Is Qubes OS really secure? What about Windows security in 2025?

krystalesgande

Psyonico
That's exactly what i thought. My main concern is security. I don't care about privacy nor anonymity. If Windows is that secure, then i have no reason to keep using Qubes OS. I really got surprised when i saw that kicksecure/whonix is not trustworty, since i liked so much both projects. However, i need to have sure before uninstalling Qubes and installing Windows, so i will wait to see what others people will talk here in this thread. Hope to see some high quality discussions here.

DeletedUser405

krystalesgande The dom0 of Qubes OS is just an old version of Fedora — bloated and lacking modern hardening flags by default. That seems like a questionable design decision

It is not connected to any network, which is why the Qubes team hasn't debloated it yet because there wouldn't be much point in their opinion (although they are discussing it)

https://www.qubes-os.org/doc/dom0-secure-updates/#secure-update-mechanism-we-use-in-qubes-starting-from-beta-2

krystalesgande what's the real difference between running Xen on your OS of choice vs. running Xen through Qubes OS?

dom0 is more trustworthy as it does not connect to any networks. Also, there are USB qubes, network qubes, and firewall qubes that help with isolation.

krystalesgande Why didn’t the developers choose a better base for dom0, like an atomic/immutable OS such as openSUSE MicroOS or Fedora Silverblue?

I don't believe Silverblue existed when Qubes was first made, also see my point about it not directly connecting to the internet

krystalesgande wouldn’t that be more secure than Qubes OS?

I wouldn't think so, because dom0 has no network access. You can also just use Windows in QubesOS.

If you want the most secure option when it comes to desktop operating systems, consider GrapheneOS desktop mode and its Linux VMs

ryrona

krystalesgande In this sense, Qubes OS relies heavily on the security of Xen rather than its own host OS. So the question becomes: what's the real difference between running Xen on your OS of choice vs. running Xen through Qubes OS?

I think you might have a big misunderstanding here. Xen is a hypervisor. It doesn't run on top of a host OS. Xen is the base. Dom0 as well as and all qubes run on top of Xen. It is the other way around. So yes, QubesOS does rely heavily on the security of Xen, the hypervisor, since that is the actual base that provides all security and isolation. What runs in dom0 doesn't actually matter that much more than what runs in any qube.

krystalesgande If you use Windows 11 Enterprise, properly harden it, and run Hyper-V to manage your VMs, wouldn’t that be more secure than Qubes OS?

QubesOS offers many advantages in security over doing this with Windows. In QubesOS, you are not supposed to do anything in dom0, and that is a key to ensuring the security. Even network drivers and USB drivers run in separate VMs from dom0. But on Windows you would still have a core OS that you use and where network drivers and USB drivers run in, even if you enable all hardening, including running WIndows on top of their hypervisor.

krystalesgande The Qubes OS dom0 is based on an outdated and relatively unprotected/unstable Fedora base.

This doesn't really matter much. The important things are that Xen is up-to-date, CPU microcode is up-to-date, and firmware is up-to-date, and all these things QubesOS are keeping updated and are tracking all fixed security vulnerabilities for. Dom0 is basically just an offline qube that provides the actual disk storage for other qubes to use, the LUKS unlocking, the graphical user interface, and dom0 assisted dialogs and proxying between qubes. There is almost no attack surface, as dom0 isn't touching network or connected external devices at all in any sense.

krystalesgande So, for what reason do so many people trust Qubes OS in environments where security is the top priority? Why should I use it myself? Is there any specific justification? Just to be clear: I'm talking strictly about security — not privacy, not anonymity. Only protection against cyber threats, black hat hackers, and similar risks.

I guess for most people there aren't that much security difference between running VMs inside a properly hardened Windows system and running QubesOS. They should be fairly equivalent. Windows is a no-go for me however, due to their spying that cannot be disabled without an enterprise license, and the fact Windows is not open source, so neither me nor anyone else can patch out unwanted things or add on security or privacy improvements.

