Qubes OS: How it works, and a demo of this VM-centric OS

Captions
Is Qubes OS super secure and super private, or is it for the super paranoid? Well, turn on your firewall and put on your tinfoil hat, and let's see how this works.

Hello, it's Dorian, and thanks for tuning in to DotSlash. This is Qubes OS. I've been using this for a year, maybe more. It's installed on hardware, on my main laptop, and I've been using it, playing with it, updating things and just playing around with it, just to see what it's like to actually use it. And I'm going to show you here how it actually works.

So, you may be able to tell this is LightDM, and it's running Xfce, so I'm just gonna log in here. Now, the installation: since this part is based on Fedora, the installation uses Anaconda, and it is a very Fedora-like installation. Now, one issue with this, if you want to try it, is you can't run it in a virtual machine, because it needs a lot of the CPU's virtualization technology that a VM just can't provide. I've read that you can do some tricks with virtual machines that will expose some of the hardware, but it seems complicated, it doesn't really work well, it might work on some hardware, not on others, so I'm not even going to get into that. This is it running on hardware.

So, for those visual people, I brought up a little image here, and this is basically showing how the Xen hypervisor is what runs the actual operating system, and you have secure GUI administration, dom0 (I call it domo, whatever). This is the desktop that you're actually gonna work from. The Xen hypervisor is not something you actually work on at all; it's all run in the background. The desktop that you're using is a virtual machine, and then you're running other applications also in a virtual machine. There's a more complicated, uh, picture here if you wanted to have a look, and I'm just gonna actually use it and show you, and hopefully it'll be a little less confusing that way.

So you'll notice this is running LightDM, and this is a virtual machine. Now, of course, I've customized this and themed it and whatnot to
make it look how I want it to look; this isn't how it looks out of the box. So this can be difficult to explain. I will try my best, so please don't, uh, give up on me if I lose you a bit. I'm going to try to make it as clear as possible. But as I mentioned before, this is dom0. This is what Xfce is running in: dom0. This is the management domain. It is a virtual machine running on top of Xen. Everything runs on top of Xen; everything is a virtual machine or a virtualized service.

Now, this looks like a bit much at first, but if I open up the Qubes Manager, this is all the virtual machines and the templates running in the system. When you first install the system you get, I think, just a Debian, Fedora and Whonix template and VMs. This is something you can add on to afterwards. I think you have the option to not install all the templates if you don't want to. But basically what will happen is you'll end up with the default template, like Fedora 29 (I know this is old, I haven't updated it in a while). So you have the Fedora 29 template, and then you have personal, which is based on the Fedora 29 template. This means anything that you do in this virtual machine is still based off of the template. So you can see it's only 442 megabytes; that's because I've installed or updated 442 megabytes worth of stuff, but the template itself is actually four and a half gigs. So no matter what changes you're making in the virtual machine, you're not making any changes at all in the template. The template never changes.

Now, I created a new template called Debian 10, because it came with 9 and I wanted to create 10.
So I basically cloned it and updated it to Buster, and then I created this from the Debian 10 template. You also see sys-net and sys-firewall. These are virtual machines that have access to the internet. If I take a quick look in Debian 10 (the deb10, sorry), you could see here under networking it is the sys-net virtual machine, so it is using the sys-net virtual machine to access the internet. They don't access the internet directly. Now, you can change that as well: sys-net has less rules and more direct access to the internet, and sys-firewall of course has a firewall running on it. But that's something that you can get into later, once you have it all set up, and you can tweak on your own.

For now I want to show you how these virtual machines work and how you would manage the templates and updates. Basically, if you go and hit the applications menu button, you can see all your templates, all your VMs. It looks like a little bit of a mess, but you can add shortcuts to your desktop or the launcher down here or whatever, and it's something that you do get used to. So you can see in deb10 I have Chromium, Files, Firefox, Spotify, Telegram, Terminal and Thunderbird. You can add, remove whatever software that you want in here, and then you just run it like you would run any other normal application.

So I'll just use my shortcuts down here, and you'll see in the top right it says the domain is starting. A little dot here is yellow, and it will turn green, saying that the virtual machine has started, and then you'll get another notification that it has started, and then your application will start. So this Firefox application is running within the deb10 virtual machine. Now, it appears to be running within dom0, but it is not; it's completely separate. This is basically just forwarding the window to dom0, but everything works just like it would normally, and you can go and do whatever you normally do on the internet, and everything is running in this VM.

