Initially, I switched from Windows to Debian, used it for about two weeks, and then jumped head-first into Qubes. I had watched every explainer video, read every introductory article, and still felt clueless and lost. I understood nothing. Paradoxically, the more confused I became, the greater my curiosity grew.

At first, I dual-booted Qubes. The installation was surprisingly straightforward, but I quickly found myself lost again: What on earth is a “template”? Why do installed packages disappear after rebooting? Passwordless-root? This must be a huge security issue!

It took me roughly two more weeks of hands-on experimentation (and a lot of frustration) before Qubes’ unique concepts finally clicked. I’ve since seen many newcomers follow the same arc. Qubes is simply too different. There’s no one-paragraph explanation that’s sufficient for Qubes. If you’re feeling overwhelmed by the available resources, welcome to the club. Nevertheless, I still want to recommend a few sources, as the initial struggle is part of the learning process. Ordered by preference:

Qubes isn’t something you can fully grasp just by reading articles or watching videos; practical experience is essential. Rather than yet another introductory “What is Qubes?” post, I want to highlight four lesser-known features that convinced me to continue using it, hoping that you too get that “Huh?” feeling that increases your curiosity. This post won’t dive into technical explanations or tutorials; my primary goal is to inspire you to download the ISO and explore Qubes firsthand. (Note: Installing Qubes in a VM isn’t officially supported and requires significant workarounds; I recommend avoiding this method if possible.)

Minimal Templates

Think of minimal templates as stripped-down operating systems. Out of the box, standard Fedora and Debian templates (the default OSes in Qubes) come with browsers, text editors, networking tools, and a gigabyte of unnecessary “just in case” libraries. Redundancy translates directly into a larger attack surface, and we obviously don’t want this.

Minimal templates eliminate this problem. They ship with only what the hypervisor absolutely requires and what is needed to enable basic usage, which means: no browser, no editor, no bloat. Want a VM dedicated as a password manager-only vault? Clone a minimal Fedora or Debian template, install your password manager (which gets installed via a proxy, so there are still no network packages installed by default) and every VM derived from it remains completely isolated and secure from external threats.

Unikernels (Security by Subtraction)

Unikernels take minimalism to the extreme. A unikernel is an application baked into a specialized Linux kernel: there is no user space and no package manager; the whole application lives inside the Linux kernel.

Mirage Firewall is Qubes’ flagship example. It serves a single function, boots in under a second, and uses less than 30 MB of RAM. Fewer lines of code mean fewer potential vulnerabilities. There’s also a lesser-known OpenVPN unikernel, and there is an open issue exploring unikernelizing the VM that controls your USB devices.

Disposable VMs

Disposable VMs are essentially Qubes’ equivalent of Tails. Launch a disposable VM, open that suspicious PDF you just downloaded, and do whatever you want. Once the VM shuts down, all data vanishes completely. Although not yet entirely secure against advanced forensic threats, as disposable VMs do not run entirely in RAM, they provide robust protection against virtually all types of dangers.

Truly disposable VMs that run only in RAM are still possible. If you need this protection against forensic threats, look here.

Saltstack integration

While backups are still essential, declarative rebuilds offer a superior approach. Saltstack allows you to define your workstations as code:

# dom0 state: clone the minimal template into a new template named tpl-dev
create-dev-qube:
  qvm.clone:
    - name: tpl-dev
    - source: debian-12-minimal
    - class: TemplateVM

# dom0 state: set the label, detach audio and networking, size CPU and memory
dev-set-tpl-prefs:
  qvm.prefs:
    - name: tpl-dev
    - label: red
    - audiovm: ''
    - netvm: ''
    - vcpus: 4
    - memory: 8000

# Must be applied to tpl-dev itself (not dom0): install packages without recommended extras
dev-install-tpl-packages:
  pkg.installed:
    - refresh: True
    - install_recommends: False
    - skip_suggestions: True
    - pkgs:
      - neovim
      - git
      - openssh-client
      - tmux

Simply copy these YAML files onto a USB stick, reinstall Qubes, restore the files to their proper locations, and execute a few commands. You will see the complete restoration of your environments, including VMs, packages installed in VMs, dotfiles, etc. If you prefer Ansible over Saltstack, you’re in luck: first-class Ansible support is in open testing.
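Because the workstation is defined as code, it can also be checked before it is applied. The following is an added example, not part of the original post or of Qubes: a small Python check that parses states of the shape shown above and flags settings that widen a template's attack surface. The rule set, the function names and the constructed sample are assumptions.

```python
# Constructed sample: the post's states with three deliberate regressions.
SAMPLE = """\
create-dev-qube:
  qvm.clone:
    - name: tpl-dev
    - source: debian-12
dev-set-tpl-prefs:
  qvm.prefs:
    - name: tpl-dev
    - netvm: sys-firewall
dev-install-tpl-packages:
  pkg.installed:
    - pkgs:
      - neovim
"""

def parse_sls(text):
    """Return {state_id: (function, args)} for the 2-space-indented subset above."""
    states, sid, args, key = {}, None, {}, None
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for line in lines:
        body, indent = line.strip(), len(line) - len(line.lstrip())
        if indent == 0:        # state-id:
            sid = body.rstrip(":")
        elif indent == 2:      # module.function:
            args = {}
            states[sid] = (body.rstrip(":"), args)
        elif indent == 4:      # "- key: value", or "- key:" opening a list
            key, _, raw = (s.strip() for s in body[2:].partition(":"))
            args[key] = raw.strip("'\"") if raw else []
        else:                  # "- item" of the list opened above
            args[key].append(body[2:].strip())
    return states

def audit(states):
    """Flag settings that widen a template's attack surface (assumed rule set)."""
    templates = {a.get("name") for fn, a in states.values() if fn == "qvm.clone"}
    findings = []
    for sid, (fn, a) in states.items():
        if fn == "qvm.clone" and not str(a.get("source", "")).endswith("-minimal"):
            findings.append((sid, "source is not a minimal template"))
        if fn == "qvm.prefs" and a.get("name") in templates and a.get("netvm"):
            findings.append((sid, "template has a netvm"))
        if fn == "pkg.installed" and a.get("install_recommends", "True") != "False":
            findings.append((sid, "install_recommends is not False"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_sls(SAMPLE)), sep="\n")
```

The parser handles only the flat layout shown; states that use Jinja or nested YAML need a real YAML loader.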

Conclusion

This overview is not exhaustive. I deliberately skipped more complex features - like qrexec services, split SSH, split GPG, Whonix, etc.

Qubes may not be your forever OS. But the mindset is, so keep the habit it teaches: compartmentalize tasks.