Qubes/DisposableVM

Advanced Users Only![edit]

Prefer Qubes R4 for DisposableVMs - a serious privacy bug is still unresolved in earlier versions.

Warning! A few usability issues in DisposableVMs affect anonymity. If the risks are unknown to the user, then first carefully read this page, and preferably upgrade to the recently released Qubes R4 [1] before relying on DisposableVMs for strong anonymity. [2]

What are DisposableVMs?[edit]

In the Qubes TemplateVM model, ^[3] any changes made to a root filesystem of a TemplateBasedVM are lost upon reboot. This is advantageous for several reasons: it saves time and disk space, and allows faster, centralized updates for applications that are usually found inside the root filesystem. However, certain directories are designed to persist between reboots in order to store files and settings. These directories are stored in /rw/ and include /home/user as well as additional directories defined by "bind directory" settings. ^[4]

Qubes does not have a built-in snapshot capability like VirtualBox that can completely revert all changes back to a previous VM state. ^{[5] [6]} In other words, no method exists within AppVMs to reverse changes made to the persistent file system without implementing some type of custom solution. To ensure that all filesystem changes are discarded after a session, Qubes offers DisposableVMs. When a DisposableVM is shutdown, the VM is removed from Qubes and all related VM images are deleted from the host filesystem. This method is not yet amnesic and should not be relied upon for anti-forensics!

While DisposableVMs ensure that files do not persist without user intervention, the downside is the user can no longer decide whether or not the current VM state should be kept or destroyed. Users must choose beforehand to use a standard AppVM or a DisposableVM; this decision cannot be changed after the fact.

The Layered DisposableVM System[edit]

Qubes R3.2

Qubes R3.2 uses a two-layered approach to DisposableVMs. At the core of the system is a TemplateVM upon which a DisposableVM-Template is based. Every time a new DisposableVM is launched, it is based on the DisposableVM-Template - hence, two layers. In a standard Qubes-Whonix installation:

• The base TemplateVM is whonix-ws.
• The DisposableVM-Template is called whonix-ws-dvm.
• Each new DisposableVM (disp1, disp2, ...) is based on whonix-ws-dvm.

Once a DisposableVM-Template is created, its /home/user/ directory can be customized ^[7] independently of the base TemplateVM. In this special case, the DisposableVM-Template will continue to inherit changes from the base TemplateVM's root filesystem (for example, package updates), but user files in /home/user/ will persist independently.

Qubes R4

DisposableVMs in Qubes R4 are based on a DVM Template, rather than a TemplateVM. This means that DisposableVMs are more flexible and convenient, but potentially less anonymous if configured poorly. The characteristics of DisposableVMs are compared to Template(Based)VMs below.

Table: Qubes R4 Inheritance and Persistence

TODO: Briefly describe customization path in Qubes R4.

DisposableVM Traffic is Stream Isolated from Other VMs[edit]

DisposableVMs work especially well with Whonix-Gateway because each VM is assigned a unique internal IP address. In this way, all traffic from a DisposableVM is stream isolated from all other traffic arising from VMs running in paralell.

Warnings[edit]

Warning: Do not Use Firefox from Qubes' DisposableVM Default Start Menu[edit]

Do not expect anonymity when selecting Qubes Start Menu -> DisposableVM -> Firefox! Using any browser other than Tor Browser is strongly discouraged if anonymity is desired, see Tor Browser. The default Qubes start menu option is best not used at all, unless the menu entry is manually edited to launch Tor Browser in place of Firefox. [10]

Warning: Use Caution when Spawning DisposableVMs from Other VMs[edit]

If a DisposableVM is created from within a VM that is not connected to Whonix-Gateway, the new DisposableVM may route its traffic over clearnet. [11] This is because DisposableVMs inherit their NetVMs from the calling VM, or the calling VM's dispvm_netvm setting if different. The dispvm_netvm setting can be configured per VM via: dom0 -> Qubes VM Manager -> VM Settings -> Advanced -> NetVM for DisposableVM [12] If the calling VM is connected to Whonix-Gateway, this step is not necessary and the DisposableVM's traffic will be routed over Tor.

