







These DisposableVM (DispVM) instructions only apply to Qubes-Whonix ™ 15 in Qubes R4. [1] [2] [3] A few usability issues in DispVMs affect anonymity. If the risks are unknown to the user, then first carefully read this page.

What are DisposableVMs? [ edit ]

In the Qubes TemplateVM model, [4] any changes made to a root filesystem of a TemplateBasedVM [archive] are lost upon reboot. This is advantageous for several reasons: it saves time and disk space, and allows faster, centralized updates for applications that are usually found inside the root filesystem. However, certain directories are designed to persist between reboots in order to store files and settings. These directories are stored in /rw , include /home/user and /usr/local as well as additional directories defined by "bind directory" settings. [5]

Qubes does not have a built-in snapshot capability like VirtualBox that can completely revert all changes back to a previous VM state. [6] [7] In other words, no method exists within AppVMs to reverse changes made to the persistent file system without implementing some type of custom solution. To ensure that all filesystem changes are discarded after a session, Qubes offers DispVMs. When a DispVM is shutdown, the VM is removed from Qubes and all related VM images are deleted from the host filesystem. This method is not yet amnesic and should not be relied upon for anti-forensics!

While DispVMs ensure that files do not persist without user intervention, the downside is the user can no longer decide whether or not the current VM state should be kept or destroyed; users must choose beforehand to use a standard AppVM or a DispVM.

Table: Qubes R4 Inheritance and Persistence

The Layered DisposableVM System [ edit ]

Qubes uses a two-layered approach to DispVMs. At the core of the system is a TemplateVM upon which a DisposableVM Template [archive] is based. Every time a new DispVM is launched it is based on the DisposableVM Template - hence, two layers. In a standard Qubes-Whonix ™ installation:

The Whonix-Workstation ™ default TemplateVM is whonix-ws-15 .

. The Whonix-Workstation ™ default DisposableVM Template is called whonix-ws-15-dvm .

. Each Whonix-Workstation ™ default DispVM ( disp1, disp2, ... ) is based on whonix-ws-15-dvm .

Once a DisposableVM Template is created, its /home/user/ directory can be customized [11] independently of the TemplateVM. In this special case, the DisposableVM Template will continue to inherit changes from the base TemplateVM's root filesystem (like package updates), but user files in /home/user/ will persist independently.

It is possible to have multiple DisposableVM Templates and DispVMs at the same time. Any TemplateBasedVM can be enabled for use as a template for DispVMs, by setting its template_for_dispvms [archive] property.

In Qubes R4, Qubes-Whonix ™ 15's default DisposableVM Template ( whonix-ws-15-dvm ) can be easily created using salt and will have this property set.

DisposableVM Traffic Stream Isolation [ edit ]

DispVMs work especially well with Whonix-Gateway ™. [12] All DispVM traffic is stream-isolated from the traffic of other VMs running in parallel.

Warnings [ edit ]

Table: DispVM Warnings

Setup [ edit ]

Note: Examples below reference GUI steps whenever possible, but Qube Manager configuration options in R4 are limited in comparison to earlier releases. [32] Where relevant, additional command line commands are listed in the footnotes.

Create a Whonix ™ Default DisposableVM Template based on Whonix-Workstation ™ [ edit ]

Update Qubes-Whonix ™. Open a dom0 terminal: Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal Create whonix-ws-15-dvm DisposableVM Template.

sudo qubesctl state.sls qvm.whonix-ws-dvm sudo qubesctl state.sls qvm.whonix-ws-dvm

Qubes-Whonix ™ DispVMs are now ready for use.

Create a Named Whonix ™ DisposableVM based on Whonix-Workstation ™ [ edit ]

Nearly all users can skip this step. A specific use case for DispVM naming conventions has not (yet) been identified.

Do not include -dvm when naming DispVMs! Tor Browser will not be inherited from Whonix-Workstation ™ TemplateVM ( whonix-ws-15 ) if this advice is ignored.

Before creating named DisposableVMs, familiarize yourself with their behavior and read all relevant warnings. Failure to do so could lead to unwanted behavior which occurs without the user's knowledge.

1. Create a DispVM called anon-whonix-disp based on the whonix-ws-15-dvm Template. In dom0 run. qvm-create -C DispVM -l red --template whonix-ws-15-dvm anon-whonix-disp qvm-create -C DispVM -l red --template whonix-ws-15-dvm anon-whonix-disp 2. Launch Xfce Terminal in the DispVM. qvm-run -a anon-whonix-disp xfce4-terminal qvm-run -a anon-whonix-disp xfce4-terminal

TODO - Investigate use cases for this procedure:

A named DisposableVM might be useful for a larger root/private image.

