Qubes/DisposableVM

Advanced Users Only!



What are DisposableVMs?

In the Qubes TemplateVM model, [3] any changes made to a root filesystem of a TemplateBasedVM are lost upon reboot. This is advantageous for several reasons: it saves time and disk space, and allows faster, centralized updates for applications that are usually found inside the root filesystem. However, certain directories are designed to persist between reboots in order to store files and settings. These directories are stored in /rw/ and include /home/user as well as additional directories defined by "bind directory" settings. [4]

Qubes does not have a built-in snapshot capability like VirtualBox that can completely revert all changes back to a previous VM state. [5] [6] In other words, no method exists within AppVMs to reverse changes made to the persistent file system without implementing some type of custom solution. To ensure that all filesystem changes are discarded after a session, Qubes offers DisposableVMs. When a DisposableVM is shut down, the VM is removed from Qubes and all related VM images are deleted from the host filesystem. This method is not yet amnesic and should not be relied upon for anti-forensics!

While DisposableVMs ensure that files do not persist without user intervention, the downside is the user can no longer decide whether or not the current VM state should be kept or destroyed. Users must choose beforehand to use a standard AppVM or a DisposableVM; this decision cannot be changed after the fact.

Table: Qubes R4 Inheritance and Persistence

| VM type | Inheritance [7] | Persistence [8] |
|---|---|---|
| TemplateVM | n/a | Everything |
| TemplateBasedVM | /etc/skel/ to /home/ | /rw/ (includes /home/ and bind-dirs) |
| DVM Template [9] | /etc/skel/ to /home/ | /rw/ (includes /home/ and bind-dirs) |
| DisposableVM | /rw/ (includes /home/ and bind-dirs) | Nothing |

The Layered DisposableVM System

Qubes uses a two-layered approach to DisposableVMs. At the core of the system is a TemplateVM upon which a DVM Template is based. Every time a new DisposableVM is launched, it is based on the DVM Template - hence, two layers. In a standard Qubes-Whonix installation:

Once a DVM Template is created, its /home/user/ directory can be customized [10] independently of the TemplateVM. In this special case, the DVM Template will continue to inherit changes from the base TemplateVM's root filesystem (for example, package updates), but user files in /home/user/ will persist independently.

It is possible to have multiple DVM Templates and DispVMs at the same time. Any TemplateBasedVM can be enabled for use as a template for dispvms, by setting its template_for_dispvms property.

The default DVM Template of Qubes-Whonix 14 on Qubes R4 (whonix-ws-14-dvm) can be easily created using salt and will have this property set.

DisposableVM Traffic is Stream Isolated from Other VMs

DisposableVMs work especially well with Whonix-Gateway. [11] All traffic from a DisposableVM is stream isolated from all other traffic arising from VMs running in parallel.


Warnings

Warning: Use Caution when Spawning DisposableVMs from Other VMs

[14]

Warning: DisposableVMs are not Amnesic

[15] [16] [17] [18] [19]

Warning: DisposableVMs may be Linkable to other VMs Connected to the Same Whonix-Gateway

Warning: Do not start Tor Browser in a DVM Template

Reasons: Tor_Browser/Advanced_Users#Running_Tor_Browser_in_Qubes_TemplateVM

Start Tor Browser only in TemplateBased AppVMs or DispVMs. See Qubes/DisposableVM#Start_Tor_Browser_in_a_DisposableVM.

Warning: Do not start Tor Browser Updater in a DVM Template

Reasons: Tor_Browser/Advanced_Users#tb-updater_in_Qubes_DVM_Template

Run Tor Browser Downloader by Whonix developers in Whonix-Workstation TemplateVM ({{{{whonix-ws}}}}) instead.

Warning: Check the Tor Browser Version

Warning: Avoid Ephemeral Whonix-Gateway ProxyVMs in Qubes R4


Some Whonix users mistakenly believe that using DisposableVMs for both the Whonix-Gateway and Whonix-Workstation in Qubes R4 is the ultimate configuration, increasing security without any corresponding privacy downside. This reasoning is incorrect for the following reasons: [23] [24] [25]

  • DisposableVMs are not amnesic. In practice this means traces of their activity can be left on storage or in memory, making them vulnerable to forensic operations. [26]
  • Using a DisposableVM for the Whonix-Gateway results in non-persistent entry guards to the Tor network, which is unlike the default configurations for Whonix, Tor, and the Tor Browser Bundle. Mathematically speaking, end-to-end correlation attacks are more likely to succeed when a user chooses many random entry and exit points to the Tor network, rather than semi-permanent entry guards which are only rotated every few months. [27] [28]


The solution to the first problem is only allowing in-RAM execution of DisposableVMs, but this is not planned for implementation in the short-term. There is no perfect solution to the second problem. That said, there is an actual unstated security-privacy trade-off by running this configuration. Theoretically, an ephemeral Whonix-Gateway ProxyVM is only able to be infected for a single session (via the /home, /usr/local and /rw directories), since it is discarded upon shutdown. This provides a counterbalance to the increased threat of malicious guards, as Whonix becomes more "Tails-like".


Setup

Note: All examples below reference GUI actions whenever possible. The equivalent command line interface commands are listed in the footnotes.

Creating Whonix default DVM Template Based on Whonix-Workstation

Step 0: Update Qubes-Whonix.

Qubes/Update

Step 1: Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole or Xfce Terminal

Step 2: Create the whonix-ws-14-dvm DVM Template.

sudo qubesctl state.sls qvm.whonix-ws-14-dvm

Step 3: Enable DVM Template presentation in the Qubes VM Manager (QVMM).

TODO: Is this still required or already by default?

dom0 -> Qubes VM Manager -> (menu) View -> enable 'Show/Hide internal VMs'

dom0 -> Qubes VM Manager -> enable 'Show/Hide inactive VMs'

Qubes-Whonix DisposableVMs are now ready for use.

Creating a named Whonix DispVM Based on Whonix-Workstation

For most users: not required, skip.

Do NOT include -dvm in the names of DispVMs! That would result in Tor Browser not being inherited from Whonix-Workstation TemplateVM ({{{{whonix-ws}}}}).

TODO: what is the following useful for?

qvm-create -C DispVM -l red --template whonix-ws-14-dvm anon-whonix-disp

qvm-run -a anon-whonix-disp konsole

Deleting a DVM Template

If a DVM Template has been customized by the user and the user wishes to undo these customizations, the DVM Template can be deleted in the same manner as other VMs.

TODO: document that no VM may use that DVM Template as its DVM Template anymore, otherwise deletion will fail

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-14-dvm' -> click 'Remove VM' [29]

Customizing DVM Templates

Extra caution must be exercised when customizing a DVM Template. [30] From a privacy perspective, one would ideally want to have a DVM Template that is indistinguishable from any other Whonix-Workstation. If changes are made to the DVM Template, these may link all of the DisposableVMs via a uniquely generated fingerprint should they be compromised independently. Risky changes include, but are not limited to: the installation of obscure programs, uncommon configuration settings, or the placement of unique data files. Always remember that the DisposableVM will likely be exposed to the greatest Internet threats.

TODO: Don't the timestamps of files installed by `apt-get update` already constitute a unique fingerprint?

Tor Browser is specifically designed to prevent websites from fingerprinting the user or identifying them based on the browser fingerprint. It should generally be used in its stock configuration in order to make the user's fingerprint less unique, due to commonality with the larger pool of Tor users. Each individual browser change can contribute to significant worsening of the fingerprint, so it is advisable to only make alterations if the expected impact is known. See also Tor_Browser/Advanced_Users#tb-updater_in_Qubes_DVM_Template and Tor_Browser/Advanced_Users#tb-updater_in_Qubes_TemplateVM.

Some changes, like disabling JavaScript by default, may make sense to users in terms of a usability-security trade-off.

Customizing Tor Browser in DVM Template

For most users, Tor Browser customizations in DVM Template or TemplateVM are discouraged. Advanced users who want to do it anyway, see Tor_Browser/Advanced_Users#DVM_Template_Customization.

Customizing apps other than Tor Browser in DVM Template

Please remember that only files in /home/user (or more generally, in /rw) can be customized in a DVM Template.

As stated earlier, customization is completely optional.

1. Launch the app in the DVM template

Either open a dom0 terminal and run

qvm-run -a whonix-ws-14-dvm <app>

Or from the GUI: open Qubes manager, right-click whonix-ws-14-dvm > Run command in qube, type the name of <app>

3. Customize Application Settings

Customize the app as normal.

4. Exit Application

Save settings in the application if required, then exit the application so that the settings are stored on the disk.

5. Shutdown the DVM Template

Either use a dom0 terminal

qvm-shutdown whonix-ws-14-dvm

or use Qubes manager

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-14-dvm' -> click 'Shutdown VM'

Your changes will be available the next time you start a DispVM.

Updating a DVM Template

Changes to the underlying TemplateVM ({{{{whonix-ws}}}}) are detected automatically and the DVM Template is updated without user intervention. That means package updates that are applied to {{{{whonix-ws}}}} are also applied to whonix-ws-14-dvm.

Keeping Tor Browser Updated

To obtain the latest Tor Browser, the simplest method is to use Whonix's built-in Tor Browser downloader functionality. Simply update using Tor Browser Downloader by Whonix (tb-updater) in Whonix-Workstation TemplateVM ({{{{whonix-ws}}}}) when performing your usual maintenance upgrading.

Qubes App Launcher (blue/grey "Q") -> {{{{whonix-ws}}}} -> Konsole [31] [32]

Update the package lists.

sudo apt-get update

Upgrade.

sudo apt-get dist-upgrade

If Tor Browser was not upgraded, use update-torbrowser to download a new copy of Tor Browser.

Launch Tor Browser Downloader by Whonix and follow the instructions. [33]

update-torbrowser --input gui

Shutdown the DVM Template. [34]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-14-dvm' -> click 'Shutdown VM'


Usage

DisposableVMs are well-suited for risky and largely independent activities, like web browsing or opening untrusted files. In contrast, AppVMs might be better suited for activities necessitating file persistence, like email clients with local email storage.

With either kind of VM, Qubes' VM integration tools, like secure file copy [35] and secure clipboard, [36] mean that clean, trusted files and text can be easily and safely transferred to trusted VMs should it be necessary.

User Tips

  • Remember that a DisposableVM automatically shuts down when the first user-launched process is terminated. If a new DisposableVM is created by launching Tor Browser and you start typing in an editor, all your work will be lost when you close Tor Browser. To avoid this, you can launch a terminal in the DisposableVM and then launch additional applications from the terminal. Then the DisposableVM is only destroyed after exiting the terminal.
  • In Qubes, it is inadvisable to store valuable information in an untrusted VM. This view is supported by the fact that Tor Browser doesn't remember bookmarks or credentials. A best practice for storing sensitive information is to use the offline vault VM to run applications like password managers. @rustybird has announced a new "split-tor-browser" [37] package that can retrieve URLs and credentials from a trusted VM for use in a DisposableVM's web browser. This package has not yet been tested or endorsed by Whonix, but it looks promising.
  • Sometimes a non-networked DisposableVM is useful for opening untrusted files that might otherwise try to use the network maliciously. Like all Qubes VMs, the NetVM for a DisposableVM can be changed dynamically while the VM is running. Simply set the NetVM to "none" using the Qubes VM Manager or the command line interface. [38] Warning: Use utmost caution if deciding to re-establish network connectivity. There is currently no mechanism in place to prevent connections to a clearnet NetVM.
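
An added example, not part of the original page and not Qubes or Whonix code: a dom0 shell function that checks a VM listing for three pitfalls this page warns about (a named Whonix DispVM with -dvm in its name, a Whonix DispVM attached to a NetVM other than the Whonix-Gateway, and a VM routed through a disposable gateway). It assumes a pipe-separated listing of name|class|template|netvm without a header line, as `qvm-ls --raw-data --fields NAME,CLASS,TEMPLATE,NETVM` is expected to print in dom0; the sample VM names are constructed.

```shell
#!/bin/sh
# Added example (not Qubes or Whonix code). Reads one VM per line on stdin as
# name|class|template|netvm (assumed listing format) and prints findings.
# GATEWAY defaults to sys-whonix, the NetVM named in this page's footnotes.
audit_dispvms() {
    awk -F'|' -v gw="${GATEWAY:-sys-whonix}" '
    { name[NR] = $1; class[$1] = $2; tmpl[$1] = $3; net[$1] = $4 }
    END {
        for (i = 1; i <= NR; i++) {
            n = name[i]
            # A VM routed through a DispVM has an ephemeral gateway, which
            # means non-persistent Tor entry guards.
            if ((net[n] in class) && class[net[n]] == "DispVM")
                print "EPHEMERAL-GATEWAY " n " routes through DispVM " net[n]
            # The remaining checks apply only to Whonix-Workstation DispVMs.
            if (class[n] != "DispVM" || tmpl[n] !~ /^whonix-ws/) continue
            # Named DispVMs must not contain -dvm in their name.
            if (n ~ /-dvm/)
                print "BAD-NAME " n " contains -dvm"
            # Offline ("-" or "none") is fine; anything else but the
            # Whonix-Gateway is a clearnet path.
            if (net[n] != gw && net[n] != "-" && net[n] != "none" && net[n] != "")
                print "CLEARNET-NETVM " n " uses " net[n]
        }
    }'
}

# Constructed sample listing; every VM name here is illustrative.
sample_listing() {
    cat <<'EOF'
sys-whonix|AppVM|whonix-gw-14|sys-firewall
whonix-ws-14-dvm|AppVM|whonix-ws-14|sys-whonix
disp1234|DispVM|whonix-ws-14-dvm|sys-whonix
disp5678|DispVM|whonix-ws-14-dvm|sys-firewall
anon-dvm-test|DispVM|whonix-ws-14-dvm|-
disp-gw|DispVM|whonix-gw-14-dvm|sys-firewall
anon-whonix|AppVM|whonix-ws-14|disp-gw
EOF
}

sample_listing | audit_dispvms
```

An empty result means none of the three conditions was found in the listing; it says nothing about whether a DisposableVM left traces on disk.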

TODO: fix links and generally check

Adding a Desktop Shortcut

1. From the Qubes application menu, drag and drop a menu item onto the desktop.

2. Double-click the newly created launcher to start it.

3. At first start, it is safe to click "Mark Executable".

Adding an XFCE4 panel shortcut

1. From the Qubes application menu, drag and drop a menu item onto the panel.

Start Tor Browser in a DisposableVM

Using the GUI: Qubes App Launcher (blue/grey "Q") -> Disposable: whonix-ws-14-dvm -> Tor Browser (AnonDist)

Using the dom0 command line:

qvm-run --dispvm=whonix-ws-14-dvm torbrowser

After launch, do not forget to check the Tor Browser version!



Footnotes

  1. DisposableVMs have significant improvements; see https://github.com/QubesOS/qubes-issues/issues/866#issuecomment-220495485
  2. A serious privacy bug is unresolved in Qubes R3.2 / R3.2.1 and below. Only Qubes R4 and above is supported by Whonix developers.
  3. AppVMs (qubes) and TemplateVMs
  4. How to make any file in a TemplateBasedVM persistent using bind-dirs
  5. Apart from qvm-revert-template-changes which can only revert to the state existing before the last shutdown of the TemplateVM.
  6. Qubes VM snapshots using git / SVN.
  7. Upon creation.
  8. Following shutdown.
  9. https://github.com/QubesOS/qubes-issues/issues/4175
  10. https://www.qubes-os.org/doc/dispvm-customization/
  11. Because each VM is assigned a unique internal IP address.
  12. DisposableVMs are created in one of two ways:
    • Open in DisposableVM. On the command line (domU), run.
      qvm-open-in-dvm
    • Run in DisposableVM. On the command line (domU), run.
      qvm-run --dispvm
  13. On the command line (dom0), run.
    qvm-prefs -s vmname dispvm_netvm sys-whonix
  14. Whonix default NetVM settings fixes
  15. Whonix is not amnesic.
  16. Is there a substitute for Whonix's lack of an Amnesic feature?
  17. DisposableVMs do not run entirely in RAM.
  18. DisposableVMs: support for in-RAM execution only (for anti-forensics) #904
  19. 4.0rc1 dirty shutdown causes dispVMs to remain persistent #3037
  20. https://lists.torproject.org/pipermail/tor-dev/2016-October/011591.html
  21. Multi GW Documentation.
  22. These references might not apply (to the same degree) to Qubes R4 and above with Qubes-Whonix 14 and above.
  23. DisposableVMs are not Amnesic.
  24. https://github.com/QubesOS/qubes-issues/issues/904
  25. Tor Entry Guards.
  26. This is another reminder of why full disk encryption should always be used on the host.
  27. https://trac.torproject.org/projects/tor/ticket/8240
  28. The reason is there are both malicious and benign guards in the Tor network. The more often the user "rolls the dice" (changes guards), the greater the chance of striking out.
  29. On the command line (dom0), run.
    qvm-remove <vmname>
  30. Qubes documentation: DisposableVM Customization
  31. dom0 -> Qubes VM Manager -> right-click on '{{{{whonix-ws}}}}' -> click 'Run command in VM' -> type 'konsole'
  32. On the command line (dom0), run.
    qvm-run -a {{{{whonix-ws}}}} konsole
  33. update-torbrowser
  34. On the command line (dom0), run.
    qvm-shutdown {{{{whonix-ws}}}}
    or
    DVM Template command line (domU), run.
    sudo poweroff
  35. Qubes documentation: Copying and Moving Files Between Domains
  36. Qubes documentation: Copying and Pasting Text Between Domains
  37. Github: Split Browser
  38. On the command line (dom0), run.
    qvm-prefs disp<1 | 2 | ...> netvm none


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)