blog.nicolabaudo.fr

dropQbsd: Pro Security for Complete Beginners


The Problem: Your Computer Is a House With No Doors

Normally, all your programs live in the same space. Your browser, your email, your documents — same room. If one program gets infected, it can snoop through your email, steal your files, spy on everything you type. It's like living in a studio apartment with a stranger who might be a thief. You have no doors to close.

The Qubes OS Insight: Put Everything in a Separate Room

Qubes OS had a brilliant idea. Instead of running everything in the same environment, it creates multiple separate "virtual computers" — one for browsing, one for email, one for documents. If your browser catches a virus, the virus stays locked inside. It can't reach your email or your files. It's like an apartment with locked doors between every room.

The catch? To create these virtual computers, Qubes OS uses virtualization: it pretends to run several computers inside your real computer. This takes a lot of RAM (at least 8 GB), a lot of disk space (30+ GB), and an installation that can take hours. It's like building a concrete bunker when all you needed was drywall. The complexity itself becomes a risk: more code means more bugs, and more bugs mean more security holes.

The dropQbsd Bet: Same Security, Zero Bloat

dropQbsd takes the same idea as Qubes OS — isolating functions into separate compartments — but does it without virtualization. Instead of creating virtual computers, it uses a feature that's been in Unix for forty years: separate users.

On top of OpenBSD (the most thoroughly audited operating system on earth — zero telemetry, two remote holes in the default install in twenty-five years), dropQbsd creates four users:

  • userweb — web browsing only. Cannot touch your email or documents. Can't even see your local network.
  • usermail — email only. Cannot browse the web or access your files.
  • userdoc — documents and sync only. Cannot reach the internet.
  • user — the conductor. Does nothing directly: doesn't browse, doesn't write mail, doesn't archive files. It just launches applications in the right domains. Has no admin privileges.

These four users share a single folder — the drop zone — to exchange files under strict rules. Every 60 seconds a script checks that everything is in order. If something's wrong, the offending file gets quarantined with an explanation ticket.
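
An added sketch of what one pass of such a check could look like (not dropQbsd's own script; the rules, the 10 MiB cap and the names violation and police_dropzone are assumptions made for illustration):

```shell
#!/bin/sh
# Added example: one pass of a drop-zone check. The rules are assumptions for
# illustration, not dropQbsd's actual policy.
MAX_BYTES=10485760            # assumed size cap: 10 MiB

# Print why a path breaks the (assumed) rules; print nothing if it is fine.
violation() {
    if [ -L "$1" ]; then
        echo "symbolic link: could point outside the drop zone"
    elif [ ! -f "$1" ]; then
        echo "not a regular file (directory, FIFO, socket or device)"
    elif [ -n "$(find "$1" \( -perm -4000 -o -perm -2000 \) -print)" ]; then
        echo "setuid or setgid bit set"
    elif [ -n "$(find "$1" \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print)" ]; then
        echo "executable bit set"
    elif [ -n "$(find "$1" -size +"${MAX_BYTES}"c -print)" ]; then
        echo "larger than $MAX_BYTES bytes"
    fi
}

# Check every entry in zone $1; move offenders to quarantine $2 with a ticket.
# Prints the number of entries quarantined in this pass.
police_dropzone() {
    zone=$1 quarantine=$2 count=0
    stamp=$(date +%Y%m%dT%H%M%S)
    for f in "$zone"/* "$zone"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        reason=$(violation "$f")
        [ -n "$reason" ] || continue                # entry is acceptable
        dest="$quarantine/$(basename "$f").$stamp.$((count + 1))"
        owner=$(ls -ld "$f" | awk '{print $3}')     # who dropped it
        mv "$f" "$dest" || continue                 # moves a symlink itself, not its target
        count=$((count + 1))
        # The explanation ticket sits next to the quarantined file.
        printf 'file: %s\nowner: %s\nwhen: %s\nreason: %s\n' \
            "$(basename "$f")" "$owner" "$stamp" "$reason" > "$dest.ticket"
    done
    echo "$count"
}
```

Called from a loop with sleep 60 (or from cron), this gives the 60-second cadence described above. Keeping the quarantine directory on the same filesystem as the drop zone makes the move a plain rename.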

The Self-Destructing Browser

The most exposed part of any computer is the browser. It's the main entry point for viruses, trackers, and malware. dropQbsd treats it as disposable: every time you open the browser, it's created in RAM. When you close it, everything disappears. Cookies, history, credentials, any malware — gone. Next session starts from zero.

Bookmarks and passwords don't live in the browser — they live in a password manager like KeePassXC. The browser stays an empty room you destroy every time you leave.

What It Protects You From

  • A virus in your browser can't read your email. Domains are isolated.
  • A virus in your email can't reach your local network. The firewall blocks it.
  • A compromised browser gets destroyed on exit. Next time it's clean.
  • No file moves between domains unchecked. The drop zone is policed every 60 seconds.
  • Your main account can't become admin. It has no doas access. The only path to root privileges is a 10-line binary that can do exactly one thing: launch apps in domains — nothing else.

What It Does NOT Protect You From

  • Someone who can see your screen can intercept what you type in other domains. This is a limitation of X11, the graphics system, not a dropQbsd bug. If your adversary is physically at your computer or has already compromised a domain with screen access, they can snoop keystrokes. For this specific threat, Qubes OS is better.
  • If the user account (the conductor) gets compromised, everything falls. That's the weak point: user holds the keys to launch apps in all domains. That's why user never browses the web, never opens suspicious attachments, never runs untrusted programs. Its home directory stays empty and clean. For extra hardening, ~/Desktop and ~/Documents can be made read-only.
  • A kernel-level attack hits all domains. They share one kernel. That's the price of skipping virtualization.

The Comparison

                     | dropQbsd                                  | Qubes OS
---------------------|-------------------------------------------|-------------------------------------------
How it isolates      | Separate Unix users                       | Virtual machines (Xen)
Minimum RAM          | 512 MB                                    | 8 GB
Disk space           | ~2 GB                                     | 30+ GB
Install time         | 10 minutes                                | 1–2 hours
Rebuild from scratch | 30 minutes                                | Hours/days
Code to audit        | ~500 lines of scripts + 10 lines of C     | Millions of lines
Protects against     | Malware, network attacks, data leaks      | Malware, network attacks, data leaks, kernel exploits, keystroke snooping

Choose dropQbsd if you want compartmentalization without the weight of virtualization. Choose Qubes OS if your adversary can exploit kernel bugs or intercept keystrokes at the graphics level.

Why OpenBSD and Not Linux

Linux distributions ship with millions of lines of code nobody has audited end-to-end: systemd, PulseAudio, D-Bus. Many distros now include telemetry, crash reporters, and automatic callbacks to external servers.

OpenBSD doesn't. It's the only operating system on earth that undergoes continuous, funded, line-by-line security auditing. Zero telemetry. Small enough for one person to understand. Two remote holes in the default install in over twenty-five years — that's not marketing, that's an engineering track record.

Security is simplicity. Privacy is auditable. OpenBSD delivers both as engineering discipline, not ad copy.

What Does It Cost?

Nothing. OpenBSD is free. dropQbsd is free and open source (ISC license). It runs on hardware you already own — even ten-year-old machines. No licenses, no antivirus subscriptions, no forced hardware upgrades every five years.

Is It for You?

  • If you're a professional handling sensitive data (lawyers, accountants, journalists, doctors) and want to sleep at night.
  • If you run a business that needs GDPR compliance and wants it to be technical, not just paperwork.
  • If you're a regular user tired of telemetry, antivirus bloat, and operating systems that decide what you can and can't do.
  • If you're curious to see how simple and clean a computer can be.

Repository: github.com/nobraininside/dropQbsd

Ten minutes to install. Rebuildable in thirty. Zero lock-in.


Date
2026-06-29
Taxonomy
English | security, openbsd, qubes-os, dropqbsd, gdpr

2026 © Nicola Baudo | Github | SIRET 99992053100012