Privacy/security considerations for templates of qubes that route through sys-whonix

Hi, I asked this question on the Qubes forum:

A user suggested it might be better posed here.

I’m planning to create one or more persistent VMs with custom templates to host specific, isolated non-browser apps, e.g. Signal, to be routed through sys-whonix. (One app per qube is the idea.) I’d prefer the underlying templates have a small footprint, as I’m resource-constrained. This might suggest debian-12-minimal as the starting template to host each app rather than whonix-workstation-17, as the former is smaller.

My instinct is that would be ok. I’m more concerned about stream isolation / cross-VM identity correlation than about local VM security, which is what I understand to be the benefit of Kicksecure vs Debian. And the apps being in separate VMs, all routing through sys-whonix, should promote stream isolation (true?). But maybe there are further privacy-related features that go into whonix-workstation-17 to make it a superior choice as a base template despite its larger footprint.

To sort-of summarize as a question: with respect to privacy, is there something to be favored about whonix-workstation-17 vs debian-12-minimal given these qubes won’t be disposable and won’t be running Tor Browser, but will be routing through sys-whonix? Also: is there something misguided about what I’m planning to do?


This wiki page applies:

Thanks for the reference. I think the upshot is there are sufficient further privacy features in whonix-workstation-17 to make it a better choice than debian-12-minimal as a base template despite the larger footprint. Specifically:

  • uwt wrappers
  • timezone obfuscation (UTC)
  • sdwdate
  • “Other numerous security/privacy enhancements”, including kloak (someday)

I could implement them myself in a custom debian-12-minimal but it would have to be careful work. Perhaps I could lightly trim down a custom whonix-workstation-17 as this user has done but it’s not clear it would be worthwhile.