Skip to content

xn0px90/awesome-qubes-os

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

468 Commits
.github
.github
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Awesome Qubes OS Track Awesome ListAwesome

A curated list of Awesome Qubes OS links

A security-focused desktop operating system that aims to provide security through isolation.

This list is a collection of tools, projects, images, and resources conforming to the Awesome Manifesto.

Contributions very welcome but first see Contributing.

Table of Contents

Qubes OS Websites

System Information & Requirements

  • Architecture - Qubes implements a security-by-compartmentalization approach.
  • Audio virtualization - VMs on Qubes OS have access to virtualized audio through the PulseAudio module.
  • Certified Hardware - We aim for these vendors to be as diverse as possible in terms of geography, cost, and availability.
  • Community-recommended hardware - Community-recommended computers.
  • Hardware compatibility list (HCL) - The HCL is a compilation of reports generated and submitted by users across various Qubes versions about their hardware’s compatibility with Qubes.
  • System Requirements - User documentation / Choyhe attacker doesn’t have access to all the software running in the other domains.
  • Security-critical code - A list of security-critical (i.e., trusted) code components in Qubes OS.
  • Storage pools - Qubes OS implements a security-by-isolation (or security-by-compartmentalization) approach by providing the ability to easily create many security domains.
  • Secondary storage - hese steps assume you have already created a separate volume group and thin pool (not thin volume) for your HDD.
  • Networking - In Qubes, the standard Xen networking is used, based on backend driver in the driver domain and frontend drivers in VMs.
  • Config files - These files are placed in /rw, which survives a VM restart. That way, they can be used to customize a single VM instead of all VMs based on the same template. The scripts here all run as root.
  • Disposable customization - A disposable can be based on any app qube.
  • How to install software in dom0 - How to install a specific package
  • How to make any file persistent (bind-dirs) - With bind-dirs any arbitrary files or folders can be made persistent in app qubes.
  • How to mount a Qubes partition from another OS - When a Qubes OS install is unbootable or booting it is otherwise undesirable, this process allows for the recovery of files stored within the system.
  • Installing contributed packages - This page is for users who wish to install contributed packages.
  • Managing qube kernels - By default, VMs kernels are provided by dom0.
  • Qubes service - Usage documentation is in the qvm-service man page.
  • RPC policies - This document explains the basics of RPC policies in Qubes.
  • Resize disk image - By default Qubes uses thin volumes for the disk images.
  • Standalones and HVMs - A standalone is a type of qube that is created by cloning a template. Unlike templates, however, standalones do not supply their root filesystems to other qubes.
  • Volume backup and revert - With Qubes, it is possible to revert one of a VM’s storage volumes to a previous state using the automatic snapshot that is normally saved every time a VM is shutdown.

