smrtak on Nostr: # Trezor Suite on QubesOS R4.2 (successfully tested recently on R4.2.3) ## Foreword ...
# Trezor Suite on QubesOS R4.2
(successfully tested recently on R4.2.3)
## Foreword
It is not in scope of this text to go too deep into QubesOS rabbit hole...
You should understand and double check what you type into your terminal, especially in dom0.
Keep in mind and stay vigilant when following any tutorial published online or downloading files from internet.
Always verify source, URL, hashes or signatures)
**USE AT OWN RISK!**
## Prerequisites:
- QubesOS R4.2 installed
- Familiarity with QubesOS and its terminology (e.g., AppVMs, templates, networking, etc.)
## What you will end up with:
- Disposable `sys-usb` qube based on `debian-12-minimal` template
- AppVM qube `trezorSuite` using `whonix-workstation-17` template
## Tips
- to start root terminal for template based on minimal template you can use this command from `dom0`:
```
qvm-run -u root tpl-d12m-usb xterm
```
- to copy file between AppVMs you can use command:
```
qvm-copy /path/to/file
```
pop-up in `dom0` will ask for destination
## Steps:
1. In `dom0`, update QubesOS:
```
sudo qubes-dom0-update
```
2. Install the `debian-12-minimal` template:
```
qvm-template install debian-12-minimal
```
3. Create two clones:
```
qvm-clone debian-12-minimal tpl-d12m-usb
qvm-clone whonix-workstation-17 wws17-ts
```
4. In the `tpl-d12m-usb` qube, install necessary packages:
```
qvm-run --pass-io -u root tpl-d12m-usb "apt update && apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus zenity policykit-1 libblockdev-crypto2 ntfs-3g socat -y"
```
5. Shutdown the `tpl-d12m-usb` qube:
```
qvm-shutdown --wait tpl-d12m-usb
```
6. Create a new AppVM using the `tpl-d12m-usb` template and label it "red":
```
qvm-create --template tpl-d12m-usb --label red tpl-d12m-usb-dvm
```
7. Set the `tpl-d12m-usb-dvm` qube as disposable template:
```
qvm-prefs tpl-d12m-usb-dvm template_for_dispvms true
```
8. Add app menus to the `tpl-d12m-usb-dvm` qube:
```
qvm-features tpl-d12m-usb-dvm appmenus-dispvm 1
```
9. Disable networking for the `tpl-d12m-usb-dvm` qube:
```
qvm-prefs tpl-d12m-usb-dvm netvm none
```
10. Create a new AppVM for TrezorSuite (trezorSuite) using the `wws17-ts` template
```
qvm-create --property memory=400 --property maxmem=2048 --property template=wws17-ts -l purple trezorSuite
qvm-prefs trezorSuite netvm ${netVM} # set netvm for your needs, some prefer sys-whonix other may sys-firewall
qvm-features trezorSuite menu-items "qubes-run-terminal.desktop " # adding terminal to GUI menu
```
11. In the `tpl-d12m-usb` qube, install Trezor Bridge:
```
sudo dpkg -i trezor-bridge_2.0.27_amd64.deb
```
(Can be downloaded from https://data.trezor.io/bridge/2.0.27/trezor-bridge_2.0.27_amd64.deb)
12. Configure Trezor Bridge to start on boot:
```
echo -e "systemctl enable trezord.service \nsystemctl start trezord.service" | sudo tee -a /rw/config/rc.local
```
13. Add udev rules for Trezor:
```
sudo vi /etc/udev/rules.d/51-trezor.rules
```
(You can get the udev rules from the official source: https://data.trezor.io/udev/51-trezor.rules)
14. Make the udev rules executable:
```
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
```
15. Power off the `tpl-d12m-usb` qube:
```
sudo poweroff
```
16. In the `tpl-d12m-usb-dvm` qube, create the necessary Qubes RPC directory:
```
sudo mkdir -p /usr/local/etc/qubes-rpc
```
17. Add the Trezor RPC service:
```
echo "socat - TCP:localhost:21325" | sudo tee /usr/local/etc/qubes-rpc/trezord-service
```
18. Make the Trezor RPC service executable:
```
sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service
