[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Running Whonix-Workstation as StandaloneVM

I’m interested to know if running Whonix-Workstation as a StandaloneVM is considered safe. I can’t seem to find any information about this lying around but this is probably my poor search skills.

At face value everything seems to work fine except there is a small issue with sdwdate-gui which can be resolved by adding the ‘anon-vm’ tag to the StandaloneVM. I notice that the StandaloneVM ends up with the ‘whonix-updatevm’ tag which may or may not need to be removed for safe use.

The use case is that I’d like to develop from within Whonix and doing it within an AppVM is quite painful when dealing with software that insists on installing outside the home directory.

If somebody could provide any resources or configuration “gotchas” I would be very thankful. If there is an easier way to develop within Whonix I would also like to know.

Consider the Qubes OS design diagram:
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Qubes

Whonix-WS is generally considered a more vulnerable and less trusted environment - hence why it borrows the read-only root filesystem from TemplateVMs and the only persistent directories by default are /rw/ See: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser/Advanced_Users#tb-updater_in_Qubes_DisposableVM_Template

&

It is far safer to set up multiple WS TemplateVMs with your preferred software, and then create WS AppVMs off of those templates. See: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Multiple_Whonix-Workstation

&

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Multiple_Qubes-Whonix_TemplateVMs

Bonus points if they are run as Disposable AppVMs.

By having Whonix-WS as standalone, you’re trusting that it won’t be pwned at some stage, with the root filesystem being infected with god knows what. That’s a poor security model to implement since it will be persistent. That doesn’t mean advanced malware does not already exist that targets /rw/ – in fact I’d lay bets on it – but it certainly reduces the scope of your potential problems.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]