Linux operating systems (known as “distributions” or “distros”) have constant releases and updates, with some more substantial than others. Updates usually bring minor fixes and tweaks, but occasionally new distro releases or iterations can yield major changes.
However, many Linux distributions (distros) are niche OSes. For instance, Kali Linux is an ethical hacking and penetration testing Linux distro. There are server Linux operating systems, media center Linux distros, and more.
However, Qubes OS focuses on security. Its tagline reads: “A reasonably secure operating system.”
Meet Qubes OS:
Although Qubes OS is a security-centric Linux operating system, let’s see how it’s different. While a traditional Linux system is considered secured when beefed up with robust firewall and antivirus software Qubes takes a different approach. Rather than relying on traditional protection measures, Qubes OS employs virtualization. Therefore it fosters security via isolation. The isolation method focuses on limiting software and hardware interactions.
Various virtual machines (VMs) separate and compartmentalize its environment. By default, there a few VMs available. You can create your own as well. Virtualization manifests on two fronts: software and hardware. Therefore hardware controllers are separated into domains such as USB controller domains. But software gets segmented into domains with varying trust levels.
For example, you may have a work domain for the most trusted applications and a random domain for the least trusted domains. Each of these domains operates on a separate VM
But unlike running an operating system within a virtual machine, Qubes uses virtualization to isolate applications. For instance, your web browser remains in a different environment than your file browser. That way if a vulnerability gets exploited and executes commands on your system, the attack is contained.
Using Qubes OS may appear more complex than it is. That’s mostly due to its security through isolation set up. Nevertheless, running applications in virtual machines isn’t as difficult as it sounds. The simplicity of Qubes OS is remarkable. At first glance, Qubes appears like a standard desktop environment. In appearance, it’s no more complex than a Linux operating system like Ubuntu.
For instance, you can view two different instances of the same web browser side by side, they can run on different security domains. One may be your work browser, whereas the other is your untrusted browser. Visit the same website in both browsers running side by side, log into one, and you won’t be logged in on the other browser. That’s because they’re in separate domains, on separate VMs.
Even file browsers remain completely separate. But using Qubes OS doesn’t feel like using virtual machines. Because Qubes OS integrates all virtual machines into a single desktop environment, everything appears seamless. However, there are means to share between domains. For example, if you have a file saved in your personal domain, you can copy it to your work domain.
Even the clipboard is domain separated. If you copy text in a text document on your work domain and click into a document on a personal domain, the text is relegated to the original domain. Still, as with files, you can use Ctrl + Shift + V to copy clipboard data between domains. Different colored borders differentiate your separate domains helping you easily identify applications.
In addition to dedicated domains, you can create disposable domains. These differ from dedicated domains. Disposable domains are created for a single task, and once that’s complete they’re totally gone. If you open an instance of a web browser in a disposable VM, you can do whatever you want: bookmark sites, add them to your favorites, and save cookies. Once you close that browser, everything from that session is gone. Opening another web browser in that disposable VM will show nothing saved from your previous session.
From any domain, there’s a right-click option to open a document in a disposable VM. Therefore, if you download a file in a work or personal domain, you can right-click and open that file in a disposable domain. Notably, this is an excellent means to avoid contaminating a domain. If you download a PDF from an untrusted source (not recommended), you can save it in your work domain and execute it in a disposable domain.
App Installs and Updates
Opening a terminal in an application domain, such as your work domain, downloads and installs software as usual. However, using a domain specific terminal limits that application to that domain. Moreover, installing an application within a specific domain doesn’t save. When you restart that domain, that program is absent. To install and save an application, you must install it in the template. This is a neat touch. For example, if you want to try an application, you can try it within a specific domain. Then a VM reboot clears that application.
Appearance and Perceived Performance
Appearance and performance are where Qubes OS really shines. Using an application, you would have almost no idea that you’re using an app in a domain. Pull up a work and personal web browser side by side and the only indication that they’re running in separate VMs is the colored border around each and label that says the domain name. I really appreciate the simplicity of Qubes OS. While it’s complex in its customization options, Qubes OS is very intuitive.
Okay, now the question you’re probably asking: why should you use Qubes OS? Can’t you achieve all of this virtualization using the likes of VirtualBox, VMware, and Parallels?
Unfortunately, that approach is pretty cumbersome. To upgrade applications within those separate domains is pretty task-intensive. You would have to, for instance, update the web browser in each unique virtual machine.
Enter Qubes OS. What makes Qubes OS fantastic for compartmentalization is its ability to spin up VMs and run applications within separate virtual machines in one desktop environment. But Qubes integrates everything into one desktop environment. Spinning up new VMs is incredibly manageable. Within domains, you can choose which applications appear in that domain, select various templates, and work with totally isolated environments in one desktop.
Because Qubes OS is VM-centric, you’ll need a pretty beefy computer. While you may be able to run Qubes OS on less powerful hardware, it’s not recommended. Virtual machines remain hardware and resource intensive.