To Patrick and all who contribute to the project,
Like I’m sure most agree here, Whonix is much safer than Tails as a solution to secure one’s anonymity (i.e. protecting IP address leakage due to exploits in the OS where you do your Internet) due to the ingenious VM sandboxing design.
That’s why Whonix exists.
However, over time I have been increasingly concerned as I discover more ways in which Whonix data (or forensic evidence of its usage) can be leaked, read by, or stored in the host OS system, such as the visual ‘Preview’ pane that shows each VM’s live screen activity in the VirtualBox main GUI (which is enabled by default), or countless other metadata files written deep in your host OS file system, or actual sensitive Whonix data potentially saved to the swap partition.
This forensic data and leakage about your Whonix is a high security risk to many users around the world, in which LUKS encryption of your host OS hard drive is useless if governments can legally seize your equipment and force you to decrypt it anyway.
The RAM-only ‘live’ amnesic computing design, such as the hardened Tails OS, offers a type of security which cannot be replicated by ANY operating system (like Qubes) that writes in-session data to the hard disk. If there were an OS that offered cryptographically secure plausible deniability like the open-source and now well-audited hidden VeraCrypt volume software, it would be different (and VeraCrypt’s Windows hidden OS doesn’t count because researchers defeated it).
That’s why Tails exists.
More than ever, I am strongly interested in Tails as a host OS for Whonix. I’d feel much safer if I knew that all sensitive information or forensic data about Whonix would at least leak to a RAM-only environment that’s instantly and quite securely wiped as soon as I remove the Tails USB drive, instead of potentially being permanently written on an SSD cell somewhere deep on the hard disk as evidence to be collected.
To combine both worlds and still have fully deniable encryption of all sensitive data, you can store your Whonix VMs inside a hidden VeraCrypt volume (on your fast internal SSD) and then run them in a VirtualBox instance on Tails (on your USB). For convenience, you can build your own install scripts and use Tails’ Dotfiles persistence feature to launch your preferred OS settings and the VMs quite automatically at each startup.
So with this in mind I recently experimented with Whonix in Tails and made headway with (almost) getting it to work. (The only remaining step is I’m not sure how to modify Gateway to get its Tor wizard to actually connect, but full Internet is working in any non-Whonix VM.)
Here are my steps for it:
Boot up the latest Tails (currently v3.13.1) from a USB.
At Tails log in, create an admin password for the session.
Open Tails’ Root Terminal and do the following:
apt-get update; apt-get install make; apt-get install -y -t sid linux-headers-$(uname -r)
Open Tails’ Tor Browser and go to https://www.virtualbox.org/wiki/Linux_Downloads and download the latest “Debian 9” .deb installer file for VirtualBox.
Then in Root Terminal do after this example to install VirtualBox: 'dpkg -i ‘/home/amnesia/Tor Browser/virtualbox-6.0_6.0.4-128413~Debian~stretch_amd64.deb’; apt -y --fix-broken install’
Optionally, download Oracle’s VirtualBox extension pack and install it in VirtualBox.
Now start VirtualBox in Tails, and import or create some VMs for testing them.
(WARNING: When you power on the VM in the following step, it will be connecting to your pre-Tor IP!)
- Change the VM’s Network settings to ‘Bridged Adapter’, then power it on and test.
So in my testing I see that Whonix-Gateway doesn’t connect out of the box, but interestingly, if you try any vanilla Linux VM like Arch Linux’s live ISO in VirtualBox you’ll see that your ‘naked’ pre-Tor Internet is automatically working in such VMs.
I’m no expert but I’m guessing the kernel modules loaded by VirtualBox are bypassing Tails’ Tor process and iptables security completely. This actually means that we can avoid ‘Tor-over-Tor’ with Whonix in Tails!
As long as Gateway has its own strict iptables security (which we already rely on with Whonix with any other host OS), IMO this is OK. This is therefore an opportunity to consider Tails like another host OS for Whonix like Qubes, but with the amazing unique feature of hardened amnesia security. (Are there any well-maintained RAM-only live Linux distributions which are accessibly Debian-based and don’t include Tor hardening? I’ve not found one. Maybe Knoppix? It looks like Tails is the biggest one.)
I think that by now, both Tails and Whonix have matured as separate projects which, like Qubes-Whonix, could be combined as ‘Tails-Whonix’ to enjoy the benefits of both projects with no compromise.
In this way Tails and Whonix can still have autonomy from each other, just like how Qubes and Whonix don’t depend on each other incestuously but can compliment one another.
It is ironic that ‘Tails-Whonix’ users would never use the Tails’ Tor Browser but only use Tails as a ‘dumb’ pre-Tor host for Whonix’s superior Tor security. But both projects can still respect, learn and borrow from each other over time in a friendly way. And as another benefit, downloading and setting up Whonix all from within Tails could be a great way to more privately, anonymously, and securely do it. I trust the Tails Project to keep Debian up-to-date and secure.
So, I want to do extensive testing of Whonix inside Tails (and also explore how convenient I can make it Persistence-wise inside a VeraCrypt volume), but I need help in knowing what modification is required in Gateway’s iptables / OS config to make it actually connect to Tor.
I look forward to your thoughts and contributions.