Downloading, Installing, Upgrading, and Building

How-to guides

Templates

  • archlinux-minimal template - This is a community guide, not an official guide.
  • audio-qubes - An audio qube acts as a secure handler for potentially malicious audio devices, preventing them from coming into contact with dom0
  • Building a TemplateVM for a new OS - If you don’t like using one of the existing templates because of specific administration, package management or other building needs, you can build a TemplateVM for your distribution of choice.
  • Debian templates - The Debian template is an officially supported template in Qubes OS.
  • Auto Minimal Debian Template Creation - This page summarizes how to automate debian-minimal based template creation.
  • Fedora templates - The Fedora template is the default template in Qubes OS.
  • NetBSD templates - Createa NetBSD template
  • Linux HVMs - Fixing Linux distro HVMs
  • Manually Verifying Hashes of Installed Files - This guide explains how to manually verifying hashes of installed files.
  • Minimal templates - The minimal templates are lightweight versions of their standard template counterparts.
  • Multimedia template - Configuring a “Multimedia” TemplateVM
  • Pentesting: Parrot - Parrot Security is a Debian-based OS with over 600 tools for hacking, pentesting and software development. It is free, open source, secure, portable and customizable for various environments and devices
  • Pentesting: BlackArch - BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers.
  • Pentesting: Kali - How to create a Kali Linux VM.
  • Pentesting: PTF - "The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing.
  • Windows Qubes - Like any other unmodified OSes, Windows can be installed in Qubes as an HVM domain.
  • Qvm-Create-Windows-Qube - Qvm-Create-Windows-Qube is a tool for quickly and conveniently installing fresh new Windows qubes with Qubes Windows Tools (QWT) drivers automatically.
  • Prestium OS - Prestium OS is a Tails OS-like live linux distro.
  • Tails OS - Tails stands for The Amnesic Incognito Live System. It is a live operating system that aims to preserve your privacy and anonymit.
  • Templates - In Getting Started, we covered the distinction in Qubes OS between where you install your software and where you run your software.
  • Template implementation - Describes template implementation.
  • Template manager - A template manager application.
  • Android VM options - There are multiple “android on PC” type distributions that one could try in a VM. Here are the 3!
  • Waydroid template - This guide is for setting up minimal Waydroid template.
  • Shadow qube - The below script will create a Qube, launch the Tor browser, wait for the browser to close, then remove the qube and its RAM pool.
  • Ubuntu 2022.4 minimal - Ubuntu 22.04 (Jammy Jellyfish) Releasesis an open-source software platform that runs everywhere from the PC to the server and the cloud.
  • Ubuntu 2024.4 minimal - Ubuntu 24.04.1 (Noble Numbat) ReleasesUbuntu is an open-source software platform that runs everywhere from the PC to the server and the cloud.
  • USB Qubes - A USB qube acts as a secure handler for potentially malicious USB devices, preventing them from coming into contact with dom0 (which could otherwise be fatal to the security of the whole system). I
  • Xfce templates - If you would like to use Xfce (more lightweight compared to GNOME desktop environment) Linux distribution in your Qubes, you can install one of the available Xfce templates for Fedora, CentOS or Gentoo.
  • GuixOS HVM - Install Guix OS in a standalone HVM
  • Zoom Disp VM - Running Zoom in a DispVM.
  • PrestiumOS HVM - Prestium OS is a Tails OS-like live linux distro.
  • PiHole Cloudflared - PiHole Cloudflared in QubesOS with NextDNS (DNS over Https).
  • Fedora template in-place upgrade - How to upgrade a Fedora template in-place.

