Kicksecure for Qubes
Kicksecure for Qubes OS.
Distribution Morphing[edit]
What is distro morphing? See Distribution Morphing.
In dom0
.
1. Install debian-12
as per Qubes Debian Template documentation which is unspecific to Kicksecure.
2. Clone Template debian-12
into template kicksecure-17
.
3. Start the kicksecure-17
Template.
Inside the kicksecure-17
Template.
1. Follow the instructions Install Kicksecure inside Debian, choose meta package kicksecure-qubes-cli
or kicksecure-qubes-gui
.
2. Shutdown the Template.
3. Done.
Distribution morphing of Debian into Kicksecure is complete.
4. Change Template.
Optional: The user may change the Template for any App Qube from Debian to Kicksecure as per the usual Qubes way.
5. Create new app Qubes.
Optional: The user may create new App Qubes based on the kicksecure-17
Template as per the usual Qubes way.
Template[edit]
There is no ready-made template yet.
Future: This wiki page will be updated once available.
Information for developers:
- qubes-template-kicksecure
- build Kicksecure Qubes Template #9573
- Dev/Qubes
- Please contribute to Kicksecure and Qubes OS by creating and maintaining a
kicksecure-17
Qubes Template.
Support Status[edit]
How stable is this? Should be very stable. This is because Qubes-Whonix is based on Kicksecure.
The lead developer of Kicksecure is also a user of Qubes and using Kicksecure in Qubes.
Service VMs[edit]
Kicksecure in Qubes service VMs such as sys-net
, sys-firewall
, sys-usb
are functional. This is classified as unsupported to avoid complex support requests for issues not caused by Kicksecure being directed at Kicksecure support. [1]
If using in-VM kernel:
it's problematic for VMs with PCI devices (especially when using Debian kernel, due to old wifi drivers, but there are also other factors like significantly slower boot time in HVM mode).https://github.com/QubesOS/qubes-issues/issues/9570#issuecomment-2468812870
ISO[edit]
Using the Kicksecure ISO is not the recommended way to install Kicksecure on Qubes. Instead, until a Template is available, Distribution Morphing is the recommended installation method.
If the user wishes to use the ISO for any reason (such as testing, development, comparison, or curiosity), the following steps apply.
Note: You need to download the Kicksecure ISO into a separate AppVM/Qube that will be used to install Kicksecure from (in the example below, the ISO has been downloaded in "debian-personal").
1. Create a new qube, following the instructions in the image.
2. Remove "Install system from device" because we want to modify the VM before installing Kicksecure on it, then press "OK" to create the Kicksecure qube/VM.
3. Enter Kicksecure qube settings.
4. Preferably, change system storage to 20 GB, then press "Advanced".
5. Disable "Include in memory balancing", then increase "Initial memory" to preferably 4 GB. Press "Apply" to adjust the edited settings, then press "Boot qube from CD-ROM" to choose the Kicksecure ISO.
6. Choose the qube where you have downloaded the Kicksecure ISO, then press "..." to browse for the ISO path.
7. Choose Kicksecure ISO.
8. Make sure everything is correctly chosen, then press "OK".
9. Kicksecure is booted and ready to be installed. Kicksecure supports offline installation, so there's no need for network configuration before installation.
10. Done
Networking[edit]
If you want to use the internet before or after installation, you need to go through the following steps:
1. Right-click on the Network Manager taskbar icon, then choose "Edit connections..."
2. Choose "Wired connection 1", then press the settings (gear) icon.
3. Choose "IPv4 settings", then under "Method", select "Manual", and press "Add".
4. Fill in the blanks with the "Net qube" info, except for the subnet mask, which should be set as 255.255.255.0 instead of 255 at the end [2]. If the network still doesn't work, try changing the gateway to 10.137.0.1 [3].
5. After filling in the blanks, press "Save." The Network Manager gear should update itself with the newly added information.
6. Done
See also:
- Qubes HVM: How to auto detect the network settings (IP, gateway) from inside the VM?
- Qube (VM) Recovery.
ISO Troubleshooting[edit]
If the user sees the following:
Figure: virtual console login screen
Then increase RAM according to instructions in chapter #ISO.
Qubes Persistence[edit]
Qubes (non-)persistence is a Qubes default and unspecific to Kicksecure.
Table: Qubes Inheritance and Persistence
Inheritance [4] | Persistence [5] | |
---|---|---|
Template [6] [7] | n/a | Everything |
App Qubes [8] | /etc/skel/ to /home/
|
/rw/ (includes /home/ and bind-dirs )
|
Disposable Template [9] [10] | /etc/skel/ to /home/
|
/rw/ (includes /home/ , /usr/local and bind-dirs )
|
Disposable [11] [12] | /rw/ (includes /home/ , /usr/local and bind-dirs )
|
Nothing |
Qubes Template Modifications[edit]
If a Qubes template has been modified, to make changes in App Qubes based on that Template take effect, it is required to shut down the Template and restart the App Qubes based on that Template. This is a Qubes default and unspecific to Kicksecure.
To apply changes made to a Template:
1. Make the required modification to the Template.
2. Shut down the Template.
3. Shut down the App Qube based on the modified Template.
4. Start the App Qube based on the modified Template.
5. Done.
These steps ensure that all changes made to the Template are properly propagated to the App Qubes.
Footnotes[edit]
- ↑ https://forums.kicksecure.com/t/kicksecure-for-sys-qubes-and-sys-vpn/442
- ↑ https://github.com/QubesOS/qubes-issues/issues/4189
- ↑ https://github.com/QubesOS/qubes-issues/issues/7412
- ↑ Upon creation.
- ↑ Following shutdown.
- ↑ https://www.qubes-os.org/doc/templates/
- ↑ The former name was Template.
- ↑ The former name was AppVM or TemplateBasedVM.
- ↑ https://github.com/QubesOS/qubes-issues/issues/4175
- ↑ Former names included Disposables Template, DVM Template, and DVM.
- ↑ https://www.qubes-os.org/doc/glossary/#disposable
- ↑ Former names included Disposables and DispVM.
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!