Question regarding "1 guard/client per internet-connected program"

The Whonix Website recommends 1 guard per application for better security.
My interpretation of it is this:

  1. Import fresh untouched whonix-gw and whonix-ws template
  2. Make a backup template clone of original and never touch these backup
  3. Import fresh untouched sys-whonix
  4. Make backup clone of sys-whonix and never touch this backup
  5. Rename untouched whonix-gw to a particular application (whonix-gw-email)
  6. Rename untouched whonix-ws to particular application (whonix-ws-email)
  7. Rename untouched sys-whonix to a particular applicatoin (sys-whonix-email)
  8. Start sys-whonix-email which uses whonix-gw-email as template
  9. Setup Tor and connect
  10. Open whonix-ws-dvm that uses whonix-ws-email as template
  11. Only use whonix-e-mail setup in a single fixed geographical location (e.g. home)

Am I understanding this right? I’m still kind of confused.

Lastly, Is this the correct way of obtaining fresh untouched whonix-ws, whonix-gw, and sys-whonix?

  1. Delete existing whonix-ws and whonix-gw templates
  2. Delete sys-whonix and anon-whonix
  3. type “sudo qubesctl state.sls qvm.anon-whonix” in dom0

Reference, what you’re probably talking about:
Increase Protection from Malicious Entry Guards: One Guard per Application

That chapter was updated by me just now:

Whonix ™ developer HulaHoop recently approached Tor researcher, Tariq Elahi, to discuss how exposure to malicious guards in multi-Workstation scenarios could be measured. It was discovered that 1 guard/client per internet-connected program (not identity!) is the safest possible configuration. In fact, the probability of a network adversary observing a user’s activities is lower than the default scenario, whereby one Tor Entry Guard is relied upon for all applications.

A newer development however might conflict with this. The blog post by The Tor Project [archive], New low cost traffic analysis attacks and mitigations [archive] (forum discussion [archive]) discusses website fingerprinting. Quote:

In terms of mitigating the use of these vectors in attacks against Tor, here’s our recommendations for various groups in our community:

Users: Do multiple things at once with your Tor client

Therefore it looks like a difficult choice. Either:

  • A) Increase Protection from Malicious Entry Guards, or
  • B) do multiple things at once with your Tor client for better protection against website fingerprinting.

//cc @HulaHoop


Thanks for the info.
If I were to defend against the malicious guards, did I have the right idea in my OP? I still dont understand how you can take a “snapshot”. Thanks Patrick


Qubes does not support snapshots. Might be possible to work around it by using Qubes VM snapshots using git / SVN or copies of VMs but that becomes rather complicated. And due to the new developments mentioned in my previous post, I am not interested in this.