IFF Tool Showcase #9: Qubes OS

Qubes OS is a free and open source security-oriented operating system that implements security by compartmentalization. Its architecture is built to enable a user to define different security environments on her computer and visually manage their interaction with each other. While the most common operating systems like Windows, Mac or Linux are “monolithic”, which means that if an attacker manages to hack into the system, they will have access to the whole machine, Qubes OS greatly reduces this risk by isolating every domain (or qube) from each other, so that if one qube is compromised, the others – and the system – will remain unaffected.


Each qube can run applications from Debian, Fedora, Whonix, and even Windows. The visual interface to separate domains makes it very easy to manage multiple identities online: each virtual persona, pseudonym or activity can get its own dedicated qube, and Qubes integrates the Tor network so that users can easily create one or more domains with all the software they need for anonymizing their communications and online activities. Simultaneous and non-interacting VPN, Tor, and other proxy connections to the web can be set up, and one can easily route applications through these networks even if they weren’t built for it, such as Pidgin, Chromium, etc.

Separating and isolating social domains can be particularly important for high-risk individuals who could be targeted with surveillance malware. In case the attacker manages to compromise the user’s browser or email client, e.g. through a vulnerable plug-in in a browser or a malicious email attachment, the malware will only be able to access that particular qube and will not affect the whole system – and deleting the affected qube and creating a new, clean one is very easy. With Qubes OS, the user can easily open attachments by default in non-networked disposable domains, so if the attachment contains malware, it is deleted as soon as the PDF or Word document is closed and had no ability to “phone home”. In a similar way, Qubes OS by default can protect the user from USB and wifi-based attacks by isolating the USB and wifi stacks.

Qubes OS was first launched in 2012 and has a growing base of over 9,000 users. While it still requires a rather powerful computer, the Qubes team is concentrating its efforts on increasing usability and outreach, and a training prototype addressed at human rights defenders and activists will be presented within the Training & Best Practices track at the Internet Freedom Festival on Friday 4th March at 6pm.

Related Posts