I still do believe QubesOS protects better against poorly coded Wifi and USB drivers than Windows does. So that would be a security benefit with QubesOS, and one I value a lot after the Wifi vulnerability in the Linux kernel from a few years ago where anyone within radio distance from you could trivially hack you and get full root access, without even knowing your Wifi password. Nothing says Windows doesn't have similar vulnerabilities. So the fact QubesOS goes out of the way to stop the whole attack vector is fairly important I believe.

ryrona

Psyonico You bring up some valid points.

I recently looked into switching to SecureBlue and their website has an interesting quote that I'll paraphrase..

SecureBlue is for people whose first priority is using Linux and whose second priority is security.

It kind of sounds like QubesOS is in a similar boat.

From my limited understanding, when it comes to security, Windows > desktop Linux. When it comes to privacy, desktop Linux > Windows.

Actually, the security in Windows is abysmal, similar to desktop Linux. The fact that Windows is marginally better doesn't matter much, they are both terrible. SecureBlue is doing a really serious job in trying to improve the situation for desktop Linux. In many ways I would say SecureBlue already way surpass Windows security, but I would expect SecureBlue to way surpass Windows on all fronts within a few years, especially thanks to the work also done by Fedora team.

Likely what SecureBlue is referring to with their quote is not Windows, but MacOS and ChromeOS, both of which have way better security.

It is also not fair to throw in QubesOS among desktop Linuxes. From a security point of view, QubesOS is pretty much its own operating system, and does not rely on Linux security much at all, but instead Xen security and their own improvements. QubesOS is actually secure, if used right. For some threat models, like mine, QubesOS is simply the most secure, even more secure than mobile operating systems like GrapheneOS. I would never do anything privacy sensitive on a desktop Linux system however. Not even SecureBlue is anywhere near the level where I would start feeling comfortable using it.

elih

krystalesgande Hyper-V has had far fewer CVEs and VM escapes than Xen in recent years.

The vast majority of Xen CVEs do not affect Qubes OS (read thru the Qubes Security Bulletins to verify), so I suspect that Qubes OS security would fare well in a rigorous comparison to Windows. Is such a comparison even possible given that Windows is not open-source? It strikes me as very odd that Hyper-V is an "optional" type-1 hypervisor feature available only in Pro and Enterprise editions of Windows, which suggests that the quality of the Windows security model depends on the quality of one's IT team.

krystalesgande The Qubes OS dom0 is based on an outdated and relatively unprotected/unstable Fedora base.

The Qubes reasoning is along the lines of "if dom0 is pwned, then no amount of OS hardening in dom0 is going to help". Employing older versions of Fedora removes the need to constantly expose dom0 to the update process. Secureblue would be a nice upgrade to dom0, but would require Wayland support. Hardened templates (eg, openBSD) are available for qubes, such as sys-net, which have access to the network or peripheral stacks. This kind of hardening further reduces the risk of VM escapes, making the choice of dom0 even less relevant.

wuseman

krystalesgande Hyper-V has had far fewer CVEs and VM escapes than Xen in recent years.

I think something often forgotten with this is that the OS running inside of the VM plays a part too.

If you’re running Microsoft Edge in Application Guard on Windows 11 then it’s an incredibly locked down VM. The only thing allowed to run is Edge and that’s it. Getting out is almost impossible.

The closest thing you’re going to get in Qubes is if you run Secureblue in a VM and even that likely has a higher attack surface.

Personally I would still use the latter since it’s infinitely more usable but the former is probably the most secure in practice since the attack surface is lower.

de0u

wuseman If you’re running Microsoft Edge in Application Guard on Windows 11 then it’s an incredibly locked down VM.

I'm not at all a Windows expert, but I've read that Microsoft is getting rid of Application Guard? Is the replacement known?

krystalesgande

I will respond here, since some arguments of all are pretty similar.
1- "The security of dom0 doesn't matter"
I don't agree with that. The Qubes OS depends so much in the security of Xen. If Xen gets compromised, then it's over. Qubes OS does not offer additional protection against vm escapes. That's why i don't understand what's the difference between running Xen on Qubes vs. your OS of choice.
"But dom0 has no internet access. They have a dedicated vm for usb, network, etc." That's don't justify. The fact that dom0 has no internet access, is good to protect you from attacks directly to dom0, trying to "skip" the need to do a vm escape and land on your VMs. That just does not protect you against a compromised vm/vm escapes. You could create a dedicated vm for usb and network with another hypervisor, another environment. Very easily too.
Using some better base for dom0, like Fedora Silver Blue or Secure Blue, would add more security features and more stability to the system. 2 important things in a environment where security is the top priority.

2- "Dom0 doesn't have internet access"
Again, that's doesn't matter. If Xen gets compromised, the fact that dom0 has no access to the internet would not reduce the impact of the attack.

I'm talking strictly about security here. In that sense, Hyper-V is, arguably, more secure than Xen, since Hyper-V had far fewer CVEs and vulnerability's than Xen (Even Xen on Qubes OS have more CVEs and vulnerabilities documented than Hyper-V, just look at QSB's.). If an attacker could compromise the Hyper-V and realize a VM escape, he will have a hardened Windows, which contains many advanced security features that could, in theory, reduce the impact of the attack, such as UWF, which turns the entire Windows environment in a read-only system, immutable. Firmware and Kernel protection, and so on. With Qubes OS, the attacker would land in a dom0 with a old version of Fedora and many old/vulnerable packages. Even the sys* vms are insecure, since they all are based, as default, in debian-12-xfce or Fedora-41-xfce. You could use OpenBSD as sys-net, but that's not officially supported and is pretty buggy. And since that requires a loop with the sys-firewall, we don't know exacly if that really cause gains of security. What i trying to say is: Qubes OS's security really makes that difference to justify its use? Because Qubes OS is a system very, very limited. The hardware specs are high. The desktop experience is limited. No 3D aceleration, complex to use, etc. Qubes OS is unusable almost like OpenBSD for Desktop. I don't think the difference between security of Qubes OS vs Windows is high to justify the use of Qubes. I really don't know people, even the one's that care much about security, that use Qubes OS or recommend his use. The unique that i saw is Edward Snowden. Even people that are in a dangerous situations, like malware analysis, red team, don't rely on Qubes OS. Why? 90% of the users base of Qubes OS are just paranoid people with no actual knowledge on how security works.

Also, another thing that i would like to add: It's important to notice that Qubes OS is not suitable for anonymity and privacy, even if some people use him with this purpose in mind. The fingerprinting of the VMs are high. The NetVM scheme exposes detailed information about your network use in your local network and to your ISP. While Whonix is trying hard to mitigate that, he is not succeeding very well in that. So, if someone says that he uses Qubes OS because it's open source and cause they prioritize anonymity, then he is using it for the wrong reason, i guess. Many Qubes OS developers already said that they focus was never privacy nor anonymity. We have inumerous problems of anonymity and privacy. The fingerprint of Qubes OS is high. The use of Qubes OS is obviously. We have Fedora Phone Home, Qubes having all information of your hardware, some codes of Qubes OS that's not Open Source (yes, Qubes OS is not fully open source and they say this on their docs) and so on.

ryrona

krystalesgande 1- "The security of dom0 doesn't matter"
I don't agree with that. The Qubes OS depends so much in the security of Xen. If Xen gets compromised, then it's over.

You are still misunderstanding how it all works. Dom0 is not Xen. Xen is separate. The security of dom0 does not matter that much. The security of Xen on the other hand is super critical, and QubesOS is tracking and fixing all security issues discovered with Xen and all components Xen security relies on such as CPU microcode very promptly.

krystalesgande If an attacker could compromise the Hyper-V and realize a VM escape, he will have a hardened Windows, which contains many advanced security features that could, in theory, reduce the impact of the attack, such as UWF, which turns the entire Windows environment in a read-only system, immutable.

