Qubes OS is widely regarded as one of the most secure Open Source operating systems for workstations and laptops. Qubes OS uses the XEN hypervisor to compartmentalize applications into individual VMs. If one VM is compromised, the other VMs remain unaffected. By default, each Qubes OS installation comes with a pre configured and ready to use installation of whonix – specifically a VM running whonix-gateway, which is responsible of tunneling all traffic it receives into tor, and a VM for whonix-workstation, which uses the whonix-gateway to tunnel its traffic into tor, and which is where you run tor-browser and other applications that have been optimized for additional anonymity.
How Does Qubes OS Provide Additional Security Against Malware?
On Qubes OS, you commonly have one VM for each application, or group of applications. Your browser, email client and password store are all in different VMs and are hence isolated from each other. If you browse a website that manages to install malware, your email client will not be affected.
Qubes OS further enhances security by its ingenious use of different VM types: TemplateVMs are used to install and configure software, like a browser, but never to execute the browser or even browse the internet. AppVMs use a temporary snapshot of a TemplateVM to execute the browser program and surf the internet. While the /home/ directory of a AppVM is persistent, all other directories are discarded upon shutdown of the VM, along with all malware that has possibly been installed in it. DisposableVMs take a snapshot of a TemplateVM as well as a snapshot of the /home/ directory of an AppVM, and discard all data upon shutdown.
Qubes OS uses specialized network VMs to add an additional layer of security. The network VM called sys-net has the PCI network cards attached – wifi and ethernet. Attached to sys net is the VM sys-firewall VM, which uses nftables rules to filter outgoing traffic for VMs attached to it. Attached to sys-firewall would be, for example, the browser and the email client VM – sys-firewall could be configured to allow the email client VM to only access gmail.com but no other websites. A password-store VM is commonly not attached to any network VM and is hence cut off from the internet, similar to an airgapped machine.
Additionally, Qubes OS provides several clever mechanisms for managing untrusted files. When you receive an email with a .pdf file, Qubes OS provides easy to use mechanisms to open that .pdf in a disposable VM instead of the AppVM of the email client. Copy pasting text between VMs is made easy with clever shortcuts, so that you can copy paste passwords from the password-store VM into the browser VM.
How is Whonix Configured to Work Inside of Qubes OS?
Whonix integration into Qubes OS makes use of these compartmentalization and templating features. Whonix by default operates through two distinct VMs: the Whonix-Gateway, called sys-whonix in Qubes OS, and the Whonix-Workstation, called anon-whonix in Qubes OS.
sys-whonix is connected to sys-firewall. It handles all network traffic coming from anon-whonix. sys-whonix is configured to ensure that no traffic it receives from anon-whonix can bypass Tor. This means that anon-whonix has no possible way to determine the IP address that the ISP assigns to the router that the computer or laptop that runs Qubes uses, which means that if anon-whonix is compromised, the attacker does not have the ability to determine the user’s real IP address by bypassing Tor. Hence, even if anon-whonix is infected by malware, the user stays anonymous.
Both sys-whonix and anon-whonix are AppVMs by default, which allows the user to make persistent configurations to the torification configurations in sys-whonix as well as persistently save files in /home/ of anon-whonix, such as downloading files using the tor-browser or, for example, persistently store configuration for the tor-enhanced IRC client hexchat, such as user authentication data and default servers to join. Both sys-whonix and anon-whonix can be configured to be DisposableVMs. It is also very simple to have multiple sys-whonix and anon-whonix VMs, some of which are AppVMs and some of which are DisposableVMs.
How Does Qubes Running Whonix Compare to Other Linux Distributions for Using Tor?
When comparing Whonix on Qubes OS to other Linux distributions that are designed to provide anonymity through the tor network, like Tails or Subgraph OS, Qubes OS has several advantages.
Tails is a live system that is designed to boot of a USB-stick and hence leave no trace on the host machine it is running on. It also routes all of its traffic through the Tor network. Tails however lacks the compartmentalization of whonix. If tails is compromised, it is much more easy to determine the users public IP address.
Subgraph OS and Qubes Whonix both aim to enhance security and anonymity, but they do so through fundamentally different architectures. Subgraph OS utilizes Linux namespaces and seccomp-bpf for application containment which creates isolated environments within a single kernel to restrict the potential impact of exploits. This approach relies on the robustness of Linux’s internal isolation mechanisms, which can be circumvented if vulnerabilities in the kernel or containment layers are exploited. In contrast, Qubes OS running Whonix uses XEN-based virtualization to create entirely separate virtual machines (VMs) for different components. This VM-based isolation ensures that even if one VM is compromised, the attack cannot affect others, which significantly reduces the risk of cross-domain attacks. Qubes OS use of dedicated networking VM chains (sys-net <-> sys-firewall <-> sys-whonix) offers a more robust and compartmentalized security model compared to Subgraph’s single-kernel containment.
Summary
Qubes OS is not only an excellent choice for using Tor but also a robust operating system for everyday work and common tasks. Its unique architecture, which isolates applications into individual VMs, enhances security across all activities by containing potential threats within specific compartments. This means that browsing the web, checking emails, and managing passwords are all done in separate, isolated environments, which minimizes the risk of malware spreading throughout the system. Despite its advanced security features, Qubes OS remains very user-friendly and almost makes the user forget that they are not using a traditional Linux based operating system. The seamless integration of different VMs and the intuitive management interface ensure that users can carry out their regular computing tasks without much additional complication. This makes Qubes OS an ideal choice for high-security environments, such as the workstations used by the security focused Linux support company Blunix GmbH – by implementing Qubes OS on all their consultants workstations, a very high level of security can be ensured when handling client data and access keys while maintaining strong anonymity for researching new topics and technologies.
Lastly, it is easily possible to setup a VM like sys-net-vpn in front of sys-whonix, which would effectively hide the fact that you are using Tor from your ISP. For added privacy, users can also configure a network VM chain like VPN-Tor-VPN, which conceals Tor usage from both ISPs and the websites you visit or the services you use.
Qubes + Whonix are an ideal choice for anyone who uses their computer for regular tasks but also requires strong anonymity for browsing the web.