Build Documentation: Physical Isolation

From Whonix
Jump to navigation Jump to search

Security by Isolation. Using Whonix with Physical Isolation on Bare Metal for Better Security.

Introduction[edit]

FREE

Warning: It is essential to read the Security and Support Status, Warnings and First Time Users entries in this chapter.

Overview[edit]

Info

Physical isolation requires:

First Time Users[edit]

Whonix default admin password is: No password required. (Passwordless login.)

  • Default username: Click = Copy Copied to clipboard! user
  • Default password: No password required. (Passwordless login.) [1]

Whonix first time users warning Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix works.

Then read the Design and Goals, Whonix and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix is the right tool for you based on its limitations.

Technical Introduction[edit]

The default Whonix configuration consists of two virtual machines (VMs) running on the same physical host. This means any exploits targeting the VM implementation or the host can still break out of the torified client VM and expose the IP address of a user. Further, any malware running on the host has full control over all VMs. To protect against these attacks a different approach is required -- physical isolation. In this configuration the gateway system is installed on separate hardware, which drastically reduces the trusted computing base (TCB)archive.org iconarchive.today icon by more than half.

The following instructions describe how to install and configure two computers and set up an isolated point to point network between them. [2] This way one computer acts as the client (Whonix-Workstation), while the other is the proxy (Whonix-Gateway) which transparently routes all the Whonix-Workstation traffic via Tor.

The Whonix-Gateway on its own physical device can be run either directly on hardware or inside a VM. Both options have distinct advantages and disadvantages, but using an additional VM for the Whonix-Gateway is unrecommended. In contrast, the Whonix-Workstation should always be installed in a VM because this will hide hardware serial numbers. Also read the wiki entry recommending use of multiple VM Snapshots for better security.

In this configuration the host operating system(s) should only be used for downloading operating system updates, hosting Whonix-Gateway or Whonix-Workstation and nothing else. The configuration is also more secure if the physical systems are exclusively used for hosting Whonix, or if storage devices are separated for Whonix and non-Whonix use cases. The reason is this avoids any potential infection of the Whonix hard drive by another operating system.

Warnings[edit]

Please note the following warnings about physical isolation:

Configuration[edit]

Physical Isolation Configuration[edit]

Table: Physical Isolation Configuration Comparison

Configuration Advantages Disadvantages
Spare Hardware and VM
  • A graphical host can be installed.
  • The Whonix download version is used.
  • The graphical network manager on the host can be used, for example to connect to WiFi.
  • A VPN can be easily set up on the host. Tor will then be tunneled through the VPN.
  • This has a higher attack surface because VM code is involved.
Spare Hardware without VM
  • This is more secure because less code is involved.
  • The setup is slightly more complicated.
  • It is more difficult to set up a VPN.
  • It is more difficult to set up 3G/4G/5G networking compared to using a Windows host.

Hardware Configuration[edit]

It is recommended that two dedicated computers are utilized for Whonix that are never used for activities that could reveal your identity. Alternatively, an existing computer that is already in use can be utilized for Whonix-Gateway. To offer some isolation, all internal and external drives should be disconnected, with boots occuring from an eSATA, USB or another internal drive into a clean environment.

For non-anonymous use, the physical arrangement can be used as is without any modification. This includes the use of a non-anonymous home (dial-up) Internet router, without any changes. In contrast anonymous use requires:

  1. Whonix-Gateway
  2. an anonymous 3G/4G/5G modem or an anonymous WiFi adapter (see below)
  3. Whonix-Workstation

In terms of the specific hardware used for Whonix-Gateway, various devices are feasible and it does not have to be a big desktop computer or ordinary server. Alternatives include:

How to utilize devices like a Linux server is beyond the scope of this chapter and better resources already exist on the Internet. Similarly for Whonix-Workstation, a device that is suitable should be chosen.

Pre-installation Prerequisites[edit]

Info Refer to the Computer Security Education chapters here and apply relevant steps.

