Archive for January, 2019

Creating Qubes and Throwing them Away!

January 6, 2019

One of my favorite things about Qubes-OS is that I can test administrator changes to a Qube, and if it fails or I mess it up, I can throw it all away and start over again fairly painlessly. I have made Qubes to test Perl environments, Python environments, linuxbrew, Go, Rust, etc. Today’s adventure was with “eCryptfs”. I have two old Linux boxes that have been with me forever, and I have really been worried about the data stored in them. I try to keep them up to date, but they do have old debris scattered in /bin, /usr/bin, etc. I should rebuild them from scratch on new hardware, and that’s my intention, but this is going to take a good solid weekend of my time. For now, I just want to sort of protect the home directories with eCryptfs. I also don’t want to mess up what I have.

So on my Qubes machine, I cloned the debian-9 template to debian-9-ecryptfs. In a dom0 terminal:

$ qvm-clone debian-9 debian-9-ecryptfs

I want a new template, since I will add the eCryptfs packages and I don’t want to pollute the stock debian-9 template.

Then I start a new terminal in the debian-9-ecryptfs template and apt-get “eCryptfs” based on a couple tutorials I have been reading. These tutorials are:

https://www.howtoforge.com/tutorial/how-to-encrypt-directories-with-ecryptfs-on-ubuntu-16-04/

https://wiki.debian.org/TransparentEncryptionForHomeFolder

http://tombuntu.com/index.php/2008/08/07/create-an-encrypted-private-directory-with-ecryptfs/

To install eCryptfs in the template:

# apt-get install ecryptfs-utils

Now I shut down the template and create a new Qube based on the new template using the Qube Manager GUI. I let it default to my-new-qube.

Then I start “my-new-qube” and start playing with the tutorials, creating multiple different encrypted directories, mounting and un-mounting them until I think I have decent practice. Then I throw away “my-new-qube”.

To me, this is perfect: I can learn about eCryptfs without risking my old Debian machine or my Qubes-OS machine.

 

Qubes-OS 4, Creating usable minimal templates

January 1, 2019

My preferred Linux is currently Qubes-OS. One thing I do like is the minimal templates. You can create templates with just what you need in them and then create a Qube from them that doesn’t have a lot of extra pieces that you do not need. However, creating a usable template from the released templates takes extra steps that I kind of fumble around doing, so I will lay out my process here.

  • There is no way to clone or duplicate a template VM from the Qubes Manager; you have to do it from the dom0 command line. Note you do not need sudo:
[user@dom0 ~]$ qvm-clone fedora-27-minimal fedora-27-firefox
  • First, the minimal template does not contain the Qubes password-less sudo and the policy kit. You need to start a shell for the template as root. Again, there is no GUI way to do this; you need to do this from a dom0 command line:
[user@dom0 ~]$ qvm-run -u root fedora-27-firefox xterm
bash-4.4# dnf install qubes-core-agent-passwordless-root polkit
  • I check to make sure that the generalized qubes-core-agent is installed
bash-4.4# dnf install qubes-core-agent
  • I install some of my preferred packages
bash-4.4# dnf install gnome-keyring less pciutils psmisc
bash-4.4# dnf install pulseaudio-qubes
bash-4.4# dnf install qubes-core-agent-networking
  • Now I install the packages that I made the new template for
bash-4.4# dnf install firefox
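
The steps above, collected into one dom0 shell function. This is an added example, not part of the original post: the names make_template, run, BASE_PKGS and DRY_RUN are hypothetical, and it assumes running "dnf install -y" through "qvm-run -u root -p" instead of typing into the xterm.

```shell
#!/bin/sh
# Added example, meant for a dom0 terminal. DRY_RUN=1 prints commands only.

# Packages the post adds to the minimal template before the payload package.
BASE_PKGS="qubes-core-agent-passwordless-root polkit qubes-core-agent \
gnome-keyring less pciutils psmisc pulseaudio-qubes qubes-core-agent-networking"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# make_template SRC NEW PKG... (hypothetical helper name)
make_template() {
    [ "$#" -ge 3 ] || { echo "usage: make_template SRC NEW PKG..." >&2; return 2; }
    src=$1; new=$2; shift 2
    # These words end up in a command line run as root inside the template,
    # so accept only plain qube/package name characters.
    for word in "$src" "$new" "$@"; do
        case $word in
            ''|-*|*[!A-Za-z0-9._+-]*)
                echo "refusing unsafe name: $word" >&2; return 2 ;;
        esac
    done
    # Do not touch a qube that already exists (check skipped in dry-run).
    if [ "${DRY_RUN:-0}" != 1 ] && qvm-check "$new" >/dev/null 2>&1; then
        echo "qube $new already exists" >&2; return 1
    fi
    run qvm-clone "$src" "$new" || return 1
    # -u root: the minimal template has no passwordless sudo yet.
    # -p: show dnf's output in the dom0 terminal.
    run qvm-run -u root -p "$new" "dnf install -y $BASE_PKGS $*" || return 1
    # Shut the template down so qubes based on it see the new packages.
    run qvm-shutdown --wait "$new"
}

# Example: make_template fedora-27-minimal fedora-27-firefox firefox
[ "$#" -eq 0 ] || make_template "$@"
```

Running it first with DRY_RUN=1 shows the exact qvm-clone, qvm-run and qvm-shutdown lines before anything in dom0 is changed.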