Most people assume that QubeOS is already absolutely secure because Edward Snowden recommends it. Thats simply not the case (Mostly because it uses xen which is a mess of code). So how do we go about hardening it?
1st. Secure your VM's:
I would recommend removing default vm's (backup first) except sys-* vms for now.
Make new ones with either arch or debian. (or gentoo if ur crazy and using R4.1)
Hardening the templates:
If you choose to use debian install kicksecure, hardened-kernel, apparmor-profile-everything, and bubblewrap (or if sandbox-app-launcher is finished by the time youre reading this install that).
If you choose to use arch (or gentoo if youre using R4.1) then follow this:
1.5. Remove passwordless sudo
2nd. Secure your Firewall:
Install MirageOS qube firewall by following this guide: https://github.com/mirage/qubes-mirage-firewall
3rd. Keep up-to-date:
Updating and Upgrading QubeOS:
4th. General Security tips and advice:
Coreboot and Me_cleaner:
Before removing Intel ME or installing coreboot please read this:
Setup a VPN:
(Always use either a vpn or Tor cuz fuck your ISP :D )
Clipboard and File communications between VM's:
My personal advice would be if you can use a DispVM instead of normal VM's.
Guides for installing all kinds of TemplateVM's
Keep Up-To-Date with XSA and Canaries:
Understand the Architecture:
And for the love of God don't install QubeOS in a Type 2 Hypervisor.
QubeOS is a great Security-oriented and a privacy respecting OS. However it isnt no Silver Bullet. If you want your QubeOS installation to be Secure then be willing to put some sweat into it being secure.
P.S. You can find most information about QubeOS in the Docs because theyre pretty extensive and if you cannot then dont hesitate to ask the community.
To understand QubeOS limitations more please read: https://seclists.org/dailydave/2010/q3/29