Prerequisites[edit]

Physical isolation has several prerequisites:

  1. System requirements: Available hardware must meet the minimum specifications.
  2. Whonix-Gateway: A device with at least two network adapters -- at least one of them ethernet [7] -- capable of running Linux. The Whonix-Gateway will run Debian. [8]
  3. Whonix-Workstation: A device connected via ethernet to the Whonix-Gateway. It must only have this one NIC and no other network connectivity! It must also be connected by wire. [9] This will be the torified client system or Whonix-Workstation and it must be capable of running Debian. [10]
  4. VM client: It is recommended to use a VM as the client, namely the same Whonix-Workstation that most "normal" (non-physical isolation) Whonix users rely upon. [11] [12] [13]
  5. Host build environment: The build environment must have a working Internet connection to Debian mirrors.
  6. Virtual console: Although optional, it is also useful to know how to open a second virtual console.

Host Preparation[edit]

1. Prepare to build on Debian bookworm.

To obtain Debian safely, see: Debian ISO OpenPGP verification. Around 15 GB of free space is required. [14]

2. Adjust terminal settings.

It is recommended to set the terminal (such as Konsole) to unlimited scrollback, so it is possible to watch the full build log.

3. Install build dependencies.

Install build dependencies and get the source code.

Update the package lists.

Click = Copy Copied to clipboard! sudo apt update

Install build dependencies.

Click = Copy Copied to clipboard! sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring safe-rm

System Preparation[edit]

1. Confirm prerequisites are met.

  • Debian bookworm is installed.
  • User account user exists.

2. Become root. [15] [16]

Click = Copy Copied to clipboard! su -

3. Install sudo and adduser packages.

1. Update the package lists.

Click = Copy Copied to clipboard! apt update

2. Upgrade the system.

Click = Copy Copied to clipboard! apt full-upgrade

3. Install sudo and adduser packages.

Click = Copy Copied to clipboard! apt install --no-install-recommends sudo adduser

4. Set user rights.

The following commands must be run either by root or using sudo.

Create group console.

Click = Copy Copied to clipboard! addgroup --system console

Add user user to group console.

Click = Copy Copied to clipboard! adduser user console

Add user user to group sudo.

Click = Copy Copied to clipboard! adduser user sudo

5. Reboot. [17]

Click = Copy Copied to clipboard! reboot

How-to: Install Whonix-Gateway[edit]

Recommended: On Hardware[edit]

Get Debian[edit]

Download a Debian bookworm 64-bit installation ISOarchive.org iconarchive.today icon. Detailed instructions for this procedure are not part of this chapter, but the Debian Host Operating System Tips chapter provides some steps.

It is possible to choose an ISO for any desktop environment (Xfce, GNOME, KDE, LXDE, ...). However, because the command line is extensively used the Debian bookworm network install (netinst) version is recommended (it is the most minimal).

Install Debian[edit]

In the installer boot menu of Debian bookworm, press "Install" and choose the following settings: 

Select a language: English
Select your location: United States
Configure the keyboard: (select yours)
Hostname: host
Domain name: (empty)
Root password: (set up a strong password)
Full name for the new user: user
Username for your account: user
Password for the new user: (choose a good password, different from root password)
Partitioning method: Guided - use entire disk (it is a good idea to set up cryptsetup encrypted LVM at this point)
Partitioning scheme: All files in one partition (select the listed device in the next step)
Partition disks/overview: Finish partitioning
Write changes to disk: Yes

Debian archive mirror country: Go back
Continue without a network mirror: Yes

Use a network mirror: No
Participate in the package usage survey: No
Software selection: None; deselect all options (using Space)
Install the GRUB boot loader: Yes (select the listed device in the next step)
Finish the installation: Continue

Installation Screenshots[edit]

For a visual walk-through of the minimal Debian bookworm installation, click on Expand on the right. For up-to-date screenshots of this process, refer to the The Debian Administrator's Handbook: 4.2. Installing, Step by Steparchive.org iconarchive.today icon. If utilizing this guide, remember to set:

  • the English language
  • the United States location
  • hostname to "host"
  • an empty domain name
  • a strong root password
  • full name to "user"
  • username to "user"
  • a strong user password
  • full disk encryption (recommended)
  • installation without a mirror
  • refuse survey participation

Optional: Customizing Full Disk Encryption[edit]

If you wish to configure a custom encryption algorithm to enhance security during the minimal Debian bookworm installation, click on Expand on the right.

