Exploring Qubes OS
Published by Beto Dealmeida on
Running a secure/private OS on an old laptop
I have an old Thinkpad laptop that I love. It's a T420, originally released in 2011, but I bought mine used probably around 2015. It's heavy, the keyboard feels good, and the battery still holds a charge. My favorite feature is the white LED at the top of the screen, pointing down to illuminate the keys when working in the dark. Recently I upgraded the memory to 16 GB (even though officially only 8 GB are supported), and I replaced a keyboard that could only type the numbers 5-6 (letters worked fine!). The disk is an old HDD with 500 GB that I'll probably replace with an SSD soon.
Last week I learned about Qubes OS. It's an operating system that relies heavily on virtualization (using Xen). The main UI runs a virtualized Linux, from which you can spawn more virtual machines. Each machine has different levels of trust. For example, you have an untrusted machine that is responsible to connecting to the network. A firewall machine then connects to it, giving filtered and protected network access to the other machines.
The idea is that you create separate machines for separate parts of your digital life. I have a "personal" machine, which currently I'm using to write my blog and work on its static site generator. By default these machines have no access to USB devices, and the installed software resets when they get restarted (data persists, though). You can easily create disposable machines, and even machines with Tor installed. This provides security and privacy.
I installed Qubes OS on my T420, and I've been enjoying it so far! I'm running i3
as the window manager on my main ("dom0") machine. A cool thing about the OS, regardless of the window manager, is that when you spawn an application on a virtual machine only the window pops up, and the color of the window decoration indicates the trust level. So I might have a red terminal, from an untrusted machine, running next to a yellow terminal, somewhat trusted. And the title of each window has as a prefix the machine name.
The system is a bit slow, requiring a lot of RAM if you're running multiple machines at the same time. Luckily you can stop machines that you're not using; the only downside is that it will be slower to run an application, since it has to start the machine first. My plan is to use the laptop mostly for simple applications, so it's not that a big of a problem. But I'm still considering upgrading the HDD to an SSD to see if I can get a little more performance from the laptop.
Edit: I found two 128 GB SSDs lying around; one of them was actually inside the T420! I re-installed Qubes OS on the fastest one, and I'm going to use the other one for backups.