The Guardian's engineering team recently shared their experience with Qubes OS, a security-focused desktop operating system. The team configured the Qubes workstations using SaltStack, the default management engine in Qubes OS.
Philip McMahon, staff software engineer at The Guardian, detailed the engineering team's journey navigating the steep learning curve of Qubes OS in a blog post. Qubes OS is also being adopted by the Freedom of the Press Foundation to improve its SecureDrop whistleblower platform, making it more user-friendly and secure for journalists.
Qubes OS offers an alternative to separate air-gapped machines, utilizing offline virtual machines, or "Qubes," to handle sensitive messages. This approach allows for secure decryption and reading of downloaded messages within a familiar chat client interface on the same machine.
McMahon stated that the team's goal with Qubes was to create an offline, Debian 11-based virtual machine (VM) that could be reset to a known state after each restart, removing any generated or downloaded data. This VM would have specific packages installed from both default and custom repositories, including a custom package from a private repository hosted on Amazon S3.
Additionally, they wanted to include a Nautilus extension and a configuration file containing sensitive information that couldn't be hard-coded into the system.
Salt configuration in Qubes begins with a .top file.

```yaml
# guardian.top
base:
  dom0:
    - guardian-vms
```
The above top file instructs Salt to apply the guardian-vms state on dom0. The .sls state file contains the instructions for the previously mentioned guardian-vms state.

```yaml
# guardian-vms.sls
create-guardian-template:
  qvm.vm:
    - name: guardian-template
    - clone:
      - source: debian-11
      - label: black
    - prefs:
      - netvm: ""

create-app:
  qvm.vm:
    - name: app
    - present:
      - template: guardian-template
      - label: green
    - prefs:
      - template: guardian-template
      - netvm: ""
```
The state file accomplishes two key tasks: it creates a template virtual machine named guardian-template based on Debian 11, which operates offline. It also establishes an application virtual machine called guardian based on this template, functioning offline.
The template VM acts as a base for the app VM, containing all the necessary software. Each time the app VM restarts, its file system (except for the home folder) reverts to the template VM's state, removing any malicious code and enhancing security. For a deeper dive into Template and App VMs, interested readers can check out the Qubes documentation.
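Because the offline guarantee rests on the netvm: "" lines in guardian-vms.sls, a pre-deployment check can fail any qvm.vm state that is not explicitly pinned offline. The following is an added example, not code from The Guardian's post or from Qubes; the function names are hypothetical, and the state is embedded as the data structure the YAML parses to (an assumption made so the script runs without a YAML library).

```python
# Constructed sample: what guardian-vms.sls parses to. In practice, load the file
# with yaml.safe_load (PyYAML) instead of embedding it here.
GUARDIAN_VMS = {
    "create-guardian-template": {"qvm.vm": [
        {"name": "guardian-template"},
        {"clone": [{"source": "debian-11"}, {"label": "black"}]},
        {"prefs": [{"netvm": ""}]},
    ]},
    "create-app": {"qvm.vm": [
        {"name": "app"},
        {"present": [{"template": "guardian-template"}, {"label": "green"}]},
        {"prefs": [{"template": "guardian-template"}, {"netvm": ""}]},
    ]},
}


def merge(items):
    """Collapse Salt's list-of-single-key-dicts argument style into one dict."""
    out = {}
    for item in items or []:
        if isinstance(item, dict):
            out.update(item)
    return out


def offline_violations(states):
    """Return (state_id, vm_name, reason) for every qvm.vm state not pinned offline."""
    problems = []
    for state_id, body in states.items():
        if not isinstance(body, dict) or "qvm.vm" not in body:
            continue  # not a qube definition (e.g. pkg.installed)
        args = merge(body["qvm.vm"])
        name = args.get("name", state_id)
        prefs = merge(args.get("prefs"))
        if "netvm" not in prefs:
            # Nothing in the state forces offline; the result depends on Qubes defaults.
            problems.append((state_id, name, "prefs has no netvm entry"))
        elif prefs["netvm"] != "":
            problems.append((state_id, name, "netvm is %r, expected ''" % (prefs["netvm"],)))
    return problems


if __name__ == "__main__":
    for problem in offline_violations(GUARDIAN_VMS):
        print("NOT OFFLINE:", *problem)
```

Run against the state shown above, the check reports nothing; a state that names a netvm or omits the prefs entry is listed with its state ID and qube name.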
Once the above offline VM app is created, it can be useful for some basic tasks. Installing software for viewing, editing, and sanitizing files can be done directly through a terminal in the template VM using APT. However, integrating this into the Salt configuration requires creating a new state file.

```yaml
# install-packages.sls
install-packages:
  pkg.installed:
    - pkgs:
      - libreoffice
      - gedit
      - vlc
```
The top file also needs to be updated to instruct Qubes to apply the install-packages state to the guardian-template VM:

```yaml
# guardian.top
base:
  dom0:
    - guardian-vms
  guardian-template:
    - install-packages
```
Following the blog post by The Guardian, several users on Hacker News engaged in discussion. HN user cangeroo inquired about the acceptance of Qubes OS and airgapping in professional settings, and the use of specialized security equipment and processes. They also expressed surprise at the frequency of crypto theft and questioned the availability and adoption of airgapped solutions.
HN readers also demonstrated a keen interest in the latest developments of Qubes OS, initiating discussions upon the release of versions 4.2.0 and 4.2.1.
McMahon's blog post also delves into other aspects of using Qubes OS, such as installing software not found in default repositories, avoiding network access on the template VM, utilizing disposable VMs, and customizing VMs to fit specific needs.
McMahon hopes his blog post will help others using Qubes OS and invites readers to reach out via email with any questions or feedback.