Compartmentalization. Managing multiple Qubes-Whonix Templates.

Introduction[edit]

Multiple Qubes-Whonix Templates provides much greater flexibility over a single template when choosing software packages. The additional cloned templates can be customized with software to meet specific requirements; something impossible to achieve with a single Template. ^[1]

Rationale[edit]

Packages from a later release: Installing packages from a later release could end up breaking the system. For example, mixing packages from Debian Stable with those of a later release like Debian Testing can lead to an unstable system because of associated software dependencies required for full functionality. ^[2] ^[3] Prior to installing Debian packages from a later release, first read Install from Debian Testing .
Custom software: Additional cloned templates makes it easy to install custom software used for a specific application. For example, users could Tunnel UDP over Tor by configuring whonix-workstation-17 to route all applications through a VPN tunnel. However, this method also increases the risk of identity correlation. To mitigate this risk, the App Qube based on this template should only be used for the particular application that must be routed through the tunnel-link. Before installing custom software it is recommended to first read Install Software: General Advice.
Untrusted packages: It is unwise to install untrusted packages in a template used for sensitive activities. With multiple cloned Templates, a single template can be designated as a less trusted domain for that purpose. ^[4] Read Trusting your templates prior to installing untrusted packages.

Cloning Templates[edit]

Note: Each Template's root filesystem runs independently from all other Templates. ^[5] Therefore, each individual Template must be updated separately. This is a Qubes default and unspecific to Qubes-Whonix.

Qube Manager[edit]

Cloning templates in Qubes-Whonix is easily accomplished via Qube Manager.

1. Naming convention advice.

Be careful with naming conventions for both Templates and App Qubes (based on those templates) so they are not confused with each other. This will minimize the chance of basing an App Qube on the wrong template.

When creating App Qubes based on cloned Templates, a purpose-based naming convention is sensible so there is no ambiguity regarding the intended function of an App Qube. For example, if an App Qube is created to tunnel UDP over Tor, appending tunnel-udp (the purpose) to the end of anon-whonix would lead to the name anon-whonix-tunnel-udp.

2. Template cloning.

To clone Qubes-Whonix Templates, follow the steps below in Qube Manager:

Qube Manager → VM to be Cloned → Clone qube → Enter name for Qube clone

Figure: Cloning Whonix qubes

When prompted, give the newly cloned VM a name that is not easily confused with other VMs. This minimizes the chances of basing an App Qube on the wrong template; there could be serious security concerns if a "trusted" App Qube was based on the wrong Template with untrusted packages.

Figure: Clone Renaming

3. Done.

Cloning has been completed.

4. UpdatesProxy Settings.

The user might wish to customize the UpdatesProxy Settings.

UpdatesProxy Settings[edit]

Reminder: The net qube setting of Templates should be set to None. ^[6]

A cloned Whonix Template will by default be upgraded through sys-whonix. ^[7] This is a known Qubes usability issue. ^[8]

If you would like to change the UpdatesProxy setting for any Template, apply the following steps.

Choose either Option A (stable) or Option B (testers only). In doubt, choose Option A.

Option A[edit]

Qubes old qrexec policy format.

1. In dom0, open /etc/qubes-rpc/policy/qubes.UpdatesProxy with root rights.

sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

2. Add at the top of that file.

Syntax:

name-of-template-vm $default allow,target=name-of-net-qube

Example line entry example:

Note: Replace sys-whonix-cloned with the actual name of the VM such as for example sys-whonix2.

whonix-workstation-17-clone-1 $default allow,target=sys-whonix-cloned

Full example:

If the user already completed adding above line entry, the following is not required. It's just for illustrative purposes. A complete file could look like this.

## Note that policy parsing stops at the first match, ## so adding anything below "$anyvm $anyvm action" line will have no effect ## Please use a single # to start your custom comments # Upgrade all Templates through sys-whonix. #$type:TemplateVM $default allow,target=sys-whonix # Upgrade whonix-gateway-17-clone-1 through sys-whonix-cloned. whonix-gateway-17-clone-1 $default allow,target=sys-whonix-cloned # Upgrade whonix-workstation-17-clone-1 through sys-whonix-cloned. whonix-workstation-17-clone-1 $default allow,target=sys-whonix-cloned # Upgrade Whonix Templates through sys-whonix. $tag:whonix-updatevm $default allow,target=sys-whonix # Deny Whonix Templates using UpdatesProxy of any other VM. $tag:whonix-updatevm $anyvm deny # Default rule for all Templates - direct the connection to sys-net # Note: 'TemplateVM' not only 'Template' is correct. The 'VM' cannot be omitted. $type:TemplateVM $default allow,target=sys-net $anyvm $anyvm deny

4. Save the file.

<Ctrl-X> --> press Y --> <Enter>

5. Done.

The procedure is now complete.

Option B[edit]

Qubes new qrexec policy format.

1. Disable Qubes old-style UpdatesProxy qrexec configuration file.

In dom0, move the Qubes old-style configuration file /etc/qubes-rpc/policy/qubes.UpdatesProxy out of the way. ^[9]

If there is an error that this file no longer exists that is OK too. The only purpose of this step is to make sure /etc/qubes-rpc/policy/qubes.UpdatesProxy no longer exists.

sudo mv /etc/qubes-rpc/policy/qubes.UpdatesProxy ~/

2. In dom0, open /etc/qubes/policy.d/30-user.policy with root rights.

sudo nano /etc/qubes/policy.d/30-user.policy

3. Learn the syntax.

Syntax: ^[10]

qubes.UpdatesProxy      *   name-of-template-vm    @default    allow target=name-of-net-qube

4. See this example.

Example line entry example:

qubes.UpdatesProxy * whonix-workstation-17-clone-1 @default allow target=sys-whonix-cloned

Full example:

If the user already completed adding above line entry, the following is not required. It's just for illustrative purposes. A complete file could look like this.

qubes.UpdatesProxy * whonix-gateway-17-clone-1 @default allow target=sys-whonix-cloned qubes.UpdatesProxy * whonix-workstation-17-clone-1 @default allow target=sys-whonix-cloned

5. Add new entry to the file.

Based on the syntax and examples above.

Note: Replace sys-whonix-cloned with the actual name of the VM such as for example sys-whonix2.

6. Save the file.

<Ctrl-X> --> press Y --> <Enter>

7. Done.

The procedure is now complete.

Footnotes[edit]

↑ Optionally, the default template can be cloned and used as the default template for App Qubes. Having a “known-good” backup template available at all times is best practice.
↑ Using packages from different repositories can lead to Dependency Hell .
↑ This problem can be avoided by cloning additional Whonix templates and preferring packages from a single repository in each Template.
↑ It is strongly encouraged to only install signed packages from a trusted source.
↑ This applies to all Templates, even if they were cloned.
↑
Since Templates in Qubes R4 and above are supposed to be upgraded through qrexec based Qubes updates proxy.
- Qubes documentation: How to install software - Technical details
- Qubes issues: implement qrexec based updates proxy
↑ Because /etc/qubes-rpc/policy/qubes.UpdatesProxy contains: $tag:whonix-updatevm $default allow,target=sys-whonix Quote:

Note that policy parsing stops at the first match, [...]
↑
- add UpdateVM setting to qubes-vm-settings
- cloned Whonix templateVM connects / upgrades through sys-whonix even if net qube is set to a different Whonix-Gateway net qube
↑ Qubes dom0 configuration folder /etc/qubes-rpc/policy is legacy. It was replaced with the new-style qrexec config folder /etc/qubes/policy.d/ which is used here in the documentation. This is [[unspecific|unspecific to Whonix.
↑
This works because as per Qubes default, Qubes parses configuration file /etc/qubes/policy.d/30-user.policy before /etc/qubes/policy.d/90-default.policy. See also Qubes dom0 file /etc/qubes/policy.d/90-default.policy. cat /etc/qubes/policy.d/90-default.policy /etc/qubes/policy.d/90-default.policy comes with the following comment on top.
```
## Do not modify this file, create a new policy file with a lower number in the
## filename instead. For example `30-user.policy`.
```

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

[1] Optionally, the default template can be cloned and used as the default template for App Qubes. Having a “known-good” backup template available at all times is best practice.

[2] Using packages from different repositories can lead to Dependency Hell .

[3] This problem can be avoided by cloning additional Whonix templates and preferring packages from a single repository in each Template.

[4] It is strongly encouraged to only install signed packages from a trusted source.

[5] This applies to all Templates, even if they were cloned.

[6] Since Templates in Qubes R4 and above are supposed to be upgraded through qrexec based Qubes updates proxy.
Qubes documentation: How to install software - Technical details

Qubes issues: implement qrexec based updates proxy

[7] Qubes documentation: How to install software - Technical details

[8] Qubes issues: implement qrexec based updates proxy

[7] Because /etc/qubes-rpc/policy/qubes.UpdatesProxy contains: $tag:whonix-updatevm $default allow,target=sys-whonix Quote:

Note that policy parsing stops at the first match, [...]

[8] 
add UpdateVM setting to qubes-vm-settings

cloned Whonix templateVM connects / upgrades through sys-whonix even if net qube is set to a different Whonix-Gateway net qube

[11] UpdateVM setting to qubes-vm-settings

[12] Whonix templateVM connects / upgrades through sys-whonix even if net qube is set to a different Whonix-Gateway net qube

[9] Qubes dom0 configuration folder /etc/qubes-rpc/policy is legacy. It was replaced with the new-style qrexec config folder /etc/qubes/policy.d/ which is used here in the documentation. This is [[unspecific|unspecific to Whonix.

[10] This works because as per Qubes default, Qubes parses configuration file /etc/qubes/policy.d/30-user.policy before /etc/qubes/policy.d/90-default.policy. See also Qubes dom0 file /etc/qubes/policy.d/90-default.policy. cat /etc/qubes/policy.d/90-default.policy /etc/qubes/policy.d/90-default.policy comes with the following comment on top.
## Do not modify this file, create a new policy file with a lower number in the ## filename instead. For example `30-user.policy`.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

Multiple Qubes-Whonix Templates

Contents

Introduction[edit]

Rationale[edit]

Cloning Templates[edit]

Qube Manager[edit]

UpdatesProxy Settings[edit]

Option A[edit]

Option B[edit]

See Also[edit]

Footnotes[edit]

Navigation menu

Multiple Qubes-Whonix Templates

Introduction[edit]

Rationale[edit]

Cloning Templates[edit]

Qube Manager[edit]

UpdatesProxy Settings[edit]

Option A[edit]

Option B[edit]

See Also[edit]

Footnotes[edit]

Navigation menu

Search