
Qubes vs Whonix vs Tails: Anonymity Guide

This document compares and contrasts three Linux distributions focused on privacy and anonymity: Tails, Qubes OS, and Whonix. Tails is a live USB/CD operating system that leaves no trace after shutdown. Qubes OS uses virtual machines to isolate applications so malware cannot spread. Whonix also uses virtual machines, with a "gateway" VM connecting an isolated "workstation" VM to Tor to anonymize all internet traffic. Both provide security through application separation, while Whonix focuses specifically on anonymity through forced routing of all network activity over Tor.

Uploaded by

Bill

Qubes, Whonix, or Tails: which Linux distro should you use to stay anonymous?

There are a variety of privacy-focused operating systems
available. Most of them are Linux-based and, much like Linux
itself, it can be hard to figure out the differences between
such a wide variety of options. In general, there are two main
types of security/privacy operating systems: those that focus
on providing anonymity and those that contain penetration
tools for computer research. This article focuses on the
privacy aspect and will explore three main ways of achieving
this: two that use virtualization to create isolation, and
the old tried-and-true method of using Live CDs.

A Live CD is a bootable CD (or USB drive) that you stick into
a computer before booting up. Live CDs do not install anything
on the host system and leave no documents or other traces
behind when it is shut down. This ensures that there is no
way for any malware or tracking software to survive multiple
sessions. We will use the TAILS Live CD in this article.

For virtualization, we will be looking at Qubes OS and Whonix.
Qubes OS creates a series of increasingly trusted virtual
machines so that activities taking place in an untrusted
virtual machine cannot affect applications in others. Whonix
has a two-part system whereby you perform all your work in
a virtual machine workstation. It routes all of your network
traffic through the other virtual machine gateway which
connects to the Tor network.

All three methods have their pros and cons.

Qubes OS – A reasonably secure operating system

Qubes OS is best described as a Xen distribution running
virtual Linux domains. Xen is a very stable and
mature bare-metal type 1 hypervisor. This type of
virtualization is analogous to what you may be picturing when
using a product like VirtualBox with one important difference.
A type 1 hypervisor has no operating system
running below it which can be compromised. Xen is installed
on the bare metal and can then create and manage virtual
machines.

This architecture allows Qubes to create separate virtual
machines (domains, in Xen parlance) in which to run
applications. This ensures that risky applications can’t
affect trusted applications, or even write to the underlying
file system. This degree of separation doesn’t provide much
anonymity in itself, but it does provide a significant degree
of protection from malware spread. If you end up being infected
with malware from a bad website, or by falling prey to an email
phishing scam, it would be hard for that malware to spread
outside of the domain it is in.

Qubes calls these Xen domains qubes. It creates a number of
qubes in which to assign application instances. For example,
surfing miscellaneous websites that you have no reason to
trust is probably best done in the untrusted qube. Work related
activities on trusted websites and applications may be done
in the trusted zone. The point being that each qube only has
the potential to affect applications in the same qube.

To make it easy to keep the qubes straight as you use them,
each window has an “unforgeable” coloured window border that
indicates the security level of each qube. The Qubes team
indicates that the window borders are unforgeable because they
are constructed at the Xen domain zero (dom0) level, which
is the privileged domain Xen starts at boot time, and it manages
all the other domains, or qubes in this case. The qubes are
unable to interact with dom0 and are unprivileged, meaning
they cannot access low level system functions themselves.

The window border coloring provides a fairly instant way to
see the trust level of each window. In this screenshot we can
see red (untrusted), green (trusted) and yellow (somewhere
in the middle) window borders. It’s also easy to see that the
password prompt is from an application in the trusted (green)
domain even though it happens to be overlaid on an untrusted
(red) application. A very common phishing technique is to use
a website to create a very realistic login box for some service
and attempt to get people to enter their credentials. If that
were the case here, the password box would have a red border
which would be your signal that something risky may be
happening.

An excellent way to tack a good anonymity layer onto the already
robust security model is to use Whonix, discussed later, with
Qubes. Because Qubes OS runs each application in a separate
qube, the Whonix gateway and workstation will run in separate
qubes. This further abstracts them from each other. If the
Whonix gateway or workstation are run in their own qube and
are somehow compromised, they would be unable to access any
other application on the computer. There are
instructions here on how to create the necessary Qubes OS
templates for Whonix.

QubesOS pros

• Application separation through the use of sandboxed
  virtual machines ensures that an exploited app, or
  malicious JavaScript, can’t be passed to other
  applications or to the host operating system.
• The use of Whonix within QubesOS provides a further level
  of separation from the internet by forcing all your
  internet traffic through the Whonix Tor gateway.

QubesOS cons

• Qubes OS is difficult to test because it does not perform
  well, or at all, in a virtual machine.
• There is an unsupported Live CD on the download page.
  It may or may not work for your system. And, since it
  is unsupported, it doesn’t really fulfill the job of a
  Live CD by allowing you to use it to gain confidence as
  to how a full installation will work. Therefore, you’re
  pretty much stuck with an all-or-nothing install
  of Qubes onto your machine to see how it fares.

Whonix – Anonymity in two parts


Whonix is designed specifically to provide anonymity while
using the internet. It consists of two virtual machines,
the gateway and the workstation. The workstation can only
talk to the gateway and the gateway connects to the internet
via Tor. Both are VirtualBox virtual machine appliances, so
you can run it on any operating system that runs VirtualBox.

The Whonix workstation and gateway are configured to use a
private network on your host computer. The workstation routes
all of its traffic to the gateway, which uses the Tor network
to access the internet. All network activity performed on the
workstation is done through Tor.

The host machine does not participate in the Whonix private
network and therefore continues to use its normal internet
connection.

In addition to simply proxying all workstation requests
through Tor, the Whonix gateway also protects against being
identified by using separate Tor circuits for different applications.
The gateway implements Stream Isolation to ensure that
different applications on the workstation take different
paths through Tor. While this is configured by default, you
can learn more about Tor isolation on the Whonix wiki.
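
An added illustration, not taken from the article or from the Whonix project: Tor expresses stream isolation in torrc through separate listener ports and isolation flags. The Python sketch below parses a constructed torrc fragment (the addresses, ports and application labels are assumptions) and reports which listeners could still share circuits or have a default isolation rule switched off.

```python
import shlex
from collections import defaultdict

# Constructed torrc fragment; addresses, ports and app labels are illustrative.
SAMPLE_TORRC = """\
# one listener per application
SocksPort 10.0.0.1:9100                     # mail client
SocksPort 10.0.0.1:9101 IsolateDestAddr     # chat client
SocksPort 10.0.0.1:9102 SessionGroup=5      # updater
SocksPort 10.0.0.1:9103 SessionGroup=5      # package manager
TransPort 10.0.0.1:9040 NoIsolateClientAddr # transparent proxy
"""

LISTENER_KEYS = {"socksport", "transport", "dnsport"}
# Flags that turn off isolation rules Tor enables by default.
DEFAULTS_OFF = {"noisolateclientaddr", "noisolatesocksauth"}


def parse_listeners(torrc_text):
    """Return one dict per enabled listener line in the torrc text."""
    listeners = []
    for line in torrc_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        if len(tokens) < 2 or tokens[0].lower() not in LISTENER_KEYS:
            continue
        if tokens[1] == "0":  # "SocksPort 0" disables the listener
            continue
        flags = {t.lower() for t in tokens[2:]}
        group = next((f.split("=", 1)[1] for f in flags
                      if f.startswith("sessiongroup=")), None)
        listeners.append({"kind": tokens[0], "addr": tokens[1],
                          "flags": flags, "group": group})
    return listeners


def sharing_groups(listeners):
    """Streams on different listeners never share a circuit unless the
    listeners carry the same SessionGroup; return those groups."""
    by_group = defaultdict(list)
    for item in listeners:
        if item["group"] is not None:
            by_group[item["group"]].append(item["addr"])
    return {g: addrs for g, addrs in by_group.items() if len(addrs) > 1}


def weakened(listeners):
    """Listeners on which a default-on isolation rule was disabled."""
    return [item["addr"] for item in listeners if item["flags"] & DEFAULTS_OFF]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_TORRC)
    print("may share circuits:", sharing_groups(found))
    print("default isolation disabled:", weakened(found))
```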

Download the two appliances from the Whonix website here, and
then import them one-by-one into VirtualBox.

Select File -> Import Appliance:

VirtualBox will take a few minutes to read the appliance and
then display its settings. Click the Import button to
finalize it, and then click the Start button to launch the
gateway virtual machine.

Whonix Gateway

The gateway can be run from the command line. If your system
has less than 2GB RAM, it may be painful to run two full-blown
desktops, so you can opt to run the gateway headless. I will
use the desktop for both the workstation and the gateway for
this article as it is easier to demonstrate the concepts.

The first run wizard displays two screens full of warnings
about how Whonix should not be relied upon to provide
anonymity:

Whonix is experimental software. Do not rely on it for strong anonymity.

That’s a little disconcerting because the main page of the
Whonix website specifically states it
provides fail-safe anonymity:

It makes online anonymity possible via fail-safe, automatic, and
desktop-wide use of the Tor network.

I think the underlying message here is that there are many
ways in which you can betray your identity that have nothing
to do with technical safeguards.

The next step is to configure how the gateway should connect
to the Tor network. The options here mimic the normal Tor setup
options regarding bridges and proxies. When you hover over
any of these options, Whonix will display the changes that
are needed in your torrc file to achieve that change. It will
not make any changes automatically for you.

The next step is to configure how you’d like updates to be
done.

And finally, an admonishment that this is the Whonix gateway
and should not be used as the workstation.

Whonix Workstation

Now that your Whonix gateway is installed and connected to
Tor, it’s time to launch the workstation. Import the
workstation virtual machine as you did the gateway and boot
it. The same Terms and Conditions doom-and-gloom are displayed.
You can then configure your update preferences.

Let the first update complete and the workstation is ready
to use:

If you want to see your gateway in action, launch the Tor
browser in the workstation, then launch the Tor Anonymizing
Relay Monitor (ARM). You’ll see the traffic from the
workstation going through your gateway.

For some basic help, open a terminal window and just
type whonix by itself. A help screen will appear that includes
the default user credentials. You can use those to sudo to
root in order to see your network interfaces.

A quick check of the network interfaces shows that the
workstation is using a private IP address as expected and is
routing all of its traffic through the gateway.

Shutting down the gateway stops the workstation from being
able to connect to the internet at all.
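
The interface check described above can be scripted. This is an added example, not from the original article: it audits `ip` output for the layout the article describes (a private workstation address and a single default route through a gateway on the same private network). The sample outputs and all addresses in them are constructed.

```python
import ipaddress
import re

# Constructed `ip -4 -o addr show` / `ip -4 route show` output (not from the page).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
"""
SAMPLE_ROUTE = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
"""
# Constructed failure case: an extra bridged NIC with its own default route.
LEAKY_ADDR = SAMPLE_ADDR + (
    "3: eth1    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth1\n")
LEAKY_ROUTE = "default via 203.0.113.1 dev eth1 metric 50\n" + SAMPLE_ROUTE

# Checked explicitly: ipaddress' is_private also accepts documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_addrs(text):
    """Map device name -> list of IPv4 interfaces, skipping loopback."""
    out = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", text, re.M):
        iface = ipaddress.ip_interface(m.group(2))
        if not iface.ip.is_loopback:
            out.setdefault(m.group(1), []).append(iface)
    return out


def parse_defaults(text):
    """Return (gateway, device) for every default route."""
    return re.findall(r"^default via (\S+) dev (\S+)", text, re.M)


def audit(addr_text, route_text):
    """Return findings; an empty list means the expected layout holds."""
    findings = []
    addrs = parse_addrs(addr_text)
    defaults = parse_defaults(route_text)
    for dev, ifaces in addrs.items():
        for iface in ifaces:
            if not is_rfc1918(str(iface.ip)):
                findings.append(f"{dev} has non-private address {iface.ip}")
    if len(defaults) != 1:
        findings.append(
            f"expected exactly one default route, found {len(defaults)}")
    for gw, dev in defaults:
        on_link = any(ipaddress.ip_address(gw) in i.network
                      for i in addrs.get(dev, []))
        if not (is_rfc1918(gw) and on_link):
            findings.append(
                f"default route via {gw} on {dev} is not a private on-link gateway")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_ADDR, SAMPLE_ROUTE))
    print(audit(LEAKY_ADDR, LEAKY_ROUTE))
```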

Whonix pros

• Using the VirtualBox technology ensures that the widest
  range of people can use Whonix. VirtualBox is available
  for every major operating system and is free.
• The default installation and use is extremely easy. No
  special knowledge or configuration is required to get
  to work.

Whonix cons

• While the Whonix workstation is separated from the host
  computer, there is no further separation. Performing
  both risky and non-risky behaviours in the workstation
  is just as dangerous as doing both on the host computer.
• Since the anonymity is provided only in the workstation
  virtual machine, it can be easy to forget to use it, and
  end up using the host machine by accident.

Tails – The Amnesic Incognito Live System


Tails is a live operating system built off Debian GNU/Linux.
There is no installation process. You boot your computer with
it, and it runs from the temporary media you booted from. When
you shut it down, it forgets (amnesic) and helps keep you
anonymous while using it (incognito).

All network connections are routed through the Tor network
and applications attempting to access the internet directly
are blocked. Tor is set up by default, but Tails can also be
configured to use the I2P anonymous network.

Start here to kick off the download process: [Link] The
instructions seem to be a little involved; I am not sure why
they include the need for multiple USB sticks or a mobile phone
to read instructions. I simply downloaded the Tails ISO file
and loaded it into VirtualBox as I would any other. If you’re
going to use Tails properly you will need to burn that ISO
to some media that you can boot from; usually a CD/DVD or a
USB stick.

The first boot will display the Tails Greeter where you can
optionally configure some options before the desktop loads.
To use Tails with I2P instead of Tor, you will need to reboot.
When the boot loader menu appears, press the Tab button to
display the current boot options. Press the Spacebar and then
add i2p to the existing options. Press Enter to continue
booting.

The notification panel at the bottom of the desktop will tell
you whether Tor or I2P is configured:

Launch the I2P browser to see the status of your I2P connection
by selecting the Application -> Internet menu option.
Wait while it loads:

Much like Tor has internal sites that use the .onion extension,
I2P has its own hidden services that use the .i2p extension.
Unlike Tor, the I2P router will not allow you to access clear
net sites by default. You will need to configure an Outproxy
in order to access regular internet sites while using I2P.

There are only HTTP, HTTPS, and email Outproxies available.
If you need a SOCKS outproxy to do more with, then you should
stick with Tor.

Tails Pros

• Live CDs in general are very easy to use. You can burn
  once, use anywhere which is very handy if you’re on
  multiple untrusted computers.
• The default configuration to use Tor provides
  out-of-the-box anonymity, to the extent that Tor
  provides it.

Tails Cons

• Tails does not encrypt documents created during its
  session by default, but has an encrypted persistent
  volume feature you can use for this.
• Live CDs in general don’t address the monolith problem; the
  operating system has no segregation so risky activities
  in one application can affect others.

Other Live CD distros


The Live CD is seen as one of the easiest ways to provide some
security and anonymity. For that reason, there is a wide
variety of Live CDs available. A few others that caught my
eye while writing this article are IprediaOS and TENS.

IprediaOS

IprediaOS uses the I2P anonymizing network instead of the
Tor network which is prevalent among the other distros. I2P
is available for Windows, Linux, macOS, and Android. IprediaOS
is available as an installable Live CD download using the Gnome
desktop or the Lightweight X11 Desktop (LXDE).

Anonymity comes from the use of the I2P network as well as
from the pre-installed applications. The provided
applications support anonymous BitTorrent, email, IRC and web
browsing. Much like Tor has internal onion sites, I2P has
internal I2P sites named eepSites with the .i2p extension.

Download an installable Live CD from the Ipredia site.

TENS – Trusted End Node Security

Trusted End Node Security ([Link]): TENS was
created by the U.S. Department of Defence (DoD). Interestingly,
the U.S. DoD signs its own SSL certificates. Your browser most
likely does not have the DoD listed as a trusted Certificate
Authority, so you will likely see SSL errors when you try to
visit the site. It seems safe to do so based on my research,
but your level of paranoia should rule your actions.

TENS boots into RAM, does not write anything to disk, and
therefore creates a trusted, temporary end node on almost any
computer. Note that the purpose of TENS is to create a trusted
END node; it was created to protect the computer that you’re
connecting to; it’s not designed to protect you, per se.

There are a few different versions, two of which are available
to the public. Public Deluxe comes with Libre Office, whereas
the standard Public version does not. The Professional
version is only available to U.S. government personnel.
Individual departments can request custom builds and it is
the only approved method to connect to DoD systems on
non-government equipment.
