I talked about Qubes OS in my post on secure operating systems. I concluded that it is indeed quite nice, and it is also what I use; however, besides the worse performance compared to other OSes, it is also quite buggy. Some of these bugs have the potential to make the OS unusable, and mitigations are not specified in the documentation, so I thought I would mention fixes for those here, as well as some general tips on improving your user experience and security while using Qubes. This article assumes you are familiar with the Qubes OS documentation.
Some things can already be improved while using the Anaconda-based installer. I recommend setting up partitioning manually after auto-generating the layout: shrink the default 500MiB down to something like 100MiB (this is enough), and consider using a different file system for the other partitions. For performance, I recommend XFS for / and EXT2 for /boot; however, other file systems may be of interest.
While I recommend having and using Whonix on Qubes for privacy reasons, you might not need Debian (or at least not the full version, just the minimal template), and not installing it will speed up the process as well as save bandwidth and disk space.
System not asking for passphrase while booting when using storage encryption
You need to either remove rhgb from, or add plymouth.ignore-serial-consoles to, the kernel boot options. The former disables the graphical boot screen and replaces it with a text interface, while the latter leaves you unable to see systemd messages while booting and shutting down.
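As an added example (not from the original post), here is a small POSIX shell helper that applies either of the two changes to a copy of /etc/default/grub. It assumes dom0 boots through GRUB and keeps its kernel options in that file's GRUB_CMDLINE_LINUX line; the sample file content, the luks UUID placeholder and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dom0 boots through GRUB
# and keeps the kernel options in /etc/default/grub (a constructed copy of
# that file is used below so this runs anywhere).

# Print FILE with the rhgb token removed from the GRUB_CMDLINE_LINUX line
# (option 1: text-mode boot, so the LUKS passphrase prompt is always visible).
remove_rhgb() {
    sed -E \
        -e '/^GRUB_CMDLINE_LINUX=/s/ rhgb([ "])/\1/' \
        -e '/^GRUB_CMDLINE_LINUX=/s/"rhgb /"/' \
        -e '/^GRUB_CMDLINE_LINUX=/s/"rhgb"/""/' \
        "$1"
}

# Print FILE with plymouth.ignore-serial-consoles appended to the
# GRUB_CMDLINE_LINUX line unless it is already present (option 2: keep the
# graphical screen, but stop plymouth from waiting on serial consoles).
add_ignore_serial_consoles() {
    sed -E \
        -e '/^GRUB_CMDLINE_LINUX=/{/plymouth\.ignore-serial-consoles/!s/"$/ plymouth.ignore-serial-consoles"/;}' \
        "$1"
}

# Demonstration on a constructed stand-in for /etc/default/grub.
sample=$(mktemp)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="rd.luks.uuid=luks-EXAMPLE rhgb quiet"\n' > "$sample"
echo "--- option 1: drop rhgb ---"
remove_rhgb "$sample"
echo "--- option 2: ignore serial consoles ---"
add_ignore_serial_consoles "$sample"
rm -f "$sample"

# On a real dom0, apply ONE of the two to the real file, e.g.
#   remove_rhgb /etc/default/grub > /tmp/grub.new && sudo mv /tmp/grub.new /etc/default/grub
# and then regenerate the boot configuration (BIOS install):
#   sudo grub2-mkconfig -o /boot/grub2/grub.cfg
```

Pick one of the two options, not both; after replacing the real file and regenerating the GRUB configuration, reboot once to confirm the passphrase prompt is shown before changing anything else.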
Use minimal TemplateVMs
Instructions are in the docs. I recommend this because things like Thunderbird or Firefox take up lots of disk space while not being desired by everyone, so uninstalling the default templates (after making sure that networking and such works; note there is no minimal template for Whonix) could be desired.
Disable passwordless root in domUs
I feel like the docs understate the advantages of this. The easiest PrivEsc attack is fakesudo (basically aliasing sudo to something that grabs your password), whereas this method is immune to it, so it is great for adding a small amount of defense in depth.
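The fakesudo trick only works if the shell reaches an alias, function or look-alike binary before the real sudo, so a quick way to see whether a domU account has already been tampered with is to look for such definitions. The following POSIX shell check is an added example, not part of the original post or of Qubes itself; the function names are mine, and the rc file contents used for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: look for a shadowed "sudo" in
# shell start-up files, which is exactly what disabling passwordless root
# makes pointless for an attacker. File list and sample contents are constructed.

# Print (with line numbers) every line in the given files that defines an
# alias or a shell function named sudo. Exit status 0 if any was found,
# 1 otherwise, so it can be used directly in a condition.
find_sudo_shadowing() {
    grep -nE \
        '^[[:space:]]*(alias[[:space:]]+sudo=|function[[:space:]]+sudo([[:space:]{(]|$)|sudo[[:space:]]*\(\))' \
        "$@"
}

# Print the sudo that PATH resolves to and return 0 only if it lives in a
# system directory rather than somewhere the user can write.
sudo_path_is_system() {
    p=$(command -v sudo 2>/dev/null) || return 1
    echo "$p"
    case "$p" in
        /usr/bin/sudo|/bin/sudo) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a constructed rc file containing one shadowing alias and
# one shadowing function next to harmless lines.
rc=$(mktemp)
printf '%s\n' \
    'export EDITOR=vim' \
    'alias ll="ls -l"' \
    'alias sudo="$HOME/.local/bin/helper"' \
    'sudo() { command sudo "$@"; }' > "$rc"
if find_sudo_shadowing "$rc"; then
    echo "WARNING: sudo is shadowed in $rc"
fi
rm -f "$rc"

# On a real domU you would run it over the files a login shell actually reads:
#   find_sudo_shadowing ~/.bashrc ~/.bash_profile ~/.profile ~/.zshrc 2>/dev/null
#   sudo_path_is_system || echo "WARNING: sudo resolves outside the system path"
```

This is a spot check, not a guarantee: a user-writable directory early in PATH or a modified shell binary would not show up here, which is why the post's recommendation of removing the password prompt altogether is the stronger fix.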
WiFi is broken
It seems like the power-saving tool breaks certain aspects of PCIe passthrough in default settings. Do not use it; if you have already used it, you need to reinstall your NetVM. At least it appeared to be like this for me (Intel 7265 WiFi).
Domains not booting randomly (qrexec-agent failed to
This seems to occasionally happen. Try to boot them manually from the Qube Manager.
Use the MirageOS-based firewall
While it necessarily requires you to trust a third party, it may increase performance and security, as well as being much more lightweight. The Whonix wiki mentions it.