Then I don’t understand something. Using option ‘remove user-system split’ I am reducing security. So I wanted to use this option temporarily to install trusted packages and then restore the system to the previous configuration. And now I find out that it is not recommended to do this?
I have a dilemma and I don’t know what to do.
I installed program VeraCrypt, but I can’t decrypt the shared container. The mount takes forever to load
You don’t need to remove user-sysmaint-split to install VeraCrypt. You can do that from within PERSISTENT Mode | SYSMAINT Session. You need to remove user-sysmaint-split to use VeraCrypt, because the way it operates requires elevating permissions to root during use. While user-sysmaint-split is not installed, theoretically malware that gains access to your user account can elevate to root, and if that happens, reinstalling user-sysmaint-split won’t fix the compromise after the fact.
Using VeraCrypt requires removing a security feature of the OS because of how VeraCrypt works. There is no alternative at the moment. Whether that’s a choice you want to make depends on your threat model and workflow.
So why can’t I decrypt the shared container? It takes forever to decrypt and nothing happens.
Therefore, I’m not sure if it wouldn’t be better to use VeraCrypt on my Windows system and simply share the decrypted container. In that case, I wouldn’t have to use the ‘remove user-sysmaint-split’ option and thus reduce the security of whonix itself. But I’m not sure if this would expose my Windows system to attack again.
Because mounting the decrypted shared container requires root permissions. This is a VeraCrypt design decision.
We generally like to stick to “one forum post = one topic”. The question of where to mount the container is off-topic for this particular thread.
I thought, that using the ‘remove user-system split’ option there will be no more problems with root and permissions. So how to decrypt a file using Veracrypt gui with root privileges?
I may be misunderstanding; I was under the impression that you reinstalled user-sysmaint-split, then tried to decrypt with VeraCrypt, and it hung forever. If you still have user-sysmaint-split uninstalled and VeraCrypt is hanging during decryption, I don’t know why that’s happening, and don’t think that’s something we can help with. VeraCrypt’s support forums might be more appropriate.
So, the last question: Does using whonix with ‘remove user-system split’ significantly reduce security?
Answer is documented here (you lose the security enhancements mentioned here):