Typical copy and paste is Ctrl+C and Ctrl+V, respectively. Common knowledge (though, if you didn’t know that - life changing).
The problem is copying between VMs or between the host and a VM. In QEMU and Virtualbox, this is solved by installing guest utilities into the VM, which allows the host and all of the guests to essentially share a common clipboard. The vulnerability herein lies if one machine is compromised (which is generally a wise security assumption). Then, a remote attacker need only grab the clipboard contents periodically and send it back to their machine. So, if using this solution - never copy passwords/keys/SSNs or anything sensitive. If so, you would be wise to assume that information is compromised.
OR, you could prevent clipboard sharing by disabling the setting and/or by uninstalling guest agent packages entirely. But then you couldn’t, for example, host your KeePassXC password manager in a non-networked VM and copy/paste login info from there to a browser in the host or another VM. You might see how this specific configuration offers a superior level of account security!
Qubes does not network the host OS (except for updates…via a secure proxy…yeah, basically not networked). Due to this unique architecture (which is functionally very difficult to achieve in a custom setup - trust me, I’ve tried), the host OS can be trusted in a unique way akin to any air-gapped machine. I refer to this as a virtual air-gap.
tl;dr
Part of this unique trust is a global clipboard API controlled by the host. This allows you to conveniently copy/paste between VMs. By default, the keypress sequence to differentiate local copy/paste (Ctrl+C and Ctrl+V) from global is Ctrl+Shift+C and Ctrl+Shift+V.
I would highly recommend you change this. Reason is, the default global copy/paste is identical to the default terminal copy/paste. Thus, to copy/paste in the terminal, you must right-click - which is incredibly noob-ish. To change this:
- Go to Menu → Settings Cog → Qubes Tools → Qubes Global Config.
- Go to the Clipboard tab on the left.
- You should then see the settings to change the shortcuts.
I like to use Win+C and Win+V, but there are a few other options.
The workflow, then, looks like this:
- Start out with global clipboard empty, with VM1 running KeePassXC and VM2 running Firefox. Both VMs have an empty clipboard.
- In VM1, Ctrl+C to copy a password
- Now - Global: empty, VM1: password (cleared after 10s by default), VM2: empty
- In VM1, Win+C, which tells VM1 to send it’s clipboard contents via a secure connection to the host.
- Now - Global: password, VM1: password, VM2: empty
- In VM2, Win+V, which tells VM2 to listen to receive something from the host and store that in its clipboard. Simultaneously, the host empties it’s clipboard and gives it to VM2.
- Now - Global: empty, VM1: password, VM2: password.
- Depending on your speed, KeePassXC will likely have cleared the clipboard by now
- Now - Global: empty, VM1 : empty, VM2: password
- Thus, you can Ctrl+V in VM2 to paste the password into Firefox and login.
I explained this with verbosity, but the mechanism becomes rudimentary with practice: click KeePassXC window and desired entry, Ctrl+C, Win+C, click browser window, Win+V, click password field, Ctrl+V. Practice, find the optimal workflow (e.g. in KeePassXC you can save the URL into an entry and then copy locally with Ctrl+U. Same for usernames, copied with Ctrl+B), and then never go back.