No, that again does not make any sense. There is nothing more to hack after you have hacked the hypervisor or escaped its guardrails. At that point you have reached the core and have access to everything, including read-write access to arbitrary memory in all running VMs. No hardening Windows or any other OS running on top of the hypervisor has will matter at all at that point, because at that point, the attacker will be the hypervisor.

krystalesgande Also, another thing that i would like to add: It's important to notice that Qubes OS is not suitable for anonymity and privacy, even if some people use him with this purpose in mind. The fingerprinting of the VMs are high. The NetVM scheme exposes detailed information about your network use in your local network and to your ISP.

This is not true. I am auditing QubesOS too, not just GrapheneOS. Both systems leak very little data by default, way less than most operating systems do. If configured right, both are practically silent, except for the minimal network traffic needed for network communication to work at all.

Yes, an app running inside a VM can fingerprint quite a bit. But not anywhere near as much as an app running on GrapheneOS, or any regular operating system. QubesOS could do better, yes, but there aren't any other operating systems that are doing better, so the critique here is not fair.

krystalesgande Many Qubes OS developers already said that they focus was never privacy nor anonymity.

This is also not true. Privacy and anonymity are both recognized goals by the QubesOS team, most clearly seen by the inclusion of Whonix by default.

krystalesgande Qubes having all information of your hardware

No they don't. They don't collect any such information at all. QubesOS itself does not contain any telemetry.

krystalesgande some codes of Qubes OS that's not Open Source (yes, Qubes OS is not fully open source and they say this on their docs)

Yet, you are complaining about that on GrapheneOS forums, despite GrapheneOS including way more proprietary closed-source code than QubesOS does.

Lilac6044

de0u There is no direct replacement, but rather a number of additional security features to replace it.
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-defender-application-guard

wuseman

de0u
Application Guard is being deprecated, so it still works and it still uses basically a more locked down Windows Sandbox.

The alternative is to use Windows Sandbox, either with Edge or a portable browser. I've used it with both Tor Browser and Mullvad Browser and it works great.

de0u

Lilac6044 There is no direct replacement, but rather a number of additional security features to replace it.

How good is the effectiveness of the replacement? I have read people expressing doubts.

Lilac6044

de0u Yeah, harder question to answer than the one before... Windows recommends using Windows Sandbox instead, this isolates the entire environment however, rather than just the browser. So likely as effective, but no direct browser integration with Edge can make it a little clunkier.

xxxborisxxx

ryrona GrapheneOS including way more proprietary closed-source code than

Could you please say more about this?

What GrapheneOS code is proprietary?

argante

@ryrona did a great job of describing everything about Qubes OS. I'll just add that you can build your own images. Here's a cool example.

I don't want to repeat what others have written. Yes, secureblue is probably the best choice for someone who doesn't want to use MacOS and wants more privacy in addition to security.

I'll add to the discussion that it's possible to build a solution similar to Qubes OS on Windows. Qubes OS was started by Joanna Rutkowska and Rafal Wojtczuk (both from Poland). Wojtczuk later moved to Bromium, where they built a solution similar to Qubes (based on uXen), but for Windows. Bromium was acquired by HP, and today this solution can be found in the Wolf Security suite. It's inexpensive, so I recommend it.

A particularly interesting solution is BrChomium, where the main process is the AppVM manager, and each tab with a website runs in a separate lightweight virtual machine. I haven't seen anyone else build such strong isolation for browser tabs (even Qubes OS doesn't have anything similar).

If someone is ambitious, the package includes various console tools and you can write your own solutions in Lua for other applications that you want to isolate.

Of course, if you're using Windows, you should only use LTSC. I also recommend replacing the default drive with one certified for government agencies, military, Department of Defense, NATO etc. These are slower and more expensive, but significantly more secure. The drive should have standalone hardware encryption (SED) and PBA. This provides protection when the machine is turned off, but offers no protection once it's running and unlocked (even if you haven't logged in or the laptop is in sleep mode - you shouldn't listen to what the manufacturer says). Therefore, a second layer of encryption is needed.