VM-Hardening

  • Kicksecure - The following list of actionable items can help to improve security on the Qubes platform, and by extension Kicksecure ™ for Qubes users.
  • Kicksecure for DISP-sys* - How to create disposable sys-usb, sys-net, sys-firewall off a debian-11 minimal template with Kicksecure and other hardening features for DISP-sys*.
  • Qcrypt -qcrypt is a multilayer encryption tool for Qubes OS.
  • Qubes-VM-hardening - Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-down, quarantine and check contents of /rw private storage that affect the execution environment.
  • Anonymizing your MAC Address - Although the MAC address is not the only metadata broadcast by network hardware, changing your hardware's default MAC Address could be an important step in protecting privacy.
  • Anti Evil Maid (AEM) - A user who frequently travels with a Qubes laptop holding sensitive data may be at a much higher risk of Evil Maid attacks than a home user with a stationary Qubes desktop.
  • Data leaks - Firewalling in Qubes is not intended to be a leak-prevention mechanism.
  • Device handling security - Any additional ability a VM gains is additional attack surface.
  • Dom0 secure updates - Updating dom0
  • Easily NAT qubes port to external network - A script to ease the work of doing a NAT to expose a qube port to the physical network interface.
  • Install Qubes OS with boot partition and a detached LUKS header on USB - The encrypted disk will look like an unused/empty unpartitioned disk.
  • Firewall - Every Qube in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies.
  • nft Firewall - This is an example for a TCP redirection, for UDP you would have to replace tcp by udp.
  • Passwordless root access in Qubes - In Qubes VMs there is no point in isolating the root account from the user account.
  • Reducing the fingerprint of the text-based web browser w3m - You can reduce the amount of information w3m gives about itself and the environment it is running in (and, by extension, you).
  • Running Tails in Qubes - Tails stands for The Amnesic Incognito Live System.
  • SaltStack (management software)
  • Custom preferences for Brave browser in disposable qube - The initial_preferences json file can be used to configure the preferences that will be used by default in newly created profiles.
  • Signal - It uses end-to-end encryption to secure all communications.
  • Split GPG - Split GPG implements a concept similar to having a smart card with your private GPG keys, except that the role of the “smart card” is played by another Qubes app Qube.
  • Split SSH - Split SSH implements a concept similar to having a smart card with your private SSH keys, except that the role of the “smart card” is played by another Qubes AppVM.
  • Split dm-crypt - Instead of directly attaching an encrypted LUKS1 partition from a source VM such as sys-usb to a destination VM and decrypting it there.
  • U2F proxy - The Qubes U2F Proxy is a secure proxy intended to make use of U2F two-factor authentication devices with web browsers without exposing the browser to the full USB stack, not unlike the USB keyboard and mouse proxies implemented in Qubes.
  • Using Multi-Factor Authentication with Qubes - This page concerns multi-factor authentication for logging into external services, not for logging into Qubes itself.
  • Using OnlyKey with Qubes OS - The following setup instructions walk through the process of configuring dom0 and a USB qube so that OnlyKey will function as a keyboard and be able to communicate with the OnlyKey app (required for TOTP).
  • Qrexec: secure communication across domains - The qrexec framework is used by core Qubes components to implement communication between domains.
  • Qrexec: Qubes RPC internals - The qrexec framework consists of a number of processes communicating with each other using a common IPC protocol, described in detail below.
  • Qrexec: socket-based services - The qrexec allows implementing services not only as executable files, but also as Unix sockets.
  • Qubes memory manager (qmemman) - Provides automatic balancing of memory across participating PV and HVM domains, based on their memory demand
  • TUFF - We can think of a software update system as “secure” if:
  • YubiKey - Most use cases for the YubiKey can be achieved exactly as described by the manufacturer or other instructions found online.
  • Hardening sys-net - This guide works no matter whether or not you chose disposable sys-net or not. no nonsense guide, Lets get in!
  • Nix in a Qubes OS AppVM - How to install Nix in an AppVm.
  • No file indexing - Disable file indexing in disposable qubes
  • Qubes Shutdown Idle Script - This is a simple script that watches the current qube for idleness and, if it's idle for more than 15 minutes (timeout time is defined in qubesidle.idleness_monitor), shuts it down.
  • qubes-ssh-agent - This is an alternative approach to the existing qubes split-ssh.

Customization

  • AwesomeWM (window manager) - This is an rpm package for awesomewm with the patches for Qubes.
  • Brightness-Ajustment - Easy brightness adjustment
  • Bash completion - How to install bash completion for Qubes OS commands.
  • Custom icons - Place the custom folder icons ~/.local/share/icons is a persistent place to place the custom folder icons and so is /usr/share/icons.
  • DPI scaling - Qubes OS passes on dom0’s screen resolution to VMs (this can be seen in the output of xrandr) but doesn’t pass on dom0’s dpi value.
  • i3 (window manager) - i3 is part of the stable repository (as of Qubes R3.1) and can be installed by using the dom0 update mechanism.
  • KDE (desktop environment) - KDE was the default desktop environment in Qubes
  • Qubes-GUI-Rust - Rust libraries for the Qubes OS GUI Protocol
  • Suckless dwm - How to install dwm in Qubes OS.
  • QubesOS Autostart Menu - Speed up system boot process with a custom launch script
  • Qubes-Scripts - Collection of custom scripts for Qubes OS.
  • Playback performance - This guide will show you how to install the mpv player and use it with maximum performance.
  • qubes-salt-video-playback - Qubes SaltStack configuration of Videos Playback VM
  • sys-VPN notification setup - Get VPN stats as a desktop notification
  • Wayland agent - This is a GUI agent for Qubes OS that supports the [Wayland] display server protocol. Compared to X11, Wayland is vastly simpler and aims to ensure every frame is perfect.
  • Sys-gui Customization - Minimal Fedora and Alternate Desktop Environments / Window Managers (DE/WMs)
  • Tiling XFCE - Titled windows in XFCE with shortcut keys.
  • DPI scaling - Qubes OS passes on dom0’s screen resolution to VMs (this can be seen in the output of xrandr) but doesn’t pass on dom0’s dpi value.
  • Dark Theme - The following text describes how to change the default light theme to a dark theme.
  • Rxvt Terminal - rxvt-unicode is an advanced and efficient vt102 emulator.
  • CPU monitor per VMs - Individual VM monitoring.
  • Custom App entries for the Q Menu - App menu shortcut troubleshooting.
  • xfce dark mode - Xfce global dark mode in Qubes

GPU

ML, LLM & AI

Troubleshooting

Clearnet & Anonymous Networking

DNS

  • dnscrypt-proxy - Run dnscrypt-proxy inside of sys-net to encrypt and secure dns-requests.

