GnuPG2 in Thunderbird with Enigmail on Qubes 3.2

Let’s start by generating some keys that do not expire. We can always revoke them instead, if necessary. There is no need for expiration if they are kept secure. All of this activity should be performed in ‘vault’, so the below is just for educational remembrance. Remember to create a revocation certificate and put it somewhere safe, just in case your machine gets stolen or breached:

[user@untrusted ~]$ gpg2 --full-generate-key

Enter the passphrase for the keys when you are done typing in the information.

The following is just for showing that we need to move the mouse, etc. to generate random data. It’s over, literally, in a second.

Get the fingerprint of the key:

[user@untrusted ~]$ gpg2 --fingerprint

So now we have a private and a public key stored in ~/.gnupg/

Be sure to upload it to keyservers (where it is searchable) if you are going to use it to communicate with strangers:

$ gpg2 --keyserver keys.gnupg.net --send-keys <keyid>

Also maybe send to pgp.mit.edu and subkeys.pgp.net or whomever seems sensible.

Remember to generate the revoke certificate, just in case 🙂

$ gpg2 --output revoke.asc --gen-revoke <keyname>

And if the stuff gets stolen, breached or whatever, you can revoke it locally with an import:

$ gpg2 --import revoke.asc

And revoke it remotely by re-sending the key, which now carries the revocation, to all keyservers you submitted to:

$ gpg2 --keyserver hkp://pgp.mit.edu --send-keys <keyid>
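
An added check, not part of the original post: before re-sending the key to the keyservers, confirm that the imported revocation actually took effect locally, and see which keys have no expiry. It reads gpg2 --list-keys --with-colons output; the function names and the sample listing with its fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg2 --list-keys --with-colons` output (not real keys).
# Fields used: 1 = record type, 2 = validity, 7 = expiry date, 10 = fingerprint.
sample_listing() {
cat <<'EOF'
pub:u:4096:1:1111111111111111:1520000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111:
uid:u::::1520000000::::Alice Example <alice@example.invalid>:
sub:u:4096:1:2222222222222222:1520000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB22222222:
pub:r:4096:1:3333333333333333:1510000000:::-:::sc:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC33333333:
uid:r::::1510000000::::Old Key <old@example.invalid>:
EOF
}

# key_status: read a colon listing on stdin and print one line per primary
# key: "<fingerprint> <active|REVOKED|EXPIRED> <expiry epoch or 'never'>".
key_status() {
    awk -F: '
        $1 == "pub" {
            status = "active"
            if ($2 == "r") { status = "REVOKED" } else if ($2 == "e") { status = "EXPIRED" }
            expiry = ($7 == "") ? "never" : $7
            want_fpr = 1      # the next fpr record belongs to this primary key
            next
        }
        $1 == "sub" { want_fpr = 0 }   # never report a subkey fingerprint
        $1 == "fpr" && want_fpr { print $10, status, expiry; want_fpr = 0 }
    '
}

# is_revoked FPR: succeed only if the listing on stdin shows FPR as revoked.
is_revoked() {
    key_status | grep -q "^$1 REVOKED "
}

# Demo on the constructed listing. Against a real keyring:
#   gpg2 --list-keys --with-colons | is_revoked <fingerprint> && echo "safe to re-send"
sample_listing | key_status
```
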

We can use gpg2 to encrypt, sign and decrypt messages, but if we want to use Enigmail in Thunderbird, we need to do the following:

Start Thunderbird:

[user@untrusted ~]$ thunderbird

After setting up the mail account, configure the Enigmail plugin, if we are comfortable using that:

Select the fast and easy setup…

It looks in the user’s .gnupg directory and asks if it’s ok, and I guess, yes.

Now, we can start signing and encrypting messages 🙂

#deletefacebook is step 1 in privacy

Please #deletefacebook

If this story has any meaning to you, a deletion of your facebook profile is the way to go. You can download your data for a preview and to get shocked or comforted, and the link to salvation is here.

My old deactivated facebook was 18mb, including 2 videos of approximately 9,8MB, so not a big deal. But some private conversations were there, of course.

And now off to instagram, twitter, etc. Off the grid it is the only way to go, unless we have other PAID services to use, so WE are not the product. This breach of confidence is a bit too much.

And if people talk about BigBrother, and are angry about their government watching them, but freely give everything they do to Google, youtube, facebook et al, ignore them. They must be stupid.

exFAT on sys-usb on Qubes-OS 3.2 (Sony RX100V picture offloading)

Red Hat does NOT support exFAT, due to Microsoft license restrictions (rumor says), so SDXC cards above 32GB are a no-go.

Debian has support though, so change your sys-usb template to run on Debian (greyed out in picture, because machine is running):

You have to reselect the terminal in the tab “Applications”, since the app and location isn’t the same. But then you can mount the device properly:

Voilà:

Then copy the files (or move or whatever) to the machine of your choice to manipulate or store them for viewing and backup:

And wait for it to finish …

Here they are:

If you moved them, you don’t have to clean your memory card, but I just want to be sure all formats are ok, before deleting anything.

Qubes 3.2 – Dom0 updates broken

The following error appears when updating dom0:

  • tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates

Seems to be fixed with the following commands in the template used by your updateVM (in my case whonix-gw, which is the gateway for the sys-whonix updateVM):

sudo mkdir /var/lib/qubes/dom0-updates
sudo chown user:user /var/lib/qubes/dom0-updates

Restarting the updateVM is needed for the VM to reload with the correct setup.

Reference: https://github.com/QubesOS/qubes-issues/issues/3620

Connecting to Cisco ASA VPN on Qubes 3.2 with openconnect

OpenConnect on Qubes 3.2, using a vpn ProxyVM to connect to a Cisco ASA VPN.

Create a new vpn ProxyVM using fedora-26 template:

Due to a bug in software from Fedora 25 and later, you have to install the ‘NetworkManager-openconnect-gnome’ package (which is not in the template by default), or you will get an error creating the VPN Connection in vpn:

So install the package:

Create the Openconnect connection without errors:

Configure the site:

Type your username and password when connecting, and you’re good to go. This also supports 2FA.

When starting the ProxyVM, the extra network icon appears in the upper right corner and you can use it to connect. Very neat, indeed.

VMware Horizon View Client on Qubes 3.2

Start the selected TemplateVM (I selected fedora-26, since it’s default in Qubes). Clone it if you want.

A prerequisite is the Libxxs shared object, but a solution for installing it in Fedora was provided here.

So, since this is a prerequisite for the VMware Horizon View client, install it now:

Answering yes to any questions.

Start the terminal in  and copy the download link from a browser (I try to minimize the use of direct internet access in templates). Download the client.

Make the file executable and install the client (remember sudo ;):

Obviously select yes:

Choose whatever your heart desires:

Await the copying of files…

Choose scan to see if everything is in order:

Choose close and start the client:

Begin configuring your environment:

Assign USB-disk to VM in Qubes 4.0 RC4

Qubes has a new graphical feature that enables you to attach a USB device to your VM and then mount it on the VM.

The above “work” was already selected and ready for unmounting. Let’s go to the VM and list the added disk and mount it:

If in doubt which disk is which, detach it in Qubes Manager and run fdisk -l again to see what’s missing.