Qubes - Template vs App vs Disposable vs Standalone

Do not take my word; check the documentation yourself ~

These are beginner-friendly-sort-of (as much as anything in Qubes can be) references. For an advanced source, which I find helpful, check ~

The Qubes architecture brings some innovative solutions to VM OS security and efficiency unlike anything I have seen before.

(Aside - if you have advanced experience with other virtualization solutions like QEMU/KVM, VMware, Virtualbox, etc. and have figured out how to build the VM filesytem inheritance system mentioned in the above Developer documentation in one of those other solutions - please send me a PM).

When you are unfamiliar with this unique and “advanced” architecture, however, the differences in the terminology can be daunting. What is a Template/App/Disposable/Standalone and what are the differences? Well, there are many differences, and getting used to them takes time. But I want to address specifically the concepts of filesystems and inheritance. This helps make installing software and generally managing files more clear.

The following is an oversimplification for educational purposes. Although, this simplification is reflected in the “Create new qube” dialogue box in Qubes. Still, some of the following explanations are not entirely accurate, for simplicity. See the aforementioned documentation if you want an in-depth analysis.

Every qube file system can be divided into two parts - the root and the home ~

  • root, or / - all of the files for the qube with the exception of the contents of /home

  • home, or ~ or /home/<your_username> - all of your personal files and many local user configs, like ~/.config and ~/.local

A generalization of the two:

  • When you install software with sudo apt install or sudo dnf install, this software is placed in various places places around the root

  • When you create/edit documents, write code, or save funny memes to your computer, you place these files in the home

Next relevant prerequisite is the distinction of persistent and volatile (spoiler alert - they mirror their real world meanings) ~

  • When it is said that a filesystem is persistent, what is meant is that - at boot or at shutdown, when adding or removing software, when tweaking or leaving things untouched - the filesystem and its files exist, and continue to exist, somewhere on the physical hard drive. Think of it like normal VMs and OSes.

  • When a filesystem is volatile, or often called ephemeral, what is meant is that - after shutting down the VM - the filesystem and its files are removed from the physical hard drive. Think of it like live-booting an OS, esp. like Tails.

This brings us to Templates/Apps/Disposables/Standalones, all of which are types of qubes that mostly determines its functionality (esp. in regards to each one’s filesystem). Keep in mind the distinction of root and home and remember that it is relevant to every qube.

  • Templates - when you first install Qubes OS, you typically get 4 of these: Debian, Fedora, and Whonix GW/WS. Think of Templates likened to the traditional sense of VMs you get from other hypervisors like Virtualbox. Qubes installs them “from scratch”, sort of, and adds/removes software to make the base image you receive when you first install the OS. The root and home of these qubes are persistent. This means that any changes are as permanent as normal VMs. If you install malware in a Template, it stays there even after shutting it down. Specifically, the home is just for convenience (you will probably never use it) and is unique to the Template. No other qubes ever access it. The root, on the other hand, is stored in a separate read-only format that is used as a template (hence the name) for all subsequent qubes based on it.

  • Apps - these are what you do persistent work in that doesn’t require a persistent root. Hence, App qubes have a persistent home and a volatile root. If you put files/malware in your /home folder, they persist even after shutdown. If you install software/malware elswhere in the filesystem, it is wiped at shutdown. To achieve this, Qubes keeps a filesystem image of just the /home folder, and keeps a unique image for each App qube. When booting an App qube, Qubes takes the current read-only image of the root from the App qube’s Template qube and mounts the App qube’s read/write home image into it (alongside a volatile image of all changes you make to the root for that session, which is wiped at shutdown) to create a “snapshot.” At shutdown of the App qube, the home changes remain in its image, the read-only root remains unchanged, and the volatile changes image is discarded.

  • Standalones - personally, I have only used these one time. My use case was a situation (running a website) where I needed persistent root (to run a webserver with configs in /etc and pages in /var/www). Standalones have both persistent root and persistent home, but not in the same way as a Template. The home is identical to the function of App qubes. The root is taken from a Template at the time of qube creation but in a read/write form and then persists thereafter as a separate filesystem image. This is helpful if you need to do one thing in one qube with full persistence. Otherwise, keep in mind that all files/malware persist on Standalones and do not affect other qube images since they are the basis for no other qubes (they are not templates). Accordingly, malware in a Template root is more impactful than in a Standalone root.

  • Disposables - these, in my opinion, are the workhorses. Install software for testing, open suspicious email attachments for isolation, login to the forum to make laboriously lengthy posts. The use cases are endless, and the benefits are clear. Disposables have both a volatile root and a volatile home. This makes them like App qubes except everything is wiped at shutdown. This is a huge security feature! All malware, all misconfiguration, all testing - gone (exceptions being network or USB exploits, obviously, but Qubes has its own solutions for those as well). That all said, Disposables can be daunting to modify or design from scratch. Disposables start as App qubes called “<whatever_name>-dvm” and are referred to as DVMs. These are App qubes, but they function like Templates. When you start an application in a Disposable, it generates a random number from 0 to 9999 and then creates a qube called “dispXXXX”. This qube is comprised of the Template’s read-only root, the DVM’s home in a read-only image, and a separate volatile image of any changes made for that session. Closing the application you opened tells Qubes to unmount the Template and DVM images and discard the volatile changes image.

Some conclusions: install software in Templates (but be aware that bad software will corrupt all qubes based on the Template - Templates are ultimately trusted), use Standalones for specific workflows that require root persistence and Apps for workflows that don’t, and do everything else in Disposables. You can install software in Standalones when necessary, and in Apps if doing so in /home. Everywhere where software can be installed, malware can also be installed. Be wise, stay safe, use Qubes. :slight_smile:

2 Likes

As a long time Qubes user, thank you for the breakdown and ideas. This has given me a different perspective on DVMs. I’ll look into using them more often.