Title: Introduction to Qubes OS when you do not know what it is
Author: Solène
Date: 03 August 2025
Tags: qubes security
Description: In this article, you will learn about major features of
the Qubes OS operating system and what makes it unique.
# Introduction
Qubes OS can appear as something weird and hard to figure for people
that never used it. By this article, I would like to help other
understanding what it is, and when it is useful.
HTML Qubes OS official project page
Two years ago, I wrote something that was mostly a list of Qubes OS
features, but this was not really helping readers to understand what is
Qubes OS except it does XYZ stuff.
While Qubes OS is often tagged as a security operating system, it only
offers a canvas to handling compartmentalized systems to work as a
whole.
Qubes OS gives its user the ability to do cyber risk management the way
they want, which is unique. A quick word about it if you are not
familiar with risk management: for instance, when running software at
different level, you should ask "can I trust this?", can you trust the
packager? The signing key? The original developer? The transitive
dependencies involved? It is not possible to entirely trust the whole
chain, so you might want to take actions like handling sensitive data
only when disconnected. Or you might want to ensure that if your web
browser is compromised, the data leak and damage will be reduced to a
minimum. This can go pretty far and is complementary to in-depth
defense or security hardening of operating systems.
HTML 2023-06-17 Why one would use Qubes OS?
In the article, I will pass on some features that I do not think are
interesting for introducing Qubes OS to people or that could be too
confusing, so no need to tell me I forgot to talk about XYZ feature :-)
# Meta operating system
I like to call Qubes OS a meta operating system, because it is not a
Linux / BSD / Windows based OS: its core is Xen (some kind of
virtualization enabled kernel). Not only it's Xen based, but by design
it is meant to run virtual machines, hence the name "meta operating
system" which is an OS meant to run many OSes make sense to me.
Qubes OS comes with a few virtual machines templates that are managed
by the development team:
* debian
* fedora
* whonix (debian based distribution hardened for privacy)
There are also community templates for arch linux, gentoo, alpine,
kali, kicksecure and certainly other you can find within the community.
Templates are not just templates, they are a ready to work,
one-click/command install systems that integrate well within Qubes OS.
It is time to explain how virtual machines interact together, as it is
what makes Qubes OS great compared to any Linux system running KVM.
A virtual machine is named a "qube", it is a set of information and
integration (template, firewall rules, resources, services, icons,
...).
# Virtual machines synergy and integration
The host system which has some kind of "admin" powers with regard to
virtualization is named dom0 in Xen jargon. On Qubes OS, dom0 is a
Fedora system (using a Xen kernel) with very few things installed, no
networking and no USB access. Those two devices classes are assigned
to two qubes, respectively named "sys-net" and "sys"usb". It is so to
reduce the surface attack of dom0.
When running a graphical program within a qube, it will show a
dedicated window in dom0 window manager, there are no big windows for
each virtual machine, so running programs feels like a unified
experience. The seamless windows feature works through a specific
graphics driver within the qube, official templates support it and
there is a Windows driver for it too.
Each qube has its own X11 server running, its own clipboard, kernel and
memory. There are features to copy the clipboard of one qube, and
transfer it to the clipboard of another qube. This can be configured
to prevent clipboards to be used where you should not. This is rather
practical if you store all your passwords in a qube, and you want to
copy/paste them.
There are also file copy capabilities between qubes, which goes through
Xen channels (some interconnection between Xen virtual machines
allowing to transfer data), so no network is involved for data
transfer. Data copy can also be configured, like one qube may be able
to receive files from any, but never allow file to be transferred out.
In operations involving RPC features like file copy, a GUI in dom0 is
shown to ask confirmation by the user (with a tiny delay to prevent
hitting Enter before being able to understand what was going on).
As mentioned above, USB devices are assigned to a qube named "sys-usb",
it provides a program to pass a device to a given qube (still through
Xen channels), so it is easy to dispatch devices where you need them.
# Networking
Qubes OS offer a tree like networking with sys-net (holding the
hardware networking devices) at the root and a sys-firewall qube below,
from there, you can attach qubes to sys-firewall to get network.
Firewall rules can be configured per qube, and will be applied on the
qube providing network to the one configured, this prevents the qube
from removing its own rules because it is done at a level higher in the
tree.