Wireguard

  • Mullvad VPN (Fedora38 + WG) - Privacy-first VPN provider's guide for Qubes OS. This guide bears an optimal method for setting up a WG ProxyVM (i.e sys-vpn); you may substitute out Mullvad's WG configuration files in place of your own.
  • Wireguard setup - This guide assumes you are using a VPN service that has wireguard support.

OpenVPN

VLESS

  • VLESS obfuscation VPN - The protocol mimics a long-running https session of Chrome and is hard to detect by DPI systems.

Tor

Anonymity

  • i2p-Whonix - Temporary way to run i2p on Qubes-Whonix.
  • ipfs - A peer-to-peer hypermedia protocol to make the web faster, safer, and more open.
  • LocalSend -Free, open-source app that allows you to securely share files and messages with nearby devices over your local network without needing an internet connection. Basically, a platform neutral “airdrop”.
  • Lokinet - Lokinet is the reference implementation of LLARP (low latency anonymous routing protocol), a layer 3 onion routing protocol.
  • Really disposable ram based qubes - You can use your QubesOS 𝚜𝚝𝚊𝚝𝚎𝚕𝚎𝚜𝚜 just like TailsOS, with persistent storage for VMs. That is pretty simple! It takes 6Gb of extra 𝚁𝙰𝙼 (for store root filesystem files).
  • Whonix - Qubes-Whonix ™ is the seamless combination of Qubes OS and Whonix™ for advanced security and anonymity.
  • How to bypass the GFW on Qubes OS when you’re in China - The purpose of this article is to provide several feasible ways to bypass the GFW for you to choose.
  • Tailscale Setup - How to create template and install Tailscale.

Crypto

  • Split Bitcoin Wallet - A "split" bitcoin wallet is a strategy of protecting your bitcoin by having your wallet split into an offline "cold storage" wallet and an online "watching only" wallet.
  • Split Monero Wallet - With Qubes + Whonix you can have a Monero wallet that is without networking and running on a virtually isolated system from the Monero daemon which has all of its traffic forced over Tor.
  • Awesome-DeSci - A curated list of awesome Decentralized Science (DeSci) resources, projects, articles and more.
  • Ultimate Guide on Using Trezor on Qubes - his guide explains how to use Trezor cryptocurrency hardware wallets on Qubes OS.

Kernels

  • eBPF - eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel.
  • Rump - Rump kernels enable you to build the software stack you need without forcing you to reinvent the wheels.

Microkernels

  • OpenXT - OpenXT is an open-source development toolkit for hardware-assisted security research and appliance integration.
  • Qubes-linux-kernel - Qubes package for Linux kernel.
  • seL4 - seL4 is a high-assurance, high-performance operating system microkernel.

Unikernels

  • Awesome-Unikernels - Secure, lightweight and high performance approach to application delivery.
  • ClickOS - Efficient network function virtualization platform, optimized for Xen and developed by NEC.
  • Clive - Research project from Rey Juan Carlos University (Madrid), developed in Go.
  • HaLVM - Port of Glasgow Haskell compiler producing Xen optimized unikernels.
  • Mini-OS - Reference kernel distributed with Xen.
  • Qubes-Mirage-Firewall - A unikernel that can run as a Qubes OS ProxyVM, replacing sys-firewall.
  • Unikraft - Unikraft powers the next-generation of cloud native applications by enabling you to radically customize and build custom OS/kernels, unlocking best-in-class performance, security primitives and efficiency savings.
  • Unik - A platform for automating unikernel & MicroVM compilation and deployment.

Unikernel-like

  • Drawbridge - Research prototype platform from Microsoft.
  • Graphene - Library OS optimized for Intel SGX.

