Automated Qubes OS configuration system for secure, isolated work environments. Deploy a complete qube topology with one command.
TPCF Perimeter 3 (Community Sandbox) - Open contribution, community governance, no corporate control.
Qubes SDP automates the creation and configuration of a secure Qubes OS environment optimized for:
- Investigative Journalism - Source protection and secure communications
- Software Development - Isolated development with secure key management
- Research - Data collection and analysis with privacy
- Teaching - Safe handling of student materials
- Security Testing - Isolated penetration testing environments
```bash
./qubes-setup.sh
# Creates work, vault, anon, and untrusted qubes in seconds
```
- Air-gapped vault for sensitive data (NO network)
- Restrictive firewalls (default deny, explicit allow)
- Disposable VMs for risky content
- Split-GPG/SSH for key isolation
- Minimal templates to reduce attack surface
- Simple Script - Standalone bash script, no configuration needed
- Advanced Script - Full customization via config file
- Salt Stack - Declarative infrastructure as code
- Interactive Wizard - Guided setup process
Pre-configured for common workflows:
- journalist - Work + vault + anon + untrusted, split-GPG
- developer - Work + vault + untrusted, split-SSH, dev tools
- researcher - All qubes + VPN
- teacher - Work + vault + untrusted + USB
- pentester - All qubes, high memory, security tools
- Status Dashboard - Real-time monitoring
- Firewall Analyzer - Security assessment
- Template Manager - Update and maintain templates
- Backup Validator - Verify backup integrity
- Policy Generator - Create qrexec policies
- Recovery Tool - Disaster recovery wizard
- Comprehensive wiki with guides and tutorials
- Troubleshooting for common issues
- Security best practices
- API reference
- Example configurations
This project adheres to the Rhodium Standard Repository framework:
- ✅ Comprehensive Documentation - README, QUICKSTART, Wiki, CONTRIBUTING, SECURITY
- ✅ Governance - CODE_OF_CONDUCT, MAINTAINERS, TPCF Perimeter 3
- ✅ Build Systems - justfile, Makefile, Nix flake, CI/CD
- ✅ Security - RFC 9116 security.txt, vulnerability disclosure, automated tests
- ✅ Emotional Safety - Palimpsest license, reversibility, learning culture
- ✅ Offline-First - Air-gapped operation capability
- ✅ Reproducibility - Nix flake for deterministic builds
- ✅ .well-known/ - security.txt, ai.txt, humans.txt
Verify compliance: bash scripts/rsr-verify.sh
- Qubes OS 4.1 or later
- 8GB RAM minimum (16GB recommended)
- 50GB free disk space
- Download in a qube (NOT dom0):
```bash
git clone https://github.com/yourusername/qubes-sdp.git
cd qubes-sdp
```
- Transfer to dom0:
```bash
# In dom0:
qvm-run --pass-io <qube-name> 'cat /path/to/qubes-sdp/qubes-setup.sh' > qubes-setup.sh
chmod +x qubes-setup.sh
```
- Run setup:
```bash
./qubes-setup.sh
```
See QUICKSTART.md for detailed instructions.
```bash
# Create basic topology (work, vault, anon, untrusted)
./qubes-setup.sh
# Dry-run to see what will be created
./qubes-setup.sh --dry-run
# Validate existing setup
./qubes-setup.sh --validate
```
```bash
# Use configuration file
cp examples/journalist-config.conf qubes-config.conf
vi qubes-config.conf
./qubes-setup-advanced.sh
# Interactive wizard
./qubes-setup-advanced.sh --interactive
# Use specific preset
make -f Makefile.qubes setup-preset-journalist
```
```bash
# Run setup
make -f Makefile.qubes setup
# Show status
make -f Makefile.qubes status
# Create backup
make -f Makefile.qubes backup
# Update templates
make -f Makefile.qubes template-update
# Health check
make -f Makefile.qubes health-check
```
```bash
# Copy to Salt directory
sudo cp -r qubes-salt/*.sls /srv/salt/
# Apply states
sudo qubesctl state.apply qubes-sdp
```
```
┌─────────────┐
│    work     │  General work environment
│   (green)   │  • 2GB RAM
│   network   │  • Firewall: HTTP/HTTPS/DNS only
└─────────────┘  • Template: fedora-40-minimal
┌─────────────┐
│    vault    │  Sensitive data storage
│   (black)   │  • 1GB RAM
│ AIR-GAPPED  │  • NO NETWORK (critical!)
└─────────────┘  • Split-GPG/SSH backend
┌─────────────┐
│    anon     │  Anonymous communications
│  (purple)   │  • 1GB RAM
│ Tor/Whonix  │  • Routes through sys-whonix
└─────────────┘  • Anonymous research
┌─────────────┐
│  untrusted  │  Risky content handler
│    (red)    │  • 1GB RAM
│   DispVM    │  • Disposable VMs
└─────────────┘  • Risky downloads/files
```
- QUICKSTART.md - Get started in 5 minutes
- Wiki - Comprehensive documentation
- Tools README - Utility tool documentation
- Examples - Example configurations
- work - Daily work environment with restricted network
- vault - Air-gapped storage for sensitive data
- anon - Anonymous communications via Tor
- untrusted - Disposable environment for risky content
- vpn - VPN proxy qube
- sys-usb - USB device management
- Firewall rules (default deny + explicit allow)
- Qrexec policies (file copy, clipboard, GPG, SSH)
- Split-GPG setup (keys in vault, use from work)
- Split-SSH setup (SSH keys in vault)
- Automated backups (configurable schedule)
- ✅ Air-gapped vault (absolutely no network)
- ✅ Default-deny firewall rules
- ✅ Minimal templates (reduced attack surface)
- ✅ DisposableVMs for untrusted content
- ✅ Split-GPG/SSH (keys never leave vault)
- ✅ Qrexec policy enforcement
- ✅ Encrypted backups
- ✅ Comprehensive logging
- ✅ Validation and health checks
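
The air-gap and default-deny properties listed above can be checked independently of the project's own scripts; the following is an added example, not code from this repository. The helper names and sample rule lists are constructed here, and it assumes that `qvm-firewall --raw` prints one `action=...` rule per line and that an unset netvm prints as an empty string or `None`.

```shell
#!/bin/sh
# Added example, not part of Qubes SDP. The helper names are hypothetical.
# The checks take command output as text, so they can be tried outside dom0.

# Succeeds when a qube's netvm property is unset (assumed to print as
# an empty string or "None").
netvm_is_airgapped() {
    case "$1" in
        ""|None|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when a raw rule list ends in an unqualified drop and contains
# no unqualified accept (which would allow all traffic ahead of the drop).
firewall_is_default_deny() {
    last=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    printf '%s\n' "$last" | grep -Eq '^action=drop[[:space:]]*$' || return 1
    if printf '%s\n' "$1" | grep -Eq '^action=accept[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Constructed sample: the "HTTP/HTTPS/DNS only" work qube described above.
SAMPLE_RESTRICTED='action=accept proto=tcp dstports=80-80
action=accept proto=tcp dstports=443-443
action=accept specialtarget=dns
action=drop'

# Constructed sample: a qube left with a single allow-all rule.
SAMPLE_OPEN='action=accept'

# In dom0, run the same checks against the live qubes.
if command -v qvm-prefs >/dev/null 2>&1; then
    # A failed lookup must not be read as "no netvm".
    if ! netvm=$(qvm-prefs vault netvm); then
        echo "vault: cannot read netvm"
    elif netvm_is_airgapped "$netvm"; then
        echo "vault: no netvm"
    else
        echo "vault: netvm is $netvm"
    fi
    if firewall_is_default_deny "$(qvm-firewall --raw work list)"; then
        echo "work: default deny"
    else
        echo "work: not default deny"
    fi
fi
```

An empty or unreadable rule list is reported as not default deny, so a failed `qvm-firewall` call cannot pass the check.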
- Qubes OS 4.1+
- 8GB RAM
- 50GB disk space
- Qubes OS 4.2
- 16GB+ RAM
- 100GB+ disk space
- SSD for better performance
By default uses fedora-40-minimal. Supports:
- fedora-40-minimal
- fedora-39-minimal
- debian-12-minimal
- debian-11-minimal
Auto-installs missing templates if configured.
This is a TPCF Perimeter 3 (Community Sandbox) project - all contributions welcome!
We value:
- 🤝 Open contribution - Everyone can participate
- 🧪 Experimentation - Mistakes are learning opportunities
- 🔄 Reversibility - All changes can be undone
- 💚 Emotional safety - No shaming or gatekeeping
Get started:
- Read CODE_OF_CONDUCT.md - Our community standards
- Read CONTRIBUTING.md - How to contribute
- Check MAINTAINERS.md - Governance model
- Fork, create a feature branch, test thoroughly, submit PR
New contributors: We're beginner-friendly! Ask questions, experiment safely with dry-run modes, and learn as you go.
- Documentation: Check the Wiki
- Issues: Report bugs via GitHub Issues
- Questions: See FAQ
- Qubes OS: Visit Qubes Documentation
```bash
# Run all tests
make -f Makefile.qubes test
# Run specific tests
bash tests/unit-tests.sh
bash tests/integration-tests.sh
bash tests/security-tests.sh
```
- Web-based configuration UI
- Additional topology presets
- Automated security auditing
- Performance optimization
- Multi-language support
- Video tutorials
Dual Licensed: Choose either license at your option:
- MIT License - For maximum compatibility and permissive use
- Palimpsest License v0.8 - MIT + emotional safety guarantees
The Palimpsest license extends MIT with principles of:
- Reversibility - All changes easily undoable
- Psychological safety - No shame, blame, or weaponizing errors
- Learning culture - Experimentation encouraged
- Transparent costs - Clear consequences before actions
- Inclusive design - Accommodates diverse backgrounds and abilities
See LICENSE for full text and details.
Why dual license? Use MIT if you only need a permissive open source license. Choose Palimpsest if you want emotional safety guarantees for contributors and users.
This software is provided "as is" without warranty. Always review scripts before running in dom0. Test in a safe environment first.
- Qubes OS team for the excellent security platform
- Community contributors
- Security researchers and testers
- Qubes OS - Security-focused operating system
- Whonix - Anonymous operating system
- Split-GPG - Qubes GPG isolation
Created and maintained by the Qubes SDP community.
🔐 Security: Report vulnerabilities privately via GitHub Security Advisories or email security@qubes-sdp.org - See SECURITY.md and .well-known/security.txt
📧 Contact:
- General questions: contribute@qubes-sdp.org
- Code of Conduct: conduct@qubes-sdp.org
- Security: security@qubes-sdp.org
🌐 Community:
- Governance: MAINTAINERS.md
- Code of Conduct: CODE_OF_CONDUCT.md
- Contributing: CONTRIBUTING.md