So my home PC runs Windows 10 Pro and I was told hosting on Windows is a bad idea. I have a scalable VPS which currently runs Ubuntu. I know that Debian buster is recommended and I will switch to it if what I’m wanting to do will work. I’d like to set up both the Whonix-Gateway and the Whonix-Workstation on the VPS and SSH from my home PC to the VPS in order to use Whonix. However, I’m not sure if doing that compromises anonymity/security. I plan on using VirtualBox with XFCE.
I’m also curious as to what the recommended hardware requirements would be for the VPS. I’m currently using 2 vCPUs and 2 GB of RAM but the service is scalable.
As far as I am concerned: Generally speaking, if your host can virtualize, it should theoretically be able to virtualize Whonix too. The specs on yours are probably too low. But:
If a breach of your anonymity would get you into trouble, I’d personally highly recommend against using any hardware that e.g. you are not in sole control of OR which leads back to your real identity either by payment or by using unsecured connections (from a Windows host, e.g.) to it etc…
If you are planning on using VBox with XFCE, you’ll have to use a protocol/program that supports displaying stuff other than text.
Remote administration of any system should be considered a potential anonymity hazard, since it is not under the user’s physical protection and could be compromised. All activities, all programs, everything should be assumed to be monitored by the host of the server (VPS, dedicated server, etc.).
Needless to say, Whonix ™ should not be hosted in the cloud, on a foreign server that is not controlled by the user, on a virtual private server (VPS), or other remote hosting options. The risks include:
Data on these systems is readily accessible to their owners.
Data can be accidentally or deliberately altered / deleted.
Legal ownership of data is disputed.
Shared technological vulnerabilities include insecure interfaces and application program interfaces (APIs), data loss / leakage and hardware failure.
Proven vulnerability to large scale attacks like “hyperjacking”, along with exposure to traditional threats like network eavesdropping, invasion, denial of service attacks, side-channel attacks and so on.
Concluding: Instead, you’d be better off using VBox on your Windows PC and not adding a lot of other attack surfaces.
I’ll agree to that, consider using something, especially if de-anonymization is a risk for your personal well-being.
Thanks a lot! Very helpful. Would a dual boot be possible to avoid hosting on Windows/VPS altogether? Like add a partition for the Linux OS and just restart my computer+select boot device whenever I’d like to switch between Linux and Windows? Or is just hosting on Windows my best option until I’m able to get a 2nd machine in my possession?
Good questions. I won’t give a definitive answer here (as in I don’t want to recommend one or the other, as both aren’t optimal), but seeing that the only other option would be going without any anonymization at all for the time being, you’ll probably have to settle for something.
users should avoid dual / multi-boot configurations. The other OS (like Windows) could modify the unprotected /boot partition or firmware to maliciously compromise … the host OS, and also potentially spy on user activities.
On the other hand, using Windows as a host OS has even more implications, which you can get a list of here:
So none is optimal, until you have separate hardware for running Whonix. Until then, settle for the best option in your opinion and don’t take any unnecessary risks.
Alright, thanks a ton for your time. You’ve answered all of the questions I had. I am probably just going to hold off until I have separate hardware since my situation isn’t urgent and I don’t want to decrease the benefits Whonix offers by being impatient. Again, thank you!!
Hidden services are definitely weaker than regular Tor circuits
Therefore using a VPS to host servers might have advantages too. If the VPS gets attacked, de-anonymized, that doesn’t necessarily apply to the remote administrator of that service. (Connecting to a compromised VPS would increase attack surface for the remote administrator but that’s certainly better than having a locally compromised VM.)
I don’t think I would make a general recommendation for either option. Seems too complex. Advantages and disadvantages for both solutions. An individual choice based on priorities. However, it would be interesting to explore these two options and good to document in Whonix documentation.
A VPS means your service can be taken offline or discovered if the datacenter is compromised; however, it helps reduce risks to your anonymity if you use a minimal remote administration protocol like SSH, because the attack surface is very limited. This presupposes that you’ve figured out how to properly pay them in a privacy-preserving cryptocurrency, because otherwise the money trail will get you.