smrtak
npub1hwm…msq8
2025-01-07 21:36:48


# Trezor Suite on QubesOS R4.2
(successfully tested recently with TS5 on R4.2.3)

## Foreword
Going deep into the QubesOS rabbit hole is out of scope for this text.
You should understand and double-check what you type into your terminal, especially in dom0.
Keep that in mind and stay vigilant when following any tutorial published online or downloading files from the internet.
Always verify the source, URL, hashes or signatures.
**USE AT OWN RISK!**

## Prerequisites:
- QubesOS R4.2 installed
- Familiarity with QubesOS and its terminology (e.g., AppVMs, templates, networking, etc.)

## What you will end up with:
- Disposable `sys-usb` qube based on `debian-13-minimal` template
- AppVM qube `TrezorSuite` using `whonix-workstation-17` template
- Ability to use and control Trezor Hardware Wallet with companion app Trezor Suite

## Tips
- To start a root terminal in a template based on a minimal template, run this command in `dom0`:
```
qvm-run -u root tpl-d13m-usb xterm
```
- To copy a file between AppVMs, use this command:
```
qvm-copy /path/to/file
```
A pop-up in `dom0` will ask for the destination.

## Steps:
1. In `dom0`:
```
sudo qubes-dom0-update
qvm-template install debian-13-minimal
```

2. Create two clones:
```
qvm-clone debian-13-minimal tpl-d13m-usb
qvm-clone whonix-workstation-17 wws17-ts
```

3. Prepare `tpl-d13m-usb` template for `sys-usb`:
```
qvm-run --pass-io -u root tpl-d13m-usb "apt update && apt install --no-install-recommends qubes-usb-proxy qubes-input-proxy-sender qubes-core-agent-nautilus zenity policykit-1 trezor libfuse2 socat -y"
qvm-shutdown --wait tpl-d13m-usb
```

4. Create disposable AppVM using the `tpl-d13m-usb` template and label it "red":
```
qvm-create --template tpl-d13m-usb --label red tpl-d13m-usb-dvm
```

5. Set the `tpl-d13m-usb-dvm` qube as disposable template:
```
qvm-prefs tpl-d13m-usb-dvm template_for_dispvms true
```

6. Add app menus to the `tpl-d13m-usb-dvm` qube:
```
qvm-features tpl-d13m-usb-dvm appmenus-dispvm 1
```

7. Disable networking for the `tpl-d13m-usb-dvm` qube:
```
qvm-prefs tpl-d13m-usb-dvm netvm none
```

8. Create a new AppVM named `TrezorSuite` using the `wws17-ts` template:
```
qvm-create --property memory=400 --property maxmem=2048 --property template=wws17-ts -l purple TrezorSuite
qvm-prefs TrezorSuite netvm ${netVM} # replace ${netVM} with the net qube that fits your needs, e.g. sys-vpn or sys-firewall
qvm-features TrezorSuite menu-items "qubes-run-terminal.desktop " # adding terminal to GUI menu
```

9. Start a terminal in a disposable AppVM with network access and download the following files:
```
cd ~/Downloads
mkdir usb && cd usb
curl -O https://data.trezor.io/bridge/2.0.30/trezor-bridge_2.0.30_amd64.deb
curl -O https://data.trezor.io/udev/51-trezor.rules
mkdir ../ts && cd ../ts
curl -O https://data.trezor.io/suite/releases/desktop/latest/Trezor-Suite-24.12.3-linux-x86_64.AppImage
curl -O https://data.trezor.io/suite/releases/desktop/latest/Trezor-Suite-24.12.3-linux-x86_64.AppImage.asc
curl -O https://trezor.io/security/satoshilabs-2021-signing-key.asc
# import signing key
gpg --import satoshilabs-2021-signing-key.asc
# verify AppImage
gpg --verify Trezor-Suite-24.12.3-linux-x86_64.AppImage.asc
# you should see something similar:
# user@disp1234:~/Downloads/ts$ gpg --verify Trezor-Suite-24.12.3-linux-x86_64.AppImage.asc
# gpg: assuming signed data in 'Trezor-Suite-24.12.3-linux-x86_64.AppImage'
# gpg: Signature made Wed 18 Dec 2024 05:40:31 PM CET
# gpg: using RSA key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
# gpg: Good signature from "SatoshiLabs 2021 Signing Key" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C
cd ..

# ready to move downloads where we need them
qvm-copy usb
# in dom0 pop-up select `tpl-d13m-usb`
qvm-copy ts
# in dom0 pop-up select `TrezorSuite`
```

10. In the `tpl-d13m-usb` qube:
```
# disp1234 stands for the name of the disposable qube used in step 9
sudo dpkg -i /home/user/QubesIncoming/disp1234/trezor-bridge_*_amd64.deb
echo -e "systemctl enable trezord.service \nsystemctl start trezord.service" | sudo tee -a /rw/config/rc.local
sudo mv /home/user/QubesIncoming/disp1234/51-trezor.rules /etc/udev/rules.d/51-trezor.rules
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
sudo poweroff
```

11. In the `tpl-d13m-usb-dvm`:
```
sudo mkdir -p /usr/local/etc/qubes-rpc
echo "socat - TCP:localhost:21325" | sudo tee /usr/local/etc/qubes-rpc/trezord-service
sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service
sudo poweroff
```

12. In `dom0`, stop the existing (and running) `sys-usb` and replace its template with the newly created and customized `tpl-d13m-usb-dvm`:
```
qvm-shutdown --wait sys-usb
qvm-prefs --get sys-usb template # display currently used template name, remember this in case of roll-back
qvm-prefs --set sys-usb template tpl-d13m-usb-dvm && qvm-start sys-usb
```

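13. In `dom0`, add the necessary policy for the Trezor RPC service. As written, the rule lets any qube call `trezord-service` and always redirects the call to `sys-usb`; to restrict callers to the `TrezorSuite` qube, use `TrezorSuite` as the source in place of the first `@anyvm`: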
```
echo '@anyvm @anyvm allow,user=trezord,target=sys-usb' > /etc/qubes-rpc/policy/trezord-service
```

14. In `dom0`, update the AppVM's template and install pip in it (needed for the Trezor Python package in the next step):
```
qvm-run --pass-io -u root wws17-ts "apt update && apt install --no-install-recommends pip -y"
qvm-shutdown --wait wws17-ts
```

15. Setting up `TrezorSuite` AppVM:
```
echo 'socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &' | sudo tee -a /rw/config/rc.local
pip install --user trezor
```
- On Qubes R4.2, you may experience an error with the above command. Try this workaround instead:
```
pip install --user trezor --break-system-packages
```

16. Set up the `Trezor-Suite-24.*.AppImage` file for use:
```
# disp1234 stands for the name of the disposable qube used in step 9
mv /home/user/QubesIncoming/disp1234/Trezor-Suite-*.AppImage ~/
chmod u+x ~/Trezor-Suite-*.AppImage
sudo poweroff
```

Start `sys-usb`, start a terminal in `TrezorSuite` and launch `./Trezor-Suite-*.AppImage`.
You should now be able to use Trezor Suite with your hardware wallet on QubesOS.
There are ways to add the AppImage to the menu, but I am OK with the terminal. If you'd like to explore this possibility, look here:
https://forum.qubes-os.org/t/appimage-added-to-application-list-but-wont-execute-program/16687
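
Step 9 confirms the signer by reading gpg's output. The following added example (not part of the original post) makes that check mechanical: it parses `gpg --status-fd` output and accepts the AppImage only when the signature is good and made by the fingerprint shown in step 9. The function names and the sample status lines are constructed for illustration, and the field layout assumed is that of GnuPG 2.x.

```shell
#!/bin/sh
# Added example: pin the AppImage signature to one key fingerprint.
# The fingerprint is the one shown in the gpg output in step 9.
EXPECTED_FPR="EB483B26B078A4AA1B6F425EE21B6950A2ECB65C"

# Read `gpg --status-fd` lines on stdin. Succeed only if gpg reported a good
# signature AND every VALIDSIG names the expected primary-key fingerprint
# (last field of VALIDSIG in GnuPG 2.x). Anything else fails closed.
status_ok_for() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) pinned = 1; else other = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !other && !bad) }
    '
}

# $1 = detached signature; gpg finds the data file by dropping ".asc",
# as in the step 9 output.
verify_appimage() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | status_ok_for "$EXPECTED_FPR"
}

# Constructed status output for a good signature (not captured from gpg).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E21B6950A2ECB65C SatoshiLabs 2021 Signing Key
[GNUPG:] VALIDSIG EB483B26B078A4AA1B6F425EE21B6950A2ECB65C 2024-12-18 1734540031 0 4 0 1 10 00 EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: same shape, but signed by a different (made-up) key.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Other Key
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2024-12-18 1734540031 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567'

if printf '%s\n' "$SAMPLE_GOOD" | status_ok_for "$EXPECTED_FPR"; then
    echo "sample: signer matches pinned fingerprint"
fi
```

In the download qube, `verify_appimage Trezor-Suite-24.12.3-linux-x86_64.AppImage.asc && qvm-copy ts` copies the files only after the pinned check passes.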

Note: This guide has been inspired by multiple articles on the Qubes Forum.
To name a few: https://forum.qubes-os.org/t/ultimate-guide-on-using-trezor-on-qubes/18310 and https://forum.qubes-os.org/t/debian-10-minimal-configuration/2603
#QubesOS #TrezorSuite #HWW
Author Public Key
npub1hwm25xpesthffefk3nayctcnau0hu6ag2hc8hlp7yp65mlgfhmpq4smsq8