A journey into Qubes OS

In this article, Ketan describes his journey into Qubes OS: A reasonably secure operating system.

Qubes OS: A reasonably secure operating system

I was doing some reading into digital security, privacy and hygiene and I stumbled across Qubes OS, marketed as “a reasonably secure operating system”. It’s not necessarily that I had anything specific to hide or protect, it’s more that I didn’t have anything to say. The first thing I questioned was how I currently leaked the most information. It was safe to say, it was my every day laptop. So I decided to see if I could go about changing that. And down the rabbit hole I went.

Here’s how my journey looked.

Intel gathering

Any successful project starts off with research into whether what I’m thinking of doing will be of any benefit to me. What I’m weighing up here is:
1. What I’m getting
2. What I’m not getting
3. What it’s going to cost me

To get this information, I spent a lot of time watching videos, reading and digesting. I built up a bit of a mental game plan along the way, visualising what my steps would be.

With Qubes OS here’s my analysis of what I’m getting:
– Additional security through segregation of functions and duties. I can set up a virtual machine (VM) for work, a VM for personal matters, a VM for Bitcoin related tasks and even a disposable VM that wipes itself after I use it.
– Additional privacy through a VM specifically with Tor only access (through Whonix)
– Security benefits of a fully open source operating system and BIOS

Here’s what I’m not getting:
– Convenience – I’m not expecting Qubes OS to ‘just work’ out of the box every time. It’s going to take a bit of explicit access granting for things such as USB devices, microphones and other hardware and general tinkering on my part to get things working.
– Familiarity – this operating system isn’t something I’m generally accustomed to. Hopefully over time, that can change and it becomes more intuitive. I’ll have to keep learning as I go rather than just being able to get the job done first go.

Here’s what it’s going to cost me:
– $300AUD (for hardware)
– Hours of my time to learn (which doesn’t bother me too much because I see it as a worthwhile investment of my time and I enjoy it)

Hardware

Reading through the Hardware related documentation on the Qubes OS website, I decided to purchase a refurbished Lenovo ThinkPad X230 off eBay. It comes with an i5 3320M processor, 8GB RAM and a 128GB SSD. All up $257AUD delivered. The reason I purchased the X230 is because it was the recommended and tested unit by the Qubes OS developers.

When I’m buying hardware, I try not to buy anything too obscure that will end up trying to fit a square peg into a round hole. I tend to purchase items that have good support, reviews and a community behind it with lots of documentation for help and troubleshooting. Based on my reading, I found the X230 to be the premier candidate.

BIOS

Doing a bit of further research I found that I’d need to ensure IOMMU-based virtualization was enabled in the BIOS. When I received my X230, I turned it on, pressed F1 during boot and went straight into the BIOS to enable it in the configuration screen.

Enabling virtualisation in the ThinkPad BIOS in preparation for Qubes OS installation

I noticed the BIOS was pretty old and out of date as well. Since the laptop came with Windows 7 loaded, I downloaded an updated (but not latest) BIOS from the Lenovo website and installed it. It was fairly simple.

I went further down the rabbit hole and found that if I was going to do this properly, I’d need to install an open source BIOS. This required flashing ‘coreboot’ onto the machine, which meant opening up the laptop with a screwdriver, putting a clip on a computer chip (or two) and loading software onto it from a Raspberry Pi 3. Now I really felt like hackerman.jpg. Reading further, I found a flavour of coreboot specifically designed for the Lenovo ThinkPad X230 called skulls. The GitHub repository had great, easy to digest instructions for what is, on face value, a rather intimidating process.

More Hardware

Thankfully, I had a fully functioning Raspberry Pi 3 lying around that I could take advantage of. But what I didn’t have was an 8 Pin SOIC Clip so I bought that ($40AUD) along with some short female to female jumper cables ($5) to connect the pins on the clip to the pins on the Raspberry Pi 3.

I prepared my Raspberry Pi 3 with the latest version of Raspbian, followed the instructions on the skulls GitHub repository to modify the RPi3 as required and cloned the skulls repo onto the RPi3.

