Hardware Recommendations
While the preceding section discussed very basic levels of security, this section is targeted at more advanced users looking for a 'one size fits all' style solution for higher levels of security. There are a number of recommendations here, all of which have alternatives, but this is proposed for users who want to follow a 'happy path' to more advanced security. Feel free to substitute alternatives depending on your preferences / budget. The following sections on secure self-hosted ops and recovery procedures may make some assumptions about this recommended hardware, but it should be possible to substitute custom solutions as well (for more advanced users).
QubesOS / Laptop
Jumping straight in, there's a rather long-standing academic debate over the merits of VMs with USB malware prevention versus air-gapped computers. While ideally some combination of the two is best, the preceding recommendations in the Security Procedures introduction primarily assumed a user dealing with conventional consumer hardware who typically uses cold wallets or has access to cheap disposable air-gapped devices (99% of users). For those who want an arguably higher level of security, or more convenience in mixing security into their day-to-day life, QubesOS is undoubtedly the most recommended OS to work with.
Unfortunately, very little hardware is guaranteed to work with Qubes, for one reason or another; verifying that random hardware will work is not a friendly process, and making recommendations involves a bit of trial and error. Ideally, most people would be able to put together their own computers and be sure they would work, or choose the laptop / mini-PC best suited to their end use case, but here there are not many easy paths to guaranteed success, given the limited resources of the Qubes team and the limited reach of usage.
While there is a more detailed list of individual hardware components with their various Qubes compatibility ratings, most users will likely need a laptop for their daily driver / workstation (assuming that, for the most part, they can accomplish the majority of tasks without GPU acceleration and other niceties; we'll discuss in later sections how to work around these limitations with proper streaming RDP, Windows or other GPU-based VMs, etc., but for now the assumption is that a laptop + dock is the ideal entry point into hardware).
The best firmware / boot process is coreboot + HEADS. These can provide a level of attestation not found in conventional boot loaders. Coreboot can be used with TianoCore/EDK2, but that is in theory less secure than HEADS + a security key. Unfortunately, this restricts the hardware landscape even more. We'll save any discussion of the security advantages (the anti-evil-maid problem) for later.
Starlabs is one of the approved QubesOS vendors; they don't offer HEADS, but they are US based. If you're primarily interested in US supply chain hardware, they or Purism are basically the only options. We'll discuss Purism next, but for now, unless you really need US hardware at a more competitive price than Purism, it is recommended to avoid them. They don't have the best reviews compared to the other options, and there are potential quality issues. They should be kept in mind, but we recommend the alternatives.
That leaves Nitropads against NovaCustom. We mostly recommend NovaCustom for a few reasons. If you're US based, their process is a lot smoother, as they handle all imports as part of the price calculation, whereas NitroKey requires you to deal with customs. They also exclusively sell laptops, as opposed to other hardware, and they use the same HEADS + Nitrokey boot key as Nitropads. Their website is a little nicer in terms of insisting you choose compatible options (such as 1080p and no NVIDIA for Qubes, as QubesOS has not certified any NVIDIA hardware due to GPU RAM vulnerabilities and bootloader incompatibilities); Nitrokey only explains this in the small print at the bottom. They also have pretty great reviews (Nitro is close on this point as well). The most interesting point, really, is the legal framework where they're based: in theory NL laws may be superior to those in Germany (where Nitro is based). This is likely a moot point however, as both companies rely on the same base system model and mostly customize it the same way. Nova is a bit better about accessories and customer experience, though, and is focused entirely on the laptop product line.
There is an honorable mention for Purism laptops again here. The downsides are a large number of negative reviews, questionable decisions by the company, and potentially overpriced hardware. In some aspects they are extremely good, however, so we won't rule out the use of their mini-PC model, especially the v3, but we don't recommend their phones -- and their laptops should really only be used if you are concerned about a supply chain attack and/or prefer exclusively US vendors.
Phones / Internet
Having reviewed a ton of security discussions about this, the TL;DR recommendation is a Pixel phone with GrapheneOS paired with an anti-SIM-swapping carrier / eSIM data provider. Cloaked Wireless is the top recommendation due to the easy ability to replace existing phone plans (allowing outbound calls, for instance); it does not require KYC and accepts Monero for privacy. Silent Link offers a great auxiliary pairing here, allowing you to swap to their eSIM for the cheapest / best price per GB of high-priority traffic in the event you need larger amounts of traffic than Cloaked provides, or in the event you wish to use it with a WAN failover to 4G/5G on your router.
While we are rooting for Linux phones to eventually succeed, or for non-Google hardware / non-Qualcomm components, right now there are too many usability problems. If you really don't care about performance, budget, or compatibility, Purism phones are worth mentioning for their secure supply chain. But if you're an average phone user who wants compatibility / normal phone expectations, unfortunately Google's Pixel hardware paired with GrapheneOS is likely the best choice, especially if you're migrating from a conventional consumer iPhone or Android and expect to be able to use a phone somewhat 'normally'. While there is still a risk of an Intel ME-style backdoor in Pixel hardware, it's on the same relative level of risk as QubesOS hardware, which is to say that enough audits / network traffic inspections have been done to provide a certain level of security guarantee.
There's no perfect balance here, so the current recommendation / guides are written for GrapheneOS -- but still can be adapted to others.
Router
Protectli Vault is the short answer here. If you are an expert, or a crazy person, you might have some more luck buying cheap Chinese hardware and rolling the dice on flashing coreboot and other security patches, but it's not really recommended. Protectli charges a ridiculous markup for security, but given that you likely do not need a very expensive router to handle typical internet bandwidth requirements, it's not that much of a surcharge here. It's recommended to configure it with OPNsense (better UI experience, and open source related drama with pfSense).
Their external 4G/5G modem is recommended since FreeBSD doesn't play well with WiFi or modems, and any wireless access point can be used (as you can heavily control the traffic even if the AP bridge has issues). We'll discuss more recommendations for other specific WAN sources at a later time, but the router is the most important piece to secure.
Again, you do not need to spend a lot of money here for it to work. Even if you have a large internal data operation, you could get a hardware ASIC routing device for internal use only, and leave the WAN security to a cheap Protectli. It uses software routing instead of hardware routing, which doesn't scale, but if you're using a typical connection at or under 1 Gbps + failover to cell, WiFi, or Starlink, you're not going to hit any scaling limits.
Mini-PC
The best usage of a mini-PC falls under the bucket of 'I want a security server that requires a password to reboot'. You don't really want to run large workloads on a mini-PC in general; it's fine for modest usage, but where it shines is that it can essentially be always on, especially with a lithium UPS and a failover cell router. The best thing to do here is use it as a Tang server, or an authentication or password server: basically, any service or operation that deals with 'always-on' style security and avoids the issue of reboot authentication / at-rest encryption. If you want to maintain other servers, you need some way to securely reboot them to remount the LUKS / other encrypted partitions. A mini-PC provides the best source of trust for that, and you can have tons of anti-tamper mechanisms on it (security camera with Frigate, automated shutdowns, etc.). Basically, for any problem of 'always-on' hot security, a mini-PC solves it extremely well.
The secure versions of these sell out very quickly, and the Purism mini v3 is going to release soon; it is likely going to be the best recommendation due to superior firmware. Nitro doesn't offer coreboot + HEADS on their mini-PC, only on their desktop PC, so there's not much distinction here between the Starlabs Byte and the Nitro PC1.
Ideally you're also running QubesOS on this, but any hardened Linux variant can work, because if you keep the attack surface low by only running essential security / backup / ops services -- you can avoid a lot of the hassle of potential problems. A mini-PC is also really great for services that need extremely high uptime, or that act as coordinators for the rest of the nodes (such as DNS, cron jobs, etc.).
Server
So right now, there are a couple of choices to make regarding the security model for your servers. It's extremely inconvenient to deal with the performance / price tradeoff here, since most vendors really do not care about or support strong security at a premium. The best deals available for server hardware require you to purchase essentially Gen-1 (previous-generation) processors. In general the average high-end server processor is priced at around $10k/chip for the upper ranges. Most of that value is lost in the first 18 months or so, which means a Gen-1 chip on average is going to be only around 5-20% of the price (depending on when you buy it in the cycle).
There is a caveat here: there are more expensive motherboards / chips you can buy, but they really do not compare to the laptop / mini-PC areas, because it's basically impossible to get reasonable performance on a server while still getting a good deal. Laptops / phones / mini-PCs simply do not require high performance, so it's okay to sacrifice a lot for a premium on security. Servers DO, and will simply price anyone out of the market who wants to invest in higher-security hardware. It ends up not being worth it, and it is instead better to protect your key servers, routers, and user interfaces, while treating servers as ephemeral workhorses where you only check their inputs / outputs. This is not perfect, but it's the situation the vast majority of consumers / self-hosters are faced with.
That being said, there will be a more expanded section here in the future. For now, the best deals to be found are used data-center hardware. The efficiency curve for electricity usage from a server, for home use, DRASTICALLY favors Gen-1 processors. You do NOT want any generations older than that. The goal is essentially to buy the newest processor you possibly can that has depreciated significantly from the original purchase price. This gives you the most power / best performance per dollar, and keeps your electricity costs low.
It's recommended to use AMD chips for power efficiency, while for 'desktop' style interactions (such as single-core-bound build processes, games, etc.) it's better to use Intel.
Desktop / Server / "Normal" machines
Here is where you probably want an Intel chip. If you're an average user, you might have some tasks that require a GPU, or maybe Windows: either a game, or a video-heavy application like editing or CAD, or any number of common consumer applications. While Linux support has come a long way, there are still only really two paths here to re-using the hardware properly.
- Dual booting Windows. This is no longer actively recommended unless absolutely necessary, but if you think you might need it in the future, or know you will, you absolutely NEED to format the device with Windows first, before Linux, as the other way around doesn't work.
- Relying on VFIO GPU mounts with Linux for VM passthrough. This is the recommended way. It has come a long way, and you can now support the vast majority of apps either with Wine-style emulation or straight-up Windows VMs with full passthrough. The one tricky caveat here is that you'll need to deal with the video cable requiring a direct GPU connection for the video; apart from that, this option lets you re-use the GPU for server tasks / dynamically rebind the GPU between VM restarts.
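As an added example (not code from the original page), the rebinding step from the second option: a POSIX shell script that moves a PCI device such as a GPU between its host driver and vfio-pci through the sysfs driver_override mechanism, and lists the other members of its IOMMU group, which have to move with it. The device address 0000:03:00.0, the amdgpu host driver and the SYSFS_ROOT dry-run knob are assumptions for illustration.

```shell
#!/bin/sh
# Added example: rebind a PCI device (for instance a GPU) between its host
# driver and vfio-pci via sysfs driver_override, then reprobe it. SYSFS_ROOT
# defaults to /sys; point it at a constructed fake tree for a dry run.
set -eu
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Driver currently bound to PCI address $1, or "none".
current_driver() {
    dev="$SYSFS_ROOT/bus/pci/devices/$1"
    if [ -L "$dev/driver" ]; then
        basename "$(readlink "$dev/driver")"
    else
        echo none
    fi
}

# Every device sharing the IOMMU group of $1 (all of them must be handed
# to vfio-pci together, or the VM will refuse to start with the GPU).
iommu_group_members() {
    grp="$(basename "$(readlink "$SYSFS_ROOT/bus/pci/devices/$1/iommu_group")")"
    ls "$SYSFS_ROOT/kernel/iommu_groups/$grp/devices"
}

# Bind device $1 to driver $2 (vfio-pci before the VM boots, amdgpu again
# afterwards): set driver_override, unbind the current driver, reprobe.
rebind() {
    addr="$1"; target="$2"
    dev="$SYSFS_ROOT/bus/pci/devices/$addr"
    [ -d "$dev" ] || { echo "no such device: $addr" >&2; return 1; }
    cur="$(current_driver "$addr")"
    if [ "$cur" = "$target" ]; then
        echo "$addr already bound to $target"
        return 0
    fi
    printf '%s\n' "$target" > "$dev/driver_override"
    if [ "$cur" != none ]; then
        printf '%s\n' "$addr" > "$dev/driver/unbind"
    fi
    printf '%s\n' "$addr" > "$SYSFS_ROOT/bus/pci/drivers_probe"
    for m in $(iommu_group_members "$addr"); do
        [ "$m" = "$addr" ] || echo "note: $m shares the IOMMU group; rebind it too" >&2
    done
}

# Usage: SYSFS_ROOT=/sys ./vfio-rebind.sh 0000:03:00.0 vfio-pci
if [ $# -eq 2 ]; then rebind "$1" "$2"; fi
```

Run it as root against the real /sys once the VM is shut down, and again with the host driver name to hand the card back to the desktop.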
For most usage, you can rely on Linux here. For casual app usage without strong latency requirements, you can use Parsec or Moonlight to stream the video back to the QubesOS laptop; this will be noticeable to some people in some apps, so there's really no substitute for a direct video link (unless you use a Nexdock or similar lapdock to pipe the video feed directly from your 'desktop'-like server).
The main idea here is to re-use the hardware for processing other tasks, such as HA for services. Since you typically need expensive hardware to render these common apps, there's no reason for it to go to waste.
Hardware Configuration
You need a tool to enable proper boot / TPM usage, such as Mortar.