KeepassXC 2.4.2 on fedora-30

UPDATE: 2.4.2 is in stable now, so this post is not needed anymore…

When QubesOS announced that fedora-30 now is supported by Qubes-OS, I went for it straight away and upgraded my fedora-29 template. All went smooth.

My fedora-web-plugin, told me that my keepassxc was outdated and I needed to download a newer version:

So, checking the versions in fedora showed that fedora-30 is not up to date, unlike fedora-31, so I needed to do an upgrade in testing. Testing was in “3 karma”, whatever that means, but it seemed to be tested fine, just not pushed to stable repository yet. :

So, instead of just downloading the package from keepassxc.org and miss any updates coming in the future, I decided to install from testing repository, and hope that the package will be sent to stable in the near future. I accept the risk that seems to be close non-existing, compared to trusting the stable/testing repo:

sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-99e252df7a
Do this in your qubes template, if the above install and usage of the app is successful. If you’re paranoid, you can test in a small appvm with network capture on, etc. 🙂

The above shows success and the version is as follows on fedora-30:

Enjoy your 2.4.2

And by the way, I actually got appreciation for my patreon support :). Please support it

Less than 10 days later we had the same issue, so contemplating on how it is possible to have 1 package using the “updates-testing” repository and the rest run stable (without having the below running in a cron job)

sudo dnf upgrade --enablerepo=updates-testing keepassxc

Windows 10 on Qubes OS 4.0

Sharing my experiences, installing Windows 10 Enterprise on Qubes 4.0, maybe spiced up with the infamous QWT(Qubes Windows Tools 4.0.1.3) installation(Spoiler alert: NOT Working!).

Following this guide, I will try to describe the issues I’ve been encountering accompanied with screenshots. The big issue is getting the Qubes Windows tools to install properly. All my installations have failed, so even though Invisible Things Lab has worked on QWT tirelessly for years, corporate clients, understandably, is more important than a few backers and the community. The backers are apparently not contributing enough, although I might believe that backer numbers would go through the roof, if the tools would work, flawlessly on windows 10. If you want to contribute to Qubes OS, please donate either once or continuously here. And if you have the skills and tools to make QWT v.4.0.2.0, then please create an indiegogo(or similar) crowdfunding campaign. I’m sure it will be backed.

https://www.qubes-os.org/doc/windows-template-customization/

But, let’s go and take som challenges. The first one is that fedora doesn’t support exFAT (crazy as it sounds, and I wrote about this before here), and debian does. That means I have to use a debian appVM to share the ISO file to the new Windows 10 VM. unless, there is another way.

mounting usb with my debian
We begin with creating the VM and starting it with the ISO attached
Here is via the qubes manager, browsing to the usb iso, in the VM settings tab. Actually the “block device” option seems neat, too. Very neat, indeed.
It takes quite a while to get this screen, depending on the circumstances of hardware and drivers. Be patient…
Goes without saying
Select here what your license key matches or continue with your favorite flavor if on a company network with a KMS setup.
Don’t use pirated software. It’s highly likely to be infected with malware.
Fresh install is #2
Select the disc you have created at first
Wait for the copy of windows install files
Almost there…
After reboot, the install continues.
As a danish person, using a completely messed up laptop, keyboardwise, I need more than 1 keyboard layout)
And the magic continues
and continues
Change the video and timeout settings, before booting again.
If not using a cloud account(who would want that?, type in stuff, that does not exist, to get the other option
Click on “set up Windows with a local account”
Type a password
and confirm it
Annoying waste of time.
answer annoying questions
do it again
again
and why can’t you select “none” ?
I need to craete an unattended install.
Enough with the annoyances, already
sigh….
Now, thing look promising
tadaaa, now we have a bare system with no updates and no QWT. Shut down and clone.
Install updates and activate windows! I had to download some updates manually and choose troubleshoot updates, since errors occurred. I really admire Microsoft on the troubles of updating their systems. I bet, with the Microsoft “contribution” to open source, the problems will start emerging in the linux community over time, also.
always adjust for performance on VM’s. Recommended settings are here
pagefile adjustments per instructions.
After installing all updates, reboot and clone the machine. Then we will be ready for Qubes Crash Tools for Windows.

So, due to the crash of windows 10 after installation of Qubes Windows Tools, it is recommended that you use freerdp, rdesktop or similar to connect to your Windows system, being able to copy/paste clipboard and files, etc. This is a workaround to use clipboard and filesharing, still.

Start the Windows appVM with the QWT for installation.
Doubleclick on it…
Accept the license
Allow chang
Everything but the troublesome selections are to be installed. That is the default settin
The install also demands the install of .NET framework.
The setup requires a restart, and after a restart everything works for a brief moment until next restart.

When the restart is performed, Qubes does a bunch of things, such as moving the user directory from C: to the newly created private drive of 2GB(E:). That fails horribly, btw:

So after installing qubes tools, the system won’t boot. Just like : https://github.com/QubesOS/qubes-issues/issues/4352.

Hopefully QWT will be released at some point.

Qubes OS – Joanna leaving the project, Marek taking the lead

For quite some time, actually since the announcement of Qubes Air, it seemed like Qubes OS has been in a bit of a standstill, strategically.

One of the most important projects in the world, security-wise, is now facing the unknown. Joanna has found other, more interesting grounds, for her to pursue.

It might be a great day or a sad day. Now Marek is taking over, it will be interesting to see if a guy who works a lot already, can take on yet another hat. Will strategic partnerships, fundraising, etc. drown in a developer tunnel-vision mindset?

Hope not. Please DONATE! to ensure vision and development.

Whonix-14 available in Qubes-OS

As advertised in qubes-users mailing list, the templates of whonix version 14 is now available and flawlessly installed on my Qubes 4.0, without much effort.

I had no issues, so after deleting all existing whonix templates and AppVM‘s, the steps to follow were:

sudo dnf remove qubes-template-whonix-ws

sudo dnf remove qubes-template-whonix-gw

sudo qubesctl state.sls qvm.anon-whonix

sudo qubesctl state.sls qvm.whonix-ws-dvm

And then use Chris Laprise’s script to update them:

./qubes4-multi-update whonix-gw-14 whonix-ws-14

I rarely use whonix, but nonetheless, I encourage anyone using it for good, to donate, supporting the project.

Kali on Qubes 4 (with katoolin)

To use the great benefits derived from Qubes VM’s, Micah Lee recommended the use of Katoolin, instead of HVM based Kali, I normally use, so let’s try it out:

Clone your fully updated debian-9:

In the “Basic” tab, resize the partition:

Enhance the memory size, if your setup allows it:

Start the terminal to run the commands described on the Qubes Katoolin setup page point 1-6:

When you come to point #6, and have to run

“sudo apt-get dist-upgrade”, don’t…..

I have tried both yes and no to “restarting services automatically”, but the terminal crashes and remains unresponsive. i cannot get in contact with the VM. The latest screenshot was:

It seems the install is running, since my fan speeds up and down continuously.

I tried following this tutorial, and found out that you can install some stuff from the menus, but you have to remove the sources before updating or it will crash. That means no software from Kali will be updated?

For now, I’m continuing to work with my Kali rolling standalone HVM.

10.137.0.23,255.0.0.0,10.137.0.6,10.139.1.1,10.139.1.2

Qubes 3.2 fedora-26 large icons and large fonts on Lenovo Yoga 2 Pro high resolution laptop

After updating my qubes installation, my fedora-26 acts up, with huge icons, possibly due to the extreme resolution of my Lenovo Yoga Pro 2.

To fix this install gnome-tweak-tool, and resize fonts and windows to something else and return back again. That will fix it.

First installation with huge fonts:

Resize fonts:

Resize windows:

Select quit and you’re done.

Looking beautiful again:

Fedora-27 didn’t have this problem, but is slow as hell compared to fedora-26, so guessing tweaking is required.

Update entire qubes installation with a script

Thank to Chris Laprise I have now a great update script for my Qubes installation.

I know it’s bad habit to pollute dom0, but I looked distrustfully 😉 through the code and it seems efficient and not in any way harmful.