^[13]

Warning: DisposableVMs are not Amnesic[edit]

All changes to a DisposableVM's file system are discarded upon shutdown. However, DisposableVMs are similar to snapshots insofar as they can leave traces of their activity on storage and in memory. These traces may be later recoverable through data forensics. This is further justification for using full disk encryption on the Qubes host and completely shutting down the system when it is not in use. Laptop users may wish to remove batteries to ensure that power to the RAM is indeed disconnected.

^{[14] [15] [16] [17] [18]}

Warning: DisposableVMs may be Linkable to other VMs Connected to the Same Whonix-Gateway[edit]

The Tor Project developer Teor has stated that Tor caches DNS, HS descriptors, pre-emptive circuits, etc. [19] which may lead to linkability between AppVMs and DisposableVMs sharing the same gateway. The extent to which this is a threat for Whonix users is currently under investigation. [20]

Warning: Check the Tor Browser Version[edit]

Keeping Tor Browser updated in a (customized) DisposableVM can be difficult for several reasons, but it is necessary. To learn about recent Tor Browser versions, follow The Tor Project blog or look at raw data for the latest Recommended TBB Versions. When using DisposableVMs, use the Tor Browser Internal Updater daily to check the browser is up to date. Tor Browser's version number can also be checked manually: Tor Browser -> Menu -> Help -> About Tor Browser. See Updating Tor Browser for more information.

Warning: Avoid Ephemeral Whonix-Gateway ProxyVMs in Qubes R4[edit]

Using disposable Whonix-Gateway ProxyVMs in Qubes R4 makes the user less anonymous due to the configuration having non-persistent entry guards!

Some Whonix users have the mistaken belief that disposableVMs for both the Whonix-Gateway and Whonix-Workstation in Qubes R4 is the ultimate configuration: increasing their security, without any corresponding privacy downside. This reasoning is incorrect for the following reasons: ^{[21] [22] [23]}

• DisposableVMs are not amnesic. In practice this means traces of their activity can be left on storage or in memory, making them vulnerable to forensic operations. ^[24]
• Using a disposableVM for the Whonix-Gateway results in non-persistent entry guards to the Tor network; behavior unlike the default configurations for Whonix, Tor, and the Tor Browser Bundle. Mathematically speaking, end-to-end correlation attacks are more likely to succeed when a user chooses many random entry and exit points to the Tor network, rather than semi-permanent entry guards which are only rotated every few months. ^{[25] [26]}

The solution to the first problem is only allowing in-RAM execution of DisposableVMs, but this is not planned for implementation in the short-term. There is no perfect solution to the second problem. That said, there is an actual unstated security-privacy trade-off by running this configuration. Theoretically, an ephemeral Whonix-Gateway ProxyVM is only able to be infected for a single session (via the /home, /usr/local and /rw directories), since it is discarded upon shutdown. This provides a counterbalance to the increased threat of malicious guards, as Whonix becomes more "Tails-like".

Setup[edit]

These instructions are current as of Qubes 3.2. Updated documentation will be required for Qubes 4.0 since it is anticipated it will bring major changes to the DisposableVM implementation. [27]

Note: All examples below reference GUI actions whenever possible. The equivalent command line interface commands are listed in the footnotes.

Creating a New DisposableVM-Template Based on Whonix-Workstation[edit]

echo "tb_install_follow=false" | sudo tee -a /etc/torbrowser.d/50_user.conf

noaskstart=true update-torbrowser --input gui >/dev/null 2>&1

qvm-create-default-dvm whonix-ws

qvm-remove <oldDisposableVM-Template>

qvm-create-default-dvm whonix-ws

qvm-prefs -s whonix-ws-dvm netvm sys-whonix

qvm-run -a whonix-ws-dvm konsole

touch /home/user/.qubes-dispvm-customized

noaskstart=true update-torbrowser --input gui >/dev/null 2>&1

sudo poweroff

qvm-create-default-dvm whonix-ws

Create and Configure a DisposableVM-Template

Step 1: Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole or Xfce Terminal

Step 2: Create a DisposableVM-Template.

