I dove into Qubes 3.0/Whonix 11 as my daily OS about 2 months ago. I am now running Qubes 3.1 RC1/Whonix 220.127.116.11.2 testers. Sometimes I have to stop myself from over compartmentalizing. It’s another issue of where to draw the security line. I have spent some time thinking over this issue, and moving this line around myself.
I would like to describe the way I have my system setup and take criticism or provoke discussion from other users on this over compartmentalization dilemma.
I’ll start with my templates:
The templates stay disconnected to networking, and remain as they were when they were installed/authenticated. They remain as a bit of protection in case of a disaster. I always have this to fix my clones from.
I then clone these templates like below.
<clone> -> <net vm>
- fedora-23-clone -> sys-update
- whonix-gw-clone -> sys-update
- whonix-ws-clone -> sys-update
- whonix-ws-clone-bitcoin -> sys-update
- whonix-ws-clone-chat -> sys-update
- whonix-ws-clone-server -> sys-update
In the case of clones 3, 4, 5, and 6; these clones then get the necessary software added to them for they’re specific purpose. The others get software updates. The clones use the proxy vm “sys-update” for software updates.
This is how my proxy vms look.
<proxy vm> | <template> -> <net vm>
- sys-net | fedora23-clone -> n/a
- sys-firewall | fedora23-clone -> sys-net
- sys-update | whonix-gw-clone -> sys-firewall
- sys-web | whonix-gw-clone -> sys-firewall
- sys-btc | whonix-gw-clone -> sys-firewall
- sys-server | whonix-gw-clone -> sys-firewall
- sys-bridged | whonix-gw-clone -> sys-firewall (this proxy vm is only available if needed, not normally used)
Here is my app vms with brief explanation.
<app vm> | <template> -> <net vm>
usb | fedora-23-clone -> n/a
For mounting all usb connected devices as outlined in the release notes for Qubes 3.1 RC1.
vault | whonix-ws-clone-bitcoin -> n/a
My gpg keys are kept here, and this is where all encryption, decryption, signing, etc. is done. This is where my passwords are stored. This is where bitcoin transactions are created and signed. This is where all things are written, proof read, and stored. Vault also serves as backup for sensitive data from other vms.
media | whonix-ws-clone -> n/a
This is for VLC. Playing media which has been downloaded on the web vm and then copied here.
web | whonix-ws-clone -> sys-web
Web browsing, downloading music, download youtube videos, etc. Sometimes push signed git commits.
develop | whonix-ws-clone -> sys-web
Clone gits, mess with developing things in experimental conditions. Not worried to destroy and rebuild if necessary. Sometimes push signed git commits here.
chat | whonix-ws-clone-chat -> sys-web
Different communication methods/clients. Email, im, irc, etc.
btc | whonix-ws-clone-bitcoin -> sys-btc
Signed bitcoin transactions are pushed. Some bitcoin applications that I do dev on are running here (when in stable condition) as well with a bitcoin node.
server | whonix-ws-clone-server -> sys-server
Serving up hidden services for various things: bitcoin full node, electrum node, etc.
Please tell me how far past the edge have I gone? Am I just giving myself some security theatre?