware deficiency, wait for another month for me to be able to 
upgrade RAM, and maybe buy a Programming device.   So please be patient 
with questions that would be obvious if I was running Qubes OS already.

Thanks for replies.



[qubes-users] SSD and safety.

2020-02-26 Thread ggg397
Some months back I was going to send a computer in for repair.  I discovered 
there is no program to clear an SSD.   

Some years ago I was reading about how an SSD did wear leveling, and 
recovered from errors.  The article claimed that often the SSD came with 
more memory than was listed.  If, in the course of normal operations, it 
found a bad section, it would somehow mark that area for "Do Not See or 
Use" and use the extra, secret memory space to do the work that was for the 
disabled section.

I am guessing it is just that in normal operations for Qubes OS, such 
trivia does not matter.  Don't let the evil power groups get their hands on 
the SSD.   Then the potential loss of data is pretty small.   Unless the 
SSD firmware can be tricked out in some way.



[qubes-users] Safety of using external USB mouse?

2020-02-26 Thread ggg397
I have noticed it is not recommended that we use an external USB Keyboard 
because it might have been - well not safe.   

I am not sure about using a USB Mouse, and whether that answer is for 
Qubes OS only, or just that the USB mouse never has firmware?



Re: [qubes-users] MAC Address Anonymization and NetworkManager Compatibility

2020-02-26 Thread Chris Laprise

On 2/26/20 1:12 AM, 'sf0IqXUyNLTP22nB3Lpt' via qubes-users wrote:
> I have recently set up a vpn gateway qube according to the instructions 
> as listed here. I have now gone to 
> set up the MAC Anonymization and have a question and a problem both.
>
> Firstly the linked page wrote specifically not to include the network 
> manager. But at the same time the page on anonymizing the MAC address 
> says that you must begin by installing the network manager. Is this safe 
> to do?


There are two main setup options in that VPN doc: The first one tells 
you to enable Network Manager in the VPN VM. The second one is 
script-based and tells you not to enable NM in the VPN VM.


The "don't include NM" part refers only to setting up the VPN VM, which 
is separate from sys-net. In other words, the VPN instructions don't 
affect sys-net, so you can keep using NM (in sys-net) after you set up 
your VPN.




> The second is that I only have NetworkManager 1.16.4. When I try to 
> update or reinstall with sudo dnf install NetworkManager I get
>
> '
> Last metadata expiration check: 0:21:07 ago on Wed Feb 26 00:45:32 2020.
> Package NetworkManager-1:1.16.4-1.fc30.x86_64 is already installed.
> Dependencies resolved.
> Nothing to do.
> Complete!


Nothing wrong there. 1.16 is a much later version than the minimum 1.4.2 
listed in the doc.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] MAC Address Anonymization and NetworkManager Compatibility

2020-02-26 Thread David Hobach



On 2/26/20 7:12 AM, 'sf0IqXUyNLTP22nB3Lpt' via qubes-users wrote:
> I have recently set up a vpn gateway qube according to the instructions as 
> listed [here](https://www.qubes-os.org/doc/vpn/). I have now gone to set up the 
> MAC Anonymization and have a question and a problem both.
>
> Firstly the linked page wrote specifically not to include the network manager. 
> But at the same time the page on anonymizing the MAC address says that you must 
> begin by installing the network manager. Is this safe to do?


The doc is here: https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Your VPN client should reside in a different VM (a proxy VM named e.g. 
sys-vpn) than NetworkManager (sys-net).




Re: [EXT] [qubes-users] checking allocated disk space

2020-02-26 Thread pixel fairy


On Tuesday, February 18, 2020 at 11:52:46 PM UTC-8, Ulrich Windl wrote:
>
> >>> pixel fairy wrote on 18.02.2020 at 06:04 in message 
> <13889_1582002262_5E4B7056_13889_59_1_2104823c-c9c1-4fc9-aa9c-090863f09825@googl
> groups.com>: 
> > trying to see how much space is allocated, not actually used in all the 
> > qubes. is there an easy command for this? something like qvm-volume info 
> > but for all the qubes? 
>
> What about "PFree" in output of "pvs"? 
>
>
not what i was looking for either. can't just add up all of lvs because of 
different kinds of ephemeral volumes. here's a script to just add up all the 
-root (for template) and -private volumes. 

#!/usr/bin/env python3

import subprocess
import sys

# older python doesn't have capture_output in subprocess.run
output = subprocess.check_output(['sudo', 'lvs'], universal_newlines=True)
lines = output.split('\n')

allocated = 0.0

for line in lines:
    l = line.split()

    # skip the empty line at the end and anything without a size column
    # (LSize is the 4th column of the default lvs output)
    if len(l) < 4:
        continue

    name = l[0]
    size = l[3]

    # we only care about vm- volumes (this also skips the header line)
    if name[:2] != "vm":
        continue

    # we only care about persistent volumes, -root and -private
    if name[-5:] != "-root" and name[-8:] != "-private":
        continue

    # lop off the g at the end. check for G in case lvs output changes
    if size[-1] != 'g' and size[-1] != 'G':
        print(name, size, "size is not in gigs. rewrite script")
        sys.exit(1)

    size = float(size[:-1])
    allocated += size

    print("{:7.2f} {}".format(size, name))

print("{:7.2f} total".format(allocated))





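A variant of the approach in the post above, as an added example that is not part of the original message: it asks lvs for byte-exact sizes (--noheadings --units b --nosuffix -o lv_name,lv_size), so no unit suffix has to be checked, and sums only the vm-*-root and vm-*-private volumes. The sample output and the volume names in it are constructed.

```python
import subprocess
import sys

# Constructed sample of: lvs --noheadings --units b --nosuffix -o lv_name,lv_size
# (volume names are made up for illustration).
SAMPLE = """\
  pool00                             214748364800
  root                               21474836480
  vm-debian-10-root                  10737418240
  vm-debian-10-root-1582700000-back  10737418240
  vm-work-private                    2147483648
  vm-work-private-snap               2147483648
  vm-work-volatile                   10737418240
  vm-vault-private                   536870912
"""

def persistent_volumes(lvs_text):
    """Return {name: size_in_bytes} for vm-*-root and vm-*-private volumes."""
    volumes = {}
    for line in lvs_text.splitlines():
        fields = line.split()
        if len(fields) != 2:  # blank or unexpected line
            continue
        name, size = fields
        # Snapshot, backup-revision and volatile volumes have other suffixes.
        if name.startswith("vm-") and name.endswith(("-root", "-private")):
            volumes[name] = int(size)
    return volumes

def total_gib(volumes):
    """Total allocated size in GiB."""
    return sum(volumes.values()) / 2**30

def read_lvs():
    """Run lvs in dom0 and return its output as text."""
    return subprocess.check_output(
        ["sudo", "lvs", "--noheadings", "--units", "b", "--nosuffix",
         "-o", "lv_name,lv_size"], universal_newlines=True)

if __name__ == "__main__":
    text = SAMPLE if "--sample" in sys.argv else read_lvs()
    vols = persistent_volumes(text)
    for name, size in sorted(vols.items()):
        print("{:9.2f} GiB {}".format(size / 2**30, name))
    print("{:9.2f} GiB total".format(total_gib(vols)))
```

Run with --sample to try it on the embedded output outside dom0.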