While it requires a certain amount of risk acceptance, since you are installing software in Dom0, it might be healthier for you to calm the blue light on your computer screen.
Since booting from the latest QubesOS 4.2.3 USB fails with a black screen, I found this post suggesting booting from an older Qubes 4.1.2 USB instead, which succeeded in installing Qubes OS.
When upgrading Qubes to 4.2.3, the Whonix templates fail since the older versions are no longer maintained, so you might have to delete them and recreate them afterwards.
When finishing the installation and upgrading dom0 for the final time, remember to put the above kernel parameters into /etc/grub2.cfg. I believe this might be a struggle after every kernel update from here on 🙂
Suspend is not working either. The screen turns dark and nothing happens.
Enjoy!
Update: I recommend replacing the battery when dealing with an older laptop. I got 2+ hours instead of 30 minutes by buying a cheap battery on Amazon: Amazon 7xinbox battery
Suspending the laptop is not working. Even closing the lid just turns the screen black, even with every power management tool I know set to do nothing. Also, after running for some time, the sound turns awful and a reboot is needed, so I tried Ubuntu on this device and everything just works. I absolutely adore QubesOS on my Intel NUC, but this laptop is not a sensible choice for QubesOS. Other hardware is recommended, sadly. The support is non-existent.
Why evaluate yet another password manager, when so many exist, and what are my requirements for a decent one?
First:
My password manager must be locally accessible
Why:
I don’t want to input my “Master” password to all my passwords directly on a frontend on the internet (that includes APIs, etc.). Frontends get compromised all the time, and with E2E encryption the actual decryption happens on the frontend. That means I would never trust a SaaS password manager solution. Risk acceptance declined (Accepting the risk!)
Next:
My password manager database must be synced across devices (minimum desktop/laptop + phone).
Why:
Because syncing is needed if I use more than one device (and most of us do!), and the synchronization is only performed on the encrypted file, so no cloud provider can read it in clear text. And yes, my iPhone is in Lockdown mode, always, hopefully helping my device to be more protected than it otherwise would be.
And finally:
My password manager needs a web browser plugin
Why:
I might have one database for low-risk passwords accessible via browser plugin, and another for high-risk passwords only in an airgapped VM, depending on risk acceptance.
So with that out of the way, let us test Enpass to see whether this solution is up to par. It actually seems like this password manager is the only one meeting my requirements(?):
Installing Enpass
My taste in installation on Linux is using either the distribution’s own repositories (RedHat) or, if you trust the supplier of the software more, their repositories (Enpass). If you fear a supply chain attack, you might want to install a package and not update it, provided you trust the source code and are prepared to review it continuously. For me, the application needs to get updated when I update my other packages, using an update app or via dnf update or apt update.
Add the repositories, install wget and the application using the instructions on the link above:
The above installation creates the executable in /opt/enpass/Enpass, which is not always included in PATH, so it might only work when addressed directly or when a symlink is created.
Start the app, select “Folder Sync” and pick your Dropbox folder, which is already being synced. If you want your password manager to sync itself, feel free to insert a Dropbox account as per “Dropbox” below, or any other file syncing service:
Set your master password, press continue and retype:
Confirm your Master password:
Then you get the possibility to install browser extensions, so press the install button if you trust it to be safe.
This might have implications beyond my knowledge, and if you are hit by a 0-day in your browser, the password database might be compromised through the browser plugin, I suspect. So evaluate your risk acceptance again. Remember: you can always copy/paste between VMs via the clipboard anyway (if you are using QubesOS with an airgapped password manager VM):
And click “Get it” to install the extension:
Click “Continue to installation”:
Click “Add” if you trust Enpass with your browser data:
And your password manager plugin has been added. Click Okay.
Then set Enpass as the default password manager, or do it yourself. Choose deny or allow to your preference.
A great way to avoid reusing compromised passwords (even ones compromised not through you but through others, which then end up being used in password spraying attacks, etc.) is to enable “Check Compromised Passwords”:
Activate it using your email:
And type in the code sent to your email:
Conclusion:
It ticks my 3 boxes, so I might switch from my “KeePassXC / KeePassium” setup to this software if I come to trust the company over time.
Sometimes you can buy a license with a great discount for the first year. “International Women’s Day” had a 66% discount, so you might want to wait and purchase at the right time.
high-risk passwords should be in an airgapped database.
low-risk passwords should be kept as shown above in a user-friendly database, syncing all passwords via the cloud while avoiding direct master password input at the cloud provider.
Enpass is an Indian company, and given my year-long experience with Password Manager Pro from ManageEngine, I would not trust the code quality to be top-notch regarding security (issues have been found and I bet there are hundreds more… Link). But do a quick risk assessment of your setup. Your phone and desktop need adequate protection. You can’t blame Enpass if evil APTs have easy access to your phone. And Enpass might be quality code now… ;).
There are a lot of risks related to a webpage, and some of them might be high and others low, but knowing them and addressing them according to your risk acceptance can be a good idea for both personal and commercial use.
Register domain with hidden PII [punktum.dk or hosting provider]
Test website configuration and mail [SikkerPåNettet.dk] (ignore ridiculous IPv6 errors)
The above are the things I came up with when registering a new personal domain and website. The more important or commercial the website is, the more you should consider DDoS protection, WAF, etc. provided by CloudFlare, Imperva or others.
If self-hosting, install EDR on the servers, use CIS Benchmarks and SELinux, rotate DKIM keys periodically, etc.
If your display is configured at 3840 x 2160, then you might not be satisfied with the lack of 1.5 million pixels on the screen, or with the occasional blinking/blacking of the screen.
Go to Dom0 and write:
cvt 3840 2560 30
xrandr --newmode <the part of the cvt output after the word Modeline>
xrandr --addmode DP-1 3840x2560_30.00
xrandr --output DP-1 --mode 3840x2560_30.00
If you are using HDMI-1 instead of DP-1, use that. Check with the following command:
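As an added example (not from the post), a small POSIX shell helper that turns the cvt Modeline into the three xrandr commands above and picks the connected connector from xrandr's output, so the steps can be re-run after a reboot without retyping. The cvt sample embedded here is constructed and its timing numbers are illustrative; the function names are mine.

```shell
#!/bin/sh
# Added example: build the xrandr commands from `cvt` output for a given connector.

# Constructed sample of what `cvt 3840 2560 30` prints (timing numbers are illustrative).
CVT_SAMPLE='# 3840x2560 29.96 Hz (CVT) hsync: 78.35 kHz; pclk: 408.00 MHz
Modeline "3840x2560_30.00"  408.00  3840 4104 4512 5184  2560 2563 2573 2615 -hsync +vsync'

# Print the three xrandr commands for cvt output ($1) and connector ($2, e.g. DP-1 or HDMI-1).
xrandr_cmds_from_cvt() {
    cvt_out=$1
    output=$2
    # Keep only the Modeline line and drop the leading "Modeline" keyword.
    mode=$(printf '%s\n' "$cvt_out" | sed -n 's/^Modeline[[:space:]]*//p')
    [ -n "$mode" ] || { echo "no Modeline found in cvt output" >&2; return 1; }
    # The mode name is the first quoted token, e.g. 3840x2560_30.00.
    name=$(printf '%s\n' "$mode" | sed 's/^"\([^"]*\)".*/\1/')
    printf 'xrandr --newmode %s\n' "$mode"
    printf 'xrandr --addmode %s %s\n' "$output" "$name"
    printf 'xrandr --output %s --mode %s\n' "$output" "$name"
}

# Return the first connector that `xrandr --query` ($1) reports as "connected"
# (DP-1, HDMI-1, ...), so the same script works on either cable.
connected_output() {
    printf '%s\n' "$1" | awk '$2 == "connected" { print $1; exit }'
}

# Stand-alone run: use the real tools when present, otherwise the constructed sample.
# The commands are only printed; review them and pipe to sh in dom0 yourself.
if command -v cvt >/dev/null 2>&1 && command -v xrandr >/dev/null 2>&1; then
    xrandr_cmds_from_cvt "$(cvt 3840 2560 30)" "$(connected_output "$(xrandr --query)")"
else
    xrandr_cmds_from_cvt "$CVT_SAMPLE" DP-1
fi
```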
unman has provided templates for Kali enthusiasts on QubesOS (v. 4.1 only), and you need to enable the repository in /etc/qubes/repo-templates/qubes-templates.repo. The “enable-repo …” command mentioned in the forum did not work for me, so I had to edit the 1 (the repo’s enabled flag) directly in the file 🙂
Edit the repo-file:
Install the template:
Then I created an AppVM based on the Kali template and voilà, everything works perfectly.
That is except for reverse shell 🙂
I had an issue with reverse shells not working on the Qubes Kali AppVM, due to firewall restrictions, even though I disabled the firewall following these instructions (spoiler: NOT working in a Qubes AppVM).
I got no SYN-ACK to my SYNs, and with the firewall “disabled” I tried searching elsewhere for answers. It turned out that disabling the local firewall in Kali is not enough, and I am afraid of messing up security by following the guides incorrectly.
To resolve the issue, clean out the firewall rules on the local AppVM (or on the template VM for persistence):
This can be done in a more optimal way by opening up only for the specific endpoints/IP ranges from TryHackMe, but this just gets your reverse shells working right now.
The other, safer way that works (if there is no inbound firewall on the target host) is to change the payload in Metasploit from reverse_tcp to bind_tcp, for example:
set PAYLOAD payload/linux/x86/meterpreter/bind_tcp