mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-25 07:35:32 -04:00
whonix updates
parent 849dc2dfb5
commit 6f33bc5e8d
5 changed files with 19 additions and 13 deletions
@ -190,7 +190,11 @@ How the App qubes will be organized, without displaying service qubes or Templat
* **A vault qube**. This will be used for all data storage, because a qube that doesn't need networking shouldn't have it. This qube can be reassigned to the `debian-11-documents` Template so that trusted files can be opened there.
* **A disposable Whonix qube**. The default `whonix-ws-16-dvm` qube is disposable (noted by the "dvm" naming, meaning disposable virtual machine). You can think of it as similar to Tails: system-wide Tor, and erasure after shutdown (without the anti-forensics property, as noted above). All Whonix App qubes use the `whonix-ws` (workstation) Template and only the `sys-whonix` qube uses the `whonix-gw` (gateway) Template.
* **A disposable Whonix-Workstation qube (`whonix-ws-16-dvm`)**.
* [Remember](#general-usage) - Whonix works by using the Whonix-Workstation Template (`whonix-ws-16`) for the App qube and the Whonix-Gateway Template (`whonix-gw-16`) for a separate Service qube named `sys-whonix` (not shown in this diagram). Unless you are an advanced user, you should never be touching the Whonix-Gateway - all of your activity happens in Whonix-Workstation. When an App qube is disposable, the naming convention is to append `-dvm` for *disposable virtual machine*.
* Disposables display in a way that may be confusing in the Qubes **Applications menu**. You will see two entries for this qube: the **Disposable: whonix-ws-16-dvm** entry which is where you launch applications from, and the **Template (disp): whonix-ws-16-dvm** entry which is the Template for the disposable (do not use applications from here).
* You can think of a disposable Whonix-Workstation qube as similar to Tails: system-wide Tor, and erasure after shutdown (without the anti-forensics property, as noted above).
* Do not customize the disposable Template at all, in order to resist fingerprinting.
* **A disposable Debian or Fedora qube**. The default `debian/fedora-dvm` qube (depending on your post-installation decision) is disposable, and is great for web browsing that blocks Tor, such as logging into online banking.
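Review bot: the new Applications-menu bullet ("Template (disp): whonix-ws-16-dvm entry which is the Template for the disposable (do not use applications from here)") gives the instruction without the reason, and the reason is the same one the later "Do not customize the disposable Template at all" bullet relies on: anything launched from the Template (disp) entry runs inside the persistent disposable template, so its changes (files, settings, browser state) carry into every disposable started from it afterwards and make those disposables distinguishable. Suggest folding the two into one bullet, e.g. "the Template (disp) entry runs applications inside the disposable template itself; anything done there persists into every future disposable, so never launch applications from it and never customize it, in order to resist fingerprinting." Also confirm that the #general-usage anchor referenced by "[Remember](#general-usage)" exists on this page, since the paragraph being replaced did not depend on a cross-reference.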
@ -204,7 +208,8 @@ It's possible to just use the system as it is now, but let's show you how to cre
* **Type**: AppVM
* **Template**: whonix-ws-16
* **Networking**: sys-whonix
* The official Monero wallet is natively included in whonix-ws. Now that the qube exists, in the **Settings → Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu.
* Now that the qube exists, [install the Monero wallet in the App qube](https://www.kicksecure.com/wiki/Monero#c-kicksecure-for-qubes-app-qube). Then in the **Settings → Applications** tab, bring Monero Wallet into the Selected column, and press **OK**. The shortcut will now appear in the Applications Menu.
* This App qube is not made disposable - our preference is that all networked qubes are disposable, but a straight-forward set up requires that data persists for the wallet to function properly.
* **An offline disposable qube**. Right now both disposables have networking (with and without Tor). Finally, we will demonstrate how to create a disposable without networking for opening untrusted files (like PDFs and LibreOffice documents). Again, go to **Applications menu → Qubes Tools → Create Qubes VM**
* **Name**: debian-11-offline-dvm
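Review bot: the replacement bullet ("install the Monero wallet in the App qube") drops the reason the old sentence gave ("natively included in whonix-ws") and does not say where the install must land. In an App qube only the /rw volume (/home and /usr/local) persists; the root filesystem is discarded at shutdown and rebuilt from whonix-ws-16, so a wallet installed with the package manager inside the App qube is gone after a reboot. Suggest stating that the wallet is no longer shipped in whonix-ws and that the linked procedure must keep the wallet under /home/user (or be done in a cloned Template), and that the Settings → Applications shortcut may not be listed until the Refresh applications button on that tab has been used. The following "not made disposable" bullet then reads consistently: the persistent /home is exactly what the wallet data relies on.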
@ -222,6 +227,7 @@ It's possible to just use the system as it is now, but let's show you how to cre
* **Split-ssh**: SSH keys live in an offline qube and their access is tightly controlled
* **Mullvad-vpn**: A [VPN](/glossary/#vpn-virtual-private-network) qube using the WireGuard protocol (via Mullvad). Mullvad is one of the only reputable VPN companies - they accept cryptocurrency, and also sell [voucher cards](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/).
* **sys-vpn**: A VPN qube using the OpenVPN protocol
* **split-xmr**: The monero wallet lives in an offline qube and its access is tightly controlled.
If you want your qubes that are not using Tor to be forced through a VPN, this is the easiest way to set that up.
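Review bot: the new split-xmr entry ("The monero wallet lives in an offline qube and its access is tightly controlled") describes a setup that contradicts the Project-monero qube documented earlier in this same commit, where the wallet sits in a networked whonix-ws-16 App qube that is deliberately not disposable so its data persists. Say which of the two is recommended, or label split-xmr as the more isolated alternative to that setup and link to its docs the way the Mullvad-vpn entry does. Minor: "monero" should be capitalized to match "Monero Wallet" elsewhere on the page, and this entry ends with a period while the sys-vpn entry above it does not.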
@ -292,16 +298,16 @@ Adapted from the [docs](https://www.qubes-os.org/doc/how-to-back-up-restore-and-
The Whonix project has their own [extensive documentation](https://www.whonix.org/wiki/Documentation). So does [Kicksecure](https://www.kicksecure.com/wiki/Documentation), which Whonix is based upon. When Whonix is used in Qubes OS it is sometimes referred to as Qubes-Whonix. Whonix can be used on other operating systems as well, but it's preferable to use it on Qubes OS due to the superior isolation it provides.
Different applications on a Whonix App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [Stream Isolation](https://www.whonix.org/wiki/Stream_Isolation).
[Several default applications](https://www.whonix.org/wiki/Stream_Isolation#List) on a Whonix-Workstation App qube are configured to use unique circuits of the [Tor network](/glossary#tor-network) so that their activity cannot be correlated - this is called [Stream Isolation](https://www.whonix.org/wiki/Stream_Isolation).
Note that [multiple Whonix App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) should not be used simultaneously:
To take advantage of compartmentalization, create distinct Whonix-Workstation App qubes for distinct activities/identities, like we did [above](#creating-qubes) for the Project-monero qube. Distinct Whonix-Workstation App qubes are automatically stream isolated. Note that it is considered best practice to not use [multiple Whonix-Workstation App qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstation#Safety_Precautions) simultaneously:
> It is safest to only use one Whonix-Workstation at a time and for a single activity. New risks are introduced by running multiple Whonix-Workstation at the same time. For instance, if a single Whonix-Workstation was compromised, it could potentially perform various side channel attacks to learn about running processes in other VMs, and not all of these can be defeated. Depending on user activities, a skilled adversary might be able to correlate multiple Whonix-Workstations to the same pseudonym.
Also worth noting is that "for those who regularly download Internet files, Tor Browser's default download folder is inconvenient." Follow the [docs](https://www.whonix.org/wiki/Tor_Browser#Navigating_Tor_Browser_Downloads) to change the default in the `whonix-ws` (workstation) Template.
> While multiple Whonix-Workstation are recommended, this is not an endorsement for using them simultaneously! It is safest to only use one Whonix-Workstation at a time and for a single activity. New risks are introduced by running multiple Whonix-Workstation at the same time. For instance, if a single Whonix-Workstation was compromised, it could potentially perform various side channel attacks to learn about running processes in other VMs, and not all of these can be defeated. Depending on user activities, a skilled adversary might be able to correlate multiple Whonix-Workstations to the same pseudonym.
Tor Browser can't upload files from `/home/user/QubesIncoming/` due to how permissions are set, so move files somewhere in `/home/user/` to upload them, such as the Downloads directory.
Occasionally, a new version of Tor Browser will be available before it can be updated through the Qubes Update tool. If this is the case, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-ws-16`). As the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary) specify, do NOT run this tool from within a disposable Template - the disposable Template will be automatically updated.
# Password Management
Passwords should be managed with KeePassXC from the `vault` App qube. If unfamiliar with KeePassXC, you can learn about it in [Tails for Anarchists](/posts/tails/#password-manager-keepassxc). This leaves three passwords that must be memorized:
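Review bot: the Tor Browser Downloader paragraph says "do NOT run this tool from within a disposable Template - the disposable Template will be automatically updated", which leaves out both the mechanism and the risk: whonix-ws-16-dvm is based on whonix-ws-16, so it receives the new browser when that Template is updated and the disposable is next started, whereas running the downloader inside the disposable Template writes a diverging browser copy into it that persists into every disposable and defeats the "do not customize" rule given earlier in this commit. Suggest "from within the disposable Template (whonix-ws-16-dvm): it inherits the update from whonix-ws-16 on its next start". Related wording: "Several default applications ... are configured to use unique circuits" and "Distinct Whonix-Workstation App qubes are automatically stream isolated" describe two different isolation levels (per application within one qube, and per qube); one clause distinguishing them would keep a reader from concluding that every application in a single qube gets its own circuit.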
@ -338,7 +344,7 @@ There is a lot more flexibility in how you configure Qubes OS than Tails, but mo
* Phishing awareness
* This is where Qubes OS really shines. Awareness is no longer your only defence - the design of Qubes OS protects against [phishing](/glossary/#phishing) attacks.
* Open attachments in a qube that is disposable and offline.
* Open links in a Whonix qube that is disposable.
* Open links in a Whonix-Workstation qube that is disposable.
## Post-installation Decisions
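Review bot: the context bullet "the design of Qubes OS protects against phishing attacks" overstates what the two practices below it deliver. Opening an attachment in an offline disposable and a link in a disposable Whonix-Workstation contain the damage when the file or page carries an exploit (the compromised qube holds no data, has no network in the offline case, and is destroyed on close), but neither stops the classic phishing outcome of typing credentials into a look-alike login page; awareness remains the only defence there. Suggest "protects against malicious attachments and links, the usual phishing payload, though not against entering credentials on a fake site". The renamed bullet "Whonix-Workstation qube that is disposable" now matches the terminology used in the rest of this diff, and "qube that is disposable and offline" matches the debian-11-offline-dvm created earlier.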