Combine Whonix Live VMs with Read-only Mode for Virtual Hard Drives


Introduction

The virtual machine (VM) disks can optionally be set to read-only. This increases the security of the Whonix ™ Live configuration, because otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence that way.

Read-only Mode Configuration

Qubes

grub-live is currently unsupported on Qubes, but may become available in the future. Refer to the following forum discussion for further information.

In Qubes R4, Qubes DisposableVMs are a suitable alternative, as well as the Qubes Live USB.

VirtualBox

1. Set the VM disks to read-only.

Follow these steps:

  • Power off the virtual machine (VM).
  • Set the disk to read-only.
    • The name of the VM in the following example is Whonix-Workstation-XFCE. It can be replaced with the name of any other VM, such as Whonix-Gateway-XFCE.
    • On the host, on the command line, run:

VBoxManage setextradata Whonix-Workstation-XFCE "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1

2. Remove VirtualBox virtual DVD drive.

Only required if the VM has a virtual DVD drive. Not required in Whonix ™ version 15.0.1.2.7 and above, since it no longer comes with a virtual DVD drive by default. See the footnote for Whonix ™ build versions lower than 15.0.1.2.7. [1]

3. Launch the live system.

Following reboot, a second boot entry called "Whonix ™ Live-mode" will be visible. Choose it. Then press Enter to boot the live system and use it as normal.

4. Optional: Revert the read-only change.

To boot into normal mode again, run this command on the host to revert the change.

VBoxManage setextradata Whonix-Workstation-XFCE "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"

The normal boot option can now be selected in the GRUB menu.

5. Optional: Re-add the virtual DVD drive.

Only when you need this; see footnotes. [2]

Troubleshooting: If the system does not boot, make sure you are using the Recommended VirtualBox Version for Whonix ™ VirtualBox. [3]
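
The following host-side helper is an added example, not Whonix project code. It wraps steps 1 and 4 so that the key is only changed while the VM is powered off, and it reads the key back to confirm the result. It assumes the disk sits on the lsilogicsas controller at LUN#0, as in the command above; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not Whonix project code.
# Assumption: the disk is on the lsilogicsas controller, LUN#0, as in the command above.
RO_KEY="VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"

# Succeeds only when the VM is powered off.
vm_is_off() {
    VBoxManage showvminfo "$1" --machinereadable | grep -q '^VMState="poweroff"'
}

# Prints "read-only" or "read-write" according to the stored key.
disk_mode() {
    # getextradata prints "Value: 1" when the key is set, "No value set!" otherwise.
    if VBoxManage getextradata "$1" "$RO_KEY" | grep -q '^Value: 1$'; then
        echo read-only
    else
        echo read-write
    fi
}

# set_disk_mode VM on|off: step 1 (on) or step 4 (off), then re-reads the key.
set_disk_mode() {
    vm_is_off "$1" || { echo "refusing: $1 is not powered off" >&2; return 1; }
    case "$2" in
        on)  VBoxManage setextradata "$1" "$RO_KEY" 1 ;;
        off) VBoxManage setextradata "$1" "$RO_KEY" ;;  # no value deletes the key
        *)   echo "usage: set_disk_mode VM on|off" >&2; return 2 ;;
    esac || return 1
    disk_mode "$1"
}

# Example: ./live-disk.sh Whonix-Workstation-XFCE on
if [ "$#" -eq 2 ]; then set_disk_mode "$1" "$2"; fi
```

Running `disk_mode` before every live session confirms that the flag is still set before the "Whonix ™ Live-mode" boot entry is chosen.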

KVM

1. Set the VM disks to read-only.

Follow these steps:

  • Power off the machine.
  • Set the hard disk to read-only in the virt-manager GUI before booting into live mode.

2. Launch live-mode.

Following reboot, a second boot entry called "Whonix ™ Live-mode" will be visible. Choose it. Then press Enter to boot the live system and use it as normal.

3. Optional: Revert the read-only change.

To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.
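
The read-only setting from step 1 is stored in the libvirt domain XML as a `<readonly/>` element inside the `<disk>` element. The check below is an added example, not Whonix project code: it reports the state of every hard disk of a domain and succeeds only if the VM is shut off and all hard disks are read-only. The function names and the sample XML are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Whonix project code.
# Constructed sample: a domain with one read-only disk, one writable disk, one CD-ROM.
sample_xml() {
cat <<'EOF'
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
      <readonly/>
    </disk>
    <disk type='file' device='disk'>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='sda' bus='sata'/>
      <readonly/>
    </disk>
  </devices>
</domain>
EOF
}

# Reads domain XML on stdin; prints "<target> read-only|read-write" per hard disk.
disk_ro_report() {
    awk '
        /<disk / && /device=.disk./ { in_disk = 1; ro = 0; dev = "?" }
        in_disk && /<target / {
            if (match($0, /dev=.[a-z0-9]+/)) dev = substr($0, RSTART + 5, RLENGTH - 5)
        }
        in_disk && /<readonly\/>/ { ro = 1 }
        in_disk && /<\/disk>/ { print dev, (ro ? "read-only" : "read-write"); in_disk = 0 }
    '
}

# Succeeds only if the domain is shut off and every hard disk is read-only.
live_mode_ready() {
    [ "$(virsh domstate "$1")" = "shut off" ] || { echo "$1 is not shut off" >&2; return 1; }
    report=$(virsh dumpxml "$1" | disk_ro_report)
    echo "$report"
    [ -n "$report" ] && ! echo "$report" | grep -q 'read-write$'
}

# Example: ./kvm-live-check.sh Whonix-Workstation
if [ "$#" -eq 1 ]; then live_mode_ready "$1"; fi
```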

Alternative Configurations

Skip this section if the KVM Live-mode or VirtualBox Live-mode configuration steps above have already been completed.

VirtualBox and KVM:

VirtualBox only:

Footnotes

  1. Careful. If you remove the wrong drive, your VM will no longer boot. If you are worried, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBox → click a VM → Settings → Storage → click on DVD device symbol → click on disk removal symbol
    3. VirtualBox will ask

    Are you sure you want to delete the optical drive?

    You will not be able to insert any optical disks or ISO images or install the Guest Additions without it!

    4. Click "Remove".

    https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337

  2. Careful. If you remove the wrong drive, your VM will no longer boot. If you are worried, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBox → click a VM → Settings → Storage → click on DVD device add symbol → click Leave Empty → click OK
    3. The usual way to add DVDs to VirtualBox VMs can now be used, such as VirtualBox → click a VM → click on [Optical Drive]
  3. A user reported on Telegram that upgrading VirtualBox fixed an issue which prevented booting the system in read-only mode.


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