Network Configuration[edit]

The external interface (usually eth0) may need to be configured according to the requirements of your local network, for example static or simply left to use DHCP if the gateway is connected to a DHCP-capable router. For wlan, refer to upstream wiki documentation:

Check that the Internet is working.

Log On and Upgrade Debian[edit]

1. Install security updates.

Log on, install all security updates and reboot.

2. Log in with "root".

3. Add the bookworm main contrib non-free repository source.

Click = Copy Copied to clipboard! echo "deb https://deb.debian.org/debian bookworm main contrib non-free" >> /etc/apt/sources.list

4. Add the bookworm updates repository source. [26]

Click = Copy Copied to clipboard! echo "deb https://security.debian.org/debian-security bookworm-security main" >> /etc/apt/sources.list

5. Refresh package lists and upgrade.

Click = Copy Copied to clipboard! apt update && apt full-upgrade -y

Firmware Updating and Security Problems[edit]

Processor microcode updates are recommended to address speculative execution flaws; see Firmware Updating and Security Problems for further information.

Update the package lists.

Click = Copy Copied to clipboard! sudo apt update

For Intel.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends iucode-tool intel-microcode

For AMD.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends amd64-microcode

Preparation[edit]

1. Install sudo and git. [27] 

## Install "sudo" and git.
apt install sudo git -y

2. Prepare the system for the Whonix build.

You must build as user "user" and that user must be a member of the "sudo" group. Rebooting applies the changes. 

## Add "user" to "sudo" group
addgroup user sudo

## Reboot the system
shutdown -r now

## (host) login with "user"
user

3. Optional: Consider taking an image of the installation in case the build script fails partway through.

Get the Source Code[edit]

Get the Signing Key[edit]

Info This step is recommended for better security, but is not strictly required. (See Trust.)

Get the Whonix Signing Key and import it.

Get the Source Code[edit]

FREE

Note: By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

1. Install git.

Click = Copy Copied to clipboard! sudo apt update && sudo apt install git

2. Get the source code including git submodules. [28] [29]

Note: Replace 17.2.8.5-stable with the actual tag you want to build.

Click = Copy Copied to clipboard! git clone --depth=1 --branch 17.2.8.5-stable --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Whonix/derivative-maker.git

3. Check if above command succeeded.

If there have been errors such as: 

fatal: unable to access 'https://github.com/.../': Could not resolve host: github.com

Or. 

fatal: unable to access 'https://github.com/.../': gnutls_handshake() failed: The TLS connection was non-properly terminated.

Then the download probably failed.

Checking if the download failed or succeeded can be done by checking the exit code.

Choose your shell.

Zsh in Kicksecure or Derivatives

If the last line contains something such as the following. 

zsh: exit 1

Then do not proceed and see footnote. [30]

bash and other Shells

Show the exit code.

Click = Copy Copied to clipboard! echo $?

Output should show. 

0

If any other exit code is shown, do not proceed and see footnote. [30]

4. Done.

Git repository cloning has been completed.

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust.)

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Whonix, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

1. Verify the chosen tag to build.

Note: Replace with tag you want to build.

Click = Copy Copied to clipboard! git verify-tag 17.2.8.5-stable

2. Check the output of the verification step.

If the file is verified successfully, the output will include Good signature, which is the most important thing to check. 

gpg: Good signature

This output might be followed by a warning as follows. 

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix signing key and the web of trust. To remove this warning, the Whonix signing key must be personally signed with your own key.

warning Remember to check the GPG signature timestamp. For instance, if you previously saw a signature from 2023 and now see one from 2022, this could indicate a potential rollback (downgrade) or indefinite freeze attack.[31]

2. Verify the git commit to build. [32]

Note: Replace 17.2.8.5 with the actual git tag being verified.

