Whonix user isolation (user-sysmaint-split) breaks VeraCrypt workflow

Then I don’t understand something. Using option ‘remove user-system split’ I am reducing security. So I wanted to use this option temporarily to install trusted packages and then restore the system to the previous configuration. And now I find out that it is not recommended to do this?

I have a dilemma and I don’t know what to do.

I installed program VeraCrypt, but I can’t decrypt the shared container. The mount takes forever to load

1 Like

You don’t need to remove user-sysmaint-split to install VeraCrypt. You can do that from within PERSISTENT Mode | SYSMAINT Session. You need to remove user-sysmaint-split to use VeraCrypt, because the way it operates requires elevating permissions to root during use. While user-sysmaint-split is not installed, theoretically malware that gains access to your user account can elevate to root, and if that happens, reinstalling user-sysmaint-split won’t fix the compromise after the fact.

Using VeraCrypt requires removing a security feature of the OS because of how VeraCrypt works. There is no alternative at the moment. Whether that’s a choice you want to make depends on your threat model and workflow.

3 Likes

So why can’t I decrypt the shared container? It takes forever to decrypt and nothing happens.

Therefore, I’m not sure if it wouldn’t be better to use VeraCrypt on my Windows system and simply share the decrypted container. In that case, I wouldn’t have to use the ‘remove user-sysmaint-split’ option and thus reduce the security of whonix itself. But I’m not sure if this would expose my Windows system to attack again.

1 Like

Because mounting the decrypted shared container requires root permissions. This is a VeraCrypt design decision.

We generally like to stick to “one forum post = one topic”. The question of where to mount the container is off-topic for this particular thread.

2 Likes

I thought, that using the ‘remove user-system split’ option there will be no more problems with root and permissions. So how to decrypt a file using Veracrypt gui with root privileges?

1 Like

I may be misunderstanding; I was under the impression that you reinstalled user-sysmaint-split, then tried to decrypt with VeraCrypt, and it hung forever. If you still have user-sysmaint-split uninstalled and VeraCrypt is hanging during decryption, I don’t know why that’s happening, and don’t think that’s something we can help with. VeraCrypt’s support forums might be more appropriate.

2 Likes

So, the last question: Does using whonix with ‘remove user-system split’ significantly reduce security?

1 Like

Answer is documented here (you lose the security enhancements mentioned here):

2 Likes

I’m curious what you would choose? Using the default, more secure whonix configuration without ‘sudo’, sharing the decrypted container from Windows. Or removing it (user-sysmaint-split) and instead being able to use VeraCrypt and decrypt files on the workstation itself? I’m in a dilemma because I’m afraid that by granting higher permissions to the workstation, someone could access my main Windows system and infect it, even if I don’t check the contents of the encrypted container on Windows.

1 Like

Not easy to answer because the answer is entirely threat-model-dependent. Can be resolved as per:

2 Likes

LUKS is not a substitute for the deniable encryption that veracrypt can offer, because if you’re forced to type a password you can’t deny not knowing the password when it comes to LUKS encryption. Meanwhile with veracrypt you can be forced to type a password and still not reveal the existance of a hidden volume.

This is also the whole point behind why i’m recommending my audience to use kicksecure in the first place, because the live mode and ram wipe packages allow users to safely (meaning deniably) create, mount and use hidden vercrypt volumes.

it was great when zulucrypt was installed by default but given that it’s no longer the case there’s a need to have a substitute to be able to mount veracrypt containers. (which i understand why it was removed, its unmaintained is my guess)

In the meantime i’m going to revert to recommending my audience to remove the user-sysmaint split and installing regular veracrypt to be able to create and mount those volumes from live mode, it’s some additional steps but at least it’s still doable. Hoping to change your mind on veracrypt specifically, as there’s alot of hope coming from my opsec community to simplify these kinds of setups.

Here are the relevant tutorials i previously wrote on that topic:

http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/opsec/privacy-on-your-computer-with-linux/index.html?h=privacy+computer

http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/opsec/live-mode/index.html?h=live+mode

http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/opsec/plausible-deniability-with-veracrypt/index.html?

http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/opsec/sensitive-vm/index.html?h=vm

i’m currently rewriting these tutorials i previously wrote to match the KS17→ KS18 changes, so it’s a WIP, just fyi

If it’s static (non-changing) command line commands, you could probably set up a privleap configuration file.

See folder /etc/privleap/conf.d. There’s examples there.

Any addional privleap config action could be created based on these examples.

Related:

ChatGPT might be able to given enough examples. It would be a simple text remix.

Claude Opus 4.8 max is definitely able to sufficiently “understand” privleap code base, generate functional configuration files (tested in similar privleap cases), explain how to set it up and probably even debug it in case of issues.

(I don’t review all sorts of AI models.)

The expenses to develop something like this are at a historic low.

Once you have instructions, you could add them the wiki (edits are moderated) and I’d review them to be non-malicous.

I cannot complete the full service for you and provide conplete, tested, polished copy/paste instructions due to time restraints. → Policy Rationale