Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

Run Whonix on a Physical Box with KVM using Qemu

I have a physical box with WAN and LAN, some sort of arm64 device, running DietPi

I want to get Whonix onto the box.

Qubes is the best thing ever, after Whonix, but it’s got a lot of hardware demands. I’m also not sure to what extent Qubes protects against infected firmware (although it still may be better than non-Qubes). I do not always trust my hardware. In an emergency, it may not be easy to get a copy of Qubes on whatever hardware is available. (I know using whatever hardware is available has risks, but please do not use the fact that risks exist as an argument against trying to mitigate risks of certain threat models.) I want a small box where anything that goes through it goes through Tor. I know about TorBox but it is designed for a Raspberry Pi that has WiFi and I don’t want to project some WiFi signal out onto the world any time I run this. Even if TorBox does MAC cloning or changes the MAC any time it’s run, I don’t know what is going on during that critical boot time when there’s power and the software hasn’t started running. If a TorBox sends out a previous MAC address or it’s default MAC address when it’s starting prior to the software running, it provides a lot of information that could be picked up by mesh networks that send telemetry back to larger companies and sell it to data brokers. I’m aware of how hardware fingerprinting works and how Tor browser tries to reduce the attack surface and utility of that, but I do not care about that. I just want Whonix on a box.

I can get Buster on DietPi and install an interface and then just throw in Qemu and emulate KVM and try to route things around until it works. I could delete DietPi and just throw on pure Debian as another option. My box has a decent processor and RAM.

Are there any pitfalls I might run into? Am I approaching this problem the wrong way?

Have you considered Kicksecure as your base OS? If debian will run, Kicksecure is a good option