qvm-create-default-dvm whonix-ws

Step 3: Enable DisposableVM-Template presentation in the Qubes VM Manager (QVMM).

dom0 -> Qubes VM Manager -> (menu) View -> enable 'Show/Hide internal VMs'

dom0 -> Qubes VM Manager -> enable 'Show/Hide inactive VMs'

Step 4: Configure Whonix-Gateway as the NetVM. ^[32]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> VM Settings -> NetVM -> sys-whonix

If intending to spawn DisposableVMs from other VMs, configure the NetVM for the DisposableVM setting, see Warning: Use caution when spawning DisposableVMs from other VMs.

The DisposableVM is now ready for use and is configured with all of the applications present in the Whonix-Workstation template, including Tor Browser.

Also follow the next step #Edit Qubes DisposableVM start menu to make sure Firefox is not accidentally started, since this is discouraged!

Edit Qubes' DisposableVM Start Menu[edit]

Complete the following to work around #Warning: Do not use Firefox from Qubes DisposableVM default start menu.

In Qubes dom0.

alt + F3 -> on the left side, click 'DisposableVM' -> right-click on 'Firefox' -> edit ->

• Name: DisposableVM: Tor Browser
• Command: sh -c 'echo torbrowser | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'

-> click 'Save'

While editing entries, it is also possible to edit the xterm entry and change it to konsole. This is not important for security, but may be a personal preference.

Deleting a DisposableVM-Template[edit]

Deleting a DisposableVM-Template is not usually necessary, since only one DisposableVM-Template is allowed (before Qubes 4.0). Creating a new DisposableVM-Template will overwrite the existing one. However, if a template has been customized, the existing one may need to be deleted to start with a fresh unmodified DisposableVM-Template.

A DisposableVM-Template can be deleted in the same manner as other VMs.

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Remove VM' ^[33]

Customizing a DisposableVM-Template[edit]

Extra caution must be exercised when customizing a DisposableVM-Template. ^[34] From a privacy perspective, one would ideally want to have a DisposableVM-Template that is indistinguishable from any other Whonix-Workstation. If changes are made to the DisposableVM-Template, these may link all of the DisposableVMs via a uniquely generated fingerprint should they be compromised independently. Risky changes include, but are not limited to: the installation of obscure programs, uncommon configuration settings, or the placement of unique data files. Always remember that the DisposableVM will likely be exposed to the greatest Internet threats.

Tor Browser is specifically designed to prevent websites from fingerprinting the user or identifying them based on the browser configuration. It should generally be used in its stock configuration in order to make the user's fingerprint less unique, due to commonality with the larger pool of Tor users. Each individual browser change can contribute to significant worsening of the fingerprint, so it is advisable to only make alterations if the expected impact is known.

Some changes, like disabling JavaScript by default, may make sense to users in terms of a usability-security trade-off. Additionally, minor cosmetic changes like the UI layout, or the placement of buttons, may be considered harmless to privacy while enhancing personal usability.

Please remember that only files in /home/user/ can be customized in a DisposableVM-Template. ^[35]

As stated earlier, the following steps to customize the DisposableVM are completely optional.

1. Configure Qubes to Preserve Customized Changes

Open a terminal in the DisposableVM-Template. ^[36]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Run command in VM' -> type 'konsole'

Instruct Qubes to preserve changes.

touch /home/user/.qubes-dispvm-customized

2. Launch the Application to Customize ^[37]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Run command in VM'

Enter the name of the application. For example. ^[38]

torbrowser

libreoffice

3. Finalize the DisposableVM-Template

Once satisfactory changes have been made, shutdown the DisposableVM-Template. ^[39]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Shutdown VM'

4. Regenerate the DisposableVM-Template

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole or Xfce Terminal

Regenerate the template.

qvm-create-default-dvm whonix-ws

All of the changes to /home/user/ in the DisposableVM-Template should now persist whenever the template is re-created.

