The Qubes Forum is moving to a new home!

Update: The migration has been completed successfully!

Since the Qubes Forum first launched over nine months ago, it’s been far more popular than we anticipated! While this has been a pleasant surprise, one consequence is that we’ve outgrown the free hosting for open source projects that Discourse has generously been providing to us. As a result, we must switch to a new paid host. We’re also taking this opportunity to move the forum to our official domain!

In order to ensure a smooth and orderly transition, we’re announcing these changes well in advance. The move is scheduled for 2021-07-01 (July 1), which is a little over two weeks from the date of this announcement. We hope this gives everyone sufficient time to prepare so that the transition doesn’t come as a surprise.

Once the move has been completed, the forum’s new address will be:

Again, this link will not take you to a fully functional forum until the migration on 2021-07-01. We hope that this new address better reflects the forum’s official nature, as well as being intuitive and easy to remember. :)

Rest assured, we’ll be taking a full backup of the current forum and copying everything over to the new forum, including all categories, topics, posts, private messages, and even likes! After the migration, the old forum will automatically redirect visitors to the new address for at least a few months.

We’d like to thank you, the Qubes community, for making the forum a success. Your passion and engagement helps the project grow as we continue our journey together. On a personal note, I’d also like to give special recognition to a few individuals whose efforts made this forum possible to begin with and continue to sustain it. Thank you, deeplow, Simon Newton, and Michael Carbone for your tireless work. We wouldn’t have this forum without you!

Important note for U2F two-factor authentication users

If you’re using a U2F key for two-factor authentication (2FA) on the forum, you’ll have to use a backup code in order to log in on the new domain. Alternatively, you can disable two-factor authentication before the migration and re-enable it afterward. Please make sure you have either saved a copy of your backup codes or disabled 2FA before 2021-07-01, or you will be locked out of your forum account!

This is a companion discussion topic for the original entry at

Oh, good. I won’t have to correct ‘Discord’ anymore.


Before someone asks, here’s how to get these backup codes:

1 Like

As I understand changing the domain is what will break 2FA.

This in turn means that everyone using 2FA will need to generate a new code once the move happened – right? The “recovery code” simply allows to login once to then generate the new code.

Is it possible for you to disable 2FA for everyone right before moving to the new domain?

In the current scenario we have the risk that some won’t see the warning in time and then loose access to the forum, which will probably lead to a lot of requests to unlock their old accounts (assuming the mods can disable 2FA – why wouldn’t they?)

In the scenario where all 2FA gets shut off before moving, we remove a level of authentication but no one will loose access and as soon as they return they are free to re-enable 2FA. Wouldn’t that be easier?

After all this is a discussion forum and not a bank account.

Changing the domain name only breaks FIDO U2F 2FA, assuming TOTP 2FA secrets are migrated to the new server.

When a U2F device is used as the second factor, the domain/origin is part of a static identifier used for initial registration and subsequent sign/authenticate operations. In Yubico’s case, it’s also used to generate the keypair. So if the domain name changes (and assuming the browser is legitimate), the browser would be requesting the U2F token to sign a challenge that it simply doesn’t have an association for.


  1. If you use a U2F key as your second login factor
  2. Once the domain switch happens, it will be equivalent to losing the U2F key

Therefore there are two things users who match criteria (1) should do now:

  1. Enable backup codes now and store them if not already done, OR
  2. Disable U2F 2FA before the switch

…as those appear to be the only way to get back into your account via self-service. This is my understanding as a forum user.

My bank account still wants to SMS me, forces a maximum 16 character password, and only allows 4 choices for the symbol characters, all while including many ad, session playback, and tracking scripts…can I store my money on the forum instead???



Nope as far as I am aware.


1 Like