Installing and securing Whonix using QEMU and KVM on Debian. : OpSec | Torhoo darknet markets
This guide is about installing Whonix, both Gateway and Workstation, on a clean Debian machine, be it 11, 12 or 13; I'd recommend 12 or 13 for your own safety and longer-term security support. If this guide goes well, I will write one on securing Debian as well, to make a neat, safe system for the dark web in the absence of Qubes.
Not every user needs Qubes, not every user wants Qubes, and not every user is able to run Qubes. A hardened Debian system with Whonix in QEMU and KVM is the closest you can get to that level of security; I will explain part of it in this guide and part in an upcoming one.
The first set of commands is from the Whonix wiki and is strictly about setting up your system so it can run QEMU and KVM.
sudo apt update && sudo apt install --no-install-recommends qemu-kvm qemu-system-x86 libvirt-daemon-system libvirt-clients virt-manager gir1.2-spiceclientgtk-3.0 dnsmasq-base qemu-utils iptables safe-rm xz-utils spice* && sudo adduser "$(whoami)" libvirt && sudo adduser "$(whoami)" kvm && sudo systemctl restart libvirtd && sudo virsh -c qemu:///system net-autostart default && sudo virsh -c qemu:///system net-start default
One caveat on that line: the unquoted spice* is a shell glob, and if nothing in the current directory matches it, apt receives it literally and treats it as a substring regular expression, so it matches every package whose name contains "spic" (libspice-server1, spice-vdagent and so on), not just what virt-manager needs. virt-manager's console already uses gir1.2-spiceclientgtk-3.0; if you want more SPICE host tools, list them by name instead.
After you've done that, QEMU, KVM and libvirt are installed. I recommend not touching anything inside virt-manager yet. Reboot before proceeding: the libvirt and kvm group memberships you just added only take effect on a new login, and without them virt-manager cannot reach /dev/kvm or the system libvirt socket as your user. I will assume you already downloaded and verified the images from Whonix; the wiki is clear on this, and an unverified image is exactly the kind of thing this whole setup is meant to protect you from. Move to the directory where you downloaded Whonix.
tar -xvf Whonix*.libvirt.xz && touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted && sudo virsh net-define Whonix_external*.xml && sudo virsh net-define Whonix_internal*.xml && sudo virsh define Whonix-Gateway*.xml && sudo virsh define Whonix-Workstation*.xml && sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2 && sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2 && sudo virsh net-autostart Whonix-External && sudo virsh net-start Whonix-External && sudo virsh net-autostart Whonix-Internal && sudo virsh net-start Whonix-Internal
The default network is not started again here: it is already active and set to autostart from the previous step, and virsh net-start refuses to start an active network, which would abort the rest of the && chain before the Whonix networks come up. The two net-autostart calls make Whonix-External and Whonix-Internal come back on their own after a reboot, so the Gateway can boot without you starting them by hand.
Your machines are now defined. I recommend changing the default settings inside Virtual Machine Manager as follows.
- RAM for the Workstation: minimum 4 GB.
- RAM for the Gateway: minimum 2 GB for GUI access, which you need to rotate Tor circuits and identities with ease.
- Increase the vCPU count for better performance.
- Enable XML editing in virt-manager's preferences (Edit > Preferences > General), otherwise the XML tab of each machine is read-only.
- Enable copy and paste by changing <clipboard copypaste="no"/> to <clipboard copypaste="yes"/> in the XML details of each machine. Whonix ships it disabled on purpose: a shared clipboard is a channel between the host and the VM in both directions, so anything you paste into the Workstation can be read by a compromised guest, and anything copied there lands on your host. Enable it only where you actually need it.
- If you don't have a dedicated GPU, do not enable 3D acceleration; it will be messy and laggy.
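The host-side steps above (install, reboot for the group memberships, import, virt-manager settings) can be checked before you boot anything. The script below is an added example, not part of the original post and not Whonix's own tooling. It assumes the libvirt domain and network names the Whonix images ship with (Whonix-Workstation, Whonix-Gateway, Whonix-Internal, Whonix-External); the sample XML it writes is constructed for an offline self-check and is not a real Whonix file. The property it audits is the one that matters most: the Workstation's only NIC must be on the isolated Whonix-Internal network, because a second NIC on the NAT'd default network would let it reach the internet around the Gateway.

```shell
#!/bin/sh
# Added example (not from the original post or from Whonix): audit the host-side
# setup. Assumed names: Whonix-Workstation, Whonix-Gateway, Whonix-Internal,
# Whonix-External (the libvirt defaults shipped in the Whonix images).

# 1. Host preflight. Group membership only applies to new logins (hence the
#    reboot in the guide), and /dev/kvm must be writable by the user running
#    virt-manager or QEMU silently falls back to slow software emulation.
host_preflight() {
    ok=0
    for g in libvirt kvm; do
        case " $(id -nG) " in
            *" $g "*) ;;
            *) echo "user $(id -un) is not in group '$g' (log out and back in, or reboot)" >&2; ok=1 ;;
        esac
    done
    [ -w /dev/kvm ] || { echo "/dev/kvm is missing or not writable by $(id -un)" >&2; ok=1; }
    return $ok
}

# 2. Network isolation: list the libvirt networks a domain XML attaches to.
#    virsh dumpxml writes single-quoted attributes; hand-edited XML may use double.
vm_networks() {
    grep -o "<source network=['\"][^'\"]*['\"]" "$1" | sed "s/.*=['\"]//; s/['\"]\$//"
}

# Succeed only if every NIC of the domain sits on the one allowed network.
# For the Workstation that is Whonix-Internal; any other NIC bypasses the Gateway.
check_isolation() {
    nets=$(vm_networks "$1")
    [ -n "$nets" ] || { echo "$1: no network interface at all" >&2; return 1; }
    bad=0
    for net in $nets; do
        if [ "$net" != "$2" ]; then
            echo "$1: NIC on network '$net' (only '$2' allowed)" >&2
            bad=1
        fi
    done
    return $bad
}

# 3. Shared clipboard: "no" is the Whonix default, "yes" is what the guide enables.
clipboard_state() {
    v=$(grep -o "<clipboard copypaste=['\"][^'\"]*['\"]" "$1" | sed "s/.*=['\"]//; s/['\"]\$//" | head -n 1)
    echo "${v:-unset}"
}

# Constructed sample domain XML for the offline self-check (not a real Whonix file).
# $1 = output path, remaining arguments = one NIC per network name.
write_sample_xml() {
    out="$1"; shift
    {
        echo "<domain type='kvm'><name>Whonix-Workstation</name><devices>"
        for n in "$@"; do
            echo "<interface type='network'><source network='$n'/></interface>"
        done
        echo "<graphics type='spice'><clipboard copypaste='no'/></graphics>"
        echo "</devices></domain>"
    } > "$out"
}

# Self-check on constructed input, then the live definitions if libvirt is present.
tmp=$(mktemp -d)
write_sample_xml "$tmp/ok.xml" Whonix-Internal
write_sample_xml "$tmp/leaky.xml" Whonix-Internal default
check_isolation "$tmp/ok.xml" Whonix-Internal && echo "sample ok.xml: isolated"
check_isolation "$tmp/leaky.xml" Whonix-Internal || echo "sample leaky.xml: rejected, as expected"
echo "sample clipboard: $(clipboard_state "$tmp/ok.xml")"

if command -v virsh >/dev/null 2>&1; then
    host_preflight || echo "host preflight failed" >&2
    for dom in Whonix-Workstation Whonix-Gateway; do
        virsh -c qemu:///system dumpxml "$dom" > "$tmp/$dom.xml" 2>/dev/null || continue
        echo "$dom clipboard: $(clipboard_state "$tmp/$dom.xml")"
        echo "$dom networks: $(vm_networks "$tmp/$dom.xml" | tr '\n' ' ')"
    done
    if [ -f "$tmp/Whonix-Workstation.xml" ]; then
        check_isolation "$tmp/Whonix-Workstation.xml" Whonix-Internal \
            && echo "Whonix-Workstation: only reachable through the Gateway"
    fi
fi
rm -rf "$tmp"
```

Run it as the user who will operate virt-manager, after the reboot; it uses qemu:///system without sudo precisely so that a missing group membership shows up as a failure rather than being hidden by root. The Gateway is expected to list both Whonix-External and Whonix-Internal, the Workstation only Whonix-Internal.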
Now that that's done, boot the Gateway in maintenance mode and follow my lead.
- Change all user passwords and disable auto-login.
- Update and upgrade system packages.
- Reboot in normal mode; the Gateway is done.
To finish up, boot the Workstation in maintenance mode and once again follow me.
- Change all user passwords and disable auto-login.
- Update and upgrade system packages.
- Install the Monero GUI wallet ("monero-gui" package).
- Install Gajim for XMPP ("gajim" package).
- Install Kleopatra for PGP ("kleopatra" package).
- Update and upgrade system packages again, so the freshly installed packages are at their current versions.
- Reboot in normal mode, then set Tor Browser's Security Level to Safest, which disables JavaScript.
These are the basics of QEMU and KVM for Whonix on Debian. If you want a second part that hardens Debian into a secure fortress to host your dark web QEMU boxes, show some love here and I'll take it into consideration.
The first suggestion that the Whonix website gives for installing Whonix is to use Kicksecure [source] https://www.whonix.org/wiki/USB_Installation.
Kicksecure is already a far more secure setup for Debian, and it's made by the same people who develop Whonix.
https://www.kicksecure.com
https://www.kicksecure.com/wiki/About#Implementation_of_the_Securing_Debian_Manual
"A hardened Debian system with Whonix in QEMU and KVM is the closest security you can get to"
I firmly disagree. I can come up with two alternatives right off the top of my head:
1) Kicksecure + Whonix. This is far more secure than any amount of hardening anyone on Dread would ever put into their Debian installation, or even know how to put into their Debian installation.
2) GrapheneOS + Whonix. (will probably exist in a year or so) The Tor Browser for Aarch64 is still being worked on, and alphas already exist. Soon after there are stable releases, Whonix would probably follow suit by adding Arm64 support (this is already on the forums and there's a page on the website about Arm64 support).
Hell, I think even just using Alpine Linux would be better, as it has significantly less attack surface to boot, so at least hardening efforts aren't just all patching holes that the distribution already created for you to be attacked through.
This isn't to say that your guide is bad, nor am I attacking you personally, it's just that this seems to not be the most obviously safe way to go about installing Whonix, and a guide here is somewhat unnecessary, as Whonix already has installation guides on the website...
I asked for a shortened Guide. The one on Whonix is about 50 pages.
That's the current link in our Wiki.
You're right about Kicksecure. I should add it as the most secure system.
Alpine is a good suggestion as second best.
Debian may be "Good Enough" depending on your Threat level.
I think you just earned a co credit on the Guide.
Whonix is based off Kicksecure, FYI.
I think Debian morphed into KS is my preferred method.
I obviously understand that without Whonix, something like Ubuntu would be much worse than Kicksecure. I guess my question is: what would possibly happen that would let a Whonix VM get breached out into the base OS, Debian or whatever?