Proper Persistence/KeePass storage with VM Snapshots

Hello,

I’ve read on the wiki that the best thing to do is to keep clean snapshots of the Whonix VMs always updated. However, how does this work with persistent storage, like KeePass password DBs? Is it safe to keep those in the snapshots? If not, what’s the safest way to transfer this between VMs (shared folders?)

Also, is it “safer” to keep the KeePass program and DB on the host?

Thanks for all the hard work!


Indeed. That might not be well documented.

With persistent storage that most likely doesn’t work “directly”. In the documentation, the snapshot is just there so one can easily create a clone from it which is updated and ready to be used for an activity.

“And indirectly”? Using a shared folder? Not sure how much sense that makes.

Safer against data loss, perhaps. Because data on the host is easier to access and back up, and less likely to become inaccessible than data inside a VM (virtual hard drive corruption).

On the downside, it has higher attack surface.

No method is truly great but here’s an overview:


related documentation:
https://www.whonix.org/wiki/Whonix-Workstation_Security#VM_Snapshots

So the snapshots are there kind of like Qubes, to dedicate a certain VM to a given activity?

Would using VMs like this be useless if I need to keep persistent KeePass/PGP keys/etc. in the Whonix workstation?

I see.

The Whonix KeePassXC documentation states,

It is recommended to install keepassxc inside an offline (vault) VM

Would one use a Kicksecure VM for that? Or does it not matter because it’s offline?

Edit: Reading more, I see that

Kicksecure ™ is unsuitable [for keepass offline vm] due to Boot Clock Randomization and sdwdate clock randomization. (Unless disabled and offline.)

Kinda. VM snapshots could be used similarly to a Qubes Disposable VM. Again, not useful for persistence.

Combining snapshots with persistence isn’t well thought through.

There’s a good chance some other place has more clever ideas than I currently have. This is unspecific to Whonix. See: