Installing Qubes OS

Posted on by Stijn

Qubes 4.0.1 Warning

Run these commands in a dom0 terminal immediately after the installation of Qubes OS 4.0.1 to upgrade all the Debian and Whonix TemplateVMs. This patches a vulnerability as explaned in QSB #46. https://www.qubes-os.org/news/2019/01/23/qsb-46/

$ sudo qubes-dom0-update –action=upgrade qubes-template-debian-9

$ sudo qubes-dom0-update –enablerepo=qubes-templates-community –action=upgrade qubes-template-whonix-gw-14

$ sudo qubes-dom0-update –enablerepo=qubes-templates-community –action=upgrade qubes-template-whonix-ws-14

Installation

Boot your device from the medium where you installed the Qubes OS image, usually a DVD or USB. Once everything necessary has loaded, the Qubes OS boot screen will appear. Use the arrow keys to select one of the options. Press the tab key to show options. Select “Test this media & install Qubes R4.0.1”. Press enter to continue.

Qubes boot screen

Select the language you want to use during the installation. Press the “Continue” button to proceed.

Qubes language selection

At this point the hardware will be tested to see if it is compatible with Qubes OS. If so, the installation will continue. If not, the following message will appear. Go to the system requirements page of the Qubes OS website to see what you are missing. Most likely IOMMU-virtualization hasn’t been activated in the BIOS. You need this to make full use of some of Qubes OS security features. https://www.qubes-os.org/doc/system-requirements/

Qubes unsupported hardware

If you reach the installation summary, Qubes OS will likely run on your system. Here you can configure what will be installed. It is necessary to pick an installation destination. The rest is optional. Let’s tweak the final installation anyway and select “Keyboard” to change keyboard layouts.

Qubes keyboard

The “plus” symbol button adds keyboards. The “minus” symbol button removes keyboards. The arrow buttons “^” and “˅” move the selected keyboard up or down the list. The “keyboard” symbol button shows the selected keyboard’s button layout. Press the “+” button. A screen appears where you can search for a keyboard layout. Search for the desired layout. The Colemak layout is recommended, as it is the fastest layout in the world. Press the “Cancel” button to go back without adding the layout. Press the “Add” button to add the layout. The layout at the top of the list will be used as the default layout. At the top right of the screen is an indicator of your selected layout. The field on the right lets you test the selected layout. Press the “Options” button to configure more options. Press the “Done” button at the top left to finish configuring the keyboard layouts. You can add as many layouts as you want. After installation you can switch between them and install or remove layouts.

Qubes keyboard layout

You are returned to the installation summary. Select “Language Support” to configure what languages will be available. Use the search field at the bottom to search for your desired language. The language will appear in the left field. The right field will show all the options. Mark the desired dialect. You can install as many languages as you want. After installation you can switch between them and install or remove languages. The more languages you add, the more space will be needed on your installation medium. Press the “Done” button at the top left to finish.

Qubes additional languages

You are returned to the installation summary. Press “Time & Date”. Use the dropdown menus to select your correct region and city, or click in the map and then tune your location with the dropdown menus. There should be no need to set the date and time at the bottom of the screen. This should be set by your system time. If there is internet access, the OS will update the time to your selected location after installation. Press the “Done” button at the top left to finish.

Qubes time and date

Back at the installation summary screen, the installation source should be set correctly. This guide assumes we are only using the DVD or USB from which we booted in the beginning. Press the “Software Selection” button. The “Base Environment” field on the left will show the Qubes OS. The standard installation delivers Qubes OS with the Xfce environment. Other environments will be available after installation. They may not be officially supported by the Qubes team so make you trust extra environments at least as much as you do the selections the Qubes team makes. The “Add-Ons” field on the right shows available add-ons. A Debian 9 and a Whonix template are available as standard. Select the ones you want. It is recommended to keep both templates. If you want a lighter system, unselect whichever you don’t want. After installation, more templates are available. This guide doesn’t cover other environments or other templates. Press the “Done” button at the top left to finish.