A tree like networking system also allow running multiple VPN in
parallel, and assign qubes to each VPNs as you need. In my case, when
I work for multiple clients they all have their own VPN, so I dedicate
them a qube connecting to their VPN, then I attach qubes I use to work
for this client to the according VPN. With the firewall rule set on
the VPN qube to prevent any connection except to the endpoint, I have
the guarantee that all traffic of that client work will go through
their VPN.
It is also possible to not use any network in a qube, so it is offline
and unable to connect to network.
Qubes OS come out of the box (except if you uncheck the box) with a
qube encapsulating all traffic network through Tor network
(incompatible traffic like UDP is discarded).
# Templates (in Qubes OS jargon)
I talked about templates earlier, in the sense of "ready to be
installed and used", but a "Template VM" in Qubes OS has a special
meaning. In order to make things manageable when you have a few dozen
qubes, like handling updates or installing software, Qubes OS
introduced Templates VMs.
A Template VM is a qube that you almost never use, except when you need
to install a software or make a system change within it. Qubes OS
updater will also make sure, from time to time, that installed packages
are up-to-date.
So, what are them if there are not used? They are templates for a type
of qubes named "AppVM". An AppVM is what you work the most with. It
is an instance of the template it is configured to use, always reset
from pristine state when starting, with a few directories persistent
across reboot for this AppVM. The directories are all in `/rw/` and
symlinked where useful: `/home` and `/usr/local/` by default. You can
have a single Template VM of Debian 13 and a dozen AppVM with each
their own data in it, if you want to install "vim", you do it in the
template and then all AppVM using Debian 13 Template VM will have "vim"
installed (after a reboot after the change). Note that is also work for
emacs :)
With this mechanism, it is easy to switch an AppVM from a Linux
distribution to another, just switch the qube template to use Fedora
instead of Debian, reboot, done. This is also useful when switching to
a new major release of the distribution in the template: Debian 13 is
bugged? Let's switch back to Debian 12 until it is fixed and continue
working (do not forget writing a bug report to Debian).
# Disposables templates
You learned about Templates VM and how a AppVM inherits all the
template, reset in fresh state every time. What about an AppVM that
could be run from its pristine state the same way? They did it, it is
called a disposable qube.
Basically, a disposable qube is a temporary copy of an AppVM with all
its storage discarded on shutdown. It is the default for the sys-usb
qube handling USB, if it gets infected by a device, it will be reset
from a fresh state next boot.
Disposables have many use case:
* running a command on non-trusted file, to view or try to convert it
to something more trustable (a PDF into BMP?)
* running a known to work system for a specific task, and be sure it
will work exactly the same every time, like when using a printer
* as a playground to try stuff in an environment identical to another
# Automatic snapshot
Last but not least, a pretty nice but hidden feature is the ability to
revert the storage of a qube to a previous state.
HTML Qubes OS documentation: volume backup and revert
qubes are using virtual storage that can stack multiple changes, from a
base image with different layers of changes over time stacked on top of
it. Once the number of revisions to keep is reached, the oldest layer
above the base image is merged. This is a simple mechanism that allows
to revert to any given checkpoint between the base image and the last
checkpoint.
Did you delete important files, and restoring a backup is way too much
effort? Revert the last volume. Did a package update break an
important software in a template? Revert the last volume.
Obviously, it comes as an extra storage cost, deleted files are only
freed from the storage once they do not exist in a checkpoint.
# Downsides of running Qubes OS
Qubes OS has some drawbacks:
* it is slower than running a vanilla system, because all
virtualization involved as a cost, most notably all 3D rendering is
done on CPU within qubes, which is terrible for eye candy effects or
video decoding. It is possible, with a lot of efforts, to assign
second GPU when you have one, to a single qube at a time, to use it,
but as the sentence already long enough is telling out loud, it is not
practical.
* it requires effort to get into as it is different from your usual
operating system, you will need to learn how to use it (this sounds
rather logical when using a tool)
* hardware compatibility is a bit limited due Xen kernel, there is
compatibility list curated by the community
HTML Qubes OS hardware compatibility list
# Conclusion
I tried to give a simple overview of major Qubes OS features. The goal
was not to make you reader an expert or be aware of every single
feature, but to allow you to understand what Qubes OS can offer.