A couple of best practices I would suggest include:
1) Clone your templates (maybe multiple cloned templates) and never install or use your original templates. (This will help keep them secure, and if you screw up on a clone you can always delete it and start a new clone from the original template.)
2) Think about how you want to divide your different digital lifestyle/compartments e.g. email, banking, personal, work, passwords, etc...
3) What software do you need to install (if any)? Depending on your needs and uses e.g. LibreOffice, plugins, other Linux software? Install those on your cloned templates
Maintenance:
1) Keep your templates updated (and Dom0 updated)...this should be done right after an install
2) Backup your data and system weekly/daily (depending on your need)
Other security setups:
Set up a VPN
Explore minimal templates
Review BIOS
TPM
Look at your firewall and restrict IPs based on the AppVM's use
Customize your DVM (disposable VMs)
Welcome and good luck! I never used Linux and I fumble thru fine after a little practice. Don't be scared to post a question after searching if you get stuck.
Keep your plugins, if any, updated
...back up your data prior to updating dom0 and your templates. I got burned on that a while ago.
In terms of cloning the templateVMs should I be using the clone to create appVMs then?
1) Original Fedora Template = I avoid using it
2) Clone of "Original Fedora Template" = Vault AppVM
3) Cloned Template with Libre Office installed = Personal VM & for another disposable VM for printing and opening email attachments (multiple disposable VMs available in 4.0)
4) Cloned Template configured for VPN = VPN AppVMs
If one screws up due to my doing, borked update, suspicion of malware I delete the clone and rebuild it from my Original Template. I highly recommend backing up your data VMs prior to updates (I can't stress this enough!). When I first started I screwed up a lot and was constantly reinstalling Qubes.
Similar cloning for Debian...I tend to use Debian where I can. The logic is the more software you install in a template the more vulnerable the template becomes...
I use the GUI but also picked up some commands for the terminal. I didn't know Linux but figured I would start with Qubes as I needed the security ASAP (I didn't have a choice).
Here are some basic commands I might use in a terminal:
Debian - To install Nautilus
su
apt-get install nautilus
Debian - To install OpenVPN
su
apt-get install openvpn
Debian - To install GNOME (Including Libre Office):
sudo tasksel
select GNOME (with space bar)
Fedora (Install Libre Office):
sudo dnf install libreoffice
Update Dom0 in terminal:
sudo qubes-dom0-update
I again thank all on this mailing list who have helped me directly and indirectly. I also recommend donating if you can to keep Qubes going...it's good stuff! Kudos to the development team and all those writing code...thank you!
Similar to Stuart, to avoid a borked update, which happens (although rarely these days), I:
1) Back up my data prior to an update
2) I only update my original templates after updating the clones, if the clones update OK I then update my original template
0) After install, clone the baseline templates, then re-point all the non-standalone VMs to the clones. Update the clones regularly. This avoids the catch-22 of having your network broken on all your templates. If a clone breaks, you can easily remove it, reclone the baseline, and update the new clone to where you need it sans the breaking package(s).*
1) Backup your templates and Qubes.
2) Test restore your backups onto a new Qubes installation once after the first backup and at least twice a year. Certainly before repaving your primary machine with a new install.
3) Backup extremely important files (your source code, legal documents, etc.) to appropriate storage elsewhere. E.g. github/etc. for public source code, (secure) removable media or trusted secure online services (e.g. spideroak) for legal docs.
4) Keep a list of all modifications you have made to each template, any standalone VMs or to dom0 in your vault or in online storage: e.g. all rpms/debs added to baseline template, kernel version or option changes, pulled/built packages, configuration changes, etc. This will reduce your annoyance level when you decide to/are forced to rebuild the system from installation media and new templates and keep finding gaps when you are attempting to work.
5) Keep dom0 customizations to a minimum. There are no templates to save you.
6) Update dom0 sparingly, only after making backups, only as needed. There are no templates to save you.
* at some point we'll need to talk about how to keep the Qubes menu clean with all these clones around. :)
B
Most of my trusted VMs use standard templates. I use both Debian and Fedora: one for less trusted trusted, one for more trusted trusted.
Having a lot of templates is a real resource hog and a pain to update. I feel it's more important to compartmentalize with AppVMs rather than get caught up in having multiple templates, unless you are going to be installing a lot of software or testing with them.
When I back up, I don't back up templates.
And if I have to restore my system, the only thing I'm restoring is the AppVMs. I will manually reinstall Qubes, re-clone two or three extra templates I need, and manually reinstall the software I need in them.
I have not used paranoid mode to restore appvms yet. But when the time comes I will be looking into it.
My recommendations, incorporating some other previous recommendations.
0) After install, clone the baseline templates, then re-point all the non-standalone VMs to the clones. Update the clones regularly.
...
4) Keep a list of all modifications you have made to each template, any standalone VMs or to dom0 in your vault or in online storage: e.g. all rpms/debs added to baseline template, kernel version or option changes, pulled/built packages, configuration changes, etc. This will reduce your annoyance level when you decide to/are forced to rebuild the system from installation media and new templates and keep finding gaps when you are attempting to work.
Regarding the topic of how to clean up the Qubes Menu if you use lots of templates, maybe my "poor man's" show/hide script can help.
I am using this to hide templates or AppVMs which I don't use very often or which I only use as base templates.
(All my AppVMs use custom-built templates, which are based on a fedora/debian minimal template)
> Brendan:
> > Maybe a toggle-style menu item or two at the top of the Q menu:
> > - Show (Hide) Template VMs
> > - Show (Hide) Non-included VMs (using your checkbox approach)
Unman:
> I remember when there was just such an option available, and a toggle at
> the top of the Manager to show/hide . It was lost in the transition to
> the Qube Manager.
> Put in a feature request on github for this. No: there's already one
> there:
> https://github.com/QubesOs/qubes-issues/issues/4005
Usage:
qubes-app-menu hide <name-of-vm/template>
... this will move all menu files from the AppMenuFolder (~/.local/share/applications) to a "save location" and therefore the menu will not show those entries.
qubes-app-menu unhide <name-of-vm/template>
... will copy the files back and therefore the entries will be shown in the Qubes menu
If you launch the script without arguments it will show how it works, and if any entries have been hidden.
Feel free to improve, as you might guess, I am not very skilled in scripting ;-)
Attention: the script will not do any error checking if you use an AppVM name which doesn't exist.
--- 8< --- --- --- --- 8< --- --- ---
#!/bin/bash
# name   : qubes-app-menu
# purpose: Hides menus from the qubes menu for AppVMs
# Usage  : qubes-app-menu hide|unhide <AppVM>
# Link   : https://github.com/one7two99/my-qubes/blob/master/dom0/qubes-app-menu
cmd=$1
HiddenAppMenuFolder=~/hidden-dom0-applications
AppMenuFolder=~/.local/share/applications
# check if $2 is set; without a VM name fall through to the usage text
if [[ -n "$2" ]]; then
    AppVM=$2
else
    cmd=0
fi
case "$cmd" in
    'hide')
        # move the VM's menu files to the save location
        mkdir -p "$HiddenAppMenuFolder/$AppVM"
        mv "$AppMenuFolder/$AppVM"-* "$HiddenAppMenuFolder/$AppVM"
        echo "Apps for $2 hidden from Qubes Menu" && echo
        #notify-send --urgency low --icon image --expire-time=5000 "$0" "Apps for $2 hidden from Qubes Menu"
        ;;
    'unhide')
        # move the saved menu files back and remove the empty save folder
        mv "$HiddenAppMenuFolder/$AppVM"/* "$AppMenuFolder"
        rmdir "$HiddenAppMenuFolder/$AppVM/"
        echo "Apps for $2 viewable in Qubes Menu" && echo
        #notify-send --urgency low --icon image --expire-time=5000 "$0" "Apps for $2 viewable in Qubes Menu"
        ;;
    *)
        echo
        echo "Usage: qubes-app-menu hide|unhide <APPVM>"
        echo
        echo " hide <APPVM> : Hide the app menu entries for an AppVM"
        echo " unhide <APPVM> : Show the app menu entries for an AppVM"
        echo
        echo "Currently hidden AppMenus:"
        cd "$HiddenAppMenuFolder" && ls -1
        echo
        ;;
esac
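
A variant of the hide/unhide logic above with the checks the posted script leaves out, as an added example that is not part of the original post or the linked repository: it rejects VM names containing path or glob characters and refuses to act when no matching menu entries exist. The function names and the accepted character set are assumptions; the folder defaults are the ones from the script.

```shell
#!/bin/sh
# Added example, not the poster's script. Folder defaults match the original.
AppMenuFolder=${AppMenuFolder:-$HOME/.local/share/applications}
HiddenAppMenuFolder=${HiddenAppMenuFolder:-$HOME/hidden-dom0-applications}

# Accept only letters, digits, "_" and "-" (assumed character set); this
# rejects empty names, leading dashes, "/", ".." and glob characters.
valid_vm_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

hide_vm() {
    vm=$1
    valid_vm_name "$vm" || { echo "invalid VM name: $vm" >&2; return 2; }
    found=0
    for f in "$AppMenuFolder/$vm"-*; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal: skip it
        if [ "$found" -eq 0 ]; then
            mkdir -p -- "$HiddenAppMenuFolder/$vm" || return 1
            found=1
        fi
        mv -- "$f" "$HiddenAppMenuFolder/$vm/" || return 1
    done
    [ "$found" -eq 1 ] || { echo "no menu entries for $vm" >&2; return 1; }
}

unhide_vm() {
    vm=$1
    valid_vm_name "$vm" || { echo "invalid VM name: $vm" >&2; return 2; }
    dir=$HiddenAppMenuFolder/$vm
    [ -d "$dir" ] || { echo "nothing hidden for $vm" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mv -- "$f" "$AppMenuFolder/" || return 1
    done
    rmdir -- "$dir"
}

case ${1:-} in
    hide)   hide_vm "${2:-}" ;;
    unhide) unhide_vm "${2:-}" ;;
    *)      echo "Usage: $0 hide|unhide <AppVM>" ;;
esac
```

Because entries are still matched as `<name>-*`, hiding `work` also moves the entries of a VM named `work-vpn`.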