Actions

Whonix Live Mode

About this Whonix Live Page
Support Status testing
Difficulty medium
Maintainer Algernon
Support Support

Introduction[edit]

Users can optionally run Whonix as a live system. [1] Booting into live mode will make all writes go to RAM instead of the hard disk. Everything that is created / changed / downloaded in the VM during that session will not persist after shutdown. This also holds true for malicious changes made by malware, so long as it did not break out of the virtual machine.

There are two live mode options available, grub-live and ro-mode-init.

  • grub-live will create a new boot menu entry which the user has to select manually but it is the more failsafe and hence the recommended option.
  • With ro-mode-init the boot menu will stay the same and the system will automatically boot into live mode when it detects a read-only disk otherwise it boots normally into persistent mode.

Warning[edit]


When Whonix is run as a live system, all changes are written to RAM by default. However, it is possible for this design to be bypassed if swap files, core dumps and other relevant configurations are in effect. Fortunately, most of these can be disabled. [2] [3] [4] [5]

To stymie disk forensics, ideally full disk encryption should be applied on the host and the computer should be powered off when not in use. Alternatively, the whole host OS could be run from RAM, or a live system run on the host with all writes going to RAM. The latter method also requires a correctly implemented write protection switch.

To make memory forensics harder, the machine should either be removed from any power source (by pulling the plug / removing the battery) and/or the memory should be wiped upon shutdown.

Live-mode Configuration[edit]

Qubes[edit]

grub-live is currently unsupported on Qubes, but may become available in the future. Refer to the following forum discussion for further information.

In Qubes R4, Qubes DisposableVMs are a suitable alternative, as well as the Qubes Live USB.

VirtualBox[edit]

1. Backup.

Option 1: Create a snapshot of your VM. OR

Option 2: Alternatively backup the /boot folder.

sudo cp -a /boot /boot.back

2. Install grub-live.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the grub-live package.

sudo apt-get install grub-live

The procedure of installing grub-live now complete.

Following reboot, a second boot entry called "Whonix Live-mode" will be visible. Simply press Enter to boot the live system and use it as normal.

To increase security, the VM disks can be set to read-only. Otherwise, malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way.

1. To do so, power off the machine.

2. From the command line run:

VBoxManage setextradata vmname "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/Readonly" 1

to set the disk to read-only with "vmname" being the name of your virtual machine e.g. Whonix-Gateway. To boot into normal mode again, simply revert this change via:

VBoxManage setextradata vmname "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/Readonly"

and choose the normal boot option in the GRUB menu.

KVM[edit]

1. Backup.

Option 1: Create a snapshot of your VM. OR

Option 2: Alternatively backup the /boot folder.

sudo cp -a /boot /boot.back

2. Install grub-live.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the grub-live package.

sudo apt-get install grub-live

The procedure of installing grub-live now complete.

Following reboot, a second boot entry called "Whonix Live-mode" will be visible. Simply press Enter to boot the live system and use it as normal.

To increase security, the VM disks can be set to read-only. Otherwise, malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way. To do so, power off the machine and set the hard disk to read-only in the virt-manager GUI before booting into live mode. To boot into normal mode again, simply revert this change and choose the normal boot option in the GRUB menu.

Alternative Configurations[edit]


Virtualbox and KVM:

VirtualBox only:

Debugging/Errors[edit]

An inconsistent filesystem will likely result in errors during live-boot. For instance, inconsistencies can arise when the VM is killed instead of performing a normal shutdown in persistent mode. Therefore, to make sure it is consistent, run fsck in persistent mode. Debian automatically does this during boot. VMs running in live mode can be killed without problems.

In the case of non-fsck related errors using ro-mode-init (like dropping to an initramfs shell), add the following to the kernel command line/GRUB menu for easier debugging:

debug=1 break=init-premount

Miscellaneous[edit]

In the future, running Whonix from a Live CD or DVD might be supported. Check this wiki entry at a later date.

To learn more about live mode, refer to the Live-mode forum discussion.

Footnotes[edit]


Random News:

We are looking for video production specialists to help create demonstration, promotional and conceptual videos or tutorials.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)