https://github.com/kennethrrosen/qubes-shadow-dvm

Simple dom0 bash script inspired by Unman's 'Really Disposable Qubes' scripts
https://github.com/kennethrrosen/qubes-shadow-dvm

Last synced: 3 months ago
JSON representation

Simple dom0 bash script inspired by Unman's 'Really Disposable Qubes' scripts

• Host: GitHub
• URL: https://github.com/kennethrrosen/qubes-shadow-dvm
• Owner: kennethrrosen
• License: gpl-3.0
• Created: 2023-05-08T19:15:24.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2023-11-10T12:29:33.000Z (12 months ago)
• Last Synced: 2024-07-10T23:28:46.712Z (4 months ago)
• Language: Shell
• Size: 30.3 KB
• Stars: 5
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-qubes-os - Shadow qube - The below script will create a Qube, launch the Tor browser, wait for the browser to close, then remove the qube and its RAM pool. (Templates)

README

        
# QubesOS Truly Disposable Qube for Secure Browsing

Inspired by Unman's [Really Disposable Qubes](https://github.com/unman/notes/blob/master/Really_Disposable_Qubes.md) scripts. Run in dom0. The below script will create a Qube, launch the Tor browser, wait for the browser to close, then remove the qube and its RAM pool. The qube is built in a new RAM-based storage pool and disappears once the script deletes the RAM disk.

As Unman notes: 

> None of this is forensically reliable, although it is better than using a standard pool. (Refer to this [issue](https://github.com/QubesOS/qubes-issues/issues/4972), particularly if you are using Xfce, and check the associated issues.) There's an effort to remove most of the log references, although the stupidity of journalctl means that you'll have to wipe the journal if you want to delete references there.

I've provided the script below for easy perusal; also included in the repo for an easy clone. You can also make a simple `dom0` script as well as add to your taskbar. Here's another varient that [sends logs to /dev/null]( https://forum.qubes-os.org/t/really-disposable-ram-based-qubes/21532).

### shadow-qube

```

#!/bin/sh

nohup bash /home/kennethrrosen/shadow_qube.sh >/dev/null 2>&1 &

```

### Bash script

```

#!/bin/bash

#A script to create, launch, and clean up a truly disposable QubesOS qube for secure browsing.

#Tor browser can be replaced with your browser or template of choice.

#Just check the variables or add your own.

#This script assumes you have a kicksecure TemplateVM

#Inspired by unman: https://github.com/unman/notes/Really_Disposable_Qubes.md

#

set -e

TMP_DIR="/home/user/tmp"

TMPFS_SIZE="5G"

QUBE_NAME="shadow"

NET_VM="sys-whonix"

TEMP="kicksecure-16"

BROWSER="torbrowser"

MEM="1000"

if qvm-check "${QUBE_NAME}" > /dev/null 2>&1; then

        echo "A qube named \"${QUBE_NAME}\" already exists. Exiting."

        exit 1

fi

sudo swapoff -a

mkdir -p "${TMP_DIR}"

sudo mount -t tmpfs -o size="${TMPFS_SIZE}" shadowy "${TMP_DIR}"

qvm-pool add -o revisions_to_keep=1 -o dir_path="${TMP_DIR}" shadowy file

qvm-create "${QUBE_NAME}" -P shadowy -t "${TEMP}" -l red --property netvm="${NET_VM}" --property memory="${MEM}"

qvm-run -a "${QUBE_NAME}" "${BROWSER}"

wait

qvm-kill "${QUBE_NAME}"

qvm-remove -f "${QUBE_NAME}"

qvm-pool rm shadowy

sudo umount shadowy

sudo rm -rf "${TMP_DIR}" \

        /var/log/libvirt/1ibx1/new.log \

        /var/log/libvirt/1ibx1/new.log.old \

        /var/log/qubes/vm-new.log \

        /var/log/qubes/guid.new.log \

        /var/log/qubes/guid.new.log.old \

        /var/log/qubes/qrexec.new.log \

        /var/log/qubes/qubesdb.new.log \

        /var/log/qubesdb.new.log \

        /var/log/guid/new.log \

        /var/log/qrexec.new.log \

        /var/log/pacat.new.log \

        /var/log/xen/console/guest-new.log

notify-send -t 5000 "${QUBE_NAME} qube" "${QUBE_NAME} qube remnants cleared."

```