<p>Anonymousland | Information: Anonymity, Privacy, Security. Feed: https://anonymousland.org/feed/information.xml (Jekyll, updated 2023-08-01T11:31:22+00:00)</p>
<p>kicksecure-sys-dns: https://anonymousland.org/qubes/kicksecure-sys-dns</p>
<p>Setting up a hardened <code class="language-plaintext highlighter-rouge">sys-dns</code> to proxy DNS traffic through <code class="language-plaintext highlighter-rouge">dnscrypt</code></p>
<p><br /></p>
<h3 id="prerequisites">Prerequisites:</h3>
<p>Create a Debian minimal template and set up <a href="./#debian-security">kicksecure</a>.</p>
<p>Install the required packages:</p>
<p><code class="language-plaintext highlighter-rouge">sudo apt install dnscrypt-proxy qubes-core-agent-networking</code></p>
<p>The <code class="language-plaintext highlighter-rouge">dnscrypt</code> settings are located at <code class="language-plaintext highlighter-rouge">/etc/dnscrypt-proxy/</code></p>
<p>Edit <code class="language-plaintext highlighter-rouge">/rw/config/rc.local</code> to:</p>
<p><br /></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/bin/sh
# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
# Example for overriding the whole CUPS configuration:
# rm -rf /etc/cups
# ln -s /rw/config/cups /etc/cups
# systemctl --no-block restart cups
# allow redirects to localhost
/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
/usr/sbin/iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
# redirect dns-requests to localhost
/usr/sbin/iptables -t nat -F PR-QBS
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
# set /etc/resolv.conf and start dnscrypt-proxy
echo "nameserver 127.0.0.1" > /etc/resolv.conf
/usr/bin/systemctl enable dnscrypt-proxy.service --now
</code></pre></div></div>
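<p>To confirm the redirect rules above actually took effect, the following added example (not part of the original guide) audits the <code class="language-plaintext highlighter-rouge">PR-QBS</code> chain as printed by <code class="language-plaintext highlighter-rouge">iptables -t nat -S PR-QBS</code>. The function names, the sample chains and the <code class="language-plaintext highlighter-rouge">192.0.2.53</code> address are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the original guide): audit the PR-QBS nat chain.
# On a live sys-dns qube:  sudo iptables -t nat -S PR-QBS | audit_pr_qbs

# Reads `iptables -S` style rules on stdin. Prints one line per problem and
# returns non-zero unless every Qubes DNS address/protocol pair from rc.local
# is DNATed to localhost and no port-53 DNAT rule points anywhere else.
audit_pr_qbs() {
    awk '
    BEGIN {
        # Every (resolver, protocol) pair that rc.local redirects.
        n = split("10.139.1.1 10.139.1.2", ips, " ")
        m = split("udp tcp", protos, " ")
        for (i = 1; i <= n; i++)
            for (j = 1; j <= m; j++)
                want[ips[i] "/32 " protos[j]] = 1
    }
    $1 == "-A" && $2 == "PR-QBS" {
        dst = proto = dport = target = to = ""
        for (k = 3; k <= NF; k++) {
            if ($k == "-d") dst = $(k + 1)
            else if ($k == "-p") proto = $(k + 1)
            else if ($k == "--dport") dport = $(k + 1)
            else if ($k == "-j") target = $(k + 1)
            else if ($k == "--to-destination") to = $(k + 1)
        }
        # Only DNS DNAT rules matter for this audit.
        if (dport != "53" || target != "DNAT") next
        if (to == "127.0.0.1" || to == "127.0.0.1:53") {
            delete want[dst " " proto]
        } else {
            # DNS would leave the qube without passing through dnscrypt-proxy.
            printf "LEAK %s %s -> %s\n", dst, proto, to
            bad++
        }
    }
    END {
        for (key in want) { printf "MISSING %s\n", key; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample: the chain as rc.local is meant to leave it.
sample_good() {
    cat <<'EOF'
-N PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
EOF
}

# Constructed sample: one rule still forwards upstream, one rule is absent.
sample_stale() {
    cat <<'EOF'
-N PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
EOF
}

# Demonstration on the constructed samples.
if sample_good | audit_pr_qbs; then echo "good chain: OK"; fi
sample_stale | audit_pr_qbs || echo "stale chain: DNS would bypass dnscrypt-proxy"
```

<p>A non-zero exit after boot usually means <code class="language-plaintext highlighter-rouge">rc.local</code> did not run to completion or the chain was rewritten afterwards.</p>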
<p><br /></p>
<h3 id="setup">Setup:</h3>
<p>Create an AppVM <code class="language-plaintext highlighter-rouge">dvm-dnscrypt</code> based on the template created above with:</p>
<ul>
<li>NetVM: <code class="language-plaintext highlighter-rouge">sys-net</code></li>
<li>Autostart: <code class="language-plaintext highlighter-rouge">true</code></li>
<li>Provides Network: <code class="language-plaintext highlighter-rouge">true</code></li>
</ul>
<p><br /></p>
<p>Clone <code class="language-plaintext highlighter-rouge">dvm-dnscrypt</code> and create a <code class="language-plaintext highlighter-rouge">sys-dns</code> as a DispVM, ensuring the same settings as above are set.</p>
<p>Set your <code class="language-plaintext highlighter-rouge">sys-firewall</code> to connect to <code class="language-plaintext highlighter-rouge">sys-dns</code></p>
<p><br /></p>
<h3 id="sources">Sources</h3>
<ul>
<li><a href="https://forum.qubes-os.org/t/guide-how-to-setup-a-sys-dns-qube/13749">[guide] how-to setup a sys-dns qube</a></li>
</ul>
<p>dvm-zulucrypt: https://anonymousland.org/qubes/dvm-zulucrypt</p>
<p>Notes on how to setup a disposable zulucrypt instance for USB devices.</p>
<p><br /></p>
<h3 id="prerequesites">Prerequisites:</h3>
<p>Set up a minimal <code class="language-plaintext highlighter-rouge">kicksecure</code> template based on <a href="./#debian-security">this guide</a>.</p>
<p>Install the <code class="language-plaintext highlighter-rouge">zulucrypt</code> package:</p>
<p><code class="language-plaintext highlighter-rouge">sudo apt install zulucrypt</code></p>
<p>If you wish to use USB devices, add the <code class="language-plaintext highlighter-rouge">qubes-usb-proxy</code> package:</p>
<p><code class="language-plaintext highlighter-rouge">sudo apt install qubes-usb-proxy</code></p>
<p><br /></p>
<h3 id="setup">Setup</h3>
<ul>
<li>
<p>Create an <code class="language-plaintext highlighter-rouge">AppVM</code> titled <code class="language-plaintext highlighter-rouge">template-dvm-crypt</code> with the template created above.</p>
</li>
<li>
<p>Net Qube: <code class="language-plaintext highlighter-rouge">(none)</code></p>
</li>
<li>
<p>In <code class="language-plaintext highlighter-rouge">Advanced</code>, select <code class="language-plaintext highlighter-rouge">Disposable Template</code></p>
</li>
<li>
<p>In <code class="language-plaintext highlighter-rouge">Applications</code> select <code class="language-plaintext highlighter-rouge">zuluCrypt</code></p>
</li>
</ul>
<p><br /></p>
<p>After this, create a new <code class="language-plaintext highlighter-rouge">DisposableVM</code> titled <code class="language-plaintext highlighter-rouge">dvm-crypt</code> with the template as <code class="language-plaintext highlighter-rouge">template-dvm-crypt</code> and networking as <code class="language-plaintext highlighter-rouge">(none)</code>.</p>
<p>Qubes OS: https://anonymousland.org/Qubes-OS</p>
<div style="text-align:center;">
A collection of Qubes OS-related information.
</div>
<p><br /></p>
<p>Website: <a href="https://qubes-os.org">https://qubes-os.org</a> <button type="button" class="btn btn-default btn-xs"><a href="http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/">Tor</a></button></p>
<p><br /></p>
<h4 id="table-of-contents">Table of contents:</h4>
<p>->> <a href="#best-practices">Best Practices</a> <br />
->> <a href="#template-setup">Template Setup</a> <br /></p>
<ul>
<li>-> <em><a href="#debian">Debian</a></em> <br />
<ul>
<li>-> <em><a href="#debian-security">Security</a></em> <br /></li>
</ul>
</li>
<li>-> <em><a href="#fedora">Fedora</a></em> <br /></li>
<li>-> <em><a href="#upgrading-fedora">Upgrading Fedora</a></em> <br /></li>
<li>-> <em><a href="#whonix">Whonix</a></em> <br /></li>
</ul>
<p>->> <a href="#links--resources">Links & Resources</a> <br /></p>
<ul>
<li>-> <em><a href="#customizations">Customizations</a></em> <br /></li>
<li>-> <em><a href="#guides">Guides</a></em> <br /></li>
<li>-> <em><a href="#templates">Templates</a></em> <br /></li>
<li>-> <em><a href="#wiki">Wiki</a></em> <br /></li>
</ul>
<p><br /></p>
<h3 id="best-practices">Best Practices</h3>
<ul>
<li>
<p>All repositories should be routed over Tor and <a href="https://anonymousland.org/#onionizing-repositories">onionized</a></p>
</li>
<li>
<p>Each application should be installed in its own separate minimal template Qube (provided your system has the resources for it)</p>
</li>
<li>
<p><code class="language-plaintext highlighter-rouge">sys-usb</code> should be configured on a laptop</p>
</li>
<li>
<p>Avoid using <code class="language-plaintext highlighter-rouge">sleep</code> on a Qubes system</p>
</li>
<li>
<p>Read all of the Qubes documentation</p>
</li>
<li>
<p>Frequently visit the Qubes forums</p>
</li>
<li>
<p>Consider creating a shutdown script / shortcut</p>
</li>
<li>
<p>Consider if you would benefit by creating backups of your Qubes system</p>
</li>
<li>
<p>Update frequently</p>
</li>
<li>
<p>Harden Qubes if applicable (Debian kicksecure, Fedora COPR hardened-malloc, etc.)</p>
</li>
<li>
<p>Set up a BIOS password along with a power-on password</p>
</li>
<li>
<p>Use an SSD for the Qubes system</p>
</li>
</ul>
<p><br /></p>
<h3 id="template-setup">Template Setup</h3>
<p>Small notes for template setup</p>
<p>Proxying <code class="language-plaintext highlighter-rouge">wget</code>:</p>
<p>Edit <code class="language-plaintext highlighter-rouge">/etc/wgetrc</code></p>
<p>Add:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use_proxy=yes
http_proxy=127.0.0.1:8082
https_proxy=127.0.0.1:8082
</code></pre></div></div>
<p><br /></p>
<h4 id="debian">Debian</h4>
<p>Running in Dom0:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo qubes-dom0-update qubes-template-debian-11-minimal
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qvm-run --pass-io -u root template-debian-11-minimal 'apt install qubes-core-agent-passwordless-root'
</code></pre></div></div>
<p>Running inside the template:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt update
</code></pre></div></div>
<p>Installing packages</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git apt-transport-tor curl
</code></pre></div></div>
<p>Configuring git proxy</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git config --global http.proxy http://127.0.0.1:8082/
</code></pre></div></div>
<p><br /></p>
<h4 id="debian-security">Debian Security</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install grub2 qubes-kernel-vm-support
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get -t bullseye-backports --no-install-recommends install linux-image-amd64 linux-headers-amd64
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo grub-install /dev/xvda
</code></pre></div></div>
<p>Adding the Kicksecure repository:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output ~/derivative.asc https://www.kicksecure.com/derivative.asc
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
</code></pre></div></div>
<p>Installing Kicksecure package:</p>
<p><code class="language-plaintext highlighter-rouge">kicksecure-qubes-cli</code> and <code class="language-plaintext highlighter-rouge">kicksecure-qubes-gui</code> are available.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install --no-install-recommends kicksecure-qubes-cli
</code></pre></div></div>
<p>Installing LKRG:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install --no-install-recommends lkrg-dkms
</code></pre></div></div>
<p>Enabling Hardened Malloc:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
</code></pre></div></div>
<p><br /></p>
<h4 id="fedora">Fedora</h4>
<p>Running in Dom0:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo qubes-dom0-update qubes-template-fedora-37-minimal
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qvm-run --pass-io -u root template-fedora-37-minimal 'dnf install qubes-core-agent-passwordless-root'
</code></pre></div></div>
<p>Running inside the template:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo dnf update
</code></pre></div></div>
<p>Installing packages</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo dnf install qubes-core-agent-passwordless-root qubes-core-agent-dom0-updates qubes-usb-proxy qubes-gpg-split qubes-core-agent-networking git
</code></pre></div></div>
<p>Configuring git proxy</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git config --global http.proxy http://127.0.0.1:8082/
</code></pre></div></div>
<p><br /></p>
<h4 id="upgrading-fedora">Upgrading Fedora</h4>
<p>Running in Dom0:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qvm-clone fedora-36 fedora-37
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>truncate -s 5GB /var/tmp/template-upgrade-cache.img
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qvm-run -a fedora-37 gnome-terminal
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dev=$(sudo losetup -f --show /var/tmp/template-upgrade-cache.img)
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qvm-block attach fedora-37 dom0:${dev##*/}
</code></pre></div></div>
<p>Running inside Fedora-37:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo mkfs.ext4 /dev/xvdi
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo mount /dev/xvdi /mnt/removable
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo dnf clean all
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo dnf --releasever=37 --setopt=cachedir=/mnt/removable --best --allowerasing distro-sync
</code></pre></div></div>
<p>Running inside Dom0:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qvm-shutdown fedora-37
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo losetup -d $dev
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rm /var/tmp/template-upgrade-cache.img
</code></pre></div></div>
<p><br /></p>
<h4 id="whonix">Whonix</h4>
<p>Whonix-GW and Whonix-WS should be upgraded via:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>upgrade-nonroot
</code></pre></div></div>
<p>Installing LKRG:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install --no-install-recommends lkrg-dkms
</code></pre></div></div>
<p>Enabling Hardened Malloc:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "/usr/lib/libhardened_malloc.so/libhardened_malloc.so" | sudo tee /etc/ld.so.preload
</code></pre></div></div>
<p><br /></p>
<h3 id="links--resources">Links & Resources</h3>
<ul>
<li>
<p><a href="https://github.com/NobodySpecial256/qpowerkill">qpowerkill</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/qubes-for-organizational-security-auditing-talk-notes/199">Qubes for security auditing</a></p>
</li>
<li>
<p><a href="https://roscidus.com/blog/blog/2021/03/07/qubes-lite-with-kvm-and-wayland/">Qubes-lite with KVM and Wayland</a></p>
</li>
</ul>
<p><br /></p>
<h4 id="customizations">Customizations</h4>
<ul>
<li>
<p><a href="https://forum.qubes-os.org/t/qubes-os-wallpapers/2819">Wallpapers</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/kde-changing-the-way-you-use-qubes/4730">KDE</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/guide-xfce-global-dark-mode-in-qubes-4-0-4-1/10757">XFCE Global Dark Mode</a></p>
</li>
</ul>
<p><br /></p>
<h4 id="guides">Guides</h4>
<ul>
<li>
<p><a href="https://forum.qubes-os.org/t/guide-how-to-setup-a-sys-dns-qube/13749">Creating sys-dns</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/tutorial-how-to-use-kloak-with-usb-keyboards/14134">Using Kloak</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/advanced-browser-fingerprinting/12379">Advanced Browser Fingerprinting</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/monero-wallet-daemon-isolation-with-qubes-whonix/1121">Monero Wallet Isolation</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/fom-s-giant-list-of-qubes-os-workarounds-tweaks-and-shenanigans/15162">Fom’s giant list of Qubes OS workarounds, tweaks and shenanigans</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/fully-ephemeral-dispvms/12030">Fully ephemeral dispvms</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674">Opening all files in disposable qube</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/guide-kicksecure-for-disp-sys/13324">Kicksecure Guide</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/qubes-os-installation-detached-encrypted-boot-and-header/6205">Qubes OS installation encrypted boot and header</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/how-to-set-up-the-trezor-bridge-in-4-1/11103">Trezor Bridge in 4.1</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/guide-split-protonmail-offline-send-receive-qubes-pm-bridge-vm/11096">split-ProtonMail</a></p>
</li>
<li>
<p><a href="https://forum.qubes-os.org/t/how-to-create-an-android-qube/8467">How to create an Android Qube</a></p>
</li>
</ul>
<p><br /></p>
<h4 id="templates">Templates</h4>
<ul>
<li>
<p><a href="https://github.com/elliotkillick/qvm-create-windows-qube">Windows</a></p>
</li>
<li>
<p><a href="https://www.qubes-os.org/doc/templates/minimal/">Minimal</a></p>
</li>
</ul>
<p><br /></p>
<h4 id="wiki">Wiki</h4>
<ul>
<li>
<p><a href="https://www.kicksecure.com/wiki/Hardened-kernel">Hardened-Kernel</a> <button type="button" class="btn btn-default btn-xs"><a href="http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Hardened-kernel">Tor</a></button></p>
</li>
<li>
<p><a href="https://www.whonix.org/wiki/VM_Fingerprinting">VM Fingerprinting</a> <button type="button" class="btn btn-default btn-xs"><a href="http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/VM_Fingerprinting">Tor</a></button></p>
</li>
</ul>
<p>Matrix: https://anonymousland.org/Matrix</p>
<p>For <a href="https://matrix.org">Matrix</a>.</p>
<h3 id="clients">Clients</h3>
<p>For a more comprehensive list, view <a href="https://matrix.org/clients/">Matrix Clients</a></p>
<ul>
<li>
<p><a href="https://element.io">Element</a></p>
</li>
<li>
<p><a href="https://schildi.chat">SchildiChat</a></p>
</li>
</ul>
<p><br /></p>
<h3 id="servers">Servers</h3>
<ul>
<li><a href="https://joinmatrix.org/servers">JoinMatrix</a></li>
</ul>
<p>Information: https://anonymousland.org/Information</p>
<div style="text-align:center;">
<p>
A collection of links, articles, resources and more.
</p>
</div>
<p><br /></p>
<h4 id="table-of-contents">Table of contents:</h4>
<p>->> <a href="#main-collection">Main Collection</a> <br /></p>
<ul>
<li>-> <em><a href="#news">News</a></em> <br /></li>
<li>-> <em><a href="#articles">Articles</a></em> <br /></li>
<li>-> <em><a href="#communities">Communities</a></em> <br /></li>
<li>-> <em><a href="#products">Products</a></em> <br /></li>
<li>-> <em><a href="#projects">Projects</a></em> <br /></li>
<li>-> <em><a href="#research">Research</a></em> <br /></li>
<li>-> <em><a href="#random">Random</a></em> <br /></li>
</ul>
<p><br /></p>
<h1 id="main-collection">Main Collection</h1>
<p><br /></p>
<h2 id="news">News</h2>
<p>For news</p>
<ul>
<li>
<p><a href="https://www.wired.com/story/corellium-nso-group-darkmatter-apple-lawsuit/">A Leak Details Apple’s Secret Dirt on a Trusted Security Startup</a></p>
</li>
<li>
<p><a href="https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data">US Military Bought Mass Monitoring Team</a></p>
</li>
<li>
<p><a href="https://arstechnica.com/information-technology/2022/09/chinas-leading-ai-image-generator-nixes-political-content-surprising-no-one/">China AI image generator</a></p>
</li>
<li>
<p><a href="https://www.technologyreview.com/2022/08/16/1057894/hackers-linked-to-china-have-been-targeting-human-rights-groups-for-years/">China targeting human rights</a></p>
</li>
</ul>
<p><br /></p>
<h2 id="articles">Articles</h2>
<p>Articles and stories related to technology, security or privacy</p>
<ul>
<li>
<p><a href="https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/">Roomba AI Data Privacy</a></p>
</li>
<li>
<p><a href="https://www.newscientist.com/article/2334048-your-smartphone-could-recognise-you-just-by-the-way-you-hold-it/">Your smartphone could recognize you by the way you hold it</a></p>
</li>
<li>
<p><a href="https://www.protocol.com/enterprise/emotion-ai-school-intel-edutech">Intel thinks AI knows what students think and feel</a></p>
</li>
<li>
<p><a href="https://fingerprint.com/blog/browser-anti-fingerprinting-techniques/">Anti-fingerprinting techniques</a></p>
</li>
<li>
<p><a href="https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car">Who is collecting data from your car</a></p>
</li>
<li>
<p><a href="https://www.wired.com/video/watch/hacking-police-body-cameras">Hacking Police Body Cameras</a></p>
</li>
</ul>
<p><br /></p>
<h2 id="communities">Communities</h2>
<p>A place for various related communities & media</p>
<ul>
<li>
<p><a href="https://hackliberty.org">Hackliberty</a> <button type="button" class="btn btn-default btn-xs"><a href="http://xj2i2lkzecitg6cq5ca3vrhlzq4evgz6qr2i4s7b4y57ktuaohff4vyd.onion">Tor</a></button></p>
</li>
<li>
<p><a href="https://privacyguides.org">PrivacyGuides</a> <button type="button" class="btn btn-default btn-xs"><a href="http://eter4u55b667kuo72ntpm7ut54sa2mxmr22iqgzns4jw7boeox3qgyid.onion">Tor</a></button></p>
</li>
<li>
<p><a href="https://privsec.dev">Privsec</a></p>
</li>
<li>
<p><a href="https://privacy.do">Privacy.do</a></p>
</li>
</ul>
<p><br /></p>
<h2 id="products">Products</h2>
<p>Items you can buy
<em>(These are not affiliated and, in some cases, not even recommended.
This is simply a list.
Do your own research).</em></p>
<ul>
<li>
<p><a href="https://reflectables.com">Reflectables</a></p>
</li>
<li>
<p><a href="https://www.urmesurveillance.com/">URME Surveillance</a></p>
</li>
<li>
<p><a href="https://ominoushum.com/lock/">Unpickable</a></p>
</li>
</ul>
<p><br /></p>
<h2 id="projects">Projects</h2>
<p>A list of interesting projects</p>
<ul>
<li>
<p><a href="https://0xacab.org/optout/into-the-crypt">Into the crypt</a> <button type="button" class="btn btn-default btn-xs"><a href="http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/optout/into-the-crypt">Tor</a></button></p>
</li>
<li>
<p><a href="https://git.cuvoodoo.info/kingkevin/board/src/branch/hdmi_firewall/README.md">HDMI Firewall</a></p>
</li>
<li>
<p><a href="https://github.com/dfd-tud/deda">DEDA</a></p>
</li>
</ul>
<p><br /></p>
<h2 id="research">Research</h2>
<p>For research-based articles</p>
<ul>
<li>
<p><a href="https://arxiv.org/pdf/2210.07321.pdf">Machine Generated Text: A Comprehensive Survey of Threat Models and Detection Methods</a></p>
</li>
<li>
<p><a href="https://nebuchadnezzar-megolm.github.io/">Practically-exploitable Cryptographic Vulnerabilities in Matrix</a></p>
</li>
<li>
<p><a href="https://www.academia.edu/43534914/Memetic_Warfare_The_Future_of_War">Memetic Warfare</a></p>
</li>
<li>
<p><a href="https://mega-awry.io/">Mega.nz Encryption</a></p>
</li>
</ul>
<p><br /></p>
<h2 id="random">Random</h2>
<p>For anything that does not fit the above categories</p>
<ul>
<li>
<p><a href="https://notospypixels.com/">No to Spy Pixels</a></p>
</li>
<li>
<p><a href="https://wiki.jameskitt616.one/en/bugout-handbook">Prepper Handbook</a></p>
</li>
<li>
<p><a href="https://foliophotonics.com/">Next Generation Data Storage</a></p>
</li>
<li>
<p><a href="https://www.gp-digital.org/world-map-of-encryption/">World Map of Encryption</a></p>
</li>
<li>
<p><a href="https://sive.rs/1s">Logic Sentences</a></p>
</li>
</ul>
GrapheneOS2023-08-01T11:31:22+00:002023-08-01T11:31:22+00:00https://anonymousland.org/GrapheneOS<div style="text-align:center;">
A collection of GrapheneOS-related information.
</div>
<p><br /></p>
<p>Website: <a href="https://grapheneos.org">https://grapheneos.org</a></p>
<p><br /></p>
<h3 id="links--resources">Links & Resources</h3>
<ul>
<li>
<p><a href="https://grapheneos.org/install/">Official Installation</a></p>
</li>
<li>
<p><a href="https://www.privacyguides.org/android/grapheneos-vs-calyxos/">GrapheneOS vs CalyxOS</a></p>
</li>
<li>
<p><a href="https://invidious.namazso.eu/watch?v=yTeAFoQnQPo">Here’s How They Built The Most Secure Phone On The Planet</a></p>
</li>
<li>
<p><a href="https://invidious.snopyta.org/watch?v=WkQ_OCzuLNg">Exclusive Interview With A GrapheneOS Developer</a></p>
</li>
<li>
<p><a href="https://y.com.sb/watch?v=8FDIef7tVFg">My Phone Is Anonymous Now</a></p>
</li>
<li>
<p><a href="https://invidious.projectsegfau.lt/watch?v=Wd4Pa03LvLk">Why phones are more secure than desktops</a></p>
</li>
</ul>
<p><br /></p>
<h4 id="guides">Guides</h4>
<ul>
<li>
<p><a href="https://privsec.dev/os/android-tips/">Android Tips</a></p>
</li>
<li>
<p><a href="https://discuss.grapheneos.org/d/104-general-usage-short-how-tos-and-quick-tips">General usage short how-to’s and quick tips</a></p>
</li>
</ul>
<p><br /></p>
F-Droid2023-08-01T11:31:22+00:002023-08-01T11:31:22+00:00https://anonymousland.org/F-Droid<div style="text-align:center;">
A collection of F-Droid-related information.
</div>
<p><br /></p>
<p>Website: <a href="https://f-droid.org">https://f-droid.org</a></p>
<p><br /></p>
<h4 id="applications">Applications</h4>
<ul>
<li>
<p><a href="https://f-droid.org/packages/host.stjin.anonaddy/">AnonAddy</a></p>
</li>
<li>
<p><a href="https://f-droid.org/en/packages/im.vector.app/">Element</a></p>
</li>
<li>
<p><a href="https://f-droid.org/en/packages/de.spiritcroc.riotx/">SchildiChat</a></p>
</li>
<li>
<p><a href="https://f-droid.org/packages/org.briarproject.briar.android/">Briar</a></p>
</li>
<li>
<p><a href="https://f-droid.org/packages/io.simplelogin.android.fdroid/">SimpleLogin</a></p>
</li>
<li>
<p><a href="https://f-droid.org/packages/de.tutao.tutanota/">Tutanota</a></p>
</li>
<li>
<p><a href="https://f-droid.org/packages/me.lucky.wasted/">Wasted</a></p>
</li>
</ul>
<p><br /></p>
<h3 id="repositories">Repositories</h3>
<ul>
<li>
<p><a href="https://mobileapp.bitwarden.com/fdroid/repo?fingerprint=BC54EA6FD1CD5175BCCCC47C561C5726E1C3ED7E686B6DB4B18BAC843A3EFE6C">Bitwarden</a></p>
</li>
<li>
<p><a href="https://briarproject.org/fdroid/repo?fingerprint=1FB874BEE7276D28ECB2C9B06E8A122EC4BCB4008161436CE474C257CBF49BD6">BriarProject</a></p>
</li>
<li>
<p><a href="https://guardianproject.info/fdroid/">GuardianProject</a></p>
</li>
<li>
<p><a href="https://f-droid.i2p.io/repo/?fingerprint=22658CC69F48D63F63C3D64E2041C81714E2749F3F6E5445C825297A00DDC5B6">I2P</a></p>
</li>
<li>
<p><a href="https://apt.izzysoft.de/fdroid/repo?fingerprint=3BF0D6ABFEAE2F401707B6D966BE743BF0EEE49C2561B9BA39073711F628937A">IzzyOnDroid</a></p>
</li>
<li>
<p><a href="https://molly.im/fdroid/repo/?fingerprint=3B7E93B1FE32C6E35A93D6DDFC5AFBEB1239A7C6EA6AF20FF33ED53CDC38B04A">Molly</a></p>
</li>
<li>
<p><a href="https://archive.newpipe.net/fdroid/repo?fingerprint=E2402C78F9B97C6C89E97DB914A2751FDA1D02FE2039CC0897A462BDB57E7501">NewPipe</a></p>
</li>
<li>
<p><a href="https://fdroid.getsession.org/fdroid/repo?fingerprint=DB0E5297EB65CC22D6BD93C869943BDCFCB6A07DC69A48A0DD8C7BA698EC04E6">Session</a></p>
</li>
</ul>
<p><br /></p>
Collections2023-08-01T11:31:22+00:002023-08-01T11:31:22+00:00https://anonymousland.org/Collections<div style="text-align:center;">
<p>Various pages on miscellaneous information and topics.</p>
</div>
<p><br /></p>
<h2 id="information"><a href="./information">Information</a></h2>
<p>A collection of links, articles, resources and more.</p>
<p><br /></p>
<hr />
<h2 id="qubes-os"><a href="./qubes">Qubes OS</a></h2>
<p>A collection of Qubes OS-related content.</p>
<p><br /></p>
<p><a href="./qubes/dvm-zulucrypt">dvm-zulucrypt</a> - Notes on how to set up a disposable zulucrypt instance for USB devices.</p>
<p><a href="./qubes/kicksecure-sys-dns">kicksecure-sys-dns</a> - Notes on how to set up a hardened dnscrypt proxy.</p>