Actions

Qubes-Whonix ™ Security

From Whonix



About this Qubes-Whonix Security Page
Support Status stable
Difficulty easy
Contributor torjunkie [archive]
Support Support
Qubeswhonix23324.jpg

Introduction[edit]

The following list of actionable items can help to improve security and anonymity on the Qubes platform, and by extension Qubes-Whonix ™ users. It is advised to regularly consult either the Google Qubes forums [archive] or preferably the JavaScript-free option The Mail Archive [archive].

Additional channels exist for the latest security news [archive] and advice [archive]. A Qubes forum [archive] has also been established for general discussion, user support and Qubes news. [1]

Security Domain[edit]

GPG and Software Packages[edit]

  • Always keep the system up-to-date in dom0 [archive], template VMs and standalone VMs [archive].
    • Prefer the Qubes Update tool or its command-line equivalent for updates. [2] [3] [4]
  • Check gpg is enabled in config files [archive] (gpgcheck=1) if new Fedora repositories are installed.
  • New repositories should be considered less trusted -- it is safest to keep them separate from TemplateVMs that feed more sensitive VMs.
  • Safely import new signing keys by checking it is the same from multiple sources.
  • Preferably only install packages from trusted sources, for example pre-configured Fedora, Debian, Whonix ™ and Qubes sources.
  • Untrusted or unverifiable programs should be installed in Standalone VMs or less trusted, cloned templates.

Hardware / Hardware Settings[edit]

  • Enable VT-d/IOMMU [archive] via BIOS to have DMA protection [archive], [5] effective network isolation and the ability to assign PCIe devices to a HVM. Check it is running via dom0 (qubes-hcl-report). [6]
  • Ensure Intel VT-x [archive] or AMD-V [archive] is available, since it is required for running HVM domains, such as Windows-based AppVMs.
  • Prepare and utilize a USB qube [archive] to protect against side-channel attacks. [7]
  • Use a Yubikey [archive] to enhance the security of Qubes user authentication, mitigate the risk of password snooping and to improve USB keyboard security.
  • Prefer Intel Integrated Graphics Processing (IGP) units for greater system stability and security. [8]
  • Ensure computer hardware meets all other Qubes-Whonix ™ requirements for the best security, functionality and future compatibility with Qubes 4.X releases.

ISO and Qubes Version[edit]

Protecting User Data and Activities[edit]

  • For critical user data, protect against unintentional leaks [archive] by setting an empty NetVM field (set to "none") for the corresponding qube.
  • Do not forget that any files or changes to a TemplateBasedVM's /home, /usr/local and /rw/config directories will persist across reboots; any sensitive material should be stored safely in non-networked VMs.
  • For sensitive activities, do not run trusted, high-value VMs in paralell with untrusted VMs. [11]
  • Observe the security context [archive] of colored windows borders in Qubes before running applications or manipulating data.
  • If paying in cryptocurrencies:
    • Consider utilizing a “split” bitcoin wallet [archive] which creates an offline “cold storage” wallet and an online “watching only” wallet. A blanket recommendation is impossible regarding which wallet should be used; see Bitcoin, Bitcoin Core and Money for further information.
    • Consider using a hardware wallet which has better security than a software wallet.
  • Avoid dual / multi-boot configurations [archive] in Qubes. The other OS could modify the unprotected /boot partition or firmware to maliciously compromise Qubes and/or spy on user activities.
  • Be careful when running command line operations. Refer to a suitable resource first [archive], then proceed.
  • Use split-GPG [archive] for email to reduce the risk of key theft used for encryption / decryption and signing.
  • Do not allow Qubes-Whonix ™ or other VMs to completely "own" the full screen [archive]. [12]
  • Disable previews (thumbnails) when using a file manager like Nautilus, as this is a known attack vector.
  • If utilizing a SSD, consider setting up a periodic job in dom0 to trim the disk [archive] since this aids against local forensics. [13] [14]

Template and Other VMs[edit]

  • Never run applications in TemplateVMs or dom0, except updating tools or editors for configuration purposes (running applications poses security risks).
  • Do not configure either sys-whonix or anon-whonix as a Standalone VM [archive]. [15] [16]
  • Consider creating separate, specialized minimal TemplateVMs [archive] for distinct AppVM clearnet activities (like browsing) to reduce the attack surface. [17] [18]
  • Avoid configuring network traffic between two qubes [archive] for security reasons.
  • Consider replacing passwordless root access with a dom0 user prompt [archive]. [19]
  • Consider leveraging the non-persistence of Qubes' templates to fend off malware [archive] by locking-down, quarantining and checking the contents of /rw private storage. [20] [21]
    • vm-boot-protect-root: suitable for service VMs like sys-usb and sys-net, as well as AppVMs such as untrusted, personal, banking, vault and so. [22]
    • vm-boot-protect: suitable for virtually any Debian or Fedora VM, such as Whonix ™ VMs, Standalone VMs and DispVMs.
    • Non-Linux VMs are currently unsupported for both modes.
  • Consider split dm-crypt [archive] to isolate device-mapper based secondary storage encryption (not the root filesystem) and LUKS header processing to DisposableVMs.
  • Consider running sys-net, sys-firewall and sys-usb as Static DisposableVMs [archive].
  • Consider setting dom0 and all TemplateVMs to update over Tor by configuring this option on Qubes' first boot. [23] [24]
  • Prevent qubes which normally connect to clearnet from downloading repository metadata; see footnotes. [25] [26]
    • Disable the "Check for qube updates by default" option in Qube Manager Global settings: Qube ManagerSystemGlobal settingsUncheck Check for qube updates by default; and
    • Disable the qubes-update-check service for relevant TemplateVMs: Qubes ManagerRight-click TemplateVMQubes settingsServicesUncheck qubes-update-check. [27]
  • Disable cups in all TemplateVMs as well as in StandaloneVMs that have been created; see footnotes. [28] [29]

Footnotes[edit]

  1. https://www.mail-archive.com/qubes-users@googlegroups.com/msg35196.html [archive]
  2. Updating Qubes OS [archive]:

    Warning: Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, as described below. (By contrast, installing packages using direct package manager commands is fine.)

  3. Replace built-in Qube Manager update functionality with the Qubes Update tool [archive]
  4. It is understood that other mechanisms do not have the same security benefits of Qubes Updater GUI which uses the Salt version for update commands. That is, Qubes repository metadata may not be verified which allows attackers to block (but not modify) packages from being updated. For further information, see: Recommendation against "qubes-dom0-update" (use "Qubes Updater" instead) [archive].
  5. Qubes FAQ [archive]:

    DMA is mechanism for PCI devices to access system memory (read/write). Without VT-d, any PCI device can access all the memory, regardless to which VM it is assigned (or if it is left in dom0). Most PCI devices allow the driver to request an arbitrary DMA operation (like “put received network packets at this address in memory”, or “get this memory area and send it to the network”). So, without VT-d, it gives unlimited access to the whole system. Now, it is only a matter of knowing where to read/write to take over the system, instead of just crashing. But since you can read the whole memory, it isn’t that hard.

  6. The Qubes wiki [archive] notes:

    If VT-d is not active, attempt to activate it by selecting the VT-d flag within the BIOS settings. If your processor/BIOS does not allow VT-d activation you still enjoy much better security than alternative systems, but you may be vulnerable to DMA attacks. Next time you buy a computer consult our HCL (Hardware Compatibility List) [archive] and possibly contribute to it.

  7. Automatically configured in Qubes R4, but an optional configuration in R3.2.
  8. Proprietary binary blobs of other GPU manufacturers pose security risks and the available open source drivers are notoriously unstable in Qubes.
  9. User note: Qubes R4.0 and above provides fully virtualized (HVM or PVH) VMs that have greater protection [archive] against processor speculative execution bugs like the Meltdown and Spectre attacks, and other exploits. Qubes R3.2 and earlier versions relied on para-virtualized (PV) VMs.
  10. For instance, this security bug [archive] allowed an attacker to escape from a PV domain and exploit the dom0 hypervisor. It only affected Qubes R3.2, since Qubes R4 only runs untrusted code in PVH or HVM domains [archive] by default.
  11. A successful exploit of the untrusted qube provides an avenue for attacking the sensitive qube.
  12. Without visible, colored decorations drawn by each VM window, a malicious application might only pretend to release the full screen (while the screen appears normal), or the full desktop may be emulated so users are tricked into entering sensitive information into false "trusted" domains.
  13. This can be configured with either systemd (weekly only) or cron (daily or weekly).
  14. Qubes wiki [archive]:

    TRIM can improve security against local forensics when using SSDs, because with TRIM enabled deleting data (usually) results in the actual data being erased quickly, rather than remaining in unallocated space indefinitely. However deletion is not guaranteed, and can fail to happen without warning for a variety of reasons.

  15. Unlike AppVMs where only the /rw/ directories are persistent, Standalone VMs are complete clones of the template which have independent file systems. This means it is more vulnerable to the threat of persistent malware.
  16. https://forums.whonix.org/t/running-whonix-workstation-as-standalonevm/12008 [archive]
  17. Qubes developer unman has noted [archive]:

    It’s a mistake to think that attacks need be against applications. Every time you install an application, it will bring with it a number of libraries, dependencies and recommends. Use of those libraries from the application may be well controlled, but an attacker may be able to chain and abuse them in unexpected ways. That is increasing the attack surface, and using tuned templates minimises that risk.

  18. This also reduces the frequency of updates and the associated threat of broken templates. Further, adversaries that get a toe-hold on a user's system will have less potential software vulnerabilities to exploit/chain.
  19. There might be potential attacks against the hypervisor or daemons/backends in dom0 that require root access. Qubes founder Joanna Rutkowska initially assessed there was limited benefit from isolating the root account from the user account, because all user data is already accessible from the latter [archive]. However, she later changed her opinion on the matter; see here [archive].
  20. vm-boot-protect.service:

    • Acts at VM startup before private volume /rw mounts
    • User: Protect /home desktop & shell startup executables
    • Root: Quarantine all /rw configs & scripts, with whitelisting
    • Re-deploy custom or default files to /rw on each boot
    • SHA256 hash checking against unwanted changes
    • Provides rescue shell on error or request
    • Works with template-based AppVMs, sys-net and sys-vpn
  21. Disabling of Qubes' default passwordless-root is also required.
  22. If regular Linux applications like Firefox, Chromium, KeePassXC, office/media applications and Thunderbird are used without tailored Qubes-specific settings in /rw, then no configuration should be necessary.
  23. https://github.com/QubesOS/qubes-issues/issues/1159#issuecomment-167432121 [archive]
  24. This option has been available since Qubes R3.1 and prevents adversaries from easily learning which packages are installed or updated / upgraded. The dom0 UpdateVM can also be changed in Qube Manager Global settings.
  25. https://www.mail-archive.com/qubes-users@googlegroups.com/msg27567.html [archive]

    It is the qubes that perform update checks and then notify dom0 accordingly. So if you have a qube connected to clearnet it will check over clearnet. You can disable this in clearnet connected qubes - it's the qubes-update-check service. Or you can disable globally in qubes-global-settings.

  26. This removes any time-based correlation by adversaries, which might otherwise occur when package updates over Tor happen shortly after clearnet repository metadata is downloaded.
  27. Tests have shown that both settings must be disabled to prevent clearnet repository metadata downloads and update notifications.
  28. https://github.com/QubesOS/qubes-issues/issues/5179 [archive]
  29. In TemplateVM / StandaloneVM.
    sudo systemctl mask cups

    Now cups will no longer needlessly autostart in every VM. If it is necessary to use a dedicated printing VM later on, follow these steps to start cups.

    sudo systemctl unmask cups
    sudo systemctl start cups

    These two commands can probably be automated using /etc/rc.local.



Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Qubes-Whonix Security&body=https://www.whonix.org/wiki/Qubes-Whonix_Security link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Qubes-Whonix_Security&title=Qubes-Whonix Security link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Qubes-Whonix_Security&t=Qubes-Whonix Security link=https://mastodon.technology/share?message=Qubes-Whonix Security%20https://www.whonix.org/wiki/Qubes-Whonix_Security&t=Qubes-Whonix Security

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.