Goal
Understand why identity compartmentalization is critical for operational security and learn to create isolated environments using virtual machines.
Prerequisites: Weeks 1-7 (encryption, Tor, networking)
This is Part 1 of 2 - Covers compartmentalization concepts and VM basics.
1. Why Compartmentalization Matters
The Problem: Identity Bleeding
Without compartmentalization:
- Your work browsing reveals your personal interests
- One compromised account can pivot to others
- Metadata from different identities gets correlated
- Single point of failure across your entire digital life
Real-world example:
Personal Gmail → LinkedIn → Corporate Email → VPN → Home IP
↓ ↓ ↓ ↓ ↓
All linked to single identity - one breach = total exposure
The Solution: Separate Compartments
Compartmentalization creates isolation boundaries:
- Work identity ≠ Personal identity ≠ Anonymous identity
- Different browsers, email aliases, VM environments
- Compromise of one compartment doesn’t affect others
Goal: Multiple isolated personas that cannot be linked
2. Levels of Compartmentalization
Level 1: Browser Profiles & Containers (Basics)
Browser profiles - Separate cookies, history, logins
# Firefox profiles
firefox -P # Launch profile manager
firefox -P "Work" # Launch specific profile
firefox -P "Personal"
firefox -P "Research"
Firefox Containers - Micro-compartmentalization within one profile
- Shopping container (isolated from social media)
- Banking container (never mixed with other sites)
- Social media container (tracked, but isolated)
When to use: Low-threat scenarios, convenience over security
Level 2: VM-Based Compartmentalization (Intermediate)
Virtual machines - Complete OS isolation
Use cases:
- Work VM (corporate tools, VPN, separate from personal)
- Research VM (questionable downloads, testing software)
- Banking VM (financial transactions only, never browse elsewhere)
- Anonymous VM (Tor, no personal accounts)
When to use: Medium-threat scenarios, need strong isolation
Level 3: Whonix & Tails (Advanced)
Specialized security-focused operating systems
Whonix - Two-VM Tor isolation
- Gateway VM: Routes all traffic through Tor
- Workstation VM: Cannot leak non-Tor traffic
Tails - Amnesic live OS
- Runs from USB, leaves no trace
- All traffic forced through Tor
- Forgets everything on shutdown
When to use: High-threat scenarios, maximum anonymity needed
3. Virtual Machine Basics
What is a Virtual Machine?
Virtualization = Computer inside a computer
Physical Hardware (Host OS)
↓
Hypervisor (VirtualBox, KVM, VMware)
↓
Virtual Machines (Guest OS)
↓
Isolated environments with own CPU, RAM, disk
Benefits:
- Complete isolation (separate network, filesystem)
- Snapshots (save/restore system state)
- Sandboxing (test dangerous software safely)
- Compartmentalization (different VMs for different identities)
Choosing a Hypervisor
VirtualBox (Recommended for Beginners)
Pros:
- Easy to install and use
- Cross-platform (Linux, Windows, macOS)
- Good guest additions (clipboard, shared folders)
- Extensive documentation
Cons:
- Oracle-owned (not fully open source)
- Performance slightly worse than KVM
Install:
# Ubuntu/Pop!_OS
sudo apt install virtualbox virtualbox-ext-pack
# Verify installation
vboxmanage --version
QEMU/KVM (Recommended for Advanced Users)
Pros:
- Fully open source
- Better performance (native Linux virtualization)
- More flexible and powerful
- Industry standard for servers
Cons:
- Steeper learning curve
- Command-line focused (GUI via virt-manager)
- Linux host only
Install:
# Ubuntu/Pop!_OS
sudo apt install qemu-kvm libvirt-daemon-system virt-manager
# Add user to libvirt group
sudo usermod -aG libvirt $USER
# Verify KVM support
kvm-ok
Creating Your First VM
VirtualBox Method
Step 1: Download an OS ISO
# Example: Download Debian
wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.2.0-amd64-netinst.iso
# Verify checksum
sha512sum debian-12.2.0-amd64-netinst.iso
Step 2: Create VM
