After nearly three years of development, Invisible Things Labs has finally released Qubes 1.0, a Fedora 17-based Linux distribution that tries to be as secure as possible by isolating various applications in their own virtual machines using Xen. If one of the applications is compromised, the damage is isolated to the domain it’s running in.
While Qubes is based on Fedora, the fact that it runs the Xen hypervisor and creates a couple of virtual machines means that it inevitably uses more resources. Indeed, Qubes requires a 64-bit processor, and the developers recommend 4GB of RAM, 20GB of disk space and a fast SSD. If your processor features Intel VT-d or AMD IOMMU technology, driver domains such as those for the network and USB devices are isolated, which makes for an even greater level of security.
Using Qubes means that you have to get to know some terminology. The KDM window already shows you the strange message ‘Welcome to dom0’. Dom0 is the privileged Xen domain, running the management stack and the graphical user interface, tying together all domains so it looks like their applications are running locally. After logging in, the KDE desktop shows the Qubes VM Manager, which lists the dom0 virtual machine, as well as two other virtual machines that securely manage your network connection: netvm and firewallvm. And when you open the Applications menu in the KDE start menu, you see a submenu for each domain that has been created during system configuration: banking, personal, untrusted and work.
Each domain has some starter icons in it for Thunderbird, the Nautilus file manager (why not Dolphin?), GNOME Terminal (why not Konsole?) and Firefox. If you install a new application, its shortcut is not added automatically: you have to add it manually by clicking on ‘Add more shortcuts…’ in the menu of a domain in the Applications menu.
Starting an application in a domain for the first time takes a lot longer than usual, because Qubes has to start that domain’s virtual machine first. If you subsequently start a second application in the same domain, the extra startup time disappears, because the VM already exists. Each AppVM gets 400MB RAM initially, so you’ll see that you need a lot of RAM when you partition your digital life into several domains…
When you have started an application in a domain, the application window is decorated with its border and title bar in a domain-specific colour, which is a nice way to show you in which domain you are working. There’s also a DisposableVM domain, which is perfect for starting a Firefox session that deletes all your tracks after you exit the browser: the virtual machine exits together with Firefox.
By default, a copy/paste between applications in different VMs is not possible, but with Ctrl+Shift+C you mark a domain’s clipboard for a global copy, and with Ctrl+Shift+V you paste the contents of the previous clipboard to an application in the current domain. So, the full procedure becomes: Ctrl+C, Ctrl+Shift+C, navigating to the other application and then Ctrl+Shift+V and Ctrl+V. Qubes also has a way to securely copy files between domains, which is available in the Scripts menu when you right-click on a file. And when you insert a USB stick, Qubes doesn’t mount it automatically. Instead, you choose which AppVM gets access to the file system. Right-click on the AppVM of your choice in the Qubes VM Manager, choose ‘Attach/detach block devices’ and then click on the name of the USB stick. According to the documentation, the stick should then be visible in the Places panel in Nautilus. It was, but when we clicked on it on our test machine, Nautilus didn’t mount the disk. Fortunately we could mount the disk on the command line in a terminal from our chosen domain.
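The USB-stick workflow described above, done from the command line instead of the VM Manager, as an added example that is not part of the original review. The dom0 half uses the qvm-block tool that ships with Qubes (assumed here to accept "-a VM DEVICE" to attach a device), and the AppVM half assumes the attached disk shows up as /dev/xvdi inside the domain; the device name "dom0:sdb1" and the mount point are constructed sample values. With DRY_RUN=1 the functions print the commands they would run, so the script can be exercised on a machine without Xen.

```shell
#!/bin/sh
# Added example (not from the original review): attach a USB stick to one
# AppVM from dom0, then mount it inside that AppVM by hand, which is what the
# reviewers fell back to when Nautilus did not mount it.
# Assumptions (not confirmed by the review): qvm-block -a VM DEVICE attaches a
# dom0 block device, and the attached disk appears as /dev/xvdi in the AppVM.
# "dom0:sdb1" below is a constructed sample device name.
# DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dom0 side: only accept a dom0:sdXN style name, so a typo such as a raw
# /dev path never reaches qvm-block, then hand the device to the chosen AppVM.
attach_stick() {
    vm="$1"
    dev="$2"
    case "$dev" in
        dom0:sd[a-z]*) ;;
        *)
            echo "refusing to attach '$dev': expected a dom0:sdXN device name" >&2
            return 1
            ;;
    esac
    run qvm-block -a "$vm" "$dev"
}

# AppVM side: mount the attached disk. The default options are read-only and
# nosuid/nodev/noexec, since a stick of unknown origin should not be able to
# drop executables or device nodes into the domain; pass "rw" as the second
# argument if you really need to write to it.
mount_stick() {
    mountpoint="${1:-/mnt/usb}"
    opts="${2:-ro,nosuid,nodev,noexec}"
    run sudo mkdir -p "$mountpoint"
    run sudo mount -o "$opts" /dev/xvdi "$mountpoint"
}

# Typical use, first in a dom0 terminal, then in a terminal of the AppVM:
#   attach_stick work dom0:sdb1
#   mount_stick /mnt/usb
```

The attach step runs in dom0 and the mount step in the AppVM's own terminal; the two functions are kept in one file only so the whole procedure can be read in one place.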
Qubes is definitely not suitable for everyone. You have to decide all the time which applications or which documents you open in which domain, so how you take advantage of the isolation of domains is totally up to you. However, in the hands of a security-conscious user, Qubes is a powerful and flexible instrument, and it certainly offers a refreshing approach to security.