Pairing Whonix ™ with network printers is strongly discouraged. This is because most (if not all) network printing relies upon insecure, unencrypted protocols. This means the documents being printed will likely be visible to attackers who are able to sniff the local network, or who control the (normally untrusted) Qubes NetVM. This is a limitation of modern printers and printing protocols and not something that can be solved by Qubes or any other OS.
AFAICT this is not accurate anymore. Modern printers support IPPS (IPP over TLS); I successfully tested both printing and faxing over IPPS with an HP printer that I picked at random from a store near me. TLS certificate validation seems to be weak by default, but there are settings (which I haven’t tested yet) that claim to enable strict TLS certificate validation for IPPS. IPPS unfortunately is not advertised or documented by printer vendors (at least HP), so it took a lot of trial-and-error to figure out how to enable it, but AFAICT the instructions I came up with are not vendor-specific, so they should work with any modern printer.
Given this, would Kicksecure/Whonix be interested in the following?
- Wiki updates that make it clear that IPPS is a thing, and explain how to use it.
- Package updates that enforce IPPS, i.e. causing CUPS to error if the user tries to print using an unencrypted protocol such as IPP over TCP or JetDirect, and enforce strict TLS certificate validation for IPPS. Note that strict TLS certificate validation requires the user to generate a TLS cert/keypair and upload them to the printer (preferably over a USB connection so that the upload can’t be wiretapped) before printing/faxing will be accepted over IPPS; this shouldn’t be difficult but it does mean that a nonzero amount of setup is needed. Also note that faxing over IPPS requires specifying the recipient phone number via the command-line (I can’t find a working GUI for this), so the UX is slightly worse than unencrypted faxing (printing works fine via GUI).
(Looks like the Qubes documentation is also wrong in the same way, but I’m not comfortable submitting documentation changes to Qubes because I’ve only tested this on a non-Qubes system – testing on Qubes is inconvenient because Qubes doesn’t run on ppc64le, which is my main machine now.)