Combination of custom native keyboard layout and Whonix can get you deanonymized after VM exploit?


Last time I tried Qubes, the default keyboard layout was that of dom0. Is this still the case? If so, that is very problematic.

Consider the following scenario:

You live in a not very large country. Let's say Sweden as an example. According to the Tor project, there are around 5000 Tor users in Sweden. How many of those do you think use Whonix? 100? How many of those do you think use Qubes-Whonix? ... 5-10?

So, you're a Swedish Qubes-Whonix user, and someone exploits your browser. Normally this would not be a problem. But since your keyboard layout is Swedish, you're now essentially de-anonymized, as there are only a handful of Qubes-Whonix users in your country.

The default layout should be US or something.


Good day,

Your layout may be changed via the "Keyboard setting" in the Qubes Manager independently from dom0. Whether the standard is US QWERTY on Qubes, I'm not sure. Would have to look that up.

Have a nice day,


qubesdb-read /qubes-keyboard

Two cases to distinguish. You

  • a) are NOT typing in that VM while being compromised and

  • b) you are typing while that VM being compromised.

a) are NOT typing in that VM while being compromised:

  • Having the keyboard layout set to US in the VM could help.
  • How likely is it that users are NOT typing the the VM?

b) you are typing while that VM being compromised.

  • Who with a native keyboard would stick to an English keyboard layout?

  • [1] Don't you think that typing English on a native keyboard with English keyboard layout inevitably due to keystroke fingerprinting (different timings and mistakes one is making) will reveal that you have a physical native rather than English keyboard anyhow?

  • Perhaps as a stopgap we should recommend everyone to get used to a physical US keyboard? But how likely are users to adhere that advice?

  • A better fix might be to implement some enhancement in Qubes... Let the user choose its keyboard layout in dom0. Always have the VM think it is using keyboard layout US. And then have dom0 somehow translate the native keyboard layout to US in the VM? Is that even conceivable? (I mean, there are certain native keyboard keys that do not exist on US keyboards - and perhaps vice versa?) And wouldn't that still be fully vulnerable to [1]?

There is also kloak - anti keystroke deanonymization tool in the pipeline of being added to Whonix. See this ticket where I just now posted a related comment.