Hi, I asked this question on the Qubes forum:
A user suggested it might be better posed here.
I’m planning to create one or more persistent VMs with custom templates to host specific, isolated non-browser apps, e.g. Signal, to be routed through sys-whonix. (One app per qube is the idea.) I’d prefer the underlying templates have a small footprint, as I’m resource-constrained. This might suggest debian-12-minimal as the starting template to host each app rather than whonix-workstation-17, as the former is smaller.
My instinct is that would be ok- I’m more concerned about stream isolation / cross-VM identity correlation than about local VM security, which is what I understand to be the benefit of Kicksecure vs Debian. And the apps being in separate VMs, all routing through sys-whonix, should promote stream isolation (true?). But maybe there are further privacy-related features that go into whonix-workstation-17 to make it a superior choice as a base template despite its larger footprint.
To sort-of summarize as a question: with respect to privacy, is there something to be favored about whonix-workstation-17 vs debian-12-minimal given these qubes won’t be disposable and won’t be running Tor Browser, but will be routing through sys-whonix? Also: is there something misguided about what I’m planning to do?
Thanks