Practical Security and Privacy Guide.

Security and Privacy guide on Software, Communications, Hardware etc.

This isn't really a guide. More of explaining how I store my files.

1st. NAS Everything I upload to my NAS is encrypted using cryptomator.

2nd. USB. Everything is stored in 2 usbs (2nd one is backup in case one dies). Encrypted using veracrypt serpent-twofish-aes encryption and whirpool hashing. Everything important is stored in a hidden partition.

3rd. SDCard

I make an encrypted container in my SDCard for my phone using aes encryption and whirpool hashing for stuff like keepass databases. I set it to automatically close in 30min

Notes

I dont store important data on my PC, laptop or phone. Everything is in SDCards or USBs.

Most things I do are an overkill..But thats the fun shit!

Dont use telegram, wire, silence and such: https://madaidans-insecurities.github.io/messengers.html

Use signal, matrix, briar: Signal: Centralised but amazing security and privacy. Requires a phone number. Use for more personal communications.

Matrix: Decentralised, foss, e2ee but unstable af. Use as a replacement for things like discord, whatsapp, slack and such

Briar: E2EE, Uses Tor, p2p. Secure and Private but is a pain to use. Use for secret communications like riots, protests etc.

Most people assume that QubeOS is already absolutely secure because Edward Snowden recommends it. Thats simply not the case (Mostly because it uses xen which is a mess of code). So how do we go about hardening it?

1st. Secure your VM's:

I would recommend removing default vm's (backup first) except sys-* vms for now.

Make new ones with either arch or debian. (or gentoo if ur crazy and using R4.1)

Hardening the templates: If you choose to use debian install kicksecure, hardened-kernel, apparmor-profile-everything, and bubblewrap (or if sandbox-app-launcher is finished by the time youre reading this install that).

If you choose to use arch (or gentoo if youre using R4.1) then follow this: https://madaidans-insecurities.github.io/guides/linux-hardening.html

1.5. Remove passwordless sudo https://www.qubes-os.org/doc/vm-sudo/

2nd. Secure your Firewall:

Install MirageOS qube firewall by following this guide: https://github.com/mirage/qubes-mirage-firewall

3rd. Keep up-to-date: Updating and Upgrading QubeOS: https://www.qubes-os.org/doc/upgrade/ https://www.qubes-os.org/doc/updating-qubes-os/

4th. General Security tips and advice: Coreboot and Me_cleaner:

Before removing Intel ME or installing coreboot please read this: https://www.qubes-os.org/doc/anti-evil-maid/

Yubikey Authentication: https://www.qubes-os.org/doc/yubi-key/

Setup a VPN: https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md (Always use either a vpn or Tor cuz fuck your ISP :D )

Clipboard and File communications between VM's: https://www.qubes-os.org/doc/copy-paste/ https://www.qubes-os.org/doc/copying-files/ https://www.qubes-os.org/doc/copy-from-dom0/

DispVMs: https://www.qubes-os.org/doc/disposablevm/ My personal advice would be if you can use a DispVM instead of normal VM's.

TemplateVM's: https://www.qubes-os.org/doc/templates/ Guides for installing all kinds of TemplateVM's

Keep Up-To-Date with XSA and Canaries: https://www.qubes-os.org/security/xsa/ https://www.qubes-os.org/security/canaries/

Understand the Architecture: https://www.qubes-os.org/doc/architecture/

USB Qube: https://www.qubes-os.org/doc/usb-qubes/

And for the love of God don't install QubeOS in a Type 2 Hypervisor.

Summary: QubeOS is a great Security-oriented and a privacy respecting OS. However it isnt no Silver Bullet. If you want your QubeOS installation to be Secure then be willing to put some sweat into it being secure. P.S. You can find most information about QubeOS in the Docs because theyre pretty extensive and if you cannot then dont hesitate to ask the community. To understand QubeOS limitations more please read: https://seclists.org/dailydave/2010/q3/29