```
19. Power off the `tpl-d12m-usb-dvm` qube:
```
sudo poweroff
```
20. In `dom0`, stop (existing and) running `sys-usb` and replace its template with newly created and customized `tpl-d12m-usb-dvm`:
```
qvm-shutdown --wait sys-usb
qvm-prefs --get sys-usb template # display currently used template name, remember this in case of roll-back
qvm-prefs --set sys-usb template tpl-d12m-usb-dvm && qvm-start sys-usb
```
21. In `dom0`, add the necessary policy for the Trezor RPC service:
```
echo '@anyvm @anyvm allow,user=trezord,target=sys-usb' > /etc/qubes-rpc/policy/trezord-service
```
22. In `dom0`, update and install the Trezor Python package in AppVM's template:
```
qvm-run --pass-io -u root wws17-ts "apt update && apt install --no-install-recommends pip -y"
```
23. Setting up trezorSuite AppVM:
```
echo 'socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &' | sudo tee -a /rw/config/rc.local
pip install --user trezor
```
- On Qubes R4.2, you may experience an error with the above command. Try this workaround instead:
```
pip install --user trezor --break-system-packages
```
24. Download or copy the `Trezor-Suite-24.*.AppImage` file, verify it, and give it executable permissions:
```
chmod u+x /path/to/Trezor-Suite-*.AppImage
```
Now shut down all the templates (in case any of them are still running), `sys-usb`, and `trezorSuite` AppVM qubes.
Start `sys-usb`, start terminal in `trezorSuite` and launch `/path/to/your/Trezor-Suite-*.AppImage`
You should now be able to use Trezor Suite with your hardware wallet on QubesOS.
Note: This guide has been inspired by multiple articles on the Qubes Forum.
To name a few: Ursidae's post that I found here: https://forum.qubes-os.org/t/ultimate-guide-on-using-trezor-on-qubes/18310 and https://forum.qubes-os-os.org/t/debian-10-minimal-configuration/2603
#trezor #trezorSuite #qubesOS
(successfully tested recently on R4.2.3)
## Foreword
It is not in scope of this text to go too deep into QubesOS rabbit hole...
You should understand and double check what you type into your terminal, especially in dom0.
Keep in mind and stay vigilant when following any tutorial published online or downloading files from internet.
Always verify source, URL, hashes or signatures)
**USE AT OWN RISK!**
## Prerequisites:
- QubesOS R4.2 installed
- Familiarity with QubesOS and its terminology (e.g., AppVMs, templates, networking, etc.)
## What you will end up with:
- Disposable `sys-usb` qube based on `debian-12-minimal` template
- AppVM qube `trezorSuite` using `whonix-workstation-17` template
## Tips
- to start root terminal for template based on minimal template you can use this command from `dom0`:
```
qvm-run -u root tpl-d12m-usb xterm
```
- to copy file between AppVMs you can use command:
```
qvm-copy /path/to/file
```
pop-up in `dom0` will ask for destination
## Steps:
1. In `dom0`, update QubesOS:
```
sudo qubes-dom0-update
```
2. Install the `debian-12-minimal` template:
```
qvm-template install debian-12-minimal
```
3. Create two clones:
```
qvm-clone debian-12-minimal tpl-d12m-usb
qvm-clone whonix-workstation-17 wws17-ts
```
4. In the `tpl-d12m-usb` qube, install necessary packages:
```
qvm-run --pass-io -u root tpl-d12m-usb "apt update && apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus zenity policykit-1 libblockdev-crypto2 ntfs-3g socat -y"
```
5. Shutdown the `tpl-d12m-usb` qube:
```
qvm-shutdown --wait tpl-d12m-usb
```
6. Create a new AppVM using the `tpl-d12m-usb` template and label it "red":
```
qvm-create --template tpl-d12m-usb --label red tpl-d12m-usb-dvm
```