Qubes base environment

Select “Installation Destination” from the installation summary screen. Select where you want to install the OS. Make sure the destination has at least 32 GB of free space. It is recommended to install on an internal drive for speed. Hard disk drives are recommended when using encryption, instead of solid state drives. You can install on a USB device. The advantage is that it is portable. It will likely do worse in speed than an internal drive. To get decent performance, make sure it is at least a fast USB 3.0 compatible device. Under the “Partitioning” option, leave “Automatically configure partitioning” selected. Under “Encryption”, leave “Encrypt my data” selected. Qubes OS will do the partitioning with LVM and LUKS encryption. It will claim the entire storage device. Press the “Done” button at the top left to finish.

Qubes device selection

A window will appear where you can set the encryption passphrase. Make sure it is strong and keep it in a safe place. Make sure that the selected keyboard layout is the same one you will actually be using later when you have to enter the passphrase at boot. You can’t change the layout at that stage. Press the “Save Passphrase” button at the bottom right to finish.

Qubes disk encryption

The installation process can now begin. At the installation summary screen, press the “Begin Installation” button.

Qubes localization

As the installation proceeds, you will have the ability to set a root account and create a user account. Leave the root account settings at the default settings. The root account will be locked. Click on the “Create User” button. Set the name of the account in the “User name” field. Enter and confirm the password. Make sure it is strong and keep it safe. Press the “Done” button at the top left to finish.

Qubes user

Once the installation is complete, click on the “Reboot” button. If necessary, remove the installation media (DVD or USB). If you changed the BIOS settings, it will boot from the installation media again instead of the installation destination.

This is the first boot but we still have to configure a few items before we have a full installation. If the previous installation process was successful, the GRUB boot menu will appear during startup. Just leave it alone until it ask you to unlock your drive with the encryption passphrase we set earlier. Enter the phrase and press enter.

Qubes disk

At the initial setup screen, press the “Qubes OS” button under the “System” heading.

Qubes initial

By default the Qubes OS is set to create a few environments based on the Fedora or Whonix templates. It is recommended to leave the settings at their default values. A more ready-to-use system will be created. Advanced users can select “Do not configure anything”. This is only for advanced users who are confident that they know what they are doing. For example, there will be no network access from the start. These are the other options with a short explanation:

  • Create default system qubes: Use the default system qubes. These provide some of the core features of the Qubes OS, like network isolation (sys-net), a firewall (sys-firewall) and disposable qubes (default-DispVM). Leave checked.
  • Create default application qubes: Default application qubes are pre-configured environments for specific purposes, such as personal, work, untrusted and vault. Leave checked.
  • Create Whonix Gateway and Workstation qubes: To use the Whonix Gateway and Workstation, the sys-whonix and anon-whonix environment need to be created. Leave checked.
    • Enabling system and template updates over the Tor anonymity network using Whonix: This feature allows the use of Tor system-wide, rather than only for specific environments. Leave unchecked, unless your threat model requires it right away.
  • Create USB qube holding all USB controllers: This isolates the USB controller and manages USB devices through it. This is more secure. Leave checked.
    • Use sys-net qube for both networking and USB devices: If checked, only sys-net will be running, instead of sys-net and sys-usb. This saves memory. It also allows for easier use of USB networking devices (like 3G/LTE modems) directly in sys-net. If you want to use a USB 3.0 to Ethernet adapter, you’ll have to check it. Otherwise you’ll have to use a USB 2.0 to Ethernet adapter. It is recommended to isolate the USB controllers. Leave unchecked.
  • Do not configure anything: This is only for advanced users. Leave it unchecked.

Press the “Done” button at the top left to finish.

Qubes initial setup

The configuration will now be installed. This can take up to 15 minutes. Once finished, the user login screen will appear. Select the correct user and enter the password. Press enter or the “Log in” button to log in.

Qubes login

Qubes OS is now installed and ready for use. The initial desktop looks something like this:

Qubes initial desktop