It might also be useful for activities such as building TemplateVMs in a DispVM.

Customization [ edit ]

DisposableVM Templates [ edit ]

Extra caution must be exercised when customizing a DisposableVM Template. [33] From a privacy perspective, it is ideal to have a DisposableVM Template that is indistinguishable from any other Whonix-Workstation ™. If changes are made to the DisposableVM Template, these may link all of the DispVMs via a uniquely generated fingerprint should they be compromised independently. Risky changes include, but are not limited to:

Installation of obscure programs;

Uncommon configuration settings; or

The placement of unique data files.

Always keep in mind the DispVM will likely be exposed to the greatest Internet threats.

Tor Browser is specifically designed to prevent website fingerprinting or identification based on the user's browser fingerprint. It is safest to run Tor Browser in its stock configuration so the fingerprint is less unique, due to commonality with the larger Tor Browser user pool. Each individual browser change can significantly worsen the fingerprint because of the associated entropy, [34] so only make alterations if the impacts are known. See also: tb-updater in Qubes DisposableVM Template.

A decision must be made in advance whether to disable JavaScript by default. There is a usability-security trade-off to consider: fingerprinting and usability is worsened by disabled JavaScript, but this provides better protection against vulnerabilities. Conversely, enabled JavaScript improves usability and increases the risk of exploitation, but the browser fingerprint is (likely) more common.

Tor Browser in DisposableVM Template [ edit ]

For most users, Tor Browser customizations in the DisposableVM Template or TemplateVM are discouraged. Advanced users who wish to customize the DVM template despite the risks should follow these steps.

Applications other than Torbrowser in DisposableVM Template [ edit ]

Customization is completely optional. Only files in /home/user (or more generally, in /rw) can be customized in a DisposableVM Template.

1. Launch the application in the DVM template. Either open dom0 terminal and run. qvm-run -a whonix-ws-15-dvm <app> qvm-run -a whonix-ws-15-dvm <app> Or use Qube Manager: dom0 → Qube Manager → right-click 'whonix-ws-15-dvm' → Run command in qube → type name of the <app> 2. Customize application settings. Customize the application as per normal procedures. 3. Exit the application. If required, save application-specific settings, then exit the application so settings are stored on the disk. 4. Shutdown the DVM template. Either use a dom0 terminal. qvm-shutdown whonix-ws-15-dvm qvm-shutdown whonix-ws-15-dvm Or use Qube Manager: dom0 → Qube Manager → right-click 'whonix-ws-15-dvm' → left-click 'Shutdown qube' The changes will be available when the DispVM is restarted.

Delete a DisposableVM Template [ edit ]

If a DisposableVM Template has been customized and it is necessary to revert these changes, a DisposableVM Template can be deleted the same way as any other VM.

Note the DisposableVM Template cannot be deleted while it is the default DispVM of another VM, otherwise an error message appears. In that case, follow tips found here [archive] on how to manually change the default DispVM of VMs to another setting, then repeat the procedure.

dom0 → Qube Manager → right-click 'whonix-ws-15-dvm' → left-click 'Delete qube' [35]

To obtain the latest Tor Browser, the simplest method is to use Whonix ™ built-in Tor Browser downloader functionality. Simply update using Tor Browser Downloader by Whonix ™ (tb-updater) in Whonix-Workstation ™ TemplateVM ( whonix-ws-15 ) when performing your usual maintenance updating:

Qubes App Launcher (blue/grey "Q") → whonix-ws-15 → Xfce Terminal [36] [37]

Update the package lists.

sudo apt-get update sudo apt-get update

Upgrade.

sudo apt-get dist-upgrade sudo apt-get dist-upgrade

If Tor Browser is not upgraded, use update-torbrowser to download a new copy.

Launch Tor Browser Downloader by Whonix ™ and follow the instructions. [38]

update-torbrowser --input gui update-torbrowser --input gui

Shutdown the DisposableVM Template: [39]

dom0 → Qube Manager → right-click on 'whonix-ws-15-dvm' → click 'Shutdown qube'

Changes to the underlying TemplateVM ( whonix-ws-15 ) are detected automatically and the DisposableVM Template is updated without user intervention. That means package updates that are applied to whonix-ws-15 are also applied to the whonix-ws-15-dvm .

Usage [ edit ]

DispVMs are well-suited for risky and largely independent activities, like web browsing or opening untrusted files. In contrast, AppVMs might be better suited for activities necessitating file persistence, like email clients with local email storage.

With either kind of VM, Qubes' VM integration tools like secure file copy [archive] and secure clipboard [archive] ensure that clean, trusted files and text can be easily and safely transferred to trusted VMs (if necessary).

