Skip to content

Instantly share code, notes, and snippets.



Last active Jun 1, 2020
What would you like to do?
QubesOS TL;DR Setup

QubesOS TL;DR Setup


  1. UI enforcing GnuPG HSM with sig subkey installed
    • Examples: Yubikey, Ledger, Trezor
  2. Public key matching device in step #1 on flash drive
  3. TOTP/HTOP capable Personal HSM
    • Examples: Nitrokey, Librem Key
  4. PC with TPM verified coreboot-heads firmware installed
    • Examples: Nitropad, Insurgo PrivacyBeast, Librem 13/15
  5. Flash drive containing latest QubesOS image


  1. Enroll personal GnuPG public key into TPM via "OEM Factory Reset"

  2. Regenerate TOTP/HOTP secret in Librem Key

  3. Change user/admin pins of Librem Key

  4. Boot QubesOS installer and install with FDE + defaults.

  5. Reboot to OS

  6. Sign new QubesOS install and boot entry when asked with GnuPG HSM

  7. Boot into QubesOS

  8. (optional) Install desired WM/shell if not XFCE/bash


    [jdoe@dom0 ~]$ sudo qubes-dom0-update i3 i3-settings-qubes zsh
  9. Install critical packages for HSM use in Debian TemplateVM

    user@debian10:~$ sudo apt install scdaemon u2f-host
  10. Create a user in Debian TemplateVM

    user@debian10:~$ sudo useradd -m -G qubes -s /bin/bash jdoe
  11. Add new user to sudoers in TemplateVM

    user@debian10:~$ sudo vim /etc/sudoers
  12. Set user and preferred template as default in general use Qubes

    [jdoe@dom0 ~]$ sudo qvm-prefs --set personal default_user jdoe
    [jdoe@dom0 ~]$ sudo qvm-prefs --set personal template debian-10
    [jdoe@dom0 ~]$ sudo qvm-prefs --set work default_user jdoe
    [jdoe@dom0 ~]$ sudo qvm-prefs --set work template debian-10
  13. Customize Personal/Work Qubes to preference, and create more as desired

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.