This guide explains the process of installing and using Trezor cryptocurrency hardware wallets on Qubes OS. Many people have been having issues using Trezor on Qubes so I compiled an exhaustive and ultimate guide on the process. Please comment any issues and I will help troubleshoot.

I am posting the brief instructions here. If you require more detail please see my Github.

Written by Ursidae: https://ursidaecyber.com

Step 1: Install Trezor Suite

  1. Install the Trezor Suite .AppImage from the Trezor website along with the signature and signing key in a new Whonix AppVM dedicated to Trezor.

  2. Verify the download.

  3. Execute code:

sudo chmod u+x /Downloads/Trezor-Suite-23.4.2-linux-x86_64.AppImage
  1. Right click on the .AppImage file and press execute to open the application.

Step 2: Port Listening

In Trezor Whonix AppVM:

  1. Execute command:
sudo nano /rw/config/rc.local
  1. Add the following code to the file:
socat TCP-LISTEN:21325,fork EXEC:qrexec-client-vm sys-usb trezord-service &
  1. Save and exit.

Step 3: Dom0 Trezor Policy

In Dom0:

  1. Execute:
sudo nano /etc/qubes-rpc/policy/trezord-service
  1. Add this code to the new file:
$anyvm $anyvm allow,user=trezord,target=sys-usb
  1. Save and exit.

Step 4: Fedora Cloning

  1. Clone your current regular fedora-37 template Qube and name it fedora-37-sys.

  2. Clone the fedora-37-dvm Qube and name it fedora-37-sys-dvm.

  3. Set the template for the fedora-37-sys-dvm as fedora-37-sys.

  4. Set sys-usb’s template as fedora-37-sys-dvm.

Step 5: Trezord Service

In fedora-37-sys-dvm:

  1. Execute in terminal:
sudo mkdir /usr/local/etc/qubes-rpc
  1. Execute:
 sudo nano /usr/local/etc/qubes-rpc/trezord-service
  1. Add this code to the file:
socat -- TCP:localhost:21325

  1. Save and exit.

  2. Execute:

sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service

Step 6: Trezor Bridge

In fedora-37-sys:

Download the Trezor Bridge .rpm file from Trezor.

  1. Execute:
sudo chmod u+x /Downloads/trezor-bridge-2.0.27-1.x86_64.rpm
  1. Then execute:
sudo rpm -i /Downloads/trezor-bridge-2.0.27-1.x86_64.rpm

Step 7: Udev rules

Note on Udev rpm use: Using the Trezor-provided Udev rpm file does not work for Qubes. See in-depth explanation section below. Use the provided Method 1 or 2 here. Use method 1 if comforable with enabling networking in template and method 2 if not.

Method 1: Manual Build

In fedora-37-sys:

  1. Run:
sudo nano /etc/udev/rules.d/51-trezor.rules

Copy and paste this code into the file:

# Trezor

SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"

# Trezor v2

SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"

  1. Save and exit.

  2. Execute:

sudo chmod +x /etc/udev/rules.d/51-trezor.rules

OR

Method 2: Curl Installation

  1. In fedora-37-sys enable networking.

  2. Install curl:

sudo dnf install curl
  1. Download Udev rules:
sudo curl https://data.trezor.io/udev/51-trezor.rules -o /etc/udev/rules.d/51-trezor.rules
  1. Allow execution:
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
  1. Revoke fedora-37-sys networking permissions.

Step 8: Install Trezor Dependencies

In the Trezor Whonix AppVM:

  1. Install pip:
sudo apt install pip
  1. Execute:
pip3 install --user trezor

AND

In fedora-37-sys:

  1. Allow networking.

  2. Execute:

sudo dnf install trezor-common
  1. Revoke networking permissions in fedora-37-sys.

Done.