Security Posture
Devices
Workstation: Qubes OS
I daily drive Qubes OS and have done so for several years.
Qubes OS is a "reasonably secure operating system" [1]. This is, in my opinion, somewhat tongue-in-cheek, as the operating system takes considerable measures to secure itself.
Qubes OS assumes that pretty much everything on your computer is already compromised and, instead of trying to prevent that, it aims to isolate the various components and processes from each other by the strongest means available. Today, that means it uses virtualization (based on Xen) for isolation.
My personal configuration relies exclusively on minimal templates [2], highly specific templates (ideally single-app virtual machines where possible), and indeed some hardening of those VMs too (I'm sure I will write about that later).
Furthermore, I use Mirage OS [3] unikernel-based virtual machines for my firewalls.
Mobile: GrapheneOS
I use GrapheneOS [4] on a Pixel 9.
GrapheneOS is well-known for being an extremely secure operating system, probably the best that a consumer can get.
I have some noteworthy settings:
- Auto-reboot is set to 4 hours
- Owner profile is used for installing/updating apps; never logged into anything
- Owner profile is strictly set to use Tor (Orbot)
- All apps are installed using Accrescent, Obtainium, or Aurora Store
Security key: Onlykey
The Onlykey [5] is a hardware security key.
It's unique in that it offers physical PIN entry on the key itself, so a keylogger on the device it's plugged into cannot capture the PIN. Furthermore, its tooling, firmware, and even its builds are all open source.
The Onlykey offers SSH, GPG, and FIDO2/CTAP features, as well as a password manager, random number generation, and more.
The Onlykey generates a random nonce when it's bootstrapped, as well as a few root keys [6]. Those keys cannot be recovered or extracted. Instead, the Onlykey uses them to deterministically derive any keys the user needs. In this way, the Onlykey protects the root keys while offering an unlimited number of usable keys.
I have two Onlykeys: one for common use, and the other as a backup. The daily-use Onlykey is almost always physically attached to my person using a carabiner rated at 8 kN.
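As an added illustration of the derive-but-never-export pattern described above (example code written for this page, not Onlykey firmware or tooling; the HKDF label scheme, the `DeviceRoot` class and the constructed root secret and nonce are assumptions and not Onlykey's actual derivation), the following Python models a token that keeps a root secret and a nonce private and hands out deterministic per-slot keys:

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes bound to `info`."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class DeviceRoot:
    """Software stand-in for a token that holds a root secret and a nonce.

    Neither value is exposed by any method; callers only ever see derived keys.
    """

    def __init__(self, root_secret: bytes, nonce: bytes) -> None:
        self._prk = hkdf_extract(salt=nonce, ikm=root_secret)

    def derive(self, purpose: str, slot: int) -> bytes:
        # Hypothetical label scheme: the purpose string and slot number are mixed
        # into the HKDF info field, so each (purpose, slot) pair yields an
        # independent 32-byte seed that can be recomputed at any time.
        info = b"example-kdf/v1/" + purpose.encode("ascii") + b"/" + slot.to_bytes(2, "big")
        return hkdf_expand(self._prk, info)


# Constructed values standing in for the secrets a token generates at first boot.
ROOT_SECRET = bytes(range(32))
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    token = DeviceRoot(ROOT_SECRET, NONCE)
    ssh1 = token.derive("ssh", 1)
    ssh2 = token.derive("ssh", 2)
    sig = token.derive("pgp-sign", 1)
    # Re-instantiating from the same secrets reproduces the same key.
    again = DeviceRoot(ROOT_SECRET, NONCE).derive("ssh", 1)
    # A token with a different nonce derives unrelated keys from the same root.
    other = DeviceRoot(ROOT_SECRET, bytes(16)).derive("ssh", 1)
    return {
        "ssh1": ssh1.hex(),
        "ssh2": ssh2.hex(),
        "sig": sig.hex(),
        "reproducible": ssh1 == again,
        "all_distinct": len({ssh1, ssh2, sig, other}) == 4,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the derivation is deterministic, the same (purpose, slot) request always returns the same seed, so nothing beyond the root material ever needs to be backed up; a different nonce yields unrelated seeds even from the same root, and a host that is compromised only ever sees the derived values.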
Key Management
I use various cryptographic keys for my online activities. Here, I will describe how I manage them, and keep them secure.
SSH keys
My SSH keys are strictly derived using my Onlykey. They are generated on-device, and never transmitted to the workstation.
Qubes Split SSH [7] allows me to proxy SSH requests from "untrusted" VMs to "trusted" ones that hold my SSH programs and/or keys. In my case, the SSH VM actually only holds the Onlykey tools, and proxies the requests once more to the Onlykey device. Furthermore, the Onlykey is proxied from the USB VM [8] to the Onlykey VM, which reduces the risk of other connected USB devices somehow sniffing or spoofing any request.
PGP keys
Currently, I use one main key:
pub rsa4096/0x38236DA94E2D50D2 2022-06-22 [SCE] [expires: 2025-07-30]
Key fingerprint = BC13 3D18 918E 89AE C68D 6476 3823 6DA9 4E2D 50D2
uid [ultimate] xyhhx <xyhhx@tuta.io>
uid [ultimate] xyhhx <xyhhx@disroot.org>
sub cv25519/0x75394D9973E3ADF6 2022-12-20 [E] [expires: 2025-07-30]
Key fingerprint = D576 FD20 9FA7 4EBC 7210 F974 7539 4D99 73E3 ADF6
sub ed25519/0x0960B11DB1AC1C5D 2022-12-20 [S] [expires: 2025-07-30]
Key fingerprint = 5003 32EA A571 6703 138D D141 0960 B11D B1AC 1C5D
sub ed25519/0xD91825EA09525261 2024-11-26 [A] [expires: 2025-07-30]
Key fingerprint = 7593 65CA 2A6C FF56 5429 0CF5 D918 25EA 0952 5261
Note: obviously these expiration dates may not be up to date.
Like with SSH, I use Qubes Split GPG [9] to proxy GPG requests from "untrusted" VMs to "trusted" air-gapped VMs that hold my private keys.
I set very short expirations on my subkeys (1-3 months) and renew them frequently.
Soon, though, I will be adding another key to my roster. It will be generated on the Onlykey, and signed with the key mentioned above.
OpSec
Code Security
Code signing
All my Git commits are signed with the 0x0960B11DB1AC1C5D key. On all Git forges aside from Sourcehut (they don't support commit signing at all), I configure repos to reject unsigned commits.
Identity
Password Management
I use KeePassXC [10], which is an offline password manager. It lives strictly in an air-gapped VM that has no other programs installed. I also secure my KeePassXC database with a keyfile and HMAC Challenge-Response via my Onlykey.
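To show why the keyfile and the hardware challenge-response add to the password rather than merely sit beside it, here is an added Python model of a composite database key (example code written for this page, not KeePassXC's own code; it follows the general KDBX shape of hashing the concatenated factor contributions, but the keyfile handling, the `HmacToken` class, the per-database seed and all inputs are constructed assumptions, and the slow KDF a real database applies afterwards is omitted):

```python
import hashlib
import hmac


def password_component(password: str) -> bytes:
    """Password contribution: SHA-256 of the UTF-8 password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_component(keyfile: bytes) -> bytes:
    """Key-file contribution. Real key files come in several formats; this
    model covers only the generic case, where the file's bytes are hashed."""
    return hashlib.sha256(keyfile).digest()


class HmacToken:
    """Stand-in for a hardware token's HMAC-SHA1 challenge-response slot.

    On a real token the slot secret is write-only; here it is kept private and
    only ever used to answer a challenge, never returned.
    """

    def __init__(self, slot_secret: bytes) -> None:
        self._slot_secret = slot_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, keyfile: bytes, token, challenge: bytes) -> bytes:
    """Combine all unlock factors into one 32-byte composite key.

    The contributions are concatenated and hashed once with SHA-256.
    `token` may be None for a database without challenge-response.
    """
    material = password_component(password) + keyfile_component(keyfile)
    if token is not None:
        material += token.respond(challenge)
    return hashlib.sha256(material).digest()


# Constructed inputs. DB_SEED plays the role of the per-database challenge that a
# real file stores in its header: it is public, only the token's response is not.
DB_SEED = bytes.fromhex("5f1d2e3c4b5a69788796a5b4c3d2e1f0" * 2)
KEYFILE = b"constructed-keyfile-contents-0123456789"
PASSWORD = "correct horse battery staple"
TOKEN = HmacToken(bytes.fromhex("0a" * 20))


def unlock_scenarios() -> dict:
    """Whether each scenario reproduces the key the database was created with."""
    real_key = composite_key(PASSWORD, KEYFILE, TOKEN, DB_SEED)
    return {
        "all_three_factors": composite_key(PASSWORD, KEYFILE, TOKEN, DB_SEED) == real_key,
        # Attacker holds the file, the password and the key file, but no token.
        "without_token": composite_key(PASSWORD, KEYFILE, None, DB_SEED) == real_key,
        # Attacker substitutes a token programmed with a different slot secret.
        "wrong_token": composite_key(PASSWORD, KEYFILE, HmacToken(bytes(20)), DB_SEED) == real_key,
        "wrong_keyfile": composite_key(PASSWORD, b"other", TOKEN, DB_SEED) == real_key,
    }


if __name__ == "__main__":
    for scenario, opens in unlock_scenarios().items():
        print(f"{scenario}: {'unlocks' if opens else 'fails'}")
```

The point of the model is the "without_token" row: even with the database file, the password and the keyfile in hand, the composite key cannot be recomputed without the token answering the challenge, which is what keeping the database in an isolated VM and the slot secret on the Onlykey buys.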
MFA
I enable MFA on all accounts that support it, preferring my Onlykey as a passkey or security key over TOTP.
Keyoxide
I make very heavy use of Keyoxide [11] social proofs.
Keyoxide uses a simple but clever mechanism to prove profiles: add a notation to your key pointing to your profile, and likewise add a reference to your key fingerprint on the profile.
This bidirectional link is only as trustworthy as your confidence that the user is the one updating both their key notations and their profiles' proofs. If you trust that, you can trust the proofs.
I keep my Keyoxide profile up to date, and make sure to add proofs when I create accounts on supported platforms.
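The bidirectional check described above, as an added Python example written for this page rather than Keyoxide's own verifier: it reads `proof@ariadne.id` notations from a key, looks for the fingerprint in `openpgp4fpr:` form on each claimed profile, and reports which claims hold in both directions. The fingerprint, notations and profile texts are all constructed, the `fetch` callable is an offline stand-in for the HTTP request Keyoxide would make, and supporting only the `openpgp4fpr:` claim form is an assumption of this example.

```python
import re

NOTATION_NAME = "proof@ariadne.id"  # the notation name Keyoxide reads from the key
FPR_RE = re.compile(r"openpgp4fpr:([0-9a-fA-F]{40})")


def normalise_fingerprint(fpr: str) -> str:
    """Drop the spaces gpg prints and compare case-insensitively."""
    return re.sub(r"\s+", "", fpr).upper()


def claims_from_key(notations) -> list:
    """Direction 1: the profile URLs the key claims, from (name, value) notation pairs."""
    return [value for name, value in notations if name == NOTATION_NAME]


def profile_proves_key(profile_text: str, fingerprint: str) -> bool:
    """Direction 2: does the profile text name this exact fingerprint?"""
    wanted = normalise_fingerprint(fingerprint)
    return any(found.upper() == wanted for found in FPR_RE.findall(profile_text))


def verify_claims(notations, fingerprint: str, fetch) -> dict:
    """Check every claim in both directions.

    `fetch(url)` returns the profile's text. A profile that cannot be fetched is
    treated as an unproven claim rather than an error, so one dead link does
    not mask the state of the others.
    """
    results = {}
    for url in claims_from_key(notations):
        try:
            text = fetch(url)
        except (KeyError, OSError):
            results[url] = False
            continue
        results[url] = profile_proves_key(text, fingerprint)
    return results


# Constructed data: a made-up fingerprint, a made-up key with three notations and
# two made-up profile pages. Nothing here refers to a real key or account.
FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
NOTATIONS = [
    (NOTATION_NAME, "https://social.example/@alice"),
    (NOTATION_NAME, "https://forge.example/alice"),
    ("comment", "unrelated notation, ignored"),
]
PROFILES = {
    # Proof present and matching the key.
    "https://social.example/@alice": "alice | Verifying my key: openpgp4fpr:0123456789abcdef0123456789abcdef01234567",
    # Profile exists but names a different fingerprint: claim must fail.
    "https://forge.example/alice": "alice's code. openpgp4fpr:0000000000000000000000000000000000000000",
}


def demo() -> dict:
    return verify_claims(NOTATIONS, FINGERPRINT, PROFILES.__getitem__)


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'PROVEN  ' if ok else 'UNPROVEN'} {url}")
```

A claim only counts when both directions agree: a notation alone proves nothing (anyone can add one to their own key), and a fingerprint on a profile alone proves nothing either (anyone can paste one), which is exactly why a stale profile or an unrenewed notation shows up as "UNPROVEN".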
Surveillance Capitalism
In an effort to mitigate unwanted surveillance, I keep my devices in Faraday bags when I leave the house.
[1] https://qubes-os.org "The Qubes OS project website"
[2] https://www.qubes-os.org/doc/templates/minimal/ "Minimal Qubes OS templates documentation"
[3] https://github.com/mirage "Mirage OS GitHub organisation"
[4] https://grapheneos.org "The GrapheneOS project website"
[5] https://onlykey.io "The Onlykey website"
[6] https://docs.onlykey.io/security#about-onlykey-pin-profiles-key-derivation-and-encryption "Onlykey security documentation"
[7] https://forum.qubes-os.org/t/split-ssh/19060 "Qubes OS 'Split SSH' forum thread"
[8] https://www.qubes-os.org/doc/usb-qubes/ "Qubes OS USB qubes documentation"
[9] https://www.qubes-os.org/doc/split-gpg/ "Qubes OS Split GPG documentation"
[10] https://keepassxc.org "KeePassXC website"
[11] https://keyoxide.org "The Keyoxide website"