Click = Copy Copied to clipboard! git verify-commit 17.2.8.5-stable^{commit}

3. Check the output of the verification step.

4. Done.

Choose Version[edit]

1. Retrieve a list of available git tags.

Click = Copy Copied to clipboard! git --no-pager tag

2. Use git checkout to select the preferred version to build.

Note: Replace 17.2.8.5-stable with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Whonix News Blog as it might contain information.

Click = Copy Copied to clipboard! git checkout --recurse-submodules 17.2.8.5-stable

3. Digital signature verification.

Optional. If you choose to perform digital signature verification above, you could verify the currently chosen commit ("HEAD") yet again for extra security.

Click = Copy Copied to clipboard! git verify-commit HEAD

4. Done.

Version selection has been completed.

Check Git[edit]

1. Check if you really got the version you want.

Click = Copy Copied to clipboard! git describe

The output should show. 

17.2.8.5-stable

2. Check if source folder is pristine.

Click = Copy Copied to clipboard! git status

Output should be the following.

  • A)

HEAD detached at 17.2.8.5-stable
nothing to commit, working tree clean
or,

  • B)
Not currently on any branch.
nothing to commit, working tree clean

If it shows something else, do not continue.

3. Done.

Optional Build Configuration[edit]

Refer to Optional Build Configuration for additional configuration options like:

  • 32-bit vs 64-bit builds
  • Whonix APT repository
  • APT onion build sources
  • torified or host APT cache
  • build variables changes
  • skipping steps
  • source code changes

Network Verification[edit]

Before running the derivative-maker script make sure eth0 and eth1 refer to the correct interfaces. 

## May be helpful.
dmesg | grep eth

If non-default network interface names are in use, please click on Expand on the right.

Minor Issues[edit]

Info It is currently recommended to skip this step. It is simpler to change these files later on after building Whonix.

Most configuration files work well inside VMs and on hardware. Minor issues such as deactivating powersaving, passwordless reboot, shutdown and so on are only recommended for VMs. They can be easily commented out by putting a hash # in front of them. Since they are marked, use grep to locate them. 

grep -r VMONLY* *

Run Build Script[edit]

It is recommended to create a log of the build process by redirecting all the output to a log file. Be aware that by doing so no build progress will appear on the screen -- instead a text log file will be created in the home folder. 

./derivative-maker --flavor whonix-gateway-xfce --target root --build >> ~/log-phyiso 2>&1

To optionally watch the progress, open a second virtual console and type. 

tail -f ~/log-phyiso

Use the following command to avoid creating a log of the build process; the build progress will then appear on screen. Note this is unrecommended because if anything goes wrong during the build, it is harder to pinpoint the exact error without a log file. 

./derivative-maker --flavor whonix-gateway --target root --build

Final Steps[edit]

Info This is untested since use /etc/network/interfaces.d instead of /etc/network/interfacesarchive.org iconarchive.today icon was implemented; see footnote. [34] Please test and leave feedback.

Reboot. 

sudo reboot

Login as new user user. (If you didn't install as user user, the old user and home folder will still exist.)

Done.

Cleanup[edit]

Info This step is optional.

Remove temporary files.

Warning: This command will run git clean -d --force --force in Whonix's main source code folderarchive.org iconarchive.today icon (~/derivative-maker) as well as in all subfolders of the Whonix packages folderarchive.org iconarchive.today icon (~/derivative-maker/packages). This means if any files were purposefully added to any of these folders that have not been committed to git, these will be deleted. [35]

Click = Copy Copied to clipboard! ./help-steps/cleanup-files


Raspberry Pi[edit]

See Raspberry Pi.

Unrecommended: In a VM[edit]

This configuration is entirely untested.

1. Install a new operating system.

  • It is advisable to install a new operating system just for hosting the Whonix-Gateway VM.
  • Any operating system that can run VirtualBox works, but an open source system is preferable.

2. Download the Whonix-Gateway image. [36]

3. Configure networking.

  • Adapter 1 can be set up as a NAT network.
  • Adapter 2 must either:
    • Be set to NAT as well -- but ports must be forwarded from the host to the guest; or
    • It is much simpler to use bridged networking and set it to the second physical interface (the one that goes into the isolated network/point to point ethernet); see NAT vs Bridging below.

