Whonix in a VB?

john.rook
Joined: 04/08/2018

Some privacy advocates tout the benefits of running Whonix in a VirtualBox VM - and then running that through an OpenVPN router - saying this creates significant compartmentalised layers of security.
While I'm aware that Intel/AMD computer chips are all compromised & back-doored, does Whonix in a VB create any significant benefits?

Any thoughts or input appreciated . . . .

koszkonutek
Joined: 03/19/2020

Firstly, VirtualBox is not a fully free virtualization tool. Its BIOS needs to be compiled using a certain compiler under a nonfree (although OSI-approved) license.

The most popular tool for the job that happens to be 100% free is QEMU[1]. It might feel a bit different from VB, mainly because it is console-driven (some third-party GUI front-ends exist, though) and because it might lack some convenience features that VB provides by default, e.g. automatic guest screen resizing (although it can also be achieved with some tricks).

Getting back to the main question: Whonix routes all its traffic through Tor. Despite its possible weaknesses, it is still one of the most effective ways of anonymizing one's network traffic.

Does it make sense to layer Tor with OpenVPN? It might when your ISP is blocking or forbidding Tor access. Or when you just want to hide the fact that you are using Tor. Just keep in mind that this way your VPN provider will be able to see
* your location and
* that you are using Tor.

There are also other pros and cons of using a VM, not related to network anonymity. For example, it creates a higher attack surface. With just one operating system, an attacker would need to find a security hole in that particular system to take control over your applications. With 2 operating systems (Whonix guest + some host OS) a hole in any of those is sufficient.

On the other hand, VM lets you easily create quick&dirty operating system installations that you can just delete after use. This makes it more difficult to place a *persistent* backdoor on your PC.

Overall, I'd suggest you make a choice based on your personal preference and on the assumption that it is a good security practice to use separate operating systems for work, leisure, etc. This leaves you with a few options:
* install additional Whonixes inside VMs or
* install additional Whonixes on some spare computers or
* install Whonixes inside QubesOS[2] (which is conceptually similar to the VM approach but uses a Xen-based, security-oriented hypervisor instead of something boring like QEMU that I advertised above)

[1] https://www.qemu.org/
[2] https://www.whonix.org/wiki/Qubes
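The compartmentalisation discussed in the reply above only holds if the Whonix guest has no network adapter that bypasses the Tor gateway (for example a NAT or bridged adapter added by mistake). The following is an added example, not code from the thread or from the Whonix or VirtualBox projects. It parses the `nicN="..."` / `intnetN="..."` lines that `VBoxManage showvminfo <vm> --machinereadable` is assumed to print, and flags any adapter that is not on the expected internal network. The sample outputs, the expected network name "Whonix", and the `check_vm` helper are constructed assumptions for illustration.

```python
"""Flag VirtualBox NICs on a Whonix guest that would route around the gateway.

Added example. Assumption: `VBoxManage showvminfo <vm> --machinereadable`
prints one key="value" pair per line, including nic<N>="<mode>" and, for
internal networks, intnet<N>="<name>". The samples below are constructed,
not captured from a real VM.
"""
import re
import subprocess

# Constructed sample: workstation attached only to the internal network.
SAMPLE_WORKSTATION_OK = '''\
name="Whonix-Workstation"
nic1="intnet"
intnet1="Whonix"
nic2="none"
nic3="none"
'''

# Constructed sample: a second adapter in NAT mode bypasses the gateway.
SAMPLE_WORKSTATION_LEAKY = '''\
name="Whonix-Workstation"
nic1="intnet"
intnet1="Whonix"
nic2="nat"
nic3="none"
'''

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$')
INTNET_RE = re.compile(r'^intnet(\d+)="([^"]*)"$')


def parse_nics(machinereadable):
    """Return {adapter_index: {"mode": ..., "intnet": ...}} from showvminfo output."""
    nics = {}
    for raw in machinereadable.splitlines():
        line = raw.strip()
        m = NIC_RE.match(line)
        if m:
            nics.setdefault(int(m.group(1)), {})["mode"] = m.group(2)
            continue
        m = INTNET_RE.match(line)
        if m:
            nics.setdefault(int(m.group(1)), {})["intnet"] = m.group(2)
    return nics


def find_leaky_nics(machinereadable, expected_intnet="Whonix"):
    """List adapters that are enabled but not on the expected internal network."""
    problems = []
    for idx, nic in sorted(parse_nics(machinereadable).items()):
        mode = nic.get("mode", "none")
        if mode == "none":
            continue  # disabled adapter, nothing to route through
        if mode != "intnet":
            # nat, bridged, hostonly etc. all give the guest a path past the gateway
            problems.append(f"nic{idx}: mode {mode!r} bypasses the gateway")
        elif nic.get("intnet") != expected_intnet:
            problems.append(
                f"nic{idx}: internal network {nic.get('intnet')!r} != {expected_intnet!r}"
            )
    return problems


def check_vm(vm_name, expected_intnet="Whonix"):
    """Run VBoxManage on a live VM (hypothetical helper; needs VirtualBox installed)."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_leaky_nics(out, expected_intnet)


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_WORKSTATION_OK), ("leaky", SAMPLE_WORKSTATION_LEAKY)):
        print(label, find_leaky_nics(sample) or "no leaky adapters")
```

Running the script on the constructed samples reports nothing for the first VM and flags `nic2` for the second; `check_vm("Whonix-Workstation")` applies the same check to a real VM when VirtualBox is present.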

john.rook
Joined: 04/08/2018

Thanks so much koszkonutek for your time, input, info & considered thoughts. I'll look into it all - it's very much appreciated.