First we get with git 😉

If you are like me, you don’t want your template to have git, but only install it every time you need it ;), do the following and fedora-26 is polite and helps you out:

In appVM/dispVM, etc.

  • git clone https://github.com/tasket/Qubes-scripts.git

For now we only need the 1 script:

In dom0:

  • qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0

Now we have it in dom0:

We can try it out on a fedora-26 template:

in  dom0:

  • ./qubes4-multi-update -l fedora-26

Boom, already updated, but you get the picture.

The following command updates only templates with available updates. That should suffice for generic usage.

  • ./qubes-multi-update -a -l -t

I found a small error when running an update on whonix-ws, but otherwise it runs beautifully.

UPDATE 2018-05-04:

When using Qubes 3.2 running the above command includes the standalone VM’s. Just so you know.

UPDATE 2018-12-28:

Chris has updated the script (ref: https://groups.google.com/d/msg/qubes-users/YKAp0_1MFfk/mTyQTM9JEgAJ)

Now I use with unattended and everything just rolls through, nicely:

  • ./qubes-multi-update -a -l -t -u

KeePassXC on Qubes

Until 1Password takes the Linux community seriously, KeepassXC is the preferred choice for me.

1Password offer a cloud based solution with only chrome-integration, almost like KeePassXC has for Firefox, Chrome, Vivaldi and Chromium, but Chrome wont be my preferred choice just yet. And also since Cloud solutions has a broader attack vector, there is no need to put the crown jewels on display, when sensitive hacks are almost happening daily on the internet.

If I get a trojan on my active computer, or buy a chinese keyboard, AND have my password database in the cloud, they can login and download it and harvest all my precious passwords without effort and without any fancy cracking efforts. Therefore if you enjoy cloud services, you might consider to use MFA to access the cloud (and hope your 2nd factor device is not pwned too 😉 Remember that SMS might be in clear text through airwaves that anybody might listen to or abuse in other ways.

Keeping an offline password manager is what I feel comfortable with, so that is what my current needs are.

And here, KeePassXC seems to be the best multiplatform solution around. And an important thing to remember is that if you have an offline password manager(or password manager installed in an “air-gapped” VM in Qubes, the risks of breaches are smaller even with bugs in the Password Manager software, since nothing directly enters a VM without network connection. So you need bugs in the underlying OS to get breached. Not impossible, but more rare in hypervisors with an offline vault than a traditional OS without.

Air-gapped VMs are also used as Split-GPG and Bitcoin wallets, so I guess its a bit more secure. Enhance your setup with a copy of your database on a PIN-enabled secure USB and sync it to your vault VM regularly.

P.S. Yubikey supports KeePassXC, but not as traditional 2FA

In Fedora 27 and later a newer and better version of KeePassXC is available. Remember to enable recommended security settings:

sudo yum install keepassxc

– Database settings – encryption – Argon2.

– General – Basic settings – Automatically save after every change.

– lock the database after use (time, immediately, etc)

If you use Qubes, you can have the password manager in the “vault” VM and ctrl-c, ctrl-shift-c in the vaultVM and ctrl-shift-v and ctrl-v in the destination VM to feel safer. You can also have a secure password file in vault and a less secure in another vm with internet access.

If safety is not the biggest issue for you and you use multiple computers, then install firefox addon, dropbox and sync selectively :

In Firefox addon:

yum install dropbox.rpm (otherwise dependencies are left out)

Point your KeePassXC to the synced folder .kdbx file.

Enable 2factor authentication to dropbox to prevent ease of access for bad people.

Configuring Cisco ASA VPN on Qubes 4.0 with openconnect

I have rewritten my VPN guide for Qubes 4.0, since my old post from 3.2, didn’t work out of the box and some supposed solutions on the web, didn’t sit well with me. The above link was too much hassle for me, so I chose to investigate how I can make a guide like the last one, just for Qubes 4.0.

Here it is, although the changes are few:

Create your vpn appVM, based on your preferred fedora template:

Add the ‘network-manager’  as a service :

Tur on the AppVM, and when the network icon appears, add the vpn connection:

Select the OpenConnect type:

Insert FQDN in the gateway section and save.

Start the VPN connection:

Type yur password and the connection will be established and your icon look like this: