
Nested Virtualization

From Whonix


Introduction

It is possible to run virtual machines (VMs) inside other VMs. This is called nested virtualization: [1]

Nested virtualization refers to virtualization that runs inside an already virtualized environment. In other words, it's the ability to run a hypervisor inside of a virtual machine (VM), which itself runs on a hypervisor.

With nested virtualization, you're effectively nesting a hypervisor within a hypervisor. The hypervisor running the main virtual machine is considered a level 0, or L0 hypervisor, and the initial hypervisor running inside the virtual machine is referred to as a level 1 or L1 hypervisor. Further nested virtualization would result in a level 2 (L2) hypervisor inside the nested VM, then a level 3 (L3) hypervisor within that nested VM, and so forth.

Not all hypervisors and operating systems support nested virtualization. Hypervisors that do support nested virtualization include KVM and VMware ESXi hypervisors (called Nested ESXi). Nested ESXi also supports Hyper-V, Xen and KVM guest hypervisors as of ESXi version 6.0.

Security Considerations

Nested virtualization is not a by-product of writing a virtualizer. A functional virtualizer does not automatically gain the ability to run nested copies of itself or of third-party virtualizers. For example, although VirtualBox existed for years, the ability to run VirtualBox inside VirtualBox on Intel CPUs only shipped in VirtualBox 6.1.0, released at the end of 2019. [2] This demonstrates that extra code is required for this functionality, and extra code means more attack surface.

Mixing virtualizers, for example running VirtualBox inside VMware, increases the attack surface further, because the code of both virtualizers is now involved.

Qubes

Running VirtualBox, KVM or Qubes inside Qubes is difficult and is not officially supported by the Qubes developers; this is unrelated to Whonix ™. To learn more about the current state of support, search the qubes-devel and qubes-users mailing lists for terms such as VirtualBox, KVM and/or nested virtualization.

KVM

See Nested KVM Virtualization.

VirtualBox inside VirtualBox

First change your host key: VirtualBox → Preferences → Input → Host Key. The "outside" and the "inside" Host Key must differ, otherwise you can not leave the "inside" VM anymore.

Using ACPI [3] and IOAPIC [4] [5] for all VMs significantly speeds up the "inside" VM. These settings are in use for Whonix ™ VMs by default.

VirtualBox's support for VT-in-VT is incomplete: nested AMD-V is functional (although not feature complete), while nested VT-x for Intel CPUs was a long-standing work in progress [6] that first shipped in VirtualBox 6.1.0. [2] The "inside" VM might therefore be slow, depending on your host's CPU make and performance. For Intel CPUs, disable VT in the "inside" VM: VirtualBox → right-click on VM → Settings → System → Acceleration → uncheck "Enable VT-x/AMD-V".
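The settings above can also be applied with VBoxManage instead of the GUI. The script below is an added example and is not code from the Whonix project or the VirtualBox documentation. It assumes VirtualBox 6.1 or later on the host (nested VT-x on Intel needs 6.1.0, footnote 2), VBoxManage on PATH unless DRY_RUN is set, all VMs powered off (modifyvm refuses to change a running VM), "Whonix-Workstation" as the outer VM, and a hypothetical inner VM named "Nested-Guest". The host key is still changed in the GUI as described above.

```shell
#!/bin/sh
# Added example (not Whonix or VirtualBox project code): configure the
# "outside" and "inside" VirtualBox VMs for nested virtualization.
# Assumptions: VirtualBox >= 6.1 on the host; VBoxManage on PATH unless
# DRY_RUN is set; every VM powered off; VM names below are placeholders.

OUTER_VM="${OUTER_VM:-Whonix-Workstation}"   # VM that will run the nested hypervisor
INNER_VM="${INNER_VM:-Nested-Guest}"         # hypothetical VM created inside OUTER_VM

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Footnotes 3 and 5: ACPI and I/O APIC on, for every VM in the chain.
base_settings() {
    run VBoxManage modifyvm "$1" --acpi on --ioapic on
}

# The "outside" VM: pass VT-x/AMD-V through to its guest with --nested-hw-virt
# (VirtualBox 6.0+); without it no hypervisor can use hardware virtualization inside.
outer_vm_settings() {
    base_settings "$1"
    run VBoxManage modifyvm "$1" --hwvirtex on --nested-paging on --nested-hw-virt on
}

# The "inside" VM, configured from within the outer VM. $2 is the host CPU
# vendor (intel|amd): on Intel this section advises turning VT-x off for the
# inner VM; on AMD nested AMD-V is usable and is left on.
inner_vm_settings() {
    base_settings "$1"
    case "$2" in
        intel) run VBoxManage modifyvm "$1" --hwvirtex off ;;
        amd)   run VBoxManage modifyvm "$1" --hwvirtex on ;;
        *)     echo "inner_vm_settings: unknown CPU vendor '$2' (use intel|amd)" >&2; return 1 ;;
    esac
}

# Usage on the host:          DRY_RUN=1 outer_vm_settings "$OUTER_VM"
# Usage inside the outer VM:  DRY_RUN=1 inner_vm_settings "$INNER_VM" intel
# Drop DRY_RUN=1 to apply the settings for real.
```

Run with DRY_RUN=1 first and compare the printed commands against `VBoxManage showvminfo <vm>` before applying them; the inner VM's settings must be applied by the VirtualBox instance running inside the outer VM, not by the host.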

Forum discussion:
https://forums.whonix.org/t/nested-visualization-with-whonix-vbox-windows-7-inside-whonix-ws

Running Whonix ™ in a Nested Virtual Machine

Documentation for this is incomplete. Contributions are happily considered!

Only Whonix ™ 64-bit builds are available for download; see Dev/64bit for why. Some virtualizers have no or only limited support for 64-bit guests inside a nested VM, which can be a problem when trying to run Whonix ™ in a nested virtual machine.
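Before importing Whonix ™ into a nested VM, it is worth checking from inside the guest that the CPU exposes what a nested 64-bit hypervisor needs. The following is an added check, not part of the Whonix documentation: it reads a /proc/cpuinfo-style file and reports whether long mode (the `lm` flag, i.e. 64-bit), a hardware virtualization extension (`vmx` for Intel, `svm` for AMD) and the `hypervisor` flag (running as a guest) are visible. The two cpuinfo excerpts at the end are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not Whonix project code): from inside a guest, check whether
# the virtual CPU could host a further nested 64-bit VM.

# First "flags" line of a cpuinfo file, one flag per output line.
flags_line() {
    awk -F': ' '/^flags/ { print $2; exit }' "$1" | tr ' ' '\n'
}

# Exit 0 if flag $2 is present in cpuinfo file $1.
has_flag() {
    flags_line "$1" | grep -qx "$2"
}

# Prints e.g. "lm:yes hwvirt:vmx guest:yes". Returns 0 only when both a 64-bit
# CPU and VT-x/AMD-V are visible, the minimum a nested 64-bit hypervisor needs.
nested_capability() {
    f="${1:-/proc/cpuinfo}"
    lm=no; hv=none; guest=no
    has_flag "$f" lm && lm=yes
    if has_flag "$f" vmx; then hv=vmx; elif has_flag "$f" svm; then hv=svm; fi
    has_flag "$f" hypervisor && guest=yes
    printf 'lm:%s hwvirt:%s guest:%s\n' "$lm" "$hv" "$guest"
    if [ "$lm" = yes ] && [ "$hv" != none ]; then return 0; else return 1; fi
}

# Constructed sample cpuinfo excerpts (not from a real machine).
SAMPLE_NESTED_OK="$(mktemp)"
cat >"$SAMPLE_NESTED_OK" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep lm vmx ept hypervisor
EOF

# Same guest, but the outer hypervisor did not pass VT-x through.
SAMPLE_NO_VIRT="$(mktemp)"
cat >"$SAMPLE_NO_VIRT" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep lm hypervisor
EOF
trap 'rm -f "$SAMPLE_NESTED_OK" "$SAMPLE_NO_VIRT"' EXIT

# Usage inside the VM that should host Whonix:  nested_capability   (reads /proc/cpuinfo)
# Usage on the samples:  nested_capability "$SAMPLE_NESTED_OK"; nested_capability "$SAMPLE_NO_VIRT"
```

A guest that reports `hwvirt:none` will not be able to run a 64-bit nested VM that relies on hardware virtualization; fix the outer VM's settings (for VirtualBox, nested VT-x/AMD-V for that VM) before trying again.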

Footnotes

  1. https://www.webopedia.com/TERM/N/nested-virtualization.html
  2. https://www.virtualbox.org/ticket/4032#comment:163

     Hardware-assisted Nested virtualization on Intel CPUs has been available starting with VirtualBox 6.1.0

  3. VBoxManage modifyvm "Whonix-Workstation" --acpi on (the VM must be powered off)
  4. VirtualBox → right-click on VM → Settings → System → Motherboard → check "Enable I/O APIC"
  5. VBoxManage modifyvm "Whonix-Workstation" --ioapic on (the VM must be powered off)
  6. https://www.virtualbox.org/ticket/4032


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