Qubes OS Server

Exploitation Tools

  • Awesome-Fuzzing - A curated list of references to awesome Fuzzing for security testing. Additionally there is a collection of freely available academic papers, tools and so on.
  • AFL++ - AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.
  • Bonzai - It's like a modular, multicall BusyBox builder for Go with built in completion and embedded documentation support.
  • CodeQL - Discover vulnerabilities across a codebase with CodeQL.
  • Joern - Joern is a platform for analyzing source code, bytecode, and binary executables. It generates code property graphs (CPGs), a graph representation of code for cross-language code analysis.
  • Hyperdbg - HyperDbg Debugger is an open-source, community-driven, hypervisor-assisted, user-mode, and kernel-mode Windows debugger with a focus on using modern hardware technologies. It is a debugger designed for analyzing, fuzzing, and reversing.
  • LeechCore - The LeechCore Memory Acquisition Library focuses on Physical Memory Acquisition using various hardware and software based methods.
    • LeechCore-Plugins - This repository contains various plugins for LeechCore - Physical Memory Acquisition Library.
  • Libvmi - LibVMI is a C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.
  • Lldb - LLDB is a next generation, high-performance debugger.
  • Memflow - memflow is a library that enables introspection of various machines (hardware, virtual machines, memory dumps) in a generic fashion.
  • Capstone - Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
  • Coredump - Access Microsoft Windows Coredump files.
  • Kvm - KVM memflow connector.
  • Pcileech - Access pcileech interface.
  • sys-mitm - A man-in-the-middle Qube for your traffic analysis needs.
  • Qemu_procfs - Access QEMU Physical memory.
  • Unicorn - Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
  • MemProcFS - MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.
    • MemProcFS-Plugins - This repository contains various non-core plugins for MemProcFS - The Memory Process File System.
  • Microlibvmi - A cross-platform unified Virtual Machine Introspection API library.
  • Radare2 - Libre Reversing Framework for Unix Geeks.
  • Volatility3 - Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples.

Xen Exploitation

Web articles

Optics and Extra Info

Qubes OS Summit - 3mdeb Summit videos

Xen project summit 2024 videos

UX - User Experience

  • UX Bessie - Qubes OS AppMenu Design Direction. Part of 2020/21 MOSS funded UX work.
  • UX Jackie - Qubes OS AppMenu Design Direction. Part of 2020/21 MOSS funded UX work.

Extra Info

Training and Materials

Companies using Qubes OS

  • Qubes Partners - The Qubes Project relies greatly on the generous support of the organizations, companies, and individuals who have become Qubes Partners.

Social media

The Qubes OS Project has a presence on the following social media platforms:

  • ClubHouse - Qubes OS Clubhouse Room
  • Discord - Qubes OS discord invite link
  • Dread - Dark Net QubesOS .onion forum room.
  • Facebook - Qubes OS facebook page
  • Forum - Qubes OS Discorse Forum
  • LinkedIn - Qubes OS linkedin account
  • Mastodon - Qubes OS Mastodon channel
  • Matrix Discord Bridge - Qubes OS Discord General Room Bridge
  • Matrix:Qubes OS - General Qubes OS matrix room
  • Reddit Qubes OS - General Qubes OS Reddit room.
  • Reddit hacking_qubes_os - Reddit room dedicated to hacking Qubes OS
  • Reddit hack_with_qubes_os - Reddit room dedicated to hacking with Qubes OS
  • Twitter - Qubes OS Twitter account
  • #xen channel on irc.oftc.net via traditional IRC clients.
  • #qubes channel on irc.libera.chat via traditional IRC clients.
  • #qubes-os channel on irc.anonops.com via traditional IRC clients.

Qubes OS Legends

Releases

Adventure Further

:|: ADVENTURE FURTHER :|: HACK ALL THE THINGS :|: TRUST NOTHING :|: WITH <3! ~X

Contributing

Contribution guidelines can be found here.

License

Creative Commons License

This work is licensed under a Creative Commons Attribution 1.0 Generic.

About

A curated list of awesome qubes os links

Resources

Readme

License

CC0-1.0 license
Activity

Stars

96 stars

Watchers

10 watching

Forks

9 forks
Report repository

Releases

No releases published

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 5