BitLocker should not be used. This is because if BitLocker detects a drive with Opal, it will rely on that solution (this means no second layer of encryption). Therefore, for a second layer of protection, use VeraCrypt. BitLocker also uses TPM, but the bus isn't protected. Therefore, fTPM is preferable – it implements TPM as CPU firmware. Only then can we no longer talk about a standalone TPM chip. It's a waste of time and simply use VeraCrypt.

The final layer of protection should be, for example, Cigent Zero Trust Access. This solution is for government agencies and the military, but it's also available for individual use (it's a bit tricky, but possible).

ryrona

argante BitLocker should not be used. This is because if BitLocker detects a drive with Opal, it will rely on that solution (this means no second layer of encryption).

Actually, BitLocker too only does device encryption by default, similar to the on-disk solutions you mentioned. I know Enterprise editions of Windows support enabling credential based encryption for BitLocker, but it must be enabled by installing separate policies. Yeah, just use VeraCrypt with a strong passphrase instead. The on-disk encryption may sound redundant if one use VeraCrypt, but it actually enables one important feature, the ability to securely cryptographically destroy all data, similar to when one do a factory reset in GrapheneOS. VeraCrypt has no support for that. I think many regular consumer SSDs and NVMEs have support for such transparent encryption with secure wiping today though, since it is defined in both standards. Both NVMEs I own have support for that, one is professional grade, one is consumer grade.

Oggyo

argante BitLocker should not be used. This is because if BitLocker detects a drive with Opal, it will rely on that solution (this means no second layer of encryption).

Not anymore. There is a specific policy (Configure use of hardware-based encryption for operating system drives) which can be set to Disabled.

But I believe with the recent Windows (Pro and above) versions it uses software encryption by default:

If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted.

If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability.

Source - Local Group Policy Editor (built-in Windows 11 Pro).

ryrona

xxxborisxxx What GrapheneOS code is proprietary?

Everything they copy from the stock OS firmware images. I don't know the details, but it includes multiple libraries (.so files), drivers and hardware abstraction layers. My understanding is that they also copy Trusty (the secure environment) from stock OS, not compiling it themselves.

I know "adevtool" and "vendor_state" is related to this. During the build process, you can see all the files it extracts from the stock OS firmware images it downloads, and besides a lot of configuration files and firmware components, it includes quite a bit of executable code that will be run in the context of GrapheneOS itself.

https://github.com/orgs/GrapheneOS/repositories?q=adevtool

I guess the GrapheneOS developers can give a more exact answer what it is they copy, and what of it that is closed-source and what of it they theoretically could have compiled themselves if infrastructure for it existed.

argante

ryrona Actually, BitLocker too only does device encryption by default, similar to the on-disk solutions you mentioned.

That's true, and that's exactly what I meant. The problem is that SDE only provides security when the laptop is turned off. If it's unlocked (PBA phase), it doesn't matter whether we log in or the laptop is in sleep mode - if someone has physical access to the laptop, they can trivially access unencrypted data. BitLocker with Opal therefore only gives the false feeling that the data is encrypted. VeraCrypt is vulnerable to cold boot attacks, but RAM is typically soldered to the motherboard these days, making this type of attack much more difficult.

newbie24689

IMHO, ZEN is the magic sauce of Qubes. IIRC, there are users running Hardened Gentoo, and GrapheneOS on Qubes - either would dramatically increase security over standard distributions. This would require a lot of technical expertise on the part of the user.

It's been a year since I worked with Windows.

My QOS Thinkpad is growing old (as am I), and I'm now inclined toward replacing my QOS Thinkpad and GOS P6P with a GOS P10PXL (to be frequently used in desktop mode) or a GOS P10PFOLD.

With this setup, I would keep my data and processing NOT on the phone, but "hidden" in the cloud as much as practical (so that if the phone is snatched, or border-crossing-confiscated from me, there is no info to be recovered.)
(If GOS offers a GOS phone, I'll plan on getting that to support GOS.)