4. Note the following warnings.

  • This configuration is not recommended unless Tor must be run through an unsupported 3G/4G/5G modem and a third physical device is unaffordable.
  • Using NAT for a virtualized Whonix-Gateway requires setting up port forwarding in VirtualBox. Using a bridged network may be easier, but then the router may see the gateway MAC address which identifies as Whonix-Gateway. [37]

How-to: Install Whonix-Workstation[edit]

Recommended: In a VM[edit]

First Steps[edit]

  1. Install and update the host operating system. It can be any operating system that is capable of running VirtualBox, but be aware of Transparent Proxy Leaksarchive.org iconarchive.today icon. Windows or other commercial proprietary systems are not recommended.
  2. Download the Whonix-Workstation image. [38]
  3. If the physical network between Whonix-Gateway and a router uses 10.152.152.* then review and edit all shell scripts and switch the internal network to something else! [39]

Host Network Adapter[edit]

Configure the host to use a static IP configuration. 

## {{project_name_workstation_short}}
## /etc/network/interfaces for the host,
## when using Physical Isolation,
## with {{project_name_workstation_short}} in a VM.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   ## Increment last octet of address
   ## on optional additional hosts.
   address 10.152.152.11
   netmask 255.255.192.0
   gateway 10.152.152.10
   #pre-up /usr/bin/whonix_firewall

   ## Out commented.
   ## For what do we require the network and broadcast
   ## instances anyway?
   #network 10.152.152.0
   #broadcast 10.152.152.255

#auto eth0
#iface eth0 inet dhcp

## end of /etc/network/interfaces

If the physical network between Whonix-Gateway and a router uses 10.152.152.*, then review and edit all /etc/network/interfaces.

NAT vs Bridging[edit]

In the default Whonix VirtualBox image, the network adapter setting for Adapter 1 (eth0) is set to internal network and will therefore not work out of the box. There are two ways to fix this: NAT (recommended) or using a bridged network (unrecommended).

Recommended: NAT[edit]

To use NAT, edit /etc/network/interfaces in Whonix-Workstation to utilize either DHCP (easier, shown in the example below) or a static IP for VirtualBox NAT. 

sudoedit /etc/network/interfaces

Replace it with. 

## {{project_name_workstation_short}}
## /etc/network/interfaces in a VM
## when using Physical Isolation.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

## end of /etc/network/interfaces

Unrecommended: Bridged Network[edit]

This is untested.

If bridged networking is configured, then everything should work by default. [40] The reason is Whonix-Workstation can see the MAC address of whatever network adapter it is connected to.

For this reason it is recommended to change the MAC address for both the Workstation host and the Whonix-Gateway; see Changing MAC Addresses.

Macvtap on KVM[edit]

Change the network source of the ethernet nic to "macvtap" and the source mode to "passthrough". Be aware that you cannot use networking on the host anymore.

Attach a USB-ethernet Adapter to the VM[edit]

Remove the network adapter from the VM and instead attach a USB-ethernet adapter to the host and redirect it to the VM.

Unrecommended: On Hardware[edit]

Installing Whonix-Workstation on hardware without using a VM is recommended against, because hardware serials are visible to Whonix-Workstation.

The instructions are very similar, if not identical, to those in the How-to: Install Whonix-Gateway - Recommended: On Hardware section. The only difference is replacing --flavor whonix-gateway with --flavor whonix-workstation in relevant steps.

Expected Build Warnings[edit]

See Expected Build Warnings.

Post-installation Advice[edit]

Info It is recommended to consult the Whonix Documentation in further depth. The Essential Host Security and Post-installation Security Advice chapters apply to both computers!

Stay Tuned[edit]

It is absolutely crucial to subscribe to and read the latest Whonix news category 'important-news' to stay in touch with ongoing developments. This way users benefit from notifications concerning important security advisories, potential upgrade issues and improved releases which address identified issues, like those affecting the updater or other core elements.