User Tips [ edit ]

Table: DispVM User Tips

Category Recommendation Data Storage In Qubes, it is unrecommended to store any valuable data in an untrusted VM. This perspective is reinforced by the Tor Browser design which similarly does not remember bookmarks or credentials. Best practice is to store sensitive data in an offline vault VM; for instance, when accessing passwords with a password manager.



@rustybird has announced a new "split-tor-browser" [40] package that can retrieve urls and credentials from a trusted VM for use in a DispVM's browser. This package is yet to be tested or endorsed by Whonix ™, but it looks promising. DispVM Shutdown A DispVM automatically shuts down when the first user-launched process is terminated. For example, if a new DispVM is created by launching Tor Browser and a user simultaneously starts typing in an editor later on, all this work will be lost after Tor Browser is closed. To avoid this, first launch a terminal in the DispVM and then launch additional applications from the terminal. This way the DispVM is only destroyed after exiting the terminal. Offline DispVMs Use utmost caution if deciding to re-establish network connectivity for off-line DispVMs! No mechanism is currently available to prevent connections to a clearnet NetVM.



Non-networked DispVMs are useful for opening untrusted files that potentially might try to use the network maliciously. Like all Qubes VMs, the NetVM for a DispVM can be changed dynamically while the VM is still running. Simply set the NetVM to "none" using Qube Manager or the command line interface. [41] Shortcuts DispVMs can be created directly by launching programs from the application menu using shortcuts; see below for instructions.



DispVMs can also be spawned by using context-menus or the command line interface in other AppVMs. Refer to the Qubes DisposableVM documentation [archive] for instructions on different methods.



for instructions on different methods. Note the relevant warning concerning shortcuts in this chapter ("Spawning DisposableVMs"). Spawning DispVMs from other AppVMs There are several ways to spawn DispVMs from TemplateBased AppVMs. In fact, in addition to the dom0 terminal and application menu, users can also spawn DispVMs from the AppVM terminal emulator or context-menu. [42] These tools provide a safe and convenient way to open files and email attachments that could contain malicious code. There is also an option to convert potentially dangerous PDFs [archive] into trusted PDFs and open it in a DispVM. [43]



These tools provide a safe and convenient way to open files and email attachments that could contain malicious code. There is also an option to convert potentially dangerous PDFs into trusted PDFs and open it in a DispVM. The most commonly used methods to spawn DispVMs from TemplateBased AppVMs are listed below. It is recommended to read the "Spawning DisposableVMs" warning detailing DispVM network settings before proceeding:

Context-menu

Dolphin file manager - open file in DispVM: File → Actions → Edit/View in DisposableVM

Nautilus file manager - open file in DispVM: File → Edit/View in DisposableVM

Nautilus file manager- sanitize PDF: PDF → Convert to Trusted PDF

Thunderbird E-mail client - open email attachment in DispVM: Email → Attachments → Open in DispVM

Command line interface - open file in DispVM: qvm-open-in-dvm <file_name> qvm-open-in-dvm <file_name>

Add a Desktop Shortcut [ edit ]

From the Qubes application menu, drag and drop a menu item onto the desktop. Double-click the newly created launcher to start it. At first start, it is safe to click "Mark Executable".

Add an XFCE4 Panel Shortcut [ edit ]

From the Qubes application menu, drag and drop the menu item onto the panel.

Start Tor Browser in a DisposableVM [ edit ]

Tor Browser can be started via the GUI or on the command line.

If you are using a GUI , complete the following steps. Qubes App Launcher (blue/grey "Q") → Disposable: whonix-ws-15-dvm → Tor Browser (AnonDist) If you are using a terminal , complete the following steps. qvm-run --dispvm=whonix-ws-15-dvm torbrowser qvm-run --dispvm=whonix-ws-15-dvm torbrowser

After launch, always first check the Tor Browser version!

Figure: Tor Browser in Qubes-Whonix ™ DisposableVM

Start Terminal Emulator in a DisposableVM [ edit ]

Terminal emulator xfce4-terminal can be started via the GUI or on the command line.

If you are using a GUI , complete the following steps. Qubes App Launcher (blue/grey "Q") → Disposable: whonix-ws-15-dvm → Xfce Terminal If you are using a terminal , complete the following steps. qvm-run --dispvm=whonix-ws-15-dvm xfce4-terminal qvm-run --dispvm=whonix-ws-15-dvm xfce4-terminal

TODO [ edit ]

TODO document how to use multiple DisposableVM Templates - https://forums.whonix.org/t/is-anyone-interested-in-using-multiple-dvm-templates-based-on-whonix-ws-dvm/5757/5 [archive]



Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow:

Donate:

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.