Segmentation of apps through VMs/Containers on Debian
Well I was involved with a discussion about this segmentation issue a week or so ago:
Qubes OS Forum – 14 May 26
What's your Template:AppQube Ratio?
General Discussion
This is more of a threat model discussion: I don’t believe there’s a “right” or “wrong” take. On one extreme end, you could install every program within the stock fedora template, and create many app Qubes from it. This has the benefit of limiting...
Immediately under that is my participation in the topic, which refers to another similar topic discussion:
Qubes OS Forum – 21 Nov 25
Do you have a template for each pseudonym/activity, or a template for each...
General Discussion
For example, if I have a pseudonym John, and I need three apps: a browser (Brave, Trivalent, whatever); SimpleX; Thunderbird. Would you: create a template named, say, whonix-workstation-17-john, and install the three programs in there (I know...
So the problem is that you are containing each individual app in separate VMs, but you do not compartmentalize your identity into separate VMs instead, which means you are paying a lot for resources. To address that, you could separate your identity into similar workflows, such as the Qubes OS default qubes:
- Personal
- Untrusted
- Vault
- Work
This suggestion is incredibly generic because I have no idea what your identity consists of. Journalists and whistleblowers have specific needs that may not be applicable to your threat model, and so on. You will likely want to look at this documentation for some inspiration to compare against:
Qubes OS
How to organize your qubes
When people first learn about Qubes OS, their initial reaction is often, “Wow, this looks really cool! But… what can I actually do with it?” It’s not always obvious which qubes you should create, w...
This information will nudge you in a more relevant direction, but you will still be required to do the initial bootstrap yourself.