[qubes-users] Encrypt disk after installation

2020-02-12 Thread 'ukernel' via qubes-users
For some reason, despite the fact that during installation I selected the 
encryption checkbox and set a password, the partition where I installed 
Qubes OS was not encrypted.  I found a command to encrypt on the same page of 
Qubes OS; however, it says that it overwrites all the information.  I need to know 
how to encrypt my disk without reinstalling everything.

Could you help me please?

cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 1 --verify-passphrase luksFormat /dev/sda2

https://www.qubes-os.org/doc/custom-install/

Sent from ProtonMail mobile

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7nB9eByckB2PElYJX91w8-ncjVmJ1Cqq1UiUVWlAZvhgCnJIt8ANf3IKkJAwPcXjn_3UxHkqJfJXuvLiKcbSHi-cWo4JqgOB7nyk_jNPDBI%3D%40protonmail.com.


Re: [EXT] Re: [qubes-users] Using secondary storage

2020-02-12 Thread 'awokd' via qubes-users
Ulrich Windl:

> -the silly web front-end can't quote; top-posting would probably be 
> better, but... 
> Some systems (not fedora) have a "lsscsi" command that shows your devices 
> quite nicely IMHO.

Posting your reply after a quoted portion has only been the standard on
mailing lists for 30+ years; I'm sure those whiz kids at Google know
best by making it difficult to do.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] How to setup Win10 HVM ?

2020-02-12 Thread 'awokd' via qubes-users
A:
> I want to install Windows 10 from a DVD in a new HVM and have begun following 
> this guide: https://www.qubes-os.org/doc/windows-vm/
> 
> It says:
> 
> “Create a new Qube:
> Name: Win10, Color: red
> Standalone Qube not based on a template
> Networking: sys-firewall (default)
> Launch settings after creation: check
> Click “OK”.”
> 
> As I’m going to install Win 10 from a DVD, shall I then just follow the guide 
> and choose “Launch settings after creation” or shall I choose “Install from 
> device” ?
> 
https://github.com/elliotkillick/qvm-create-windows-qube

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] Using secondary storage

2020-02-12 Thread donovang
D'oh. I was using sbc (sierra bravo charlie) not sdc (sierra delta charlie). 
Used the fdisk and further confirmed that sdc was correct. 

Thanks! 

DG 

- Original Message - 

Per the doc, the example "Assum[es] the secondary hard disk is at 
/dev/sdb". This may not be true in your case. Determine the appropriate 
/dev for your secondary hard drive with "sudo fdisk -l | more" (the 
physical device you want will not have a number on the end; ones with 
numbers appended are partitions on the physical device), then adjust the 
command line accordingly. Welcome to GNU/Linux! 



Re: [qubes-users] Using secondary storage

2020-02-12 Thread donovang
Brendan,

That was the issue - I was using sbc (sierra bravo charlie) not sdc (sierra 
delta charlie). It is the latter. After correcting the typo, subsequent 
commands per instructions worked without error until I got to adding the new 
pool with qvm-pool and the python script(s) had a fit with something. Probably 
a typo or lack of understanding, but I need to look at it in the AM with a 
fresher set of eyes. Copy/paste is still a bit tricky - but it's by design - 
otherwise I'd drop it in here.

DG

- Original Message -
From: "brendan hoar" 
To: "qubes-users" 
Sent: Wednesday, February 12, 2020 8:23:43 PM
Subject: [qubes-users] Using secondary storage

I see reference to both /dev/sdc and /dev/sbc in your post. Which is it?



[qubes-users] Using secondary storage

2020-02-12 Thread brendan . hoar
I see reference to both /dev/sdc and /dev/sbc in your post. Which is it?



Re: [EXT] Re: [qubes-users] Using secondary storage

2020-02-12 Thread Ulrich Windl



>>> "'awokd' via qubes-users" 02/12/20 10:02 PM >>>
donov...@unseen.is:
> I am attempting to setup some secondary storage per 
> https://www.qubes-os.org/doc/secondary-storage/ and when I run " sudo 
> cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 
> --verify-passphrase /dev/sdc" I get "Device /dev/sbc doesn't exist or access 
> denied". It's there in a dom0 terminal when I type "ls /dev/sb*" I am 
> assuming sba is the boot raid1 and sbb is the ROM drive. 

Per the doc, the example "Assum[es] the secondary hard disk is at
/dev/sdb". This may not be true in your case. Determine the appropriate
/dev for your secondary hard drive with "sudo fdisk -l | more" (the
physical device you want will not have a number on the end; ones with
numbers appended are partitions on the physical device), then adjust the
command line accordingly. Welcome to GNU/Linux!

-the silly web front-end can't quote; top-posting would probably be better, 
but... 
Some systems (not fedora) have a "lsscsi" command that shows your devices 
quite nicely IMHO.


-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] Re: qvm-create-windows-qube 2.0

2020-02-12 Thread M E
On Sun, 26 Jan 2020 at 23:12, 'Elliot Killick' via qubes-users <qubes-users@googlegroups.com> wrote:

>
> On 2020-01-26 12:37, Claudio Chinicz wrote:
> > Hi Elliot,
> >
> > I've downloaded again and succeeded creating the HVM.
> >
> > I had a Windows 10 HVM I built manually just booting from the ISO and where
> > I did not succeed installing the QWT (boot after the QWT install would
> > freeze).
> >
> > Would you recommend building a Template from this HVM?
> >
> > The big advantage I saw in this implementation was that I can comfortably
> > run my applications with 2GB (minimum) vs 6GB in my previous HVM. Another
> > advantage of the QWT is that I can send files from Windows to any other
> > PV/HPV VM using qrexec.
> >
> > What's intriguing me is that copy/paste between VMs is not working. When I
> > ctl+shift+C on my Windows VM I see the popup saying I can ctl+shift+V on
> > another VM but when I do so nothing is pasted. Any ideas?
> >
> > Thank you very much for this scripts/Windows VM builder.
> >
> > Regards
>
> By freeze do you mean it stops on the part where QWT tries to create the
> private disk? This is documented in the QWT Known Issues section of the
> README. Just exit that window with the error message and the
> installation will proceed as normal. Besides that for Windows 10/Windows
> Server 2019, you should not have to interact with any window or part of
> the installation. Sometimes, QWT may also just crash upon boot causing
> Windows to crash. This doesn't happen often, however, it is also
> documented in the README. This is more likely to happen if you installed
> Windows manually as you said because unstable QWT features like Qubes
> Memory Manager (qmemman) are enabled by default which we disable in the
> qvm-create-windows-qube.sh script (Thanks to @brendanhoar for that one).
>
> Due to that bug in making the private disk required, it's not possible
> to create templates for Windows 10/Windows Server 2019 anyway.
> Otherwise, I would recommend for most users to build a template with the
> software they want pre-installed and make AppVMs from that.
>
> Regarding copy/paste not working, it appears to work fine for others so
> I would just suggest you restart the Windows qube or possibly make a new
> one. If it's copying the data out correctly then there should be a
> notification saying "Copied X bytes to the clipboard".
>
> You're welcome, Claudio!
>
>
> Regards,
>
> Elliot
>
>
>



I want to install Windows 10 from a DVD in a new HVM and have begun
following this guide: https://www.qubes-os.org/doc/windows-vm/

It says:

“Create a new Qube:
Name: Win10, Color: red
Standalone Qube not based on a template
Networking: sys-firewall (default)
Launch settings after creation: check
Click “OK”.”

As I’m going to install Win 10 from a DVD, shall I then just follow the
guide and choose “Launch settings after creation” or shall I choose
“Install from device” ?



Re: [qubes-users] Trouble Accessing Network Manage

2020-02-12 Thread 'e.sparks15' via qubes-users
Hi Steve,

Sorry to take so long to get back to you. There was an insane project at work 
and I didn't have the time to look at this until now.

This is really helpful! I now have the MAC addresses anonymized -- the two 
computers icon wouldn't show up until after I did the nmcli stuff you 
recommended and then only when I open a second networked qube. Which is weird 
but hey, it works now!

Thanks again my friend!


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, February 7, 2020 8:29 AM, Steve Coleman  
wrote:

> On 2020-02-07 02:43, 'e.sparks15' via qubes-users wrote:
>
> > Hello!
> > I am having trouble anonymizing my MAC address -- the documentation says
> > that I need to go into the Network Manager in the tray on my sys-net
> > Qube, but I can't find NM anywhere. I can access it via the terminal,
> > and have been able to use [[sudo NetworkManager -V]] in both sys-net and
> > dom0, so I know it's there, but I don't know how to access it.
> > If it's of any help, when I check the version in dom0 it gives
> > 1.4.6-1fc25, but in sys-net it gives 1.15.4-1fc30. Also, I added
> > "network-manager" into the net-sys qube via the "Services" tab in that
> > Qube's settings, but that didn't seem to change anything.
>
> Take a look for "nmcli" in sys-net which allows you to perform command
> line operations on the NetworkManager service.
>
> There should also be an icon/control on your taskbar that looks like two
> computers. Right click that icon to get the menu and select "edit
> connections".
>
> > I've looked through the FAQs, I've searched the web, and I've phoned a
> > friend. I've looked over the documentation, too, but I'm sorry to say
> > that it's beyond my ability to understand at this point*. I've played
> > around with it on my own for a number hours, but I'm just out of my
> > depth here. Any help would be greatly appreciated!
> > Thanks so much!




Re: [qubes-users] Using secondary storage

2020-02-12 Thread 'awokd' via qubes-users
donov...@unseen.is:
> I am attempting to setup some secondary storage per 
> https://www.qubes-os.org/doc/secondary-storage/ and when I run " sudo 
> cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 
> --verify-passphrase /dev/sdc" I get "Device /dev/sbc doesn't exist or access 
> denied". It's there in a dom0 terminal when I type "ls /dev/sb*" I am 
> assuming sba is the boot raid1 and sbb is the ROM drive. 

Per the doc, the example "Assum[es] the secondary hard disk is at
/dev/sdb". This may not be true in your case. Determine the appropriate
/dev for your secondary hard drive with "sudo fdisk -l | more" (the
physical device you want will not have a number on the end; ones with
numbers appended are partitions on the physical device), then adjust the
command line accordingly. Welcome to GNU/Linux!

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
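
A pre-flight check for the mix-up discussed in this thread, written as an added example (it is not from the Qubes documentation or from any poster): it confirms the luksFormat target exists, is a whole disk rather than a partition, and is neither mounted nor backing a dm-crypt/LVM mapping, and it lists similarly named disks when the name is mistyped. The function names and the SYSFS_ROOT and MOUNTS_FILE overrides are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for a `cryptsetup luksFormat` target.
# SYSFS_ROOT and MOUNTS_FILE exist only so the logic can be run against a
# constructed tree; leave them unset on a real system.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Whole devices are the entries under /sys/class/block that have no
# "partition" attribute (sdc, not sdc1). Loop and dm devices show up too.
list_whole_disks() {
    for d in "$SYSFS_ROOT"/class/block/*; do
        if [ -e "$d" ] && [ ! -e "$d/partition" ]; then
            basename "$d"
        fi
    done
}

# True if the device ($2, sysfs node $1) or a partition under it is mounted
# or has a holder (a dm-crypt or LVM mapping listed in sysfs "holders").
in_use() {
    for h in "$1"/holders/* "$1"/"$2"*/holders/*; do
        if [ -e "$h" ]; then return 0; fi
    done
    awk -v dev="/dev/$2" '
        $1 == dev || $1 ~ ("^" dev "p?[0-9]+$") { hit = 1 }
        END { exit !hit }' "$MOUNTS_FILE"
}

# Print one word for the target: missing, partition, unverified (mount
# table unreadable), in-use or ok. Always returns 0.
classify_target() {
    name=$(basename "$1")
    node="$SYSFS_ROOT/class/block/$name"
    if [ ! -e "$node" ]; then
        echo missing
    elif [ -e "$node/partition" ]; then
        echo partition
    elif [ ! -r "$MOUNTS_FILE" ]; then
        echo unverified
    elif in_use "$node" "$name"; then
        echo in-use
    else
        echo ok
    fi
}

# Whole disks whose name differs from the requested one in exactly one
# character, which catches a typo such as sbc for sdc.
near_misses() {
    want=$(basename "$1")
    list_whole_disks | awk -v w="$want" '
        length($0) == length(w) {
            diff = 0
            for (i = 1; i <= length(w); i++)
                if (substr($0, i, 1) != substr(w, i, 1)) diff++
            if (diff == 1) print
        }'
}

# Report the finding; succeed only when the target is safe to format.
preflight() {
    status=$(classify_target "$1")
    case "$status" in
        ok)         echo "$1: whole disk, not mounted, no holders" ;;
        missing)    echo "$1: no such block device"
                    near_misses "$1" | sed 's|^|  similar name present: /dev/|' ;;
        partition)  echo "$1: is a partition, not the whole disk" ;;
        in-use)     echo "$1: mounted or backing a dm-crypt/LVM mapping" ;;
        unverified) echo "$1: cannot read $MOUNTS_FILE, usage not checked" ;;
    esac
    [ "$status" = ok ]
}

# Run as: sh preflight.sh /dev/sdX   (before the luksFormat command)
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```
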



[qubes-users] Using secondary storage

2020-02-12 Thread donovang
I am attempting to setup some secondary storage per 
https://www.qubes-os.org/doc/secondary-storage/ and when I run " sudo 
cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 
--verify-passphrase /dev/sdc" I get "Device /dev/sbc doesn't exist or access 
denied". It's there in a dom0 terminal when I type "ls /dev/sb*" I am assuming 
sba is the boot raid1 and sbb is the ROM drive. 

My boot drive is an SSD RAID1 on an Intel embedded controller, standard stuff. 
The drive I want to add is attached to an embedded LSI SAS controller. I can 
attach the sbc device to a VM easy enough but it seems I am missing a step to 
make it dom0 aware. I am running an up-to-date Qubes 4.x installed on a 
SuperMicro serverboard, Xeon something or other (4-core, 3.4GHz) with 32GB RAM 
(retired ESXi host). I think it is booting with GRUB. 

FULL DISCLOSURE: I am a *nix newbie really. I've played with embedded *nix, 
built my share of ESXi boxes and what not, but not really dug into the nuts and 
bolts of it like I have been since installing Qubes, which I think is 
fantastic for its purpose. I want to commit to Qubes as my primary box but I 
really need to understand it first, especially, ahem, disaster recovery. I have 
not run a Linux desktop for any significant length of time prior to this either 
- mostly M$ (since the IBM model 5150), a wee bit of OS/2 Warp (the best 
multi-node PCBoard BBS host evah!) and a brief fling with the Mac OS before 
they went to Intel chips. 

Yes, I could just go buy a bigger pair of SSDs and restore a backup to them, 
but then I won't really learn anything and I'll be a wee bit poorer for it. 

Thanks. 

DG 



Re: [qubes-users] Is Qubes Split GPG safe?

2020-02-12 Thread Sven Semmler
On Wed, Feb 12, 2020 at 11:10:09AM -0800, Claudio Chinicz wrote:
> But TB 79 will not support 
> Enigmail(https://wiki.mozilla.org/Thunderbird:OpenPGP:2020), so we'll "miss" 
> split gpg working with TB.
> Any alternative with GUI like TB?

These are quite popular and work with GnuPG (and therefore very likely
also with split gpg):

- KMail (KDE)
- Evolution (Gnome)
- Claws (GTK+)

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6



[qubes-users] How to setup Win10 HVM ?

2020-02-12 Thread A
I want to install Windows 10 from a DVD in a new HVM and have begun following 
this guide: https://www.qubes-os.org/doc/windows-vm/

It says:

“Create a new Qube:
Name: Win10, Color: red
Standalone Qube not based on a template
Networking: sys-firewall (default)
Launch settings after creation: check
Click “OK”.”

As I’m going to install Win 10 from a DVD, shall I then just follow the guide 
and choose “Launch settings after creation” or shall I choose “Install from 
device” ?



[qubes-users] Re: How to use the USB modem HUAWEI E3372h to connect to the internet in Qubes OS 4.0.3 ?

2020-02-12 Thread A
The Huawei USB-modem E3372 connected to the router TP-LINK TL-MR3420 which is 
connected to the pc’s Intel Ethernet Card’s LAN-port works fine with Qubes OS 
4.0.3.



[qubes-users] Does anyone have experience using TP-LINK TL-MR3420 together with Qubes OS (4.0.3) ?

2020-02-12 Thread A
The Huawei USB-modem E3372 connected to the router TP-LINK TL-MR3420 which is 
connected to the pc’s Intel Ethernet Card’s LAN-port works fine with Qubes OS 
4.0.3.



Re: [qubes-users] Is Qubes Split GPG safe?

2020-02-12 Thread Claudio Chinicz
Hi,

But TB 79 will not support 
Enigmail(https://wiki.mozilla.org/Thunderbird:OpenPGP:2020), so we'll "miss" 
split gpg working with TB.

Any alternative with GUI like TB?

Thanks



Re: [qubes-users] Will Thunderbird 78 kill Qubes Split gpg?

2020-02-12 Thread Claudio Chinicz
Hi Sven, thanks for the explanation of how mail clients work. I've realized 
mutt is not for me, I need a GUI and I'll have to continue using TB or similar, 
regardless of split gpg. Best Regards



Re: [qubes-users] Is Qubes Split GPG safe?

2020-02-12 Thread Claudio Chinicz
Hi uman, thanks for clarifying the issue. Regards



[qubes-users] Re: Tor not connecting over DSL

2020-02-12 Thread Anil
On Wed, 12 Feb 2020 at 22:53, Anil  wrote:

> I have setup a DSL modem (D-Link ASL DSL-520B) with Qubes 4 latest release
> on Dell XPS 13. I am able to connect to the Internet, but the Tor
> connection does not complete. I have tried with the two default bridges
> also. One time that it connected without any bridge, it took a long time to
> connect, but Internet over Tor doesn't work.
>
> By the way, even with other internet connections, when I try to connect to
> Tor with the Connection Wizard, it always says Unknown Bootstrap
> Tag and please report it. Does that indicate some problem?
>
> Regards,
>
> अनिल एकलव्य
> (Anil Eklavya)
>

I have tried changing the DNS servers also, but that doesn't change the
status.

Regards,

अनिल एकलव्य
(Anil Eklavya)



Re: [qubes-users] Is Qubes Split GPG safe?

2020-02-12 Thread qubes-lists


> As was pointed out in qubes-issues, this isn't the private key - it's a
> key pair that Enigmail creates for some purpose. It cant be used to
> encrypt/decrypt messages that use *your* key-pair.
> There is no problem here.

I'm glad my understanding of the setup is still valid then.
Would be nice for other people if you could link to that said issue.



[qubes-users] Tor not connecting over DSL

2020-02-12 Thread Anil
I have setup a DSL modem (D-Link ASL DSL-520B) with Qubes 4 latest release
on Dell XPS 13. I am able to connect to the Internet, but the Tor
connection does not complete. I have tried with the two default bridges
also. One time that it connected without any bridge, it took a long time to
connect, but Internet over Tor doesn't work.

By the way, even with other internet connections, when I try to connect to
Tor with the Connection Wizard, it always says Unknown Bootstrap
Tag and please report it. Does that indicate some problem?

Regards,

अनिल एकलव्य
(Anil Eklavya)



Re: [qubes-users] Will Thunderbird 78 kill Qubes Split gpg?

2020-02-12 Thread Sven Semmler
On Tue, Feb 11, 2020 at 09:48:52PM -0800, Claudio Chinicz wrote:
> Can you provide more details on mutt and how to implement its use with 
> Qubes (and TB I suppose)?

Hi Claudio,

modern email clients like Thunderbird combine several functions into
one software package:

- mail user agent (MUA)
- mail transfer agent (MTA) speaks SMTP
- mail retrieval agent (MRA) speaks POP or IMAP

Actually, originally mail was nothing more than mailfiles transported
from one machine to another via SMTP and stored in the local file
system. That was at a time where all machines were stationary and
constantly connected.

Later we then had dedicated SMTP and POP/IMAP servers that would do the
sending and receiving for you so your local machine wouldn't have to
deal with retries (SMTP) and incoming mail would be stored somewhere
until your machine came online. Those servers are called "smart hosts".

- mutt is a MUA
- postfix is a MTA
- fetchmail is a MRA

Here are some helpful pages:

- https://www.qubes-os.org/doc/mutt
- https://www.qubes-os.org/doc/postfix
- https://www.qubes-os.org/doc/fetchmail

But very little in this setup is Qubes specific, so there is a multitude
of information when you search for mutt, postfix and fetchmail.

In any case it is a replacement for Thunderbird/Enigmail (mutt works
with GnuPG) and it's all happening in the terminal ... so no GUI. This
is why I wrote it's "not a solution for the masses".

Cheers,
/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6



Re: [qubes-users] Re: failed Qubes 4.0.3 install on Dell Inspiron 14 5485

2020-02-12 Thread 'awokd' via qubes-users
'aihey' via qubes-users:
> Unfortunately this has not worked for me but thanks for your suggestion.
> 
> Does anyone happen to know if the installation messages are saved somewhere? 
> I would like to find out what triggers the installation to freeze (it all 
> happens very quickly before it goes blank).
> 
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 11 February 2020 13:11,  wrote:
> 
>> My Dell is newer and simply doesn't have legacy boot. I know that the 
>> altered parameter is used during boot because it was the only thing I 
>> changed to make my installations turn from failures to successes.

Looks like your Dell is a Ryzen with integrated AMD graphics, correct?
Don't think the kernel included in Qubes 4.0.3 has video drivers for it. To
confirm, you could try to install in text mode and see if you get
further. You should be able to switch to a terminal session
(ctrl-alt-F2?) during install to see the temporary logs.

If text mode does get further, you might need to build a custom ISO with
the latest 5.x kernel to get the video drivers. There are also test
builds of Qubes 4.1 you can try. Believe they include 5.x as well.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] Scary Systemd Security Report

2020-02-12 Thread Claudia
February 12, 2020 6:09 AM, ronp...@riseup.net wrote:

> On 2020-02-11 11:39, unman wrote:
> 
>> On Tue, Feb 11, 2020 at 01:34:15AM -0800, ronp...@riseup.net wrote:
>>> I've been reading a blog from the renowned Daniel Aleksandersen at
>>> https://www.ctrl.blog/entry/systemd-service-hardening.html
>>> 
>>> The output from a Debian-10 based Appvm looks a little scary!! Should I
>>> be concerned?
>>> 
>>> user@tmp3:~$ systemd-analyze security
>>> UNIT EXPOSURE PREDICATE HAPPY
>>> ModemManager.service 5.6 MEDIUM 
>>> NetworkManager.service 7.6 EXPOSED 
>>> avahi-daemon.service 9.5 UNSAFE 
>>> cron.service 9.5 UNSAFE 
>>> cups-browsed.service 9.5 UNSAFE 
>>> cups.service 9.5 UNSAFE 
>>> dbus.service 9.5 UNSAFE 
>>> dm-event.service 9.5 UNSAFE 
>>> emergency.service 9.5 UNSAFE 
>>> exim4.service 9.5 UNSAFE 
>>> getty@tty1.service 9.5 UNSAFE 
>>> haveged.service 5.6 MEDIUM 
>>> lvm2-lvmpolld.service 9.5 UNSAFE 
>>> polkit.service 9.5 UNSAFE 
>>> qubes-db.service 9.5 UNSAFE 
>>> qubes-firewall.service 9.5 UNSAFE 
>>> qubes-gui-agent.service 9.5 UNSAFE 
>>> qubes-meminfo-writer.service 9.5 UNSAFE 
>>> qubes-qrexec-agent.service 9.5 UNSAFE 
>>> qubes-sync-time.service 9.5 UNSAFE 
>>> qubes-updates-proxy.service 9.5 UNSAFE 
>>> rc-local.service 9.5 UNSAFE 
>>> 
>>> rescue.service 9.5 UNSAFE 
>>> rsyslog.service 9.5 UNSAFE 
>>> rtkit-daemon.service 6.9 MEDIUM 
>>> serial-getty@hvc0.service 9.5 UNSAFE 
>>> systemd-ask-password-console.service 9.3 UNSAFE 
>>> systemd-ask-password-wall.service 9.3 UNSAFE 
>>> systemd-fsckd.service 9.5 UNSAFE 
>>> systemd-initctl.service 9.3 UNSAFE 
>>> systemd-journald.service 4.3 OK 
>>> systemd-logind.service 4.1 OK 
>>> systemd-networkd.service 2.8 OK 
>>> systemd-timesyncd.service 2.0 OK 
>>> systemd-udevd.service 8.3 EXPOSED 
>>> tinyproxy.service 8.7 EXPOSED 
>>> udisks2.service 9.5 UNSAFE 
>>> user@1000.service 9.1 UNSAFE 
>>> wpa_supplicant.service 9.5 UNSAFE 
>>> xendriverdomain.service 9.5 UNSAFE 
>> 
>> It does look scary.
>> The output from a Fedora based qube looks much the same..
>> You should run the analysis against each service and see where you think
>> they could be hardened. Post back your conclusions here.
>> Also, I see that you have many services that need not be there - some
>> of these will be disabled by Qubes - some you do not need in every qube
>> (cups-browsed, exim4, tinyproxy etc).
>> You need to review what services you are running, and disable those you
>> do not want. My list in an ordinary qube looks rather different from
>> yours. Those are steps you should be taking in any case.
>> Also, bear in mind that the analysis doesn't take into account any
>> security features in the programs themselves, or other mitigations.
>> So you need to do a good deal more work before reaching any conclusions
>> about your system.
>> Look forward to hearing from you
>> unman
> 
> As I read it, you're suggesting that the output is influenced by User
> preferences as opposed to default system settings? To test that theory,
> I loaded a vanilla version of Qubes 4.0.3 onto a spare box and ran the
> command systemd-analyze security against the virgin Debian-10 Template.
> The output is identical to the one I originally posted. As you inferred,
> the output from Fedora Template is similar.

I'm curious how this compares to a vanilla (non-Qubes) Fedora or Debian 
install. In general, most packages' default service files use very few, if any, 
systemd security features on most distros. I think that's more of a DIY thing.

> I'm not sure if you'll agree, but my conclusion from this experiment is
> that the Qubes Team have some work to do in hardening Qubes? Like you
> say, "I see that you have many services that need not be there"; so my
> question is, why are they present in a vanilla version of Qubes?
> 

My impression of the official Qubes developers' stance on this is "security by 
isolation," i.e. Xen is the only component they actually consider secure. This 
is the rationale for passwordless sudo for example. In practice, I can agree, 
it's difficult enough to develop and maintain an OS as sophisticated as Qubes 
in the first place, let alone if they had to also harden guest OSes at various 
levels. In principle, I say fair enough, I suppose it's not really Qubes' 
concern what goes on within VMs. Qubes just polices the border. 

You might be interested in Chris's Qubes hardening tools; however, I don't know 
if it uses the systemd security features at all, so it may not improve systemd's 
report.


Re: [qubes-users] Scary Systemd Security Report

2020-02-12 Thread unman
On Tue, Feb 11, 2020 at 10:09:38PM -0800, ronp...@riseup.net wrote:
> On 2020-02-11 11:39, unman wrote:
> > On Tue, Feb 11, 2020 at 01:34:15AM -0800, ronp...@riseup.net wrote:
> >> I've been reading a blog from the renowned Daniel Aleksandersen at
> >> https://www.ctrl.blog/entry/systemd-service-hardening.html
> >>
> >> The output from a Debian-10 based Appvm looks a little scary!! Should I
> >> be concerned?
> >>
> >> user@tmp3:~$ systemd-analyze security
> >> UNIT EXPOSURE PREDICATE HAPPY
> >> ModemManager.service  5.6 MEDIUM

> >> xendriverdomain.service   9.5 UNSAFE
> >>
> > 
> > It does look scary.
> > The output from a Fedora based qube looks much the same..
> > You should run the analysis against each service and see where you think
> > they could be hardened. Post back your conclusions here.
> > Also, I see that you have many services that need not be there - some
> > of these will be disabled by Qubes - some you do not need in every qube
> > (cups-browsed, exim4, tinyproxy etc).
> > You need to review what services you are running, and disable those you
> > do not want. My list in an ordinary qube looks rather different from
> > yours. Those are steps you should be taking in any case.
> > Also, bear in mind that the analysis doesn't take into account any
> > security features in the programs themselves, or other mitigations.
> > So you need to do a good deal more work before reaching any conclusions
> > about your system.
> > Look forward to hearing from you
> > unman
> 
> As I read it, you're suggesting that the output is influenced by User
> preferences as opposed to default system settings? To test that theory,
> I loaded a vanilla version of Qubes 4.0.3 onto a spare box and ran the
> command systemd-analyze security against the virgin Debian-10 Template. 
> The output is identical to the one I originally posted. As you inferred,
> the output from Fedora Template is similar. 
> 
> I'm not sure if you'll agree, but my conclusion from this experiment is
> that the Qubes Team have some work to do in hardening Qubes? Like you
> say, "I see that you have many services that need not be there"; so my
> question is, why are they present in a vanilla version of Qubes?
> 

The vanilla templates serve all sorts of purposes, and they are
(generally) configured so that you can just drop them in to act as
sys-net, sys-usb etc.
So there are a number of things that you probably don't want or need in
an ordinary qube.
This is a trade off to get maximum usability. There are many
alternatives - using minimal templates; building your own; customising
services on a per qube basis. But for ordinary users Qubes makes it as
simple as possible to use the default templates.

On the general issue, you're missing my point.
Before you can decide whether you should be worried I'm suggesting you
need to do some work. That's exactly what that blog post is about.
Take one of those services, run an analysis and look at the results.
Determine what's needed and what isn't.
Look at any mitigations in the programs themselves, or generally within
Qubes.
Post your conclusions here, or in qubes-issues.
You *are* a member of the Qubes Team.
We all have work to do in hardening Qubes.

unman
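
A way to start the per-service review described in this thread, as an added example that is not part of any poster's message or of Qubes' own tooling: it splits a `systemd-analyze security` report into units to disable and units to analyse further. The sample rows are taken from the report quoted above; the `UNNEEDED` list, the `triage` function name and the threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example: triage a `systemd-analyze security` report for one qube.
# SAMPLE is constructed from rows of the report quoted in the thread.
SAMPLE='UNIT EXPOSURE PREDICATE HAPPY
NetworkManager.service 7.6 EXPOSED
cups-browsed.service 9.5 UNSAFE
exim4.service 9.5 UNSAFE
qubes-qrexec-agent.service 9.5 UNSAFE
systemd-journald.service 4.3 OK
tinyproxy.service 8.7 EXPOSED
user@1000.service 9.1 UNSAFE'

# Assumption: units this particular qube does not need (the three named
# in the thread). Adjust per qube; sys-net or an updates proxy differ.
UNNEEDED='cups-browsed.service exim4.service tinyproxy.service'

# triage THRESHOLD: reads a report on stdin, prints "ACTION UNIT SCORE".
#   disable = listed in UNNEEDED, so switch it off rather than harden it
#   review  = exposure >= THRESHOLD, next step is a per-unit analysis
triage() {
    awk -v min="$1" -v skip="$UNNEEDED" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) drop[s[i]] = 1 }
        NR == 1 && $1 == "UNIT" { next }                 # header row
        NF < 3 || $2 !~ /^[0-9]+(\.[0-9]+)?$/ { next }   # blank or malformed row
        ($1 in drop) { print "disable", $1, $2; next }
        ($2 + 0 >= min + 0) { print "review", $1, $2 }
    ' | LC_ALL=C sort -k1,1 -k3,3nr -k2,2
}

# Stand-alone run on the constructed sample: worst-scoring units first.
printf '%s\n' "$SAMPLE" | triage 9.0
```

On a real qube, pipe `systemd-analyze security --no-pager` into `triage`, then run `systemd-analyze security UNIT` on each `review` line to see which individual settings drive the score.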



Re: [qubes-users] Is Qubes Split GPG safe?

2020-02-12 Thread unman
On Sun, Feb 09, 2020 at 02:31:43PM +, unman wrote:
> On Sun, Feb 09, 2020 at 01:49:00PM +, qubes-li...@riseup.net wrote:
> > Claudio Chinicz wrote:
> > > All the idea behind this is to keep your keys in a safe place (VM
> > > without network), isolated from your application VM.
> > > 
> > > I've installed the work-gpg (keys vault) and created a mail VM with
> > > Thunderbird and Enigmail.
> > > 
> > > While Enigmail cannot create new keys on the vault (I have to
> > > manually import them), it allows me to download/copy the contents of
> > > my keys (private).
> > > 
> > > So, if my mail VM is compromised my keys may be stolen/used
> > > regardless of my keys being kept in a vault!
> > > 
> > > So, what's the purpose of split gpg?
> > 
> > The private keys should never touch the online VM running thunderbird.
> > The keys should be generated on the offline VM and the only way to
> > perform operations that require the private key must be via the 
> > split GPG setup.
> > 
> > If you generated the key on the online VM it is probably best to
> > start with a new one if you would like to get the benefit of the split GPG
> > setup of Qubes.
> > 
> 
> I think you are missing the point.
> What Claudio is reporting is a bug - you are right that the private keys
> should never touch the onlineVM.  You can't manually export them using
> the qubes-split-gpg-wrapper, for example.
> But if you use Enigmail with the split-gpg-wrapper, the private key ends
> up in the onlineVM, and is therefore open to compromise.
> This can't be right.
> 
> unman
> 

As was pointed out in qubes-issues, this isn't the private key - it's a
key pair that Enigmail creates for some purpose. It can't be used to
encrypt/decrypt messages that use *your* key-pair.
There is no problem here.



[qubes-users] Re: split-mail setups

2020-02-12 Thread dhorf-hfref . 4a288f10
> > > mutt in a no-netvm mua-vault?
> > > with fetchmail-vms feeding it through qubesrpc-procmail?
> > > and separate vms for qubesrpc-msmtp for sending?
> > > or msmtp-vms mixed with the fetchmail-vms based on credentials-overlap?


> > however, I am afraid that you have already successfully placed a virus in
> > my head. That setup sounds like a challenge. Any documentation you could
> > link?

no real docs i am afraid. some notes/snippets.
in these examples, the no-net mua-vm is called priv-mua, the
combined fetchmail+msmtp vm is called priv-mta.


mta fetchmailrc:
mda "/usr/bin/qrexec-client-vm priv-mua baka.procmail"

mua baka.procmail: (giga-hacky fixup for mbox format/style)
perl -e '$_=<>;unless($c++||/^From /){$a=localtime;print "From rpc $a\n";}print;while(<>){print}' | procmail

mua procmailrc: (for forwarding recipes)
| /home/user/bin/smail

mua muttrc:
set sendmail="/home/user/bin/smail"

mua ~/bin/smail: (just a helper to isolate the qrexec from random cli args)
exec /usr/bin/qrexec-client-vm priv-mta baka.msmtp

mta baka.msmtp: (this needs a better way to signal/determine dests)
msmtp -d -t --read-envelope-from &> /tmp/_msmtp.debuglast


in case some part of the mailinglist chain decides to eat up special chars:
https://pastebin.com/raw/DfvRujvG


> I'd be more interested in a defense against the DoS vulnerability in
> Qubes users (aka xkcd nerd sniping) that dhorf appears to have discovered :)

there is one fundamental thing to realize about qubes-rpc:
think of it as a pipe that has its left/right side in different VMs.

so everything that can be phrased as a commandline involving pipes,
or involves commands with quasi-pipe options (rsync -e, openssh
ProxyCommand, fetchmail mda, ...) can be turned into a qubes
split-something easily. 

actually anything that involves a single TCP socket too, but you need
to add something like socat or systemd-socket as a helper... 

or a service that has an inetd-mode (sshd -i) ... 


> dhorf

also, how did you get that name?
it is triple-rot13 encrypted for extra privacy!
wait, it even looks like you broke the first two rounds already...
*panics*


> > > but, yes. not really a solution for the masses.


