I’ve decided to go for a general checklist of the most important ‘hardening’ ideas as a wiki entry instead and mark some items as ‘Qubes-Whonix or non-Qubes-Whonix only’.
This fits better with the Security wiki and it’s nice to have a quick reference for users who don’t want to trawl the documents and discover various things they could (or should) have done, but missed.
See the suggested entry further below. If you’re happy with it, I’ll post it straight away.
Ideas I’ve discarded:
Running hardened alpha Tor Browsers if adventurous due to near-term (December) sandboxing opportunities;
→ Scrapped this idea, since we now know sandboxing works with any Tor Browser series.
Following the Qubes guideline for MAC spoofing;
→ Scrapped this idea.
Although this is now easy using a Debian-9 template and the latest Network Manager (see updated Qubes docs), MAC spoofing is NOT recommended for home PCs or laptops from my reading (e.g. TAILS docs), because it hurts your anonymity. So, this can’t be recommended unless one is using a laptop from various locations. Plus, MAC addresses are largely hidden, especially with use of VMs and Whonix.
Anyhow, based upon the lengthy discussions in this thread and input from various people, I think this entry is now suitable for the Security wiki:
# General Hardening Checklist
It is possible to significantly harden your platform and improve the chances of successful anonymous activity. This depends upon a user’s skill level, motivations and available hardware. This checklist is intended to provide a quick overview of some of the most important issues, categorized by difficulty level (easy, moderate and difficult).
Note: some of these recommendations are Qubes-Whonix or non-Qubes-Whonix specific; they have been marked accordingly.
### Easy
Blogging
- To blog anonymously, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometry analysis and other covert channels. Surfing Posting Blogging - Whonix
Disabling/Minimizing Hardware Risks
- In Qubes-Whonix, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required);
- Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices; Computer Security Education - Whonix
- Preferably detach or cover webcams unless they are in use; and Computer Security Education - Whonix
- Avoid using wireless devices, since they are insecure. Computer Security Education - Whonix
Mandatory Access Control
- Enable all available AppArmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs; and Security Guide - Whonix
- Enable seccomp on the Whonix-Gateway AppVM. Security Guide - Whonix
Passwords and Logins (Qubes-Whonix Only)
- Store all login credentials and passwords in an offline vault VM (preferably with KeePassX) and securely cut and paste into the Tor Browser; and
- Copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
Tor Browser Series and Settings
- Consider using the ‘hardened’ Tor Browser series for additional ASLR memory protections;
- Default search settings to the DuckDuckGo .onion hidden service;
- Select ‘ClearClick’ protections in NoScript;
- Run the Tor Browser Security Slider in the highest position;
- Disable JavaScript by default and only allow sparingly for trusted sites;
- Use .onion hidden services where possible to stay within the Tor network; and
- Follow all other Whonix recommendations for safe use of the Tor Browser. Tor Browser Essentials
VirtualBox (non-Qubes-Whonix Only)
- Remove a host of VirtualBox features to reduce the attack surface; Security Guide - Whonix
- Take regular ‘clean’ VM snapshots that are not used for any activities; and Security Guide - Whonix
- Spoof the Initial Virtual Hardware Clock Offset. Advanced Security Guide - Whonix
Whonix Updates
- Install newer Tor versions via jessie-proposed-updates. Whonix ™ APT Repository
### Moderate
Create a USB Qube (Qubes-Whonix only)
- Prepare and utilize a USB qube to protect dom0 from malicious USB devices.
Networking (Qubes-Whonix Only)
- Use the Debian-8 Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not ‘ping home’, unlike the Fedora Template. Meta-ticket: suggest/remove default applications in official templates · Issue #1781 · QubesOS/qubes-issues · GitHub; Disable sys-net pings to fedoraproject.org
Newer Kernels (Qubes-Whonix Only)
- Install newer kernels to benefit from additional protections (including grsec elements) being mainlined by the kernel hardening project.
Onionizing Repositories
- Default the Debian, Whonix and Qubes package updates to Tor hidden service repositories. Security Guide - Whonix
Sandboxing
- Use the alpha sandbox to restrict the Tor Browser; and Tor Browser Essentials
- Use Firejail to restrict Firefox-ESR, VLC and other applications. Security Guide - Whonix
Secure Back-ups (Qubes-Whonix Only)
- Store encrypted back-ups on a separate back-up disk that is already encrypted with LUKS. Improve qvm-backup key derivation/management · Issue #971 · QubesOS/qubes-issues · GitHub
Time Stamps (non-Qubes-Whonix only)
- Disable ICMP and TCP timestamps on your host operating system. Computer Security Education - Whonix
### Difficult
Anti-Evil Maid (Qubes-Whonix only)
- If you have a Trusted Platform Module, use AEM protection to attest that only desired (trusted) components have been loaded and executed during the system boot. Anti evil maid (AEM) | Qubes OS https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
Chaining Anonymizing Tunnels
- Avoid this course of action; the anonymity benefits are unproven and it may actually hurt your anonymity and security. Combining Tunnels with Tor
Disposable VMs (Qubes-Whonix Only)
- Run all instances of the Tor Browser in a DispVM - preferably uncustomized to resist fingerprinting. Qubes Disposables
Email (Qubes-Whonix Only)
- Use split-GPG for email to reduce the risk of key theft used for encryption/decryption and signing. Split GPG | Qubes OS
Grsec Templates
- In Qubes-Whonix, use dom0, Debian, Fedora and Whonix grsec templates to provide significant kernel exploit protections; and Deprecated/grsecurity - Whonix
- In non-Qubes-Whonix, install the latest Grsecurity kernel on your host or KVM Whonix guest. Deprecated/grsecurity - Whonix
Host Security (non-Qubes-Whonix Only)
- Follow all Whonix recommendations to harden your host OS e.g. minimize the attack surface, utilize full-disk encryption, torify apt-get traffic, scan your firewall, and other measures. Advanced Security Guide - Whonix
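
One way to verify the "Time Stamps" item in the Moderate section, as an added example that is not part of the original post or the Whonix documentation. It assumes a Linux host using sysctl and iptables; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the "Time Stamps" checklist item. Function names and
# the sample data below are constructed for illustration.

# Succeeds if sysctl-style text leaves net.ipv4.tcp_timestamps set to 0.
# Accepts `sysctl net.ipv4.tcp_timestamps` output or a sysctl.d file; last value wins.
tcp_timestamps_disabled() {
    printf '%s\n' "$1" | awk -F= '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "net.ipv4.tcp_timestamps" { val = $2 }
        END { if (val == "0") exit 0; exit 1 }'
}

# Succeeds if iptables-save style text has a rule in chain $2 that drops ICMP
# type $3 (name) or $4 (number). Simplification: any extra match on the rule
# (source address, interface) is ignored, so review narrowed rules by hand.
icmp_timestamp_dropped() {
    printf '%s\n' "$1" |
        grep -E -- "^-A $2 (.* )?-p icmp (.* )?--icmp-type ($3|$4) (.* )?-j (DROP|REJECT)" >/dev/null
}

# Prints one FAIL line per gap; exit status is the number of gaps (0 = hardened).
audit_timestamps() {    # $1 = sysctl text, $2 = iptables-save text
    gaps=0
    tcp_timestamps_disabled "$1" ||
        { echo "FAIL: TCP timestamps enabled (net.ipv4.tcp_timestamps)"; gaps=$((gaps + 1)); }
    icmp_timestamp_dropped "$2" INPUT timestamp-request 13 ||
        { echo "FAIL: inbound ICMP timestamp requests not dropped"; gaps=$((gaps + 1)); }
    icmp_timestamp_dropped "$2" OUTPUT timestamp-reply 14 ||
        { echo "FAIL: outbound ICMP timestamp replies not dropped"; gaps=$((gaps + 1)); }
    return "$gaps"
}

# Constructed samples: a host with default settings and a hardened one.
DEFAULT_SYSCTL='net.ipv4.tcp_timestamps = 1'
DEFAULT_RULES='-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
HARDENED_SYSCTL='net.ipv4.tcp_timestamps = 0'
HARDENED_RULES='-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type timestamp-reply -j DROP'

audit_timestamps "$DEFAULT_SYSCTL" "$DEFAULT_RULES" || echo "default sample: $? gap(s)"
audit_timestamps "$HARDENED_SYSCTL" "$HARDENED_RULES" && echo "hardened sample: OK"
# On a live host (as root): audit_timestamps "$(sysctl net.ipv4.tcp_timestamps)" "$(iptables-save)"
```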