Instructions + download for installing whonix xfce on kvm? Could only see virtualbox instructions

First time around I just wanted to get set up and had trouble initially with the kvm way, so I just ended up going with virtualbox, but I want to figure out the kvm way properly now for the reasons stated in the wiki - that it is properly FOSS - and I prefer its more stripped down nature in general. I now have the time and inclination to get it cracked. I have used kvm in the past but have just used it via making my own shell scripts with the commands to run a vm, not using virsh.

I actually prefer that way but I guess it would not be practical here since the virsh xml files contain a lot of the setup info? And it would be circuitous to do it that way for setting the gateway and workstation up?

Also can I do cli-gateway and xfce-workstation because I think it is superfluous to have a desktop for the gateway since it is not used.

My general philosophy is in line with linux philosophy of most simple and efficient so it was good to see that xfce was being considered to replace kde.

Where should I get the latest downloads for cli-gateway and whonix-xfce? and corresponding info on how to setup?

Also regarding encryption, would you need to setup an encrypted partition and just setup kvm within that? rather than there just being a simple switch like in virtualbox for kvm which deals with encryption?

You should be able to find all the instructions on how to correctly setup Whonix KVM here:

The downloadable files are also there (go to “Download Whonix” section).

There is currently no cli version for KVM.

Pingaeir via Whonix Forum:

Also can I do cli-gateway and xfce-workstation

There is a command to convert virsh settings into QEMU commands but you lose out on security enhancements such as svirt apparmor sandboxing of VMs. If you are OK with that I can find it for you.

You can but you will need to build a cli-only GW for the moment as I haven’t gotten around to doing cli-specific builds.

+1

https://whonix.org/wiki/KVM for downloads and setup info.

For building see:

You setup a partition and just move the image there and point the VM settings to the alternate location. It would be easier to just encrypt your entire host to begin with.

Thanks. I guess it is a good idea to run it in a stock way as per the base instructions before trying the more exotic builds/flavors as to qemu commands and the like.

Ah so xfce is the standard DE now with this download link in the KVM instructions? I presume so since it gives xfce troubleshooting at the bottom. As I was reading around forum posts a couple days ago I didn’t hit on any message that it had actually been rolled out and was still much in development stage; maybe I just didn’t reach to the latest posts as I was only skimming around :).

Yes I already knew the KVM install link it was just that when I tried initially, maybe 8-9 months ago, KDE was still the default.

Cool. I shall start again from the top with the wiki and concern myself with my other issues later if needed. It might be moot now anyway, regarding the cli version since xfce is lightweight anyway so that circumvents the original concern such as to now be a non-issue.

Yep :slight_smile: Rolled out pretty fast I know.

Great. Try it out and let us know if there is anything you need.

I am tied up in a bit of a mess here with libvirt commands

$  virsh -c qemu:///system net-define Whonix_external*.xml
error: Failed to define network from Whonix_external_network-14.0.1.4.4.xml
error: operation failed: network 'external' already exists with uuid 417ba234-1cde-4fbb-8837-417a0b6453a

I have already undefined and deleted the old attempt/previous version from many months ago but how do I get rid of all this net stuff because it is conflicting with this current attempt.

I was not sure what I need to search for online and c+p of the error didn’t bear any fruit on my cursory inspection.

Obvious step here. Did you check if they are still loaded by libvirt?:

# virsh net-list --all

https://wiki.libvirt.org/page/Networking

They are.

$  virsh net-list --all
 Name       State      Autostart   Persistent
-----------------------------------------------
 external   inactive   yes         yes
 internal   inactive   no          yes

Hey I have never used virsh (apart from that brief failed attempt in the past) so no step is obvious yet to me :). As I said I’m used to qemu but I shall persist and see if I get the hang of it.

Now sorry for stupid questions but how do I remove it + if there is a common place I can look for these obvious answers related to libvirt where is it?

I am reading the archwiki for libvirt but it doesn’t seem to completely answer such issues.

EDIT just saw the link. Will read now. Thanks.

EDIT2: ah virsh net-undefine <name> was what I was after; found in the virsh man. I always forget man pages are the first place you should look :slight_smile:

Ok now I can’t delete them for system? only session.

Sessions removed as expected but when I ran sudo for the other commands the networks still show, yet when I try and undefine them they show success yet still show up and I can’t re-add them because it is still saying they already exist.

Also do all these commands have to be run with system virsh? I am guessing so? because I tried doing them for session earlier and it said that the last command

virsh -c qemu:///session net-start internal

would not work related to privileges.

file -> edit -> connection details ->virtual networks

What file? and what is that response to as I asked two things, how to remove the system networks, and also asked if it all can be run via session.

Unclear what you are responding to.

file -> edit -> connection details ->virtual networks I am running from command line, not gui.

EDIT: ah I needed sudo net-destroy <name>
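The cleanup order worked out in the posts above, as an added example that is not part of the original thread: `virsh net-undefine` on a network that is still active only drops its persistent config, so the name stays taken until `net-destroy` stops it. The function name and the sample listing are constructed, and the function prints the commands for one connection URI instead of running them.

```shell
#!/bin/sh
# Added example: turn `virsh net-list --all` output into the commands that
# fully remove the named networks from ONE libvirt connection.
# qemu:///system and qemu:///session keep separate network lists, so the
# plan must target the same URI that net-define will be run against.

# plan_net_cleanup URI NAME...   (net-list output is read from stdin)
plan_net_cleanup() {
    uri=$1; shift
    awk -v uri="$uri" -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # Skip the header row, the dashed separator and short lines.
        /^ *Name +State/ || /^-+$/ || NF < 4 { next }
        !($1 in want) { next }
        {
            # An active network must be stopped first: undefining it while
            # it runs leaves a transient network with the same name behind.
            if ($2 == "active")
                printf "virsh -c %s net-destroy %s\n", uri, $1
            # A transient network has no persistent config to undefine.
            if ($4 != "no")
                printf "virsh -c %s net-undefine %s\n", uri, $1
        }'
}

# Constructed sample listing (not captured from a real host).
sample_net_list() {
    cat <<'EOF'
 Name       State      Autostart   Persistent
-----------------------------------------------
 default    active     yes         yes
 external   active     yes         yes
 internal   inactive   no          yes
EOF
}

sample_net_list | plan_net_cleanup qemu:///system external internal
```

On a real host the listing would come from `virsh -c qemu:///system net-list --all`, run with the same privileges as the commands it produces.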

Ok I installed it now and got it running but sudo virt-viewer --connect qemu:///system Whonix-Gateway when I get in I am not allowed to get past the terms as the mouse will not respond to clicking the radio.

I tried tabbing and it works to scroll to the accept however if I press enter it will still just exit and shutdown.

EDIT: got that with some tabbing and also up and down arrow. No mouse at all, need to play around there, something to do with virt-viewer I guess and nothing to do with whonix.

Sorry this applies to the virtual machine manager gui which you should have installed as per wiki instructions. In this network pane you will see all virtual networks and can manipulate them from there.

Ok I have everything setup now nearly. Running the console from virt-manager solved the kb/mouse issues.

One last thing though- copy and paste from host to guest works on gateway but not on workstation. Why would that be? I will be needing it most for the workstation obviously because that is the one that is being used.

I suppose I will look into debugging spice and that side of things.

Clipboard sharing is disabled by default for security reasons as per official documentation:

SPICE allows accelerated graphics and clipboard sharing. The clipboard is disabled by default for security reasons to prevent accidentally copying a link to a website you visited anonymously to your non-anonymous host browser or vice versa and to stop malware in Whonix ™ Workstation from pilfering sensitive info from your clipboard.

You can easily enable it if you want to (be aware of the security implications):

If you still want to enable it, edit the VM config file, then change <clipboard copypaste='no'/> to ‘yes’ then save and restart.

Source:

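A check for the setting quoted above, as an added example that is not from the Whonix documentation or this thread: libvirt enables SPICE copy and paste when the `<clipboard>` element is absent, so a VM definition counts as hardened only if `copypaste='no'` is present explicitly. The function name and the XML fragments are constructed.

```shell
#!/bin/sh
# Added example: report the SPICE clipboard setting in a libvirt domain XML.
# A missing <clipboard> element means copy and paste is enabled, so only an
# explicit copypaste='no' is reported as disabled.

# spice_clipboard_state   (domain XML, e.g. from `virsh dumpxml`, on stdin)
spice_clipboard_state() {
    awk '
        /<graphics[^>]*type=.spice./ { in_spice = 1; seen = 1; state = "enabled-by-default" }
        in_spice && /<clipboard[^>]*copypaste=.no./  { state = "disabled" }
        in_spice && /<clipboard[^>]*copypaste=.yes./ { state = "enabled" }
        # A self-closing <graphics .../> or the closing tag ends the element.
        in_spice && (/<graphics[^>]*\/>/ || /<\/graphics>/) { in_spice = 0 }
        END { print (seen ? state : "no-spice") }'
}

# Constructed domain XML fragments (not taken from a real VM definition).
xml_hardened() {
    cat <<'EOF'
<domain type='kvm'>
  <devices>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='no'/>
    </graphics>
  </devices>
</domain>
EOF
}

xml_no_element() {
    cat <<'EOF'
<domain type='kvm'>
  <devices>
    <graphics type='spice' autoport='yes'/>
  </devices>
</domain>
EOF
}

for f in xml_hardened xml_no_element; do
    printf '%s: %s\n' "$f" "$($f | spice_clipboard_state)"
done
```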

Ok, I thought that might be the case. In that case what do you suggest if you use a lot of passwords?

Still use clipboard just with due diligence or is there a more advised way?

I will prefer not to compromise security as the clipboard ‘pilfering’ is a valid one from a best practices point of view.

You could enable clipboard sharing if you accept the risks (=the Workstation has access to the host’s clipboard content and vice-versa).
Otherwise I guess you could create a veracrypt container with your passwords inside on your host (or if you are really paranoid, you could create it on a machine without internet access, then copy it to the host) that you would access from the Workstation with a shared folder.

Use a password manager in the WS like keepassx which we now include I believe. Then regularly make backups of the encrypted manager database and archive that.