If I go and open up the file manager, you'll see it does look a
little weird, because it is a GNOME application running within this window, so you have the top bar here with the close, minimize and maximize here. So it's kind of weird that it duplicates it, but that's just the way it works, at least for GNOME-specific applications.

So now let's go ahead and let's open the work VM, work file manager. Now, these colors you can change to whatever you want. It tints all the icons so that you can tell the difference. Depending on what window decorations you're using, it might color the entire bar, but with Arc, I think I'm using right now, it only decorates the icon, which is a little more subtle, and it works for me. So you can see now we're running deb10 and work. Both these virtual machines are running; they're both side by side here. However, if I go into these downloads, you can see some things I downloaded before. If I go into these downloads, it's empty, because this is two separate virtual machines, two different directories, two completely different file systems.

So now you can transfer things from one machine to the other. You just right click on here, Copy to another AppVM, and then from here I would just select work, okay, and then you can see this folder here, QubesIncoming, deb10, there's the file. So if you have several files being sent from several machines, it'll make a folder for where it came from, and there's the same file. And this transferring is all done outside the VMs; it's using the hypervisor to transfer these files. They're not connecting directly to each other; it's all proxied.

So now, that's all fine, um, you can have your work Firefox and your personal Firefox, two completely different things. You can see one is orange, one is pink or purple, whatever color that is. These are two completely separate virtual machines, both running Firefox. They don't interact with each other at all, so you can even see the bookmarks here are different. So you can have one specifically for banking, where anytime you do banking you just use that one virtual machine, but
you can also go one step further. So if you go back here, you can see we have this option here: disposable, Fedora 29 DVM, disposable virtual machine. So I'll start up Firefox in here, and you'll see this 9898 is starting. This didn't exist a second ago; this is created on the fly. So as soon as you open a disposable virtual machine, it basically creates a new virtual machine based on the disposable virtual machine template and then starts up the application. So now in here you can go and you can do your banking, and you can do, like, whatever stuff that you want to do that you want to keep private, and then when you're done, close it up and give it a second, and you'll see that as soon as the virtual machine realizes all the applications are closed, it will automatically shut down on its own. The other virtual machines don't do this; you can see deb10 and work are still running, but that virtual machine will close in a second. There you go, it's halted, and it deleted itself. So any trace of what you did in that VM is gone, because the entire file system that was being created on the fly as well has also been deleted.

So, one step further: "Okay, but if you pull out the hard drive you can recover the data." Yes, but if you run something else to wipe the hard drive occasionally, you can get rid of that as well. Or if you're using an SSD and it's TRIM enabled, well, it's pretty near impossible to get the data back from, uh, an SSD that has TRIM enabled anyways, and most do nowadays.

Okay, so now let's create a new virtual machine based on Debian 10, and let's call it banking. So, name and label: we'll call it banking, and we'll make it, uh, blue. Based on Fedora 29... let's make it based on Debian 10.
Networking uses the sys-firewall. And do that, creates a new qube, there you go, banking, done. So now if you go here, you have banking with all the default stuff that you would see in the Debian 10 template. So now if you want to customize it, you can right click, go to Qube settings, and you can go here to applications, and you can see the selected applications that will show up in this menu. And let's say you don't want any of these, you only want Chromium, like that, hit okay. Now when you go in here, banking, there's only Chromium and the settings.

Now, if you want to customize it a little bit more, you can go into advanced. You can change how much memory and CPU it will use, you want two CPUs, or how much RAM you want. Usually the defaults are fine. You can even change the kernel if you want. You can also make this a disposable VM template, so hit OK, go here, now you have a disposable banking template, which means this will run in its own randomly created virtual machine, and then when you shut it down, it will shut down that virtual machine and delete it.

Other things that you could do with the disposable virtual machines is in the file manager. Let's say you downloaded a file and you're not sure what's in it, you might find it a little suspicious, or an email attachment. Well, you can right click, View in DisposableVM, and it will fire it up in that VM. You can see here this has been created and it is booting up, and it will open this folder in the virtual machine. There you go. So in here now you can have a look at what's in here in this file, and then close it, and then it will shut itself off and delete itself when it's done.

