Actions

Combine Whonix ™ Live VMs with Read-only Mode for Virtual Hard Drives

From Whonix

< VM Live Mode



Read-live23231.jpg

Introduction[edit]

It is possible to optionally set the virtual machine (VM) disks to read-only. This increases the security of VM Live Mode, because otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way.

Read-only Mode Configuration[edit]

Qubes[edit]

grub-live is currently unsupported on Qubes, but may become available in the future. Refer to the following forum discussion [archive] for further information.

In Qubes R4, Qubes DisposableVMs are a suitable alternative.

VirtualBox[edit]

1. Set the VM disks to read-only.

Follow these steps:

  • Power off the virtual machine (VM).
  • Set the disk to read-only.
    • The name of the VM in the following example below is Whonix-Workstation-XFCE. It could be replaced with the name of any other VM such as Whonix-Gateway-XFCE.
    • On the host command line, run.

VBoxManage setextradata Whonix-Workstation-XFCE "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1

2. Remove VirtualBox virtual DVD drive.

This is only required if the VM has a virtual DVD drive. It is not required in Whonix ™ version 15.0.1.2.7 and above since it no longer comes with a virtual DVD drive by default. See footnote for a Whonix ™ build version lower than 15.0.1.2.7. [1]

3. Launch the live system.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

4. Optional: Revert the read-only change.

To boot into normal mode again, run this command on the host to revert the change. 

VBoxManage setextradata Whonix-Workstation-XFCE "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"

The normal boot option can now be selected in the GRUB menu.

5. Optional: Re-add the virtual DVD.

Only when you need this; see footnotes. [2]

Troubleshooting: If the system does not boot, check the Recommended VirtualBox Version for Whonix ™ VirtualBox is in use. [3]

KVM[edit]

1. Set the VM disks to read-only.

Follow these steps:

  • Power off the machine.
  • Set the hard disk to read-only in the virt-manager GUI before booting into live mode.

2. Launch live-mode.

Following reboot, a second boot entry called "VM Live Mode-mode" will be visible. Select it and then press Enter to boot the live system and use it as normal.

3. Optional: Revert the read-only change.

To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.

Alternative Configurations[edit]

Ambox warning pn.svg.png Skip this section if the KVM Live-mode or Virtualbox Live-mode configuration steps above have already been completed.

Virtualbox and KVM:

VirtualBox only:

Footnotes[edit]

  1. Be careful. If the wrong drive is removed, the VM will no longer boot. If you are concerned, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBoxclick a VMSettingsStorageclick on DVD device symbolclick on disk removal symbol
    3. VirtualBox will ask:

    Are you sure you want to delete the optical drive?

    You will not be able to insert any optical disks or ISO images or install the Guest Additions without it!

    4. Click "Remove"

    https://forums.whonix.org/t/no-longer-add-virtual-dvd-drive-to-vm-by-default/9337 [archive]

  2. Be careful. If the wrong drive is removed, the VM will no longer boot. If you are concerned, clone the VM first before proceeding.
    1. Power off the VM.
    2. VirtualBoxclick a VMSettingsStorageclick on DVD device add symbolclick Leave Emptyclick OK
    3. The usual method to add DVDs to VirtualBox VMs can now be used such as: VirtualBoxclick a VMclick on [Optical Drive]
  3. A user reported on Telegram that upgrading VirtualBox fixed this issue which prevented booting the system in read-only mode.
Fosshost is sponsors Kicksecure ™ stage server 100px
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contribute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=VM Live Mode/Read Only Mode Hard Drive&body=../VM_Live_Mode/Read_Only_Mode_Hard_Drive link=https://reddit.com/submit?url=../VM_Live_Mode/Read_Only_Mode_Hard_Drive&title=VM Live Mode/Read Only Mode Hard Drive link=https://news.ycombinator.com/submitlink?u=../VM_Live_Mode/Read_Only_Mode_Hard_Drive&t=VM Live Mode/Read Only Mode Hard Drive link=https://mastodon.technology/share?message=VM Live Mode/Read Only Mode Hard Drive%20../VM_Live_Mode/Read_Only_Mode_Hard_Drive&t=VM Live Mode/Read Only Mode Hard Drive

Have you contributed to Whonix ™? If so, feel free to add your name and highlight what you did on the Whonix ™ authorship page.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=VM_Live_Mode/Read_Only_Mode_Hard_Drive&oldid=68518"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information