Make KeePassXC an already-available app in Vault, in Qubes' OEM configuration

[ninavizz]

The problem you're addressing (if any)
When a user freshly installs Qubes OS, they need to know to go into the apps preferences to choose to make KeyPassX available to them in the Vault VM. It would be a more user friendly experience if the app were just simply there.

Describe the solution you'd like
When a user installs Qubes OS and goes to use Qubes for the first time, KeyPassX should be available to them in the App Menu, as a default.

Where is the value to a user, and who might that user be?
One less fussy thing to have to do when configuring Qubes as a security-tight machine, and when onboarding a new user.

Describe alternatives you've considered
How it is today. Which is fine(ish)... it's just one more hurdle for users accustomed to out-of-the-box usable machines, to have to navigate.

Additional context
Walking a user through how to do this in a security training, felt like lost time. "How to use Qubes" is a different topic, from "Let's set you up to be safe."

[andrewdavidwong]

Fixed typo from "KeyPass" to "KeePass."

Also, there seems to be some disagreement about whether we should use X or XC, so I just made it "X(C)" in the title.

[andrewdavidwong]

Ah, here's the related issue I was thinking of: #3542.

Given that we go out of our way to add a password manager to the Fedora template (as an exception to our usual policy), it certainly makes sense to add the shortcut by default.

(And since we've decided on XC rather than X, per #3542, I'll update the title again to reflect this.)

[deeplow]

As far as I'm aware, these default qubes are installed via saltstack. However it doesn't have a way to select which applications show up by default. There is some discussion on making that available in qubes-devel.

So that may be a dependency for the resolution of this issue.

[ninavizz]

TY for that helpful context @deeplow, and cross-linking the prior issue I didn't find @andrewdavidwong!

[p1xxxel]

All that is needed to make the shortcut appear on the app launcher is to have have a desktop entry
at /home/$USER/.local/share/applications with the name org.qubes-os.vm.vault.org.keepassxc.KeePassXC.desktop like this :

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
X-Qubes-VmName=vault
X-Qubes-AppName=org.keepassxc.KeePassXC
Icon=/home/$USER/.local/share/qubes-appmenus/vault/apps.icons/org.keepassxc.KeePassXC.png
Name=vault: KeePassXC
GenericName=vault: Password Manager
Categories=Utility;Security;Qt;X-Qubes-VM;
Exec=qvm-run -q -a --service -- vault qubes.StartApp+org.keepassxc.KeePassXC
X-Qubes-DispvmExec=qvm-run -q -a --service --dispvm=vault -- qubes.StartApp+org.keepassxc.KeePassXC

Can this not be solved by creating this file at the time of installation when user selects to create the default vms?

[unman]

We dont currently dig in to the individual qubes like this. sys-net doesnt have a shortcut to Network Manager. Not saying we couldnt, just that we dont. Is "vault" the only case where expected applications have to be manually added to the menu? And, to point out the obvious, there will be people who want to use a vault without using KeePassXC.

[brendanhoar]

This seems to be a good opportunity to introduce (and provide some sort of UI for) a handful of user-configurable Salt state options that would cover "commonly requested" configuration options that should not be the default.

B

[ninavizz]

@unman If we're not forcing users into anything, I don't see the harm in pre-configuring some basic/recommended security opportunities for folks to get started? Linux norms and getting one's head around inheritance/descendant properties of templates/app-qubes are known barriers to many coming into Qubes OS for security—and lowering that initial barrier as much as possible w/o compromising the power-user's experience, seems like a nice thing to do?

If a user doesn't want it, once it's there, they can just un-check it in the "Applications" tab on the individual qube's Settings panel. Getting it on that panel, tho, is the harder part.

@brendanhoar Yeah, I think a "Q Manage" panel would be a place for that—where Salt recipes would live in one tab, and Qubes Manager would live in another. Separate from the extended "Qubes Settings" UI, that would do policies management. #1939 is an olde-tyme issue for a Salt recipes GUI, that your idea would be great to factor into!

[p1xxxel]

We dont currently dig in to the individual qubes like this. sys-net doesnt have a shortcut to Network Manager. Not saying we couldnt, just that we dont. Is "vault" the only case where expected applications have to be manually added to the menu? And, to point out the obvious, there will be people who want to use a vault without using KeePassXC.

What I think is that if someone is checking the box to make default VMs such as personal and vault, they are a new user. Someone who has already used Qubes would probably just want to import from backup.

Yes, there will be people who would want a vault without a password manager but that would be a small % of new users (Old users would just import from backup instead of creating the default qubes again.)

Also KeePassXC is already installed, this is just preconfiguring a shortcut to show in the quick launch menu.

Maybe once you select to make the default VMs in the installer, another screen can be shown about the default shortcuts and then the user can uncheck the recommended shortcuts if they don't want it.

[unman]

Maybe once you select to make the default VMs in the installer, another screen can be shown about the default shortcuts and then the user can uncheck the recommended shortcuts if they don't want it.

Let's not make the setup any more complicated.