One thing you can do, now that you created this as a disposable VM, is you can go into another VM, into the Qube settings, advanced, and now the default disposable VM template, you can now choose banking, because in the banking settings you said that it is a disposable VM template. So now that means in deb10, downloads, View in DisposableVM, now when it creates this disposable VM it is
based on banking, because that's what you set in here, advanced, for deb10: banking as the disposable VM. So now you can see it opened the compressed file. You can have a look, you can browse, close it up, and then it will shut down this random disposable machine and it will delete it from the system. So you could basically run it this way all the time if you wanted to; you can run your browser all the time as a disposable machine.

But now, what about if you want bookmarks, you want to have a certain setup, so that when you open your disposable machine you don't have to start from scratch all the time? Well, this disposable banking, you can go in and turn that off. Now when you start it up, it will be just a normal virtual machine. You can add your bookmarks, make your changes, save it, and then turn on the disposable VM template setting again. Now you've essentially locked it into how it's going to be.

So now, what about updates? Well, you can go into the terminal and you can run updates, that's fine. However, remember, any updates that you're doing in the virtual machine are only affecting this machine; you're not affecting the template. You should run the updates in the template, and it will do that automatically for you. But if it makes you feel any better, you can also go into the template and open the terminal this way manually. But now you're running the actual template as a virtual machine, which is not recommended that you do, but you can do it. So then in here you can do sudo apt update and upgrade, update the whole system in the template, and then it will update any other virtual machines that are based on it, if that makes sense.

However, I'm just going to shut it down here, wait until it's off. You can see there's a little green down arrow, and also this yellow icon here saying that you have an update. This will pop up when your virtual machines have updates, and you can see here Debian 10, which is the template, has an update. So we're going to go next, and you're going to see that it's going to fire up the
management Debian 10 down here, and it's going to run all the updates. So now, what's happening here is similar to how you update dom0. The updates don't go directly into the template; they come from another VM. The other VM will download the updates, verify all the signatures, and then transfer those updates to the template to be installed. Now, that might sound a bit confusing, it sounds like a lot of extra work, but that prevents the templates or dom0 from being accidentally infected by an update or package that is invalid or has been tampered with.

You could do the same thing here if you run the dom0 terminal. So this is the terminal for dom0, for domain 0, dom, whatever you want to call it, and you're going to do sudo qubes-dom0-update. Now, what this is doing, you can see here it's using sys-firewall as an update VM to download the updates. Now, there currently are no updates, so it went by pretty quick, but basically what would happen is sys-firewall right here would download all the updates first, script runs, it verifies all the signatures, makes sure all the packages are valid, everything is good, then transfers everything to dom0, then it applies all the updates to dom0. So it's some extra steps for some extra security.

So now you can see here that the update is complete. You can see, go through all the individual files that it updated, new and old. Summary: succeeded three, run time 80 seconds, finish. So now the Debian 10 template has been updated, which means, you can see here this little arrow thing for the deb10 VM, it's asking you to restart this VM, because remember, this VM is based off of Debian 10, which just got updated. So in order for this to become up to date, you just right click, Restart qube, yes. If you're running any applications off of it, they will shut down. It will restart this virtual machine, which is now based off of the updated Debian 10.
Perfectly not confusing.

So now, something I want to show you, just to give you an example here: the sudo qubes-dom0-update genie. This is also how you install things in dom0. So we're gonna do this, look for updates, but actually it's only gonna look for genie. And now you can see, it's a little hard to read, there we go. So now you can see everything in red here is coming from the update VM, it's sys-firewall. It downloaded these three packages, it verified, said it was saved in cache, and now dom0 is saying, okay, yes, now we can install these things. So you say yes, running transactions, installing, done. So it's like a proxy install: it takes another VM to download and verify first, and then transfers to dom0. dom0 doesn't have access to the internet anyways directly; it has to get it from somewhere else. So now if we go to the applications menu, system tools, genie is right here, and now this is running within dom0. This, by the way, is also where you'll find all your other stuff, like display settings and etc., etc., as well as, most importantly, the Qube Manager itself.