Updating a DisposableVM-Template[edit]

Changes to the underlying TemplateVM (whonix-ws) are detected automatically and the DisposableVM-Template is updated without user intervention. That means package updates that are applied to whonix-ws are also applied to the whonix-ws-dvm.

Updating Tor Browser[edit]

Tor Browser presents a special situation because it is installed in a user's home directory. As a result, the TemplateVM (whonix-ws) never updates existing Tor Browser installations.

Non-Customized DisposableVM-Templates Users

To obtain the latest Tor Browser, the simplest method is to use Whonix's built-in Tor Browser downloader functionality. Simply update using Tor Browser Downloader by Whonix (tb-updater) in whonix-ws when performing your usual maintenance upgrading.

Update and upgrade.

sudo apt-get update && sudo apt-get dist-upgrade

Then, create a new DisposableVM to overwrite the existing one.

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole or Xfce Terminal

Create a new DisposableVM-Template using the updated whonix-ws TemplateVM.

qvm-create-default-dvm whonix-ws

Customized DisposableVM-Template Users

Users have two choices:

1. Tor Browser Downloader by Whonix (tb-updater) (update-torbrowser)
2. Tor Browser's internal updater.

Option #1: Use update-torbrowser to download a new copy of Tor Browser

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Run command in VM' -> type 'konsole' ^[40]

Launch Tor Browser Downloader by Whonix and follow the instructions. ^{[29] [30] [31]}

noaskstart=true update-torbrowser --input gui >/dev/null 2>&1

Shutdown the DisposableVM-Template. ^[41]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Shutdown VM'

Regenerate the DisposableVM-Template.

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole or Xfce Terminal

Then run.

qvm-create-default-dvm whonix-ws

Option #2: Use Tor Browser's internal updater and download new updates only

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Run command in VM' -> type 'torbrowser' ^[42]

Use Tor Browser's Internal Updater by clicking TorButton and selecting Check for Tor Browser Update. Close and restart Tor Browser.

Shutdown the DisposableVM-Template. ^[43]

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Shutdown VM'

Regenerate the DisposableVM-Template.

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole or Xfce Terminal

Regenerate the template.

qvm-create-default-dvm whonix-ws

Usage[edit]

DisposableVMs are well-suited for risky and largely independent activities, like web browsing or opening untrusted files. In contrast, AppVMs might be better suited for activities necessitating file persistence, like email clients with local email storage. Qubes' VM integration tools, like secure file copy ^[44] and secure clipboard, ^[45] mean that clean, trusted files and text can be easily and safely transferred to trusted VMs should it be necessary.

User Tips[edit]

• Remember that a DisposableVM is shutdown when the first user-launched process is terminated. If a new DisposableVM is created by launching Tor Browser and text is then composed in an editor, all of the work will be lost upon closing Tor Browser. To avoid this, it is prudent to launch a DisposableVM via a terminal and launch additional applications from the command line. In this scenario, the DisposableVM is destroyed by simply exiting the terminal.

• In Qubes, it is inadvisable to store valuable information in an untrusted VM. This view is supported by the fact that Tor Browser doesn't remember bookmarks or credentials. A best practice for storing sensitive information is to use an offline vault VM and applications like password managers. @rustybird has announced a new "split-tor-browser" ^[46] package that can retrieve urls and credentials from a trusted VM for use in a DisposableVM's web browser. This package has not yet been tested or endorsed by Whonix, but it looks promising.

• Sometimes a non-networked DisposableVM is useful for opening untrusted files that might otherwise try to use the network maliciously. Like all Qubes VMs, the NetVM for a DisposableVM can be changed dynamically while the VM is running. Simply set the NetVM to "none" using the Qubes VM Manager or the command line interface. ^[47] Warning: Use utmost caution if deciding to re-establish network connectivity. There is currently no mechanism in place to prevent connections to a clearnet NetVM.