7. Set the `tpl-d12m-usb-dvm` qube as disposable template:
```
qvm-prefs tpl-d12m-usb-dvm template_for_dispvms true
```
8. Add app menus to the `tpl-d12m-usb-dvm` qube:
```
qvm-features tpl-d12m-usb-dvm appmenus-dispvm 1
```
9. Disable networking for the `tpl-d12m-usb-dvm` qube:
```
qvm-prefs tpl-d12m-usb-dvm netvm none
```
10. Create a new AppVM for TrezorSuite (trezorSuite) using the `wws17-ts` template
```
qvm-create --property memory=400 --property maxmem=2048 --property template=wws17-ts -l purple trezorSuite
qvm-prefs trezorSuite netvm ${netVM} # set netvm for your needs, some prefer sys-whonix other may sys-firewall
qvm-features trezorSuite menu-items "qubes-run-terminal.desktop " # adding terminal to GUI menu
```
11. In the `tpl-d12m-usb` qube, install Trezor Bridge:
```
sudo dpkg -i trezor-bridge_2.0.27_amd64.deb
```
(Can be downloaded from https://data.trezor.io/bridge/2.0.27/trezor-bridge_2.0.27_amd64.deb)
12. Configure Trezor Bridge to start on boot:
```
echo -e "systemctl enable trezord.service \nsystemctl start trezord.service" | sudo tee -a /rw/config/rc.local
```
13. Add udev rules for Trezor:
```
sudo vi /etc/udev/rules.d/51-trezor.rules
```
(You can get the udev rules from the official source: https://data.trezor.io/udev/51-trezor.rules)
14. Make the udev rules executable:
```
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
```
15. Power off the `tpl-d12m-usb` qube:
```
sudo poweroff
```
16. In the `tpl-d12m-usb-dvm` qube, create the necessary Qubes RPC directory:
```
sudo mkdir -p /usr/local/etc/qubes-rpc
```
17. Add the Trezor RPC service:
```
echo "socat - TCP:localhost:21325" | sudo tee /usr/local/etc/qubes-rpc/trezord-service
```
18. Make the Trezor RPC service executable:
```
sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service
```
19. Power off the `tpl-d12m-usb-dvm` qube:
```
sudo poweroff
```
20. In `dom0`, stop (existing and) running `sys-usb` and replace its template with newly created and customized `tpl-d12m-usb-dvm`:
```
qvm-shutdown --wait sys-usb
qvm-prefs --get sys-usb template # display currently used template name, remember this in case of roll-back
qvm-prefs --set sys-usb template tpl-d12m-usb-dvm && qvm-start sys-usb
```
21. In `dom0`, add the necessary policy for the Trezor RPC service:
```
echo '@anyvm @anyvm allow,user=trezord,target=sys-usb' > /etc/qubes-rpc/policy/trezord-service
```
22. In `dom0`, update and install the Trezor Python package in AppVM's template:
```
qvm-run --pass-io -u root wws17-ts "apt update && apt install --no-install-recommends pip -y"
```
23. Setting up trezorSuite AppVM:
```
echo 'socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &' | sudo tee -a /rw/config/rc.local
pip install --user trezor
```
- On Qubes R4.2, you may experience an error with the above command. Try this workaround instead:
```
pip install --user trezor --break-system-packages
```
24. Download or copy the `Trezor-Suite-24.*.AppImage` file, verify it, and give it executable permissions:
```
chmod u+x /path/to/Trezor-Suite-*.AppImage
```
Now shut down all the templates (in case any of them are still running), `sys-usb`, and `trezorSuite` AppVM qubes.
Start `sys-usb`, start terminal in `trezorSuite` and launch `/path/to/your/Trezor-Suite-*.AppImage`
You should now be able to use Trezor Suite with your hardware wallet on QubesOS.
Note: This guide has been inspired by multiple articles on the Qubes Forum.
To name a few: Ursidae's post that I found here: https://forum.qubes-os.org/t/ultimate-guide-on-using-trezor-on-qubes/18310 and https://forum.qubes-os-os.org/t/debian-10-minimal-configuration/2603
#trezor #trezorSuite #qubesOS