See Stay Tuned for further information.

Extra Packages for Better Hardware Support[edit]

Some packages for bare metal could be missing. Below is an incomplete list of packages, which may or may not be useful for better hardware support. [41] 

xorg
xserver-xorg-input-all
xserver-xorg-input-wacom
xserver-xorg-input-geode
xserver-xorg-input-vmmouse
xserver-xephyr

xserver-xorg-input-*
xserver-xorg-*

acpi-support-base
acpid
acpi

discover
discover-modprobe
discover-data

hwdata

mdetect

apt-cache show task-desktop
apt-cache show task-kde-desktop
apt-cache show task-laptop

If you have EFI bios. 

grub-efi-amd64

To compile a more complete list, install Debian (with Xfce) on bare metal using the regular Debian installer medium. Then compare the package list against those installed in Whonix.

  • diff "dpkg -l" with Whonix
  • diff "sudo lsmod" with Whonix
  • contribute the findings

Troubleshooting[edit]

Known Bugs[edit]

To learn about known bugs affecting all platforms, see here. Refer to the issue tracker for a list of all all open issues affecting Whonix.

Security and Support Status[edit]

Currently there is no dedicated contributor for Whonix physical isolation. This configuration is a remnant from earlier times when no other supported platforms were available. Despite this reality, the setup and instructions are still functional and a small percentage of the Whonix user population relies upon it.

Lead Whonix developer, Patrick Schleizer, has shifted his focus to Qubes-Whonix, but grave security issues are unlikely due to the Whonix design. Unfortunately there are no Whonix contributors testing Whonix physical isolation. As a consequence, no progress on the Whonix Physical Isolation development task listarchive.org iconarchive.today icon should be expected. Until this situation changes the supported platforms table will continue to list physical isolation's security status as "experimental".

Help Wanted[edit]

Footnotes / References[edit]

  1. Kicksecure logo Rationale for Change from Default Password changeme to Empty Default PasswordOnion network Logo
  2. Alternatively an ordinary, completely isolated, LAN behind the Whonix-Gateway can be set up.
  3. This refers to staying anonymous while building Whonix from source code. Since building Whonix requires a unique selection of software to be downloaded, the ISP can likely guess that a user is building Whonix.
  4. Due to the lack of an ethernet interface this is a difficult configuration and beyond the scope of the Whonix documentation. However, as a tip some (after market) firmwares support USB-host. This makes it possible to plug USB devices into your phone, such as an USB ethernet card. For example, some rooted Android smartphones can installarchive.org icon Debian Linux.
  5. A contributor or maintainer is required, see: Whonix - Raspberry Piarchive.org iconarchive.today icon development thread.
  6. For example, something like OpenWRTarchive.org iconarchive.today icon.
  7. The other one may be either an Anonymous Mobile Modem, an Anonymous WiFi Adapter, or another ethernet or WiFi device connected to the modem/router.
  8. Theoretically any operating system that supports iptables or pf (packet filter) could be used. Advanced users who do not want to utilize Debian need to edit the source code. This is easy for Debian derivatives, but much more difficult for other distributions such as *BSD. In any case, the operating system choice does not really matter because this system is only used for running Tor. A cheap plug computer like the Raspberry Pi, or the hardware used by Torouter would be sufficient.
  9. If wire connections are not configured, isolation and security is significantly weakened. If the Whonix-Workstation were infected, it could jump onto another network and start leaking information.
  10. Any operating system can be used, but this is not recommended! If this advice is ignored, read the following Transparent Proxy Leaksarchive.org iconarchive.today icon warning, especially for Windows.
  11. Either Download the image or build it from source code.
  12. A generic VM image cannot leak identifying hardware serial numbers or unique software fingerprints via software updates.
  13. This ensures the VM client has the latest security features and most secure configurations, for example stream isolation to protect against identity correlation through circuit sharing, HexChat IRC hardening, Whonix protocol leak protection and fingerprinting protection, and so on.
  14. The build scripts can be adapted to run on other *NIX systems, but they currently assume apt and grml-debootstrap are available.
  15. Parameter - is required to set the correct paths to /usr/sbin. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833256archive.org iconarchive.today icon
  16. Other methods are possible.
  17. Usability. Otherwise after installation is complete, user might not be able to login. Needs further testing if still required. Can be avoided for remote servers.
  18. This should occur by default.
  19. Full disk encryption (FDE) is recommended if planning to use physical isolation or the installation as the main system.
  20. It takes a few minutes for the base system installation to finish.
  21. Extra packages are not required, so do not select a mirror; "Go back".
  22. Select "No thanks".
  23. Using the space bar.
  24. This yields ~90 bits of entropy against classical computing attacks. To protect against hypothetical quantum computer attacks that halve the key search space, utilize a 14-word diceware passphrase.
  25. This section previously recommended a passphrase of at least 26 characters, including symbols.
  26. TODO: check whether this step is still required.
  27. git is needed to obtain the source code. Alternatively, a git tag can be downloaded as an archive using a (torified) browser: https://github.com/Whonix/derivative-maker/tagsarchive.org iconarchive.today icon
  28. Optional git parameters:
    • --depth=1: Used to speed up the download.
    • --branch 17.2.8.5-stable: Usability. Used to speed up the download.
    • --jobs=4: Used to speed up the download.
    • --recurse-submodules --shallow-submodules: Usability.
    Knowledgeable git users are free to drop any of these optional parameters.
  29. Alternatively, this can be achieved with the following commands in several steps. This is useful if network issues arise.
    • Over HTTPS:
      • Click = Copy Copied to clipboard! git clone --depth=1 --branch 17.2.8.5-stable https://github.com/Whonix/derivative-maker.git
    • Over SSH.
      • Might work better over slow networks but requires a GitHub account and a configured SSH public key at GitHub. See footnote [A] below.
      • Click = Copy Copied to clipboard! git clone --depth=1 --branch 17.2.8.5-stable git@github.com:Whonix/derivative-maker.git
    Click = Copy Copied to clipboard! cd derivative-maker Click = Copy Copied to clipboard! git submodule update --init --recursive --progress --jobs=4