• DisposableVMs can be created directly by launching programs from the application menu using shortcuts (see below for instructions). DisposableVMs can also be spawned by using context-menus or the command line interface in other AppVMs. See Qubes DisposableVM documentation for different methods. As a reminder, be sure to heed the relevant warning in the Warnings section.

Adding a Desktop Shortcut[edit]

Qubes 3.2 / XFCE4[edit]

To create a desktop shortcut that starts Tor Browser inside a DisposableVM, perform the following steps.

Right click anywhere on the free space of the desktop -> Create Launcher ->

• Name: DispTB
• Command: sh -c 'echo torbrowser | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'

-> Click Create

Double-click the newly created desktop shortcut to start it. At first start, it is safe to click "Mark Executable".

In order to see the desktop shortcuts, users may prefer to use the XFCE workspace switcher to navigate to another empty virtual desktop so existing windows do not need to be minimized.

Start Tor Browser in a DisposableVM[edit]

Tor Browser can be started with a desktop shortcut like in the above example, or via another method. After launch, do not forget to check the Tor Browser version!

Adding Shortcuts to Application Menus[edit]

^[48]

Qubes 3.2 / XFCE4 (Untested)[edit]

Make a .desktop file for every DisposableVM shortcut that will be added to the menu.^[49] These .desktop files must be placed in ~/.local/share/applications/.

Open a terminal in the DisposableVM-Template.

dom0 -> Qubes VM Manager -> right-click on 'whonix-ws-dvm' -> click 'Run command in VM' -> type 'konsole' ^[50]

Create a local applications directory.

mkdir -p ~/.local/share/applications/

Use a text editor to create and open each .desktop file and logically name each one.

kwrite ~/.local/share/applications/dvm-torbrowser.desktop

As appropriate, add the following entries and substitute fields to each .desktop file. In the Exec field, substitute torbrowser with the command used to launch each relevant application matching the shortcut. For example: konsole, kwrite, libreoffice, kgpg, okular, dolphin and so on.

[Desktop Entry]
Name=Tor Browser
Comment=Launch Tor Browser in DisposableVM
Type=Application
Terminal=false
Exec=sh -c 'echo torbrowser | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'

Icon= & Category= are also useful fields. Feel free to research the .desktop specification using the footnote above.

Once the .desktop files have been created, they need to be added to the Applications menu. Use a text editor to edit the following file.

kwrite ~/.config/menus/xfce-applications.menu

Find the menu entry associated with the DisposableVM-Template. (Help!)

<Menu>
    <Name>DisposableVMTemplate</Name>

In the <Include> subsection, add the appropriately named .desktop file.

<Filename>dvm-torbrowser.desktop</Filename>

Qubes 3.2 / XFCE4: MenuLibre (Untested)[edit]

sudo qubes-dom0-update menulibre

Qubes 3.1 / KDE4[edit]

dom0 -> right-click Application Launcher Menu -> click `Edit Applications` -> Select DisposableVM from the VM entries on the left panel -> Press the arrow button to expand the menu -> Click New Item on the Toolbar -> Type in a Name for the shortcut ->

Type in the specific command to launch the program in the DisposableVM. Tor Browser, konsole and dolphin are provided as examples below.

sh -c 'echo torbrowser | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'

sh -c 'echo konsole | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'

sh -c 'echo dolphin | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'

-> Click on the square in the upper right in order to choose an icon ^[51] -> Click Save.

Command Line Interface[edit]

It is simple to start applications like konsole or Tor Browser in a DisposableVM.

Open a dom0 terminal.

echo konsole | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red

echo torbrowser | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red

Qubes R4[edit]

whonix-ws-14-dvm is the DVM Template. ^[52]

Do NOT include -dvm into the names of DispVMs! That would result in Tor Browser not being inherited from whonix-ws-14 TemplateVM.

qvm-create -C DispMV -l red --template whonix-ws-14-dvm anon-whonix-disp

qvm-start anon-whonix-disp konsole

Footnotes[edit]

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)