Actions

Multiple Qubes-Whonix ™ templates

From Whonix



Multiplequbeshwonix.jpg

Introduction[edit]

Multiple Qubes-Whonix ™ Templates provides much greater flexibility over a single template when choosing software packages. The additional cloned templates can be customized with software to meet specific requirements; something impossible to achieve with a single Template. [1]

Rationale[edit]

  • Packages from a later release: Installing packages from a later release could end up breaking the system. For example, mixing packages from Debian Stable [archive] with those of a later release like Debian Testing [archive] can lead to an unstable system because of associated software dependencies required for full functionality. [2] [3] Prior to installing Debian packages from a later release, first read Install from Debian Testing.
  • Custom software: Additional cloned templates makes it easy to install custom software used for a specific application. For example, users could Tunnel UDP over Tor by configuring whonix-ws-16 to route all applications through a VPN tunnel. However, this method also increases the risk of identity correlation. To mitigate this risk, the App Qube based on this template should only be used for the particular application that must be routed through the tunnel-link. Before installing custom software it is recommended to first read Install Software: General Advice.
  • Untrusted packages: It is unwise to install untrusted packages in a template used for sensitive activities. With multiple cloned Templates, a single template can be designated as a less trusted domain for that purpose. [4] Read Trusting your templates [archive] prior to installing untrusted packages.

Cloning Templates[edit]

Info Note: Each Template's root filesystem runs independently from all other Templates. [5] Therefore, each individual Template must be updated separately.

Qube Manager[edit]

Cloning templates in Qubes-Whonix ™ is easily accomplished via Qube Manager. Be careful with naming conventions for both Templates and App Qubes (based on those templates) so they are not confused with each other. This will minimize the chance of basing an App Qube on the wrong template.

When creating App Qubes based on cloned Templates, a purpose-based naming convention is sensible so there is no ambiguity regarding the intended function of an App Qube. For example, if an App Qube is created to tunnel UDP over Tor, appending tunnel-udp (the purpose) to the end of anon-whonix would lead to the name anon-whonix-tunnel-udp.

To clone Qubes-Whonix ™ Templates, follow the steps below in Qube Manager:

Qube ManagerVM to be ClonedClone qubeEnter name for Qube clone

Figure: Cloning Whonix ™ qubes
Qubesmanagercloning.png

When prompted, give the newly cloned VM a name that is not easily confused with other VMs. This minimizes the chances of basing an App Qube on the wrong template; there could be serious security concerns if a "trusted" App Qube was based on the wrong Template with untrusted packages.

Figure: Clone Renaming
Qubeclonerenaming.png

Additional Settings[edit]

Info Reminder: In Qubes R4 and above the NetVM setting of Templates should be set to None. [6]

Whonix ™ first time users warning A cloned Whonix ™ Template will by default be upgraded through sys-whonix. [7] This is a known Qubes usability issue. [8]

If you would like to change the UpdatesProxy setting for any Template, apply the following steps.

1. In dom0, open /etc/qubes-rpc/policy/qubes.UpdatesProxy with root rights.

sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

TODO: the following steps require testing.

2. Add at the very top of that file.

Syntax:

name-of-template-vm $default allow,target=name-of-proxy-vm

For example:

whonix-ws-16-clone-1 $default allow,target=sys-whonix-cloned

3. Save the file.

<Ctrl-X> --> press Y --> <Enter>

The procedure is now complete.

Footnotes[edit]

  1. Optionally, the default template can be cloned and used as the default template for App Qubes. Having a “known-good” backup template available at all times is best practice.
  2. Using packages from different repositories can lead to Dependency Hell.
  3. This problem can be avoided by cloning additional Whonix ™ templates and preferring packages from a single repository in each Template.
  4. It is strongly encouraged to only install signed packages from a trusted source.
  5. This applies to all Templates, even if they were cloned.
  6. Since Templates in Qubes R4 and above are supposed to be upgraded through qrexec based Qubes updates proxy.
  7. Because /etc/qubes-rpc/policy/qubes.UpdatesProxy [archive] contains:
    $tag:whonix-updatevm $default allow,target=sys-whonix

    Quote:

    Note that policy parsing stops at the first match, [...]



Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Multiple Qubes-Whonix TemplateVMs&body=https://www.whonix.org/wiki/Multiple_Qubes-Whonix_TemplateVMs link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Multiple_Qubes-Whonix_TemplateVMs&title=Multiple Qubes-Whonix TemplateVMs link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Multiple_Qubes-Whonix_TemplateVMs&t=Multiple Qubes-Whonix TemplateVMs link=https://mastodon.technology/share?message=Multiple Qubes-Whonix TemplateVMs%20https://www.whonix.org/wiki/Multiple_Qubes-Whonix_TemplateVMs&t=Multiple Qubes-Whonix TemplateVMs

We are looking for video makers to help create demonstration, promotional and conceptual videos or tutorials.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.