# Command-line method
vboxmanage createvm --name "WorkVM" --register
vboxmanage modifyvm "WorkVM" --memory 4096 --cpus 2
vboxmanage createhd --filename "WorkVM.vdi" --size 50000
Step 3: Attach ISO and install
- Open VirtualBox GUI
- Select VM → Settings → Storage
- Attach ISO to optical drive
- Start VM and install OS
KVM/virt-manager Method
Step 1: Launch virt-manager
virt-manager
Step 2: Create new virtual machine
- File → New Virtual Machine
- Choose ISO image
- Allocate RAM (4GB minimum)
- Create virtual disk (50GB for work VM)
- Customize network settings
Step 3: Install OS normally
VM Best Practices for Compartmentalization
Network Isolation
NAT (Network Address Translation) - Default, shares host IP
- VM can access internet through host
- VM not directly accessible from outside
- Use for: Most compartments
Bridged - VM gets own IP on network
- VM appears as separate machine on network
- Use for: VMs that need to act as servers
Internal Network - VMs can only talk to each other
- Complete network isolation from host
- Use for: Whonix Gateway ↔ Workstation
Snapshot Strategy
Take snapshots before risky operations:
# VirtualBox
vboxmanage snapshot "WorkVM" take "BeforeUpdate"
# Restore if something breaks
vboxmanage snapshot "WorkVM" restore "BeforeUpdate"
Snapshot workflow:
- Fresh install → “Clean Install” snapshot
- Fully configured → “Configured Baseline” snapshot
- Before updates → “Pre-Update” snapshot
- Monthly → “Monthly Backup” snapshot
Resource Allocation
RAM allocation guidelines:
- Light browsing VM: 2GB RAM
- Work VM (office apps): 4GB RAM
- Development VM: 8GB RAM
- Host needs at least 4GB remaining
DO NOT: Allocate more RAM than host has available
Disk space:
- Minimal OS: 20GB
- Standard desktop: 50GB
- Development environment: 100GB+
4. Compartmentalization Strategies
Strategy 1: Activity-Based Compartments
Organize by what you’re doing:
┌─────────────────────┐
│ Work VM │ Corporate email, Slack, work files
│ (Company VPN) │ Isolated from personal life
└─────────────────────┘
┌─────────────────────┐
│ Personal VM │ Banking, personal email, social media
│ (No VPN) │ Real identity, careful browsing
└─────────────────────┘
┌─────────────────────┐
│ Research VM │ Testing software, risky downloads
│ (Snapshot-based) │ Disposable, restored after use
└─────────────────────┘
┌─────────────────────┐
│ Anonymous VM │ Tor-only, no personal accounts
│ (Whonix) │ Whistleblowing, sensitive research
└─────────────────────┘
Strategy 2: Threat-Model-Based Compartments
Organize by threat level:
Low Threat (Browser containers only)
- Shopping on known sites
- Social media browsing
- News reading
Medium Threat (Separate VM)
- Banking and financial transactions
- Work-related activities
- Personal communications
High Threat (Whonix/Tails)
- Whistleblowing
- Investigative journalism
- Activist coordination
- Sensitive research
Strategy 3: Identity-Based Compartments
Organize by persona:
Real Identity VM:
- Uses real name and personal email
- KYC services (banking, government, medical)
- Social media under real name
- No VPN (or VPN for geo-blocking only)
Pseudonymous Identity VM:
- Consistent pseudonym across sites
- Separate email alias
- VPN for IP privacy
- No real-name services
Anonymous Identity VM:
- No accounts linked to any identity
- Tor-only
- Disposable email
- Never reuses usernames
Up Next
Week 8b covers advanced compartmentalization with Whonix and Tails, plus practical workflows for journalists, researchers, and privacy advocates.
Key Takeaways
- Compartmentalization prevents identity bleeding - One compromise doesn’t expose everything
- Three levels exist - Browser profiles → VMs → Specialized OSes
- VirtualBox is easiest - KVM is more powerful but complex
- Snapshots are essential - Save state before risky operations
- Match strategy to threat model - Don’t over-engineer for your actual risks
- Network isolation matters - NAT for most, Internal for high security