Loading Linux onto the ThinkPad X230

To install skulls, I needed to have Linux installed on the X230 laptop. As I mentioned, the laptop came preloaded with Windows 7, which was great for updating the existing BIOS, but not so much for flashing coreboot. I created a bootable Ubuntu USB, inserted it into my laptop and installed it pretty seamlessly, overwriting Windows 7.

Installing skulls on the ThinkPad X230

I cloned the GitHub repository onto the X230 and ran the provided script to ensure my system was ready for flashing. It was! But I wasn’t done yet.

Preparing the hardware for flashing is where it gets pretty intense. I had to make sure the wires were in the correct position and the clip was properly secured. You don’t want to brick the device. The moment of truth – it worked first go! I flashed the bottom chip first – this neutered the Intel Management Engine. Then I flashed the top chip – this installed coreboot. Success! No mucking around.

The blue clip is placed onto the BIOS chip on the computer being flashed. Double check wires and connections!

Installing Qubes OS

So now I was ready to install Qubes OS onto my machine. I flashed a USB drive with the Qubes OS R4.0.3 iso file. Big file – 4.5GB. Inserted it into my laptop and pressed ESC now (no more F1, got rid of that!) and booted from the USB device.

The installation took a while, reading through all the options and the installation guide on the Qubes OS website. It went relatively smoothly with no major hiccups.

Trying it out

So this is where I played around a lot, experimenting with all the features Qubes had on offer. I have to say, I was thoroughly impressed. I enjoyed the Tor only connections, the disposable VMs, the Debian 10 and Fedora 30 templates for daily use.

On first glance, it’s an advanced operating system with plenty to explore. I really liked that you could deploy a template and run it as a virtual machine. You could clone and delete VMs at will, hiring and firing what you need for the objective you want to achieve.

Networks, USB drives, drivers all worked well with very little issue. It appeared to be quite a stable operating system as well. I experienced no fatal errors or crashes. The Qubes OS project appears far advanced in its journey, definitely not in its infancy.

The community at #qubes on freenode IRC are helpful and fielded any questions I had. There’s plenty of support documentation on the website to refer to as well.

The not so great

Qubes OS, by design, requires a lot of granting access to hardware, network and software on initial configuration. It was very tiring and cumbersome. I spent a lot of time in settings, rather than getting the job done. By the time I solved my issue, I forgot the task at hand. This was expected. Had I stuck with it for longer, I could’ve got it. I was getting a reasonable handle on it within just a few hours. Qubes is a feature rich operating system and can get overwhelming.

A major drawback is memory usage. Qubes OS is an insane resource hog. I could upgrade my RAM from 8GB to 16GB to solve that. However, after a certain point, there’s no more juice left in the tank to open more VMs.

The frustration was the amount of time spent figuring out how to install basic applications on my templates and then assigning it through to each Qube I need it for so it shows up in the Application Menu. Dealing with specific networking related issues like ZeroTier was quite frustrating. Lots of Qubes cloned, then subsequently deleted because I messed up. It’s a heavy load of configuration to get anything done.

As for Bitcoin related software, it can be tough to install on Linux at the best of times; putting it on Qubes added a whole new level of complexity. Just getting Electrum Wallet started from the application menu was a mission.

For me personally, I’m not a journalist or someone with a high profile that I need this level of robustness to my processes. At some point, I do value convenience to get my tasks done. If this is your first rodeo into Linux, Qubes OS just isn’t the place to start. This software is made by experts, for experts who have been on the circuit for some time.

The Verdict and Takeaways

In short, for me, the juice was not worth the squeeze. To be fair though, I don’t think I stuck with it for long enough.

The initial goal I had was to improve my privacy. I think I achieved this in two ways.
1. Installing coreboot, neutering Intel ME on the X230 laptop
2. Reverting the machine back to Debian instead of Ubuntu or macOS after deciding Qubes wasn’t for me

It was a great learning experience into the nuances of security and privacy. I can definitely take away some of the concepts and apply them in Debian. Segregating information through VMs and using Tor more often would be those key takeaways. But for me, this is just not something I need in my day to day life. I can appreciate why others would need this though. I don’t discourage anyone from trying it out.

I’ll definitely be back some day to give it another shot. But today is not that day.