Best machine privacy strategy for launching and using Whonix from USB

Hi devs and community,
Curious what you recommend as a workflow for optimal privacy of launching and using Whonix in “PERSISTENT mode USER”.

I am concerned with my physical machine components having motherboard and HDD device bios/firmware backdoor spyware (or hidden executable partitions).

My initial plan was considering the following launch sequences:

START IDEA: Mount the entire Whonix ISO files onto a brand new large USB storage device via Tails (freshly and firstly inserted only into the Tails cold boot system to confirm that only the manufacturer's USB firmware is in play)

Launch Option 1/DEFAULT) Local small machine with two Ethernet ports and HDD running a fresh Linux OS environment and the Whonix-Gateway → Launch VM instance of Whonix-Workstation on the master main machine with fresh Ethernet feed from the Gateway device, reference: Build Documentation: Physical Isolation

Launch Option 2) Tails USB (for cold boot protection into a default Tor IP) → Launch VM instance of Whonix ISO running on the second larger brand new USB device created in START IDEA step.

My only concern with Option 1) is the need for additional separate hardware and the risk of HDD or mobo firmware spyware. I am hoping to get away with using Launch Option 2), as this provides the cold boot protection and can use just one ordinary desktop.

What do you guys recommend or use in your personal machine launch sequence for best privacy and security?

Thanks in advance.

There’s no ISO at time of writing. Once there is, there will be news and obvious download links.

Seems like a mostly separate issue. Compromised hardware can hardly be fixed by software.

Related: