Shut down / save and Live mode questions

Host: Debian, with FDE
Hypervisor: VirtualBox
Whonix: 14 XFCE

1. Is it preferable to shut down the machine or to save its state? the advantage in saving is a quicker launch next time.

2. I wonder about using Live Mode as described in http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix_Live. It is clear that it isn’t easily amnesic, however I didn’t see the state of Whonix Gateway expressly mentioned in this context - my questions are:

• Does Whonix Gateway keep connection logs?
• Where can I see them and how could they be cleared?
• When using Whonix-Workstation in Live Mode, is it advisable to do the same with Whonix-Gateway?
• Actually, any reason not to use Live Mode on Whonix-Gateway always?

Thanks in advance.

1. Shutdown. When you save the state you obviously loose some of the live features. If you search the forum you can also find other issues related to saving the state like clock skew. It is in general not recommended independent of hypervisor or live mode.

2. You will find the standard linux logs under /var/log or /run/log. I think only the tor log would matter but unless you change something on purpose it won’t log connections. In most cases they are automatically rotated or cleaned during restart.
   It makes more sense for Live mode on the Workstation because there most of the relevant stuff like browsing, chatting … happens. You can of course also use it on the gateway but imho it is less likely to be attacked.
   You should not always use live mode. In particular not during the first boot because then you will always go through the whonix setup procedure. Also for updates you need to boot the VMs in persistence mode.

Same as Debian / Tor.

Frequently Asked Questions - Whonix ™ FAQ

Breaks Tor entry guards.

Unless you always boot into live mode probably not. This could only happen if you install grub-live by default in the images and a user always boots this mode.
atm you boot into persistent mode and Tor should set the entry guards. I don’t know how tor checks if the ~3 months are over but in theory, if you at some point boot into persistent mode after the 3 months, you should get a new guard node.

We don’t have researched the details researched.

• When booting “too late” into into persistent mode: a random new entry guard will be chosen.
• When booting “too late” into into persistent mode again: a random new entry guard will be chosen again.
• When booting “too late” into into persistent mode again and again: a random new entry guard will be chosen again and again.

So this has potential to break Tor entry guards unless having the schedule under tight observation.

Not sure what you mean with “too late”. When you boot into persistent mode after ~3 months you get a new guard. This is normal behaviour. It should stay the same for the next three months no matter if you boot into persistent or live mode.

Algernon:

Not sure what you mean with “too late”.

After Tor is due to Tor entry guard change.

When you boot into persistent mode after ~3 months you get a new guard. This is normal behaviour. It should stay the same for the next three months no matter if you boot into persistent or live mode.

Yes.

However, if users use Whonix daily and users boot into persistent mode
only after 4 months because users forgot about it, then users will be
probably using a different Tor entry guard at every boot.

If less than 1 month, let’s say 20 days and 20 boots, then that’s 20
different picks of Tor entry guards.

Let’s say 1 days and 1 boots in live mode after Tor entry guard change
is due, then that’s 1 different picks of Tor entry guards.

So the timing would have to be very accurate. Otherwise more entry
guards will be used than usual with persistence.

That’s true. So it is probably a wise decision to also boot into persistent mode from time to time also due to general updates. I’ll add that to the wiki.