Goal
Master specialized security operating systems (Whonix and Tails) for maximum anonymity and build practical compartmentalization workflows for different use cases.
Prerequisites: Week 8a (VM Fundamentals)
This is Part 2 of 2 - Covers Whonix, Tails, and practical workflows.
1. Whonix: Maximum Anonymity Through Isolation
What is Whonix?
Two-VM architecture for Tor isolation:
┌─────────────────────────────────────────┐
│ Whonix-Workstation                      │
│ (Where you actually work)               │
│ - Browser, apps, files                  │
│ - Cannot directly access internet       │
│ - All traffic → Whonix-Gateway          │
└──────────────┬──────────────────────────┘
               │ Internal Network Only
               ↓
┌─────────────────────────────────────────┐
│ Whonix-Gateway                          │
│ (Tor relay)                             │
│ - Routes all traffic through Tor        │
│ - No applications run here              │
│ - Workstation cannot bypass Tor         │
└─────────────────────────────────────────┘
Why this matters:
- Even if Workstation is compromised, traffic still goes through Tor
- No possibility of IP leaks or non-Tor traffic
- Gateway enforces Tor at network level
Installing Whonix
Method 1: Download Pre-built VMs (Easiest)
# Download Whonix for VirtualBox
cd ~/Downloads
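wget https://download.whonix.org/ova/16.0.7.1/Whonix-XFCE-16.0.7.1.ova
# Download the detached signature that gpg checks below
wget https://download.whonix.org/ova/16.0.7.1/Whonix-XFCE-16.0.7.1.ova.asc
# Verify signature (the Whonix signing key must already be in your GPG keyring)
gpg --verify Whonix-*.ova.asc Whonix-*.ova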
# Import into VirtualBox
vboxmanage import Whonix-*.ova
Method 2: Build from Source (Advanced)
See: https://www.whonix.org/wiki/Build_Documentation
Using Whonix Safely
DO:
- ✅ Use Whonix-Workstation for anonymous browsing
- ✅ Keep both VMs updated regularly
- ✅ Use Whonix for activities requiring strong anonymity
- ✅ Take snapshots before risky operations
DON’T:
- ❌ Log into personal accounts from Whonix
- ❌ Install proprietary software (telemetry risks)
- ❌ Maximize Tor Browser window (fingerprinting)
- ❌ Upload personal files (metadata leaks)
Whonix Use Cases
When to use Whonix:
- Whistleblowing or leaking documents
- Sensitive investigative journalism
- Accessing .onion sites securely
- Research on sensitive topics
- Bypassing censorship in hostile environments
When NOT to use Whonix:
- Regular browsing (Tor Browser on host OS is fine)
- Streaming video (too slow)
- Banking (use dedicated banking VM instead)
- Activities where speed matters
2. Tails: Amnesic Operating System
What is Tails?
The Amnesic Incognito Live System
Key features:
- Runs entirely from USB (no installation needed)
- All traffic forced through Tor
- Amnesia: Everything forgotten on shutdown
- Leaves no trace on host computer
- Portable: Use on any computer
Boot Tails USB → Use computer → Shut down → All data erased
(Unless using persistent storage)
When to Use Tails vs Whonix
Use Tails when:
- You need to use a public/untrusted computer
- You want zero traces left behind
- You’re traveling and need portable anonymity
- You’re in a hostile environment (journalism, activism)
Use Whonix when:
- You’re on your own trusted computer
- You need persistent setup (installed apps, saved files)
- You want VM snapshots for testing
- You need better performance than live USB
Creating a Tails USB
Requirements:
- USB drive (8GB minimum)
- Computer with internet access
Step 1: Download Tails
wget https://tails.boum.org/install/download/tails-amd64-5.18.img
# Download and verify the signature (the Tails signing key must already be in your GPG keyring)
wget https://tails.boum.org/install/download/tails-amd64-5.18.img.sig
gpg --verify tails-*.img.sig tails-*.img
Step 2: Write to USB
# Find USB device
lsblk
# Write image (WARNING: Destroys all data on USB!)
sudo dd if=tails-amd64-5.18.img of=/dev/sdX bs=4M status=progress
sync
Step 3: Boot from USB
- Restart computer
- Enter BIOS/UEFI boot menu (usually F12, F2, or Del)
- Select USB drive
- Boot Tails
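The `gpg --verify` step in the Whonix and Tails downloads succeeds for any key that happens to be in your keyring, so it is worth pinning the expected signer. The script below is an added example, not part of the original page: it parses gpg's `--status-fd` output and fails closed. `EXPECTED_FPR` is a placeholder and the sample status text is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): pin the signer's fingerprint
# instead of trusting gpg's "Good signature" line alone.

# PLACEHOLDER, not a real key: replace with the primary-key fingerprint the
# project (Whonix or Tails) publishes, obtained over a separate channel.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# check_status STATUS_TEXT WANTED_FPR
# Succeeds only if gpg's machine-readable status shows a valid signature by
# the pinned primary key and no failure line. Everything else fails closed.
check_status() (
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # Any of these status lines means the image must not be used.
    if printf '%s\n' "$1" | grep -Eq \
        '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        exit 1
    fi
    # VALIDSIG: field 3 is the fingerprint of the (sub)key that signed; the
    # last field is the primary key fingerprint, which is what gets pinned.
    fpr=$(printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$want" ]
)

# verify_image SIG_FILE IMAGE_FILE: run gpg, then apply the check above.
verify_image() (
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || exit 1
    check_status "$status" "$EXPECTED_FPR"
)

# Constructed sample of gpg status output (fake key IDs and fingerprints).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2023-01-01 1672531200 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01'

# Usage: sh verify-image.sh tails-amd64-5.18.img.sig tails-amd64-5.18.img
if [ $# -eq 2 ]; then
    if verify_image "$1" "$2"; then
        echo "OK: signed by the pinned key"
    else
        echo "FAIL: do not use this image" >&2
        exit 1
    fi
fi
```

Run it before the `dd` step; a signature from an expired or revoked key is rejected even though gpg still reports it as cryptographically valid.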
Tails Persistent Storage
Encrypted persistent volume on USB:
What you can persist:
- Personal files and documents
- Browser bookmarks
- Email client settings
- GnuPG keys
- SSH keys
- Additional software
Setup during first boot:
- Applications → Tails → Configure persistent volume
- Create strong passphrase
- Select what to persist
- Reboot and unlock persistent storage
Security note: Persistent storage is encrypted, but an adversary with physical access to the USB can attempt to brute-force the passphrase.
3. Practical Compartmentalization Workflows
Example 1: Journalist Compartmentalization
Real Identity VM:
- Personal email, social media
- Public research and writing
- Bylined articles
Work Identity VM:
- Corporate email and tools
- Standard journalism work
- Known source communications
Anonymous Source VM (Whonix):
- SecureDrop for tips
- Anonymous email (ProtonMail)
- Signal with burner number
- Tor-only browsing
Tails USB (Travel/Public Computers):
- Accessing encrypted files on the go
- Emergency anonymous communication
- Using hotel/cafe computers safely
Example 2: Security Researcher Compartmentalization
Main Workstation:
- Daily work, email, communication
- Safe browsing and research
Malware Analysis VM:
- Isolated network (no internet)
- Snapshots before every analysis
- Testing suspicious files
- Restored after each session
Penetration Testing VM:
- Kali Linux or Parrot OS
- VPN for ethical hacking work
- Authorized pentest tools
- Isolated from personal data
Documentation VM:
- Writing reports and findings
- Screenshots and evidence
- No risky tools or connections
Example 3: Privacy Advocate Compartmentalization
Personal VM:
- Real identity
- Banking, shopping, family
- Standard security practices
Pseudonymous VM:
- Online pseudonym
- Forums, communities
- VPN for IP privacy
- Separate email alias
Anonymous Research VM (Whonix):
- Investigating privacy violations
- Accessing leaked documents
- Anonymous tip submissions
- No link to any identity
4. Hands-On Labs
Lab 1: Create Your First Compartmentalized Setup
Goal: Build a basic two-VM compartmentalization setup
Steps:
- Install VirtualBox or virt-manager
- Create “Personal” VM (Debian or Ubuntu)
- Create “Work” VM (same or different OS)
- Configure different network settings
- Take baseline snapshots
- Test isolation (can VMs talk to each other?)
Deliverable: Two functional, isolated VMs
Lab 2: Set Up Whonix
Goal: Install and configure Whonix for anonymous browsing
Steps:
- Download Whonix OVA
- Verify GPG signature
- Import into VirtualBox
- Start Gateway, then Workstation
- Test Tor connectivity
- Visit check.torproject.org
- Try accessing .onion sites
Deliverable: Working Whonix setup with verified Tor connectivity
Lab 3: Create a Tails USB
Goal: Build a Tails USB with persistent storage
Steps:
- Download Tails USB image
- Verify signature
- Write to USB drive
- Boot Tails on your computer
- Configure persistent storage
- Save test file, reboot, verify persistence
Deliverable: Bootable Tails USB with working persistent storage
Lab 4: Design Your Personal Compartmentalization Strategy
Goal: Create a custom compartmentalization plan for your threat model
Steps:
- List your digital activities
- Categorize by threat level
- Design compartments (browser, VM, Whonix, Tails)
- Map email aliases to compartments
- Document your strategy
Deliverable: Written compartmentalization plan
5. Security Considerations & Common Mistakes
Mistakes to Avoid
❌ Logging into personal accounts from anonymous VMs
- Breaks compartmentalization immediately
- Links identities through server logs
❌ Reusing usernames across compartments
- “bob123” in work VM and anonymous VM = linkable
❌ Sharing clipboard between host and VM
- Data leakage vector
- Disable VirtualBox Guest Additions clipboard sharing
❌ Maximizing Tor Browser window
- Fingerprinting via screen resolution
- Keep Tor Browser at default size
❌ Mixing threat levels in one VM
- Don’t do banking and malware analysis in same VM
- Each compartment = one purpose
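One way to check the shared-clipboard item above and Lab 1's isolation test from the host, as an added example that is not part of the original page. It goes beyond the clipboard to drag and drop, shared folders and shared internal networks; the VM names `Work` and `Anon` and the sample output are constructed.

```sh
#!/bin/sh
# Added example (not from the original page). Input is the text printed by
#   VBoxManage showvminfo "<vm>" --machinereadable
# Assumption: key names are those printed by recent VirtualBox releases;
# compare with your own output before relying on the result.

# open_channels INFO: one line per host<->guest channel that is still open.
open_channels() {
    printf '%s\n' "$1" | awk -F= '
        { v = $2; gsub(/"/, "", v) }
        $1 == "clipboard"   && v != "disabled" { print "clipboard=" v }
        $1 == "draganddrop" && v != "disabled" { print "draganddrop=" v }
        $1 ~ /^SharedFolderNameMachineMapping[0-9]+$/ { print "sharedfolder=" v }'
}

# intnets INFO: names of the internal networks the VM is attached to.
intnets() {
    printf '%s\n' "$1" |
        awk -F= '$1 ~ /^intnet[0-9]+$/ { gsub(/"/, "", $2); print $2 }' | sort -u
}

# shared_intnets INFO_A INFO_B: internal networks both VMs sit on. Two
# compartments that are meant to be separate should have none in common.
shared_intnets() {
    nets_a=$(intnets "$1")
    intnets "$2" | while IFS= read -r n; do
        if printf '%s\n' "$nets_a" | grep -Fxq -- "$n"; then printf '%s\n' "$n"; fi
    done
}

# Constructed sample output for two hypothetical VMs named Work and Anon.
SAMPLE_WORK='name="Work"
clipboard="bidirectional"
draganddrop="disabled"
nic1="intnet"
intnet1="lab"
SharedFolderNameMachineMapping1="Downloads"'
SAMPLE_ANON='name="Anon"
clipboard="disabled"
draganddrop="disabled"
nic1="intnet"
intnet1="lab"'

# Usage: sh audit-vms.sh Work Anon   (prints nothing when both are clean)
if [ $# -eq 2 ]; then
    info_a=$(VBoxManage showvminfo "$1" --machinereadable)
    info_b=$(VBoxManage showvminfo "$2" --machinereadable)
    open_channels "$info_a"; open_channels "$info_b"
    shared_intnets "$info_a" "$info_b"
fi
```

To close the clipboard channel on a powered-off VM, run `VBoxManage modifyvm "<vm>" --clipboard-mode disabled` (VirtualBox 6.1 and later). Whonix-Gateway and Whonix-Workstation share an internal network by design, so run the network comparison only on VMs that are meant to be separate.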
Advanced Considerations
VM Detection:
- Some websites detect virtualization
- Banking sites may flag VMs as suspicious
- Use physical machine for high-assurance activities if needed
Performance:
- VMs consume significant RAM and CPU
- Host needs powerful hardware for multiple VMs
- Consider dedicated compartmentalization machine
Backups:
- Encrypted backups of VM disk images
- Snapshot strategy for disaster recovery
- Test restore procedures
6. Journal & Git Commit
echo "Week 8: Completed compartmentalization - created VMs for work/personal/anonymous use, set up Whonix, created Tails USB. Key insight: isolation boundaries prevent identity correlation." >> notes/week08_journal.md
git add .
git commit -S -m "Week 8 - Compartmentalization, Whonix, Tails"
Week 8 Checklist
Concepts:
- Understand why compartmentalization matters
- Know different levels (browser, VM, Whonix, Tails)
- Understand when to use each method
Practical Skills:
- Install and configure VirtualBox or KVM
- Create and manage virtual machines
- Take and restore VM snapshots
- Set up Whonix for anonymous browsing
- Create bootable Tails USB
- Design personal compartmentalization strategy
Operational Security:
- Never cross-contaminate compartments
- Use appropriate email aliases per VM
- Disable risky features (shared clipboard)
- Maintain separate browser profiles/containers
- Document your compartmentalization setup
Additional Resources
Official Documentation
- Whonix Wiki: https://www.whonix.org
- Tails Documentation: https://tails.boum.org/doc
- VirtualBox Manual: https://www.virtualbox.org/manual
- KVM/QEMU: https://www.linux-kvm.org
Advanced Reading
- “Qubes OS: Reasonably Secure Operating System” (ultimate compartmentalization)
- Whonix security design documentation
- Tails design documentation
Key Takeaways
- Whonix provides network-level Tor enforcement - Workstation cannot leak non-Tor traffic
- Tails leaves no trace - Amnesic by design, perfect for hostile environments
- Different tools for different scenarios - Match compartment type to threat level
- Never cross-contaminate compartments - That defeats the entire purpose
- Document your strategy - Future you will thank present you
- Test your isolation - Verify VMs can’t communicate when they shouldn’t