Qubes OS: A reasonably secure operating system

Original Article ↗ Hacker News Discussion ↗

Security Model and Threat Scenarios

  • Strong consensus that Qubes excels for interacting with untrusted content: browsers, documents, vendor tools, and zero‑click-style remote threats.
  • Qubes’ compartmentalization is likened to carrying many near–air‑gapped machines in one laptop, with per‑task VMs and net‑less VMs for risky documents.
  • Risk remains if Xen has a zero‑day; some believe this is likely given cloud usage, others counter that Xen’s smaller codebase and stats show many Xen bugs don’t affect Qubes’ model.
  • Anti‑evil‑maid (AEM) and firmware/boot tools like Heads are discussed; they help against physical attacks but add their own trust and usability issues.

Operational Security and “Blending In”

  • Several comments stress that security tools can increase suspicion in hostile environments.
  • Example: a Tor user caught because they were the only Tor user on a campus network.
  • Advice: in places like conflict zones or authoritarian states, avoid being the only person using Qubes/Tor/GrapheneOS or a Google‑silent Android device.

Performance, Hardware, and GPU Limitations

  • Frequent complaints about poor graphics performance, stuttering HD/Full HD video, jerky scrolling, and bad battery life due to software rendering and virtualization overhead.
  • Some argue modern CPUs can handle software decoding; others note that 1080p/4K and newer codecs strain even strong hardware, especially laptops.
  • GPU acceleration is intentionally disabled for security; passthrough and future “trusted VM GPU” options exist but are niche and complex.
  • Sleep/wake reliability and VM crashes are hardware‑dependent; community‑recommended laptops fare better but not universally.

Usability and Workflow

  • Many long‑term users describe compartmentalization itself as a productivity win, not just a security tax.
  • Seamless window integration, color‑coded borders, cross‑VM copy/paste and file transfer, templates, and ephemeral “disposable” VMs are praised.
  • Running mixed Fedora/Debian/Windows environments side by side, and being able to experiment in throwaway VMs, is seen as a major advantage.
  • Backup tooling is seen by some as too VM‑centric; they prefer doing per‑VM backups inside the guest.

Alternatives and Comparisons

  • For physical attacks, some prefer Macs with Secure Boot/FileVault or modern iPhones with hardware PIN throttling.
  • Others suggest Tails, traditional VMs/containers, Flatpaks, or multiple physical machines; but many argue these are either less secure or less usable than Qubes for the same threat level.
  • Immutable OS + better sandboxing is proposed, but current Linux MAC systems (SELinux/AppArmor) are viewed as too complex to configure to Qubes‑like isolation.

Adoption, Use Cases, and Audits

  • Thread consensus: Qubes is not for mainstream users; it targets high‑risk roles like investigative journalism or offensive/defensive security work.
  • Some report using it as a daily driver for years; others abandoned it due to travel, battery, graphics, or video‑call issues.
  • One commenter questions whether audits formally recognize Qubes as a secure environment; others reply that audits themselves are often weak, and emphasize Qubes’ open‑source, security‑professional pedigree.
  • Overall sentiment: unmatched for certain high‑stakes threat models, but with clear trade‑offs in convenience, hardware demands, and “standing out” risks.