First thing I do on a fresh QubesOS install is keep the foundation clean. Anything that touches the system—sys-net, sys-firewall, sys-usb, sys-whonix, all the service qubes—stays minimal. I don’t install a thing into the templates attached to those qubes. Same goes for the default DVM. Clean base, minimal attack surface.
When I need to install apps, I don’t contaminate the original templates. I clone the template, rename it, and point my daily App Qubes (personal, work, etc.) to the clone. So if Fedora ships as fedora-41-xfce, mine becomes fedora-41-xfce-custom, and that’s where the apps I need get installed.
If I’m building a sensitive qube—banking, crypto, whatever—I’ll clone the untouched template again and keep that one lean too. Only install what I need. Nothing more.
And this applies to everything in Qubes: Fedora, Debian, Whonix, Arch, Kali… whatever template you bring in. The rule is simple—keep the base template pristine, do your work in cloned templates, and let compartmentalization actually mean something.
Keeping things minimal, isolated, and compartmentalized is one of the cleanest OPSEC habits you can build in QubesOS.
#IKITAO #QubesOS #OPSEC #INFOSEC
