Skip to content

Instantly share code, notes, and snippets.

Avatar

Santori Helix santorihelix

  • Utah
  • Joined Nov 14, 2020
View GitHub Profile
@santorihelix
santorihelix / qubes-split-ssh.md
Created Nov 21, 2020
Split SSH guide for Qubes.
View qubes-split-ssh.md

Qubes Split SSH

Split SSH implements a concept similar to having a smart card with your private SSH keys, except that the role of the “smart card” is played by another Qubes AppVM. This Qubes setup allows you to keep your SSH private keys in a vault VM (vault) while using an SSH Client VM (ssh-client) to access your remote server. This is done by using Qubes's [qrexec][qrexec] framework to connect a local SSH Agent socket from your SSH Client VM to the SSH Agent socket within the vault VM. This way the compromise of the domain you use to connect to your remote server does not allow the attacker to automatically also steal all your keys. (We should make a rather obvious comment here that the so-often-used passphrases on private keys are pretty meaningless because the attacker can easily set up a simple backdoor which would wait until the user enters the passphrase and steal the key then.)

![diagram](https://raw.githubusercontent.com/santorihelix/qubes-splitssh-diagram/b7fb707e860e0de17b759ef09e3

@santorihelix
santorihelix / monero-split-wallet.md
Last active Nov 21, 2020
How to isolate your monero daemon from your monero wallet with Qubes / Whonix.
View monero-split-wallet.md

Monero Wallet / Daemon Isolation with Qubes & Whonix

With Qubes + Whonix you can have a Monero wallet that is without networking and running on a virtually isolated system from the Monero daemon which has all of its traffic forced over Tor.

Qubes gives the flexibility to easily create separate VMs for different purposes. First you will create a Whonix workstation for the wallet with no networking. Next, another Whonix workstation for the @daemon which will use your Whonix gateway as it's NetVM. For communication between the wallet and daemon you can make use of Qubes qrexec.

This is safer than other approaches which route the wallets rpc over a Tor hidden service, or that use physical isolation but still have networking to connect to the daemon. In this way you don't need any network connection on the wallet, you preserve resources of the Tor network, and there is less latency.

1. [Creat

You can’t perform that action at this time.