I run KVM all day long on two different Hosts: Gentoo Hardened and Fed 22. On either Host, KVM flawlessly mounts the USB devices, irrespective of the Guest operating system, except for the Workstation. This statement also holds true when I run VBox, instead of KVM.
- What KVM Host OS are you running?
- Please describe/show the exact KVM (or VBox) parameters you used to successfully mount a USB device inside the Workstation.
More generally, users alone should be the ones who decide if they trust their own USB devices being attached to an 'untrusted' guest. This decision should not be made for them.
I agree that encryption presents its own issues, and is far from a perfect solution. However, given that, having an encrypted system is far safer than not having one, period.
Focusing on remote possibilities, or highly improbable breaches, and using that as an excuse/rationale for not offering encryption borders on the absurd.
Whonix should be offering encryption as the default option, with a clear explanation of its advantages and disadvantages. The key point, as above, is to let the users decide if they want to use encryption or not.
I was thinking along the lines of you encrypting the Workstation, prior to release, with an easy, published passphrase. Then teach users about cryptsetup's relevant commands to re-take control of their encrypted Workstation.
VBox 5 (only) now offers Guest OS encryption using the AES-XTS256-plain64 (or 128) ciphers. However, it will likely take a long time for a large percentage of your user base to migrate to VBox 5.
I think using the cryptsetup approach is more than sufficient.
On the Dolphin display issue, I have no time or interest in researching how Dolphin came to look as it currently does in the Workstation, nor to read any rationale supporting the 'need' for changes. I just think Dolphin looks awful in the Workstation, period. It's a personal 'thing,' so don't take it personally.