VM Live Mode: Stop Persistent Malware

From Whonix

(Redirected from Whonix Live)

VM Live Mode Mode boot option in boot menu. (more screenshots)
VM Live Mode Host Live Mode Whonix ™ on USB

Users can optionally run Whonix ™ as a live system. FREE Either by using:

This is only available in Non-Qubes-Whonix ™.

The primary objective of VM live mode is preventing malware from gaining persistence and having an unchanged system after each reboot. This is also useful for improved storage device privacy as well as experimental changes like testing software.

  • Windows logo - 2012.svg.png Rsz osx.png Tux.png Any host operating system: Follow instructions on this wiki page to selectively run Whonix ™ virtual machines (VMs) in Live Mode.
  • Debian.png Tux.png Debian hosts: It is possible to boot your existing, installed Debian host operating system into Live Mode by following the Host Live Mode wiki page instructions.

If you are interested in installation of Whonix ™ on USB, see Whonix ™ on USB.


Booting into live mode will ensure all disk writes to the virtual hard drive are forgotten after shutdown because all writes go to volatile memory (RAM) instead of the hard disk. In other words, after shutdown everything that happened during a previous boot session will not be visible (persist) on the virtual hard drive, including:

  • everything that is created / changed / downloaded in the virtual machine (VM);
  • any websites visited, files downloaded or documents created; and
  • any other modifications of the virtual hard drive or activity history.

This also holds true for malicious changes made by malware, except when:

Info Tip: Since live mode makes each write go to RAM, increasing the memory assigned to the VM will improve performance; for example, if large files are regularly downloaded.


Figure: Persistent Mode Boot
Persistent Mode Boot

Figure: Live Mode Boot
Live Mode Boot


Table: VM Live Mode Warnings

Domain Recommendations
Forensics By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM might be stored on the host mass storage device (hard drive, HDD, SSD) in locations that are hard to review (for the majority). Extra steps must be performed on the host operating system to minimize these traces -- see Anti-Forensics Precautions, or better, use Host Live Mode.
Malware To prevent malware from remounting the hard drive as read-write it is strongly recommended to use read-only hard drive mode. This raises the bar as malware would need to break out of the VM to gain persistence.
Other Precautions
  • Whonix-Workstation ™ and Whonix-Gateway ™: It is recommended to regularly boot into persistent mode for installation of updates.
  • Whonix-Gateway ™: If live mode is used with Whonix-Gateway ™, regularly booting into persistent mode is important to keep Tor's normal guard rotation schedule.
  • KVM: Hard shutdowns of a VM can prevent loading of the filesystem with a read-only marked drive on next boot. Do not use 'Force Off/Reset' on KVM to avoid this possibility.

Live Mode on Whonix-Gateway ™[edit]

The first start of Whonix-Gateway ™ should not use live mode. This will allow Tor to make use of Tor Entry Guards.

From the second start of Whonix-Gateway ™ it is recommended to run it in live mode. This should eliminate any Tor-related, cached data like DNS requests that could leave traces about web activity. However be warned that it may make your Tor behavior distinguishable from regular Tor users:

  • Consensus files: These files will be (re-)downloaded more frequently.
  • Tor guards: When switching to a new guard after some months have passed. [2]

Functionality Test[edit]

Create a new file in your home directory then reboot (assuming you were already booted in the live mode from the boot menu) then restart the VM. You should not see that file anymore.


In the future, running Whonix ™ from a Live DVD or Live USB might be supported. Check this wiki page Whonix-Host.

Technical Details[edit]

Most users can skip this chapter. See [archive] for further script details.

  • The meaning of 0 in lsblk output is read-write.
  • The meaning of 1 in lsblk output is read-only.

If anything in coloumn RO is set to 0, then it is not blessed read-only hard drive mode.

Example lsblk without any snapd installed, Whonix-Gateway ™, live mode, and read-only hard drive mode enabled.

sudo lsblk --all
sda      8:0    0  100G  1 disk 
└─sda1   8:1    0  100G  1 part /lib/live/mount/medium

Example lsblk without any snapd installed, Whonix-Gateway ™, live mode, and read-only hard drive mode disabled.

sudo lsblk --all
sda      8:0    0  100G  0 disk 
└─sda1   8:1    0  100G  0 part /lib/live/mount/medium

Example lsblk with snapd and WickrMe installed, Whonix-Workstation ™, persistent mode, and read-only hard drive mode disabled.

sudo lsblk
loop0    7:0    0 62.1M  1 loop /snap/gtk-common-themes/1506
loop1    7:1    0  446M  1 loop /snap/wickrme/352
loop2    7:2    0   55M  1 loop /snap/core18/1754
sda      8:0    0  100G  0 disk 
└─sda1   8:1    0  100G  0 part /lib/live/mount/medium
sr0     11:0    1 1024M  0 rom


  1. There are two live mode options available, grub-live [archive] and ro-mode-init [archive].
  2. [archive]

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: Twitter.png Facebook.png Iconfinder news 18421.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.