So that is Qubes OS in a nutshell. Um, I know there's a lot to it. I kind of ran through a whole bunch of examples of how you do things. Luckily I had updates to perform, so that worked well. But can you run this as an everyday machine? I guess so. But do you need to? That's a question that only you can answer, really. If you go to the qubes-os.org website, they have tons of documentation, how to do pretty much everything: creating new templates, um, I think there's stuff on installing a Windows VM if you wanted to for some reason, as well as lots of weird different operations that you can do, ways to customize things, uh, everything on Whonix. There's way, way more to get into. This is just an introductory scratching the surface of what it's all about and how you would use it. It's definitely something to play with; that's why I've kept it around for so long. And the great thing is, if you feel like something's been compromised or
you forgot to use a disposable VM, like your banking, something weird popped up, if you're feeling paranoid, you can always just go and delete the qube. Oop, but it won't let me, because it's deb10's, uh, disposable VM template. So let's go change this back to default, and then now I can delete it. Banking, type it just to confirm you want to delete it, and now it's gone forever. Anything you ever did on it is gone forever, just like as if it was a disposable virtual machine.

But yes, as far as everything else: Telegram works fine, Spotify works fine, Chromium works fine, YouTube plays videos. I'm not going to show you a YouTube video because I don't want to get in trouble with YouTube.

One thing I will say with this system is you do want to make sure you're running a system that has enough RAM for how many VMs you're going to run. They don't use a ton. I think they're all set at four gigs, yeah, four gigs is the max. So I'm running 16 gigs, but again, this is the max, which means it won't run four gigs right off the bat; it'll start with 400 or whatever you set this at. And then same with the CPUs: if you're short on cores, you only have four cores, maybe set your machines to one. I have eight cores, so I'm not worried about running a whole bunch of VMs at the same time. I haven't run into any issues running more than four VMs either, because that just means they'll share the core.

So is this really ultra secure, or is it just for the ultra paranoid? It's kind of a little bit of both. The system kind of assumes that you will get hacked. This is, uh, not a hundred percent secure; I think they call it the reasonably secure operating system. And there's way more you can do once you start using the Whonix. It automatically uses Tor and all that stuff that is beyond what I want to get into, because I find once you start using all this Tor stuff, all the websites start throwing CAPTCHAs at you, you get all kinds of problems with, uh, servers refusing your connection because it's from a known Tor gateway. But
if that's the kind of level you want to run at, well, that's totally doable as well. So you can do that on top of running disposable virtual machines that will delete themselves once you're done doing whatever you're doing.

But keep in mind, folks, this isn't designed for you to go out and do some nasty stuff, some dark web, who knows what you want to do. Use this power for good. This is for privacy, this is for, um, banking, this is for, I guess, anything important that you don't want to leave any trace behind: passwords, maybe Bitcoin stuff, who knows. Just keep in mind that anything you do online can be seen and intercepted by someone or in some way, especially if you're using Google, so just use DuckDuckGo or something else that you know isn't designed to gather your data. But to be honest, no matter what you're doing, if you're connected to the internet, you're only fooling yourself if you think that you're 100% secure and everything is 100% private and that no one is able to track you. No matter what, there's always a way. There's so many companies out there that it's their job to scrape data, to get information from you, to find out who you are, where you are. So you can always do the best you can, but don't assume you're safe.

And with that, I remove my tinfoil hat. I hope this wasn't terribly confusing. I hope you liked the video. If you did, click on like, don't forget to subscribe if you haven't already, and click on the bell to get your notifications. If you like my channel and my videos, you can support it by heading over to patreon.com, DorianDotSlash, and throwing me a couple bucks a month. I would truly appreciate it. Thank you so much for watching, and until next time, bash on!
Info
Channel: DorianDotSlash
Views: 83,690
Keywords: qubes, cubes, qubesos, qubes-os, cubesos, vm, virtual machine, xen, qubes os, cubes os, qubes os on virtualbox, qubes os installation, qubes os install, installing qubes os, install qubes os, qubes os review, qubes os tutorial, qubes os 4, qubes os 4.0.2, qubes os 40, qubes os virtualbox
Id: YPAvoFsvSbg
Length: 25min 3sec (1503 seconds)
Published: Wed Oct 07 2020