By default, accessing USB devices is disabled. Enabling USB access comes with specific security risks, but for most of us, it’s a necessity. For example, I need access to my YubiKey in a specific domain.
Qubes uses a sys-vm called sys-usb to proxy the USB devices. Normally, this is created during the installation process (you are asked at the end). But if you do not have it, you can create it by running the following command in the dom0 terminal:
sudo qubesctl state.sls qvm.usbYou can check the detected USB Devices by running in the dom0 terminal:
qvm-usbThe output should look like this:
$ qvm-usb
BACKEND:DEVID DESCRIPTION USED BY
sys-usb:2-4 AsusTek_Computer_Inc._AURA_LED_Controller
sys-usb:2-6 Generic_Flash_Card_Reader_Writer
sys-usb:6-3 Logitech_USB_Receiver
sys-usb:8-1 Microsoft_Natural_Ergonomic_Keyboard_4000
sys-usb:8-2 Yubico_YubiKey_FIDO+CCID work
If no devices are detected, you need to enable the usb by running (if you have a USB keyboard or mouse) and reboot.
sudo qubesctl state.sls qvm.usb-keyboardTo passthrough a USB device to a Qube, the following command must be ran in the dom0 terminal:
qvm-usb attach DOMAIN sys-usb:6-2Where the DOMAIN is the QUBE and the sys-usb:6-2 is the device id from the qvm-usb provided list.
There is also the option to use following tray icon. Right click on it, choose the usb device and then the DOMAIN where it should be passed.
The official documentation regarding the usage of USB devices in Qubes OS is available at https://www.qubes-os.org/doc/usb-qubes/