A few weeks ago I installed Qubes OS on my PC at work. The project’s self-description is as follows:
Qubes is a security-oriented, free and open-source operating system for personal computers that allows you to securely compartmentalize your digital life.
Essentially, under Qubes you run different virtual machines (VMs), which are more or less isolated from each other, for different purposes. For example, you can use a so-called vault VM (that has no network connection) with Split GPG to keep your GnuPG keys in a safer place than would usually be possible on a single OS (you do encrypt your e-mails, don’t you?). Qubes also includes Whonix, a desktop OS that itself is based on virtualization to provide an environment from which all network traffic is automatically routed through the Tor anonymization network. In case you do not know Tor yet, I recommend that you invest some time to learn about that project and its role for digital self-defense.
VMs in Qubes are started from so-called templates that cannot be modified from inside the VM. So if you install software inside a VM (or some malware does so), those changes will be reverted when you close the VM.
A major feature of Qubes is the so-called disposable VM (dispVM for short) mechanism. A dispVM can be started quickly from a fresh template to host a single, potentially dangerous application such as a media player or an office tool; once the application exits, the dispVM (including potential changes from the template) is destroyed. The dispVM functionality also includes services that convert untrusted PDF or image files to a trusted format which can be viewed safely in other VMs. Finally, from inside your “normal” VMs you can also start a dispVM application on a designated file of the “normal” VM; if you change the file’s contents inside the dispVM, the changed file version replaces the original version of the “normal” VM when the dispVM is destroyed. For example, you can open and edit doc
files saved from e-mail attachments (which are potentially dangerous) in LibreOffice inside a dispVM.
All of the above is pretty cool, and I use those features on a daily basis. By default, however, those feature are integrated into applications that I do not use, such as Thunderbird for e-mail or Nautilus as file manager. For my favorite work environment, namely GNU Emacs, some configuration is necessary.
For GnuPG in Emacs, you should really use EasyPG, which has been the default for some years. To make use of Split GPG in Qubes, you need to configure epg-gpg-program
to invoke a wrapper program that communicates with the vault VM:
(customize-set-variable 'epg-gpg-program "/usr/bin/qubes-gpg-client-wrapper")
The above configuration is sufficient if you compiled Emacs from the Git repository (March 2017, after bug#25947 was fixed). Otherwise, you need this:
(require 'epg-config) (customize-set-variable 'epg-gpg-program "/usr/bin/qubes-gpg-client-wrapper") (push (cons 'OpenPGP (epg-config--make-gpg-configuration epg-gpg-program)) epg--configurations)
If you rely on signatures for Emacs’ package
mechanism and if your Emacs is recent enough to have the variable package-gnupghome-dir
(April 2017), you need to customize that to nil:
(setq package-gnupghome-dir nil)
Otherwise, as a temporary fix you may want to modify the script qubes-gpg-client-wrapper
to ignore the unsupported option --homedir
(in the template VM, similarly to how keyserver-options
are removed with a comment on Torbirdy compatibility).
For an integration of dispVM functionality into Gnus and Dired, you may want to take a look at qubes.el. Briefly, that library provides functionality to browse URLs and open or convert files and e-mail attachments in various VMs, depending on user customization.
Here is my relevant snippet from ~/.emacs
:
(require 'qubes) (setq browse-url-browser-function 'qubes-browse) ;; Also allow to open PDF files in Disposable VMs. ;; Add the following line to ~/.mailcap: ;; application/*; qvm-open-in-dvm %s (require 'mailcap) (mailcap-parse-mailcaps) ;; Define key bindings to work on files in VMs. (add-hook 'dired-mode-hook (lambda () (define-key dired-mode-map "ö" 'jl-dired-copy-to-qvm) (define-key dired-mode-map "ä" 'jl-dired-open-in-dvm) (define-key dired-mode-map "ü" 'jl-dired-qvm-convert) )) (add-hook 'gnus-article-mode-hook (lambda () (define-key gnus-article-mode-map "ä" 'jl-gnus-article-view-part-in-dvm) (define-key gnus-summary-mode-map "ä" 'jl-gnus-article-view-part-in-dvm) (define-key gnus-mime-button-map "ü" 'jl-gnus-mime-qvm-convert-and-display) (define-key gnus-article-mode-map "ü" 'jl-gnus-article-view-trusted-part-via-qubes) (define-key gnus-summary-mode-map "ü" 'jl-gnus-article-view-trusted-part-via-qubes) ))
I chose umlauts for key bindings as dired
and Gnus
seem to have assigned bindings for most keys already. Feel free to adapt.