Installation - wizardofhoms/risks GitHub Wiki


  • There are only two files to be installed in the vault VM: the risks CLI, and its _risks completion script. Since these scripts are used to handle sensitive data, you should spend the required time to thorougly review the code in them. A good hour should be needed for this, since these scripts are quite long (although most of the CLI is auto-generated, and redundant, so quickly reviewed).
  • It is strongly advised to use a debian-minimal template for the vault: all installation instructions are adapted for this distribution.

To follow the installation instructions and proceed fast and without problems, you need:

  • A debian-minimal TemplateVM, in which to install the vault dependencies.
  • A whonix AppVM with network access, in which to download and build some tools.

TemplateVM Setup

Runtime dependencies

First, install most packages through apt in the TemplateVM:

sudo apt install zsh cryptsetup steghide dosfstools wipe xclip pass e2fsprogs qubes-gpg-split gnupg2 socat pinentry-curses ssh-askpass-gnome libnotify-bin sox haveged rng-tools make file rig

Building and installing fscrypt

We then install fscrypt, a high-level encryption tool. For this tool to be built, we need to have a recent Go toolchain, build the library with a glibc version available on Debian, so the following instructions should be used in a disposable client Whonix VM, with network access. It is important to perform all the following operations in the same shell session/terminal:

# Install dependencies
sudo apt install libpam0-dev

# Install Go
git clone && cd update-golang
wget -qO hash.txt
sha256sum -c hash.txt
sudo ./ -declutter 
export PATH=/usr/local/go/bin:$PATH

# Dowload and build the fscrypt binary
cd /tmp && git clone && cd fscrypt

# Move to the TemplateVM
qvm-copy ./bin/fscrypt

Then, install the produced binary into the vault TemplateVM:

sudo cp /home/user/QubesIncoming/<disp_where_fscrypt_was_build>/fscrypt /usr/bin

Building and installing Spectre

Still in the Whonix disposable VM with network access, we build the spectre password manager and copy the resulting binary to our TemplateVM with the following commands:

sudo apt install libncurses-dev libsodium-dev libjson-c-dev jq
cd /tmp && git clone --recursive && cd cli
qvm-copy spectre

In the TemplateVM, install the binary:

sudo cp QubesIncoming/<disp_whonix_vm>/spectre /usr/bin


First download the tomb script from the Whonix VM, and copy it in the TemplateVM:

cd /tmp
wget -c
wget -c
sha256sum -c Tomb-2.9.tar.gz.sha
qvm-copy Tomb-2.9.tar.gz

After, install the tomb script in the TemplateVM, and remove unneeded packages/artifacts:

cd ~/QubesIncoming/<vm_where_tomb_was_downloaded>
tar xvfz Tomb-2.9.tar.gz
cd Tomb-2.9
sudo make install PREFIX=/usr 
cd ..
rm -fR Tomb-2.9
sudo apt remove make

GPG-split (optional)

It is likely that you will need to use GPG keys outside of the vault. If yes, install GPG-split:

sudo apt install qubes-gpg-split

Final setup steps

Initialize the fscrypt tool (which will create a conf in /etc/fscrypt.conf and a /.fscrypt directory). Answer "N" to the fscrypt prompt, then shutdown the template:

sudo fscrypt setup

Accessorily, set the user shell to ZSH:

sudo chsh user -s /usr/bin/zsh

The TemplateVM for the vault is now ready, and can be powered off.

Vault AppVM Setup

Installing risks

Now that our vault VM has all the required dependencies, we can install the risks tools. The following commands download the CLI, its completions, the signature and the sha256sum, and verify that the sha256 and GPG signature are valid/correct.


# Import wizardofhoms GPG key
gpg --keyserver --search [email protected]
gpg --verify risks.gpg risks
sha256sum -c risks.sha

Alternatively, you can get the GPG keys here:[email protected]

Once done, move the files over to the vault VM:

qvm-copy risks _risks

Copy the files to their respective places (adapt the directories of this example), and launch a new terminal to load changes:

# Command script
sudo cp QubesIncoming/joe-dvq/risks /usr/local/bin/risks && sudo chmod +x /usr/local/bin/risks
# Completions
sudo mkdir -p /usr/local/share/zsh/site-functions
sudo cp QubesIncoming/joe-dvq/_risks /usr/local/share/zsh/site-functions/_risks

Final setup steps

Enable filesystem encryption in the /rw device, needed by fscypt, and setup fscrypt itself on the corresponding mount point (answer 'N' to the fscrypt prompt):

sudo /sbin/tune2fs -O encrypt /dev/xvdb     # /dev/xvdb is the device storing the /rw filesystem in Qubes
sudo fscrypt setup /rw

We disable history in the VM. ZSH, by default does not save any history. Ensure you don't have these settings in .zshrc. For bash, use the following commands:

echo 'unset HISTFILE' >> .bashrc
source .bashrc
wipe -f .bash_history

Then, we disable swap for the VM, since tomb requires it to be off.

sudo sh -c "sed 's/bin\/sh/bin\/bash/g' -i /rw/config/rc.local"
sudo sh -c 'echo "swapoff -a" >> /rw/config/rc.local'

Finally, run the CLI without command. This will create a ~/.risks/ directory and will write the default configuration file in it:

$ risks
risks  .  Creating RISKS directory in /home/user/.risks
risks  .  Writing default configuration file to /home/user/.risks/config.ini

You can check the generated configuration file ~/.risks/config.ini, which stores all values needed by risks. By default, none of those settings need to be changed. Should you want to modify them, you can either edit the configuration file in place, or use risks config set <variable> <value> commands (autocompleted).

The vault AppVM is now ready for correct operation of the risks CLI.

Optional setup

The risks CLI has a hidden command risks identity, printing the currently active identity. It can be useful to integrate a call to this command somewhere in the prompt, like this in ZSH:

setopt promptsubst
PROMPT="my_prompt_variables [ $(risks identity) ] $"

Once an identity is active, the prompt should look like this:

 [email protected] [ John_Doe ] $
⚠️ ** Fallback** ⚠️