    [A] GitHub SSH public key setup.

    1. You need to create an SSH public key.

    Undocumented.

    2. You view your your SSH public key.

    Click = Copy Copied to clipboard! cat ~/.ssh/id_ed25519.pub

    3. Copy it.

    4. And paste your the SSH public key on GitHub.

    https://github.com/settings/keysarchive.org iconarchive.today icon

  30. Jump up to: 30.0 30.1 Delete the derivative-maker source code folder and retry. 
    sudo rm -r derivative-maker
  31. As defined by TUF: Attacks and Weaknesses:
  32. It is advisable to verify the signature of the git commit as well. By convention, git tags should point to signed git commits. Beginning from git tag 9.6 and above. (forum discussionarchive.org iconarchive.today icon)
  33. This is required for Whonix-Workstation in Whonix 14 and above.
  34. whonix-gw-network-confarchive.org iconarchive.today icon ships a file /etc/network/interfaces.d/30_non-qubes-whonixarchive.org iconarchive.today icon. Normally it should not conflict with /etc/network/interfaces. If it does, consider:
    • removing source-directory /etc/network/interfaces.d from /etc/network/interfaces (if there are no other files in the /etc/network/interfaces.d folder); or
    • moving /etc/network/interfaces.d/30_non-qubes-whonix out of the way. (sudo mv /etc/network/interfaces.d/30_non-qubes-whonix ~/)
  35. https://github.com/Whonix/derivative-maker/blob/master/help-steps/cleanup-filesarchive.org iconarchive.today icon
  36. Or build it from source code.
  37. This is not a concern in home networks, but is a risk in untrusted networks or when using a modem to connect.
  38. Or build it from source code.
  39. TODO: check whether this step is still required.
  40. At least it should work, although it is untested by developers.
  41. These are suggestions only and individual users may need to undertake further research in their personal circumstances.
Notification image
Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

Retrieved from "https://www.whonix.org/w/index.php?title=Dev/Build_Documentation/Physical_Isolation&oldid=103673"