We can all agree that connectivity is one of the most critical parts of computing.
It’s not just about getting online and exchanging data. The various apps on our computers connect with one another, too, often in ways we don’t necessarily see.
Your email client connects to your OS to provide you with notifications when you get a new message. And your web browser connects to your word processor via your clipboard to let you copy and paste text.
But that connectivity, as convenient as it is, can also be a vector for danger.
A website could run a background script that goes beyond your browser, infecting your system with malware. Or an email could contain nasty code that’s executed when you open the message, giving a hacker access to your files.
With traditional OSes, these risks are controlled by using extra software like firewalls and antivirus programs. But these are resource-intensive, occasionally expensive and ineffective against certain types of attacks.
Qubes OS takes a different approach to the problem: a totally different operating system that emphasizes “security by isolation.”
But what does that mean — both in theory and in practice?
Let’s learn a little more about this intriguing OS and see what makes Qubes so unique.
What Is Qubes OS?
Based on Fedora, a popular Linux distro, Qubes is a security-oriented OS that’s endorsed by everyone from tech reporter Micah Lee to Edward Snowden.
Qubes began in 2012 as a project by Poland-based Invisible Things Lab. Creator Joanna Rutkowska wanted to design an OS that balanced high security with ease of use.
The solution she came up with was security by isolation. By isolating programs from one another and limiting their permissions, the vast majority of attacks could be prevented.
But configuring these so-called virtualization environments can be complicated and time-consuming. So Qubes OS was designed to integrate virtualization into the system from the get-go.
You don’t need any specialized knowledge or techniques to install and use Qubes. And while it’s got a bit of a learning curve if you’re used to Windows or macOS, it’s more intuitive than you might expect.
What Makes Qubes OS Different?
Qubes is based on Linux and, in many ways, provides a similar user experience. But under the hood, it couldn’t be more different — everything from the core architecture to the desktop environment is totally unique to Qubes.
Rule Your Own Domains
In a traditional OS, your programs run alongside one another in the same space. They use the same resources and can interact with one another — they’re separate, but not isolated.
But in Qubes, that all changes. You divide your main desktop into different domains, or qubes.
Each qube is isolated from all others qubes— programs running in one qube can’t interact with another. That’s because each one is actually a separate virtual machine that runs seamlessly alongside the others.
You can customize each qube’s permissions and hardware access. If you download an app but aren’t sure if it’s trustworthy, you can open it in a new qube without network access to prevent it from using the internet.
By managing your qubes, you can enjoy added security where you need it most. And you can perform less-secure tasks in an isolated qube where they can’t affect anything else.
For instance, there are three default qubes: work, personal and untrusted.
Your work qube could contain a browser window that you use only for business websites and your work documents. In other words, things you know for a fact to be secure — and also highly important and confidential.
But when you’re done with work, you can open your browser in your untrusted qube and surf the web. If you happen to download a malicious file or visit a sketchy website, any damage that occurs won’t leave the qube.
This means that you can keep your most important apps and files safe by isolating them in their own qube.
And you can use other qubes for other, more risky purposes without fear of your entire system being compromised.
Best of all, all of your qubes share the same desktop environment. All of your windows appear alongside one another, just like a traditional OS.
Each qube has its own color, and all windows within the qube sport that color as a border. This lets you maintain your productivity flow while easily differentiating between your qubes.
Persistent and Disposable Qubes
Qubes can be persistent or disposable. Persistent qubes retain things like web histories and bookmarks, while disposable qubes and anything in them disappear forever once exited.
For example, you could configure Qubes to open all email attachments in their own disposable qubes.
That way, if you open a malicious one, it can’t do any damage as it’s completely isolated. And it’ll be gone forever as soon as you close the qube.
You could also use a disposable qube for extra security when doing online banking. No other software, including malware, can touch your banking session, and there will be no evidence of it once you’re done.
And for the strongest security, you could run each program in its own disposable qube. This would prevent any interaction between apps and erase all history of your digital activities automatically.
With Qubes, your programs and windows can be separated into different domains.
But behind the scenes, your hardware is divided into qubes, too.
Your network adapter and USB controller are two of the most vulnerable pieces of hardware in your computer. All kinds of malicious traffic can pass through your network adapter, and USB devices can be laden with malware as well.
So Qubes isolates these pieces of hardware into their own qubes. This allows the OS to securely manage them and allow other programs to access them only when needed.
Other hardware, like the keyboard and mouse, and the desktop window manager are confined to their own qube as well: Dom0. This administrative qube is highly secure, lacking network access and strictly regulating access to its functions.
Unlike typical VM software, which must be installed on a preexisting OS, Qubes is installed directly onto your hard drive. This is known as bare-metal installation.
Because VM software like VirtualBox runs on top of an OS, if the OS is compromised, the VM effectively is as well.
But Qubes has no underlying OS — the virtualization is the OS.
This means that to access the system, an attacker would need to compromise Qubes itself. And since Qubes is designed to be highly secure, that’s a far more difficult task than, say, exploiting a Windows vulnerability (of which there are thousands).
Can My Computer Run Qubes OS?
Qubes is a versatile OS that can run on many different computers. An extensive list of compatible hardware is available on the Qubes website.
But Qubes’ complex, unique architecture can sometimes cause issues with certain hardware. Nvidia GPUs, for instance, often require troubleshooting in order to work with Qubes.
In general, you’ll need at least 4GB of RAM and 32GB of hard drive space to install Qubes. Virtual machines are fairly resource-intensive, so if you plan to use many qubes, more RAM may be needed.
Intel and AMD CPUs are both supported, though you’ll need to make sure yours supports Intel VT-x or AMD-V. These are virtualization technologies that aren’t included on all CPUs — if in doubt, check the hardware compatibility list.
Can I Use a VPN with Qubes OS?
You can, indeed, use a VPN with Qubes — and you should. Qubes prevents many kinds of malware attacks, but it can’t protect your internet traffic once it leaves your computer.
For that, you’ll need a VPN. A VPN does for internet traffic what Qubes does for your system: locks it down and keeps it as secure as possible.
It will encrypt your traffic so your ISP or other snoops can’t read it. And it’ll let you tunnel it to the location of your choice, hiding your IP address and reducing your trackability.
However, installing a VPN on Qubes is a lot different from installing one on a traditional OS.
Qubes’ compartmentalization prevents typical VPN clients from working properly. Since qubes can’t interact with one another, your VPN client wouldn’t be able to protect all of your qubes.
You can find a setup guide for your VPN on the Qubes wiki, which details VPN configuration using NetworkManager. There’s also a method for configuration using the command-line, which is more technical but allows you to use VPN kill switches and other advanced features.
When choosing a VPN for Qubes, make sure to verify that the provider offers OpenVPN configuration files. You’ll need them to set up your VPN on Qubes; the apps provided by the VPN won’t work.
Summary: Like an office divided into cubicles, Qubes OS divides your desktop into secure qubes. Isolate your apps based on security needs and relax knowing that you’re protected against many types of malware attacks.