QubesOS 4.2.4

Goal

Automatically shut down sensitive Qubes I always forget to shutdown when I close my laptop (password managers, sys-net, vault, sys-usb, etc). I like the idea of ensuring specific Qubes have been shutdown in case of theft or not knowing whether my laptop will resume in a friendly or hostile environment.

Configuration

Mostly takes place from dom0 1. Tag VMs to shutdown upon suspend with a tag of your choice qvm-tags <VM NAME> a shutdown-on-suspend 2. Edit the 52qubes-pause-vms script

sudo vi /usr/lib64/pm-utils/sleep.d/52qubes-pause-vms

1. Add the following commands to the suspend section (above the existing qubesd-query command), matching the tag you set earlier

   # Cycle through all Qubes with the shutdown-on-suspend tag
   for QUBE in $(qvm-ls --tags shutdown-upon-suspend | awk 'NR>1 {print $1}'); do
       # Trigger parallel shutdown commands in the background
       qvm-shutdown --wait --force $QUBE &
   # Close the for loop
   done
   # Wait until all shutdown commands complete
   wait
   

Troubleshooting

• Make sure the target Qubes are running then trigger a suspend by running systemctl suspend and note how long it takes for the computer to go to suspend. If it suspends quickly, there's a chance it isn't working.
• Check logs via journalctl -b suspend

Feedback

Always open to it. This community has been so helpful to me--I wanted to share a guide that I hope may help someone else.