Advanced Plus Security Stenographer's Security Config 2022

Last updated
Nov 11, 2022
Use case
Educational use
Desktop OS
Other operating system
Device encryption
Login unlock
    • FIDO2-compliant key (USB/NFC)
OS updates
Automatic updates
WiFi network security
Router firewall: ON
Firmware: up-to-date
Malware protection
- SELinux in Fedora 36 based application VMs
- Networking is handled by a Debian VM, which provides the uplink to the Firewall VMs.
- Firewall VMs connect application VMs to a virtual network and have a set of VPNs that can be used
- Whonix VMs provide connectivity over Tor
Firewall protection
Custom security info
Customized IPTables
Periodic scanners
N/A, not required in Qubes OS due to application VM templating.
Malware samples
I actively participate and am aware of the risks.
Default browser / extensions
LibreWolf from an untrusted application VM
Password manager
KeePassXC, local only in its own isolated VM.
Security keys
Maintenance tools
Qube Manager - lists all "qubes" (VMs) and gives tools for managing them and applications.
Personal backup
External SSD encrypted with Veracrypt
Backup frequency
Automatic
Recovery backup
Nuke and pave, redeploy with Ansible Playbooks.
Recovery plan integrity
Many successful results with my recovery plan
Risk factors
    • Browsing to popular websites
    • Browsing to unknown / untrusted / shady sites
    • Browsing the dark web
    • Sharing and receiving files and torrents
    • Coding and development
    • Downloading malware samples
Feedback response

Moderate feedback appreciated. If applicable, looking to make some major or minor changes.

Stenographers

Level 1
Thread author
Nov 11, 2022
36
My secure computing configuration. Running Qubes OS, a type 1 hypervisor as a desktop with a focus on security. Qubes uses the Xen hypervisor, but is modular and in the future it will be possible to swap that out for other virtualization solutions.

Qubes OS is a "reasonably secure operating system." It takes the different software components of a computer, and splits them into different virtual machines. The desktop is able to pull in windows from these different "Qubes" and present them together with color coordinated borders. The desktop is one virtual machine, with no network access. The firewall is another virtual machine, whose uplink is yet another virtual machine which handles networking. Applications are then installed on different virtual machines you can duplicate etc. Application VMs are isolated from each other and have no privileges on the system VMs.

For the application VMs, Qubes OS uses something called templates. When you boot up an application VM, it boots off of a static template which doesn't change unless you go into the template VM and make changes. This means you can have an untrusted VM for general web browsing, and when you close it and open it again it boots off that known clean template. This is done because Qubes OS assumes that your VMs will be compromised, and therefore presents mitigating controls.

Running Qubes OS is the most secure OS I have found as of yet. I've made several attempts to break into it from a Kali VM on my server, and had no success. However I'm not very talented at red teaming, so it could be due to lack of skill rather than it being very secure.

To log in I use a Yubikey and long password. The disk is encrypted with LUKS. Sensitive files are stored in a hidden partition on an SD card using Veracrypt. My most sensitive files are stored in that hidden partition, in image files using steganography. The hidden partition is undetectable by conventional forensics tools. There are 2 passwords, one that takes you to the non-hidden "dummy" partition with fake sensitive info. The other password unlocks the hidden partition. This is in case I am ever forced to reveal my encryption password, I can just give the fake one.

Looking for tips on how I can improve this setup or if anyone has any suggestions.

One cool thing you can do with Qubes OS is install any OS as a Qube, even Windows (although I don't do that.) One of my Qubes is Kali for example, which I use to poke at the other Qubes to simulate a Qube being compromised.
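The template model described in the post reverts an AppVM's root filesystem on every restart, but the /rw area (which backs /home, /usr/local and /rw/config) persists across restarts, so that is where a compromise of an untrusted qube would have to live to survive the "clean boot". The following POSIX shell audit is an added example, not code from the post or from the Qubes project; it lists the contents of the documented Qubes persistence points and takes an optional alternative /rw root (a mounted copy or a constructed tree) as an assumption for testing.

```shell
#!/bin/sh
# Added example (not from the original post or Qubes OS): enumerate what in a Qubes
# AppVM's persistent /rw area can act or execute after the qube is restarted from its
# template. Paths are the documented Qubes persistence points. The optional argument
# is an assumption for testing: an alternative /rw root; it defaults to /rw.
audit_rw_persistence() {
    rw="${1:-/rw}"

    # /rw/config/rc.local runs as root at every AppVM start; any non-comment,
    # non-blank line is a boot-time hook that the template revert does not remove.
    f="$rw/config/rc.local"
    if [ -f "$f" ]; then
        n=$(grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true)
        if [ "$n" -gt 0 ]; then
            echo "rc.local: $n executable line(s) in $f"
        fi
    fi

    # bind-dirs make chosen root-filesystem paths persistent as well, so each
    # binds+=( ... ) entry widens what survives a restart beyond /rw itself.
    for c in "$rw"/config/qubes-bind-dirs.d/*.conf; do
        [ -f "$c" ] || continue
        grep -o "binds+=([^)]*)" "$c" | while IFS= read -r b; do
            echo "bind-dir: $b (from $c)"
        done
    done

    # /usr/local is persistent and on PATH: an executable here runs in a "clean" qube.
    for x in "$rw"/usrlocal/bin/* "$rw"/usrlocal/sbin/*; do
        if [ -f "$x" ] && [ -x "$x" ]; then
            echo "usrlocal: executable $x"
        fi
    done

    # Per-user autostart entries live under the persistent /home and run at each login.
    for d in "$rw"/home/*/.config/autostart/*.desktop; do
        if [ -f "$d" ]; then
            echo "autostart: $d"
        fi
    done
    return 0
}
```

Run it inside the AppVM as `audit_rw_persistence` (or against a mounted private volume with the path argument) and compare the output with what you put there yourself; anything unexplained is a persistence point the clean-template assumption does not cover.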
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
936
That's a pretty good summary of what I understand Qubes OS to be. I've only run it a few times from a USB stick to have a quick look around and get an idea of what it can do. I plan to get into it more in the near future and had a vague idea of doing something along these lines, but haven't finished thinking it through yet, your comments may well help me on that, thanks. So, personally, I appreciate this post as an introduction to how to get it running well and on what it can do. I like the idea of running Kali as one of your Qubes.

Stenographers

Level 1
Thread author
Nov 11, 2022
36
Thanks! If you have any questions let me know. I'm not the most skilled with Qubes, you'll find more knowledgeable people online easily, but I'm happy to help however I can!