@lrvick, last active June 1, 2020 22:35

QubesOS TL;DR Setup

Requirements

  1. GnuPG HSM that enforces user interaction (UI) for operations and has a signature subkey installed
    • Examples: Yubikey, Ledger, Trezor
  2. Public key matching the device from step 1, stored on a flash drive
  3. TOTP/HOTP capable personal HSM
    • Examples: Nitrokey, Librem Key
  4. PC with TPM-verified coreboot-heads firmware installed
    • Examples: Nitropad, Insurgo PrivacyBeast, Librem 13/15
  5. Flash drive containing the latest QubesOS image

Setup

  1. Enroll personal GnuPG public key into TPM via "OEM Factory Reset"

  2. Regenerate TOTP/HOTP secret in Librem Key

  3. Change user/admin pins of Librem Key

  4. Boot QubesOS installer and install with FDE + defaults.

  5. Reboot to OS

  6. When prompted, sign the new QubesOS install and its boot entry with the GnuPG HSM

  7. Boot into QubesOS

  8. (optional) Install desired WM/shell if not XFCE/bash

    Example:

    [jdoe@dom0 ~]$ sudo qubes-dom0-update i3 i3-settings-qubes zsh
    
  9. Install critical packages for HSM use in Debian TemplateVM

    user@debian10:~$ sudo apt install scdaemon u2f-host
    
  10. Create a user in Debian TemplateVM

    user@debian10:~$ sudo useradd -m -G qubes -s /bin/bash jdoe
    
  11. Add new user to sudoers in TemplateVM

    user@debian10:~$ sudo vim /etc/sudoers
    
  12. Set the new user and the preferred template as defaults for the general-use qubes

    [jdoe@dom0 ~]$ sudo qvm-prefs --set personal default_user jdoe
    [jdoe@dom0 ~]$ sudo qvm-prefs --set personal template debian-10
    [jdoe@dom0 ~]$ sudo qvm-prefs --set work default_user jdoe
    [jdoe@dom0 ~]$ sudo qvm-prefs --set work template debian-10
    
  13. Customize Personal/Work Qubes to preference, and create more as desired
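Steps 9 to 11 collapsed into one idempotent script for the Debian TemplateVM, added here as an example (not the gist author's code): it installs the two packages only when missing, creates the user only if absent, and puts the sudo rule in a /etc/sudoers.d drop-in that is checked with visudo instead of editing /etc/sudoers by hand. TEMPLATE_USER, SUDOERS_DIR and the function names are assumptions of this example; it is meant to run as root inside the template.

```shell
#!/bin/sh
# Added example, not from the gist. Provisions the HSM user in the Debian
# TemplateVM (steps 9-11) so it can be re-run safely.
# Assumed knobs: TEMPLATE_USER (user to create) and SUDOERS_DIR (drop-in dir,
# overridable so the sudoers part can be exercised without touching /etc).
set -eu

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# Render the sudo rule for one user; kept separate so it can be checked in isolation.
sudoers_rule() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# Write the drop-in for user "$1" with mode 0440 (sudo refuses anything looser),
# validate it with visudo when running as root, then move it into place so a
# broken file never ends up in sudoers.d half-written.
install_sudoers_dropin() {
    user="$1"
    file="$SUDOERS_DIR/$user"
    tmp="$file.tmp"
    sudoers_rule "$user" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"
    fi
    mv "$tmp" "$file"
}

# Create the user only if missing, in the qubes group as in step 10.
ensure_user() {
    if ! id "$1" >/dev/null 2>&1; then
        useradd -m -G qubes -s /bin/bash "$1"
    fi
}

# Install scdaemon and u2f-host (step 9) only when not already present.
ensure_packages() {
    for p in scdaemon u2f-host; do
        dpkg -s "$p" >/dev/null 2>&1 || apt-get install -y "$p"
    done
}

# Only act on the system when a user was named, e.g. TEMPLATE_USER=jdoe sh provision.sh
if [ -n "${TEMPLATE_USER:-}" ]; then
    ensure_packages
    ensure_user "$TEMPLATE_USER"
    install_sudoers_dropin "$TEMPLATE_USER"
fi
```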
