Anthony J. Martinez

Smooth Sailing on PureOS

After some eleven weeks of full time use of my Purism Librem 14 using Qubes OS, I have decided to give the native Pure OS as shot. While this will not provide the same degree of isolation I had in Qubes OS, the primary use cases for this machine do not necessarily require that degree of separation. When I do not wish to leave a trace, or otherwise find that the native attack surface is too great, I have a Tails stick I can boot.

As I write this, my laptop has been running Pure OS smoothly for two days. Almost the entirety of that time has passed while using the USB-C hub that was giving me fits in Qubes OS. In fact, right now I've got a USB-C SSD plugged in to send a Qubes backup across the ocean to my backup server at home. This very same operation failed somewhat regularly if I used the USB-C hub in Qubes, but has not been problematic yet in Pure OS.

Migrating my data from multiple qubes, into a single yet still "reasonably secure" Pure OS install was fairly simple thanks to Borg Backup. For those maybe curious about how such a thing can be accomplished, this is what I did:

• Execute a complete Qubes Backup so the system can be restored if desired.
• Create an unencrypted borg repo from each critical qube on removable media.
  • borg init --encryption=none /mnt/removable/qube-name
• Create an archive with the important files from each critical qube into the appropriate repo.
  • borg create -C zlib,4 --stats --progress /mnt/removable/qube-name::qube-name ~
• Mounted the archive from within Pure OS
  • mkdir /tmp/borg && borg mount /media/username/diskname/qube-name::qube-name /tmp/borg
• Moved files from /tmp/borg/home/user/ to their rightful place on the new system
• Unmounted the archive
• Nuked the archive, since we do not leave unencrypted data around for any reason - right?
• Imported my GPG public key, which I host on this server.
• Put an end to the ssh-agent competition as described here
• Installed wireguard-tools, and configured an interface for my VPN.

With all of this done, I can use the system just as I was previously for management of my private network and for development purposes. While I am no longer using Split GPG and Split SSH, my private key material is not directly on the system and can be accessed only when my Librem Key is plugged in and unlocked. As I noted before, if one wishes to execute cryptographic operations using the pkcs11 interface it is still necessary to first stop gpg-agent. An alternative, however, is just to encrypt to yourself using gpg directly: gpg -se -r yourname <filename>.

So far, the only thing I have installed from a non-purism repository is syncthing. This actually exists in the default repositories, but the version is extremely stale so I added the developer's repository and stable branch to my sources.list.d and pinned the package to come from there in all cases. Long time users of Debian-based sytems will not be surprised by this at all.