
nihilist - 12 / 03 / 2023

Whonix in a Plausible Deniability Setup

In this tutorial we look at how to run Whonix inside a plausible deniability setup, using QEMU/KVM for the VMs and VeraCrypt for the hidden volume.

Initial Setup

First download the Whonix libvirt archive for QEMU/KVM,

then extract the .xz archive wherever you want the disk images to live:


[ 10.8.0.3/24 ] [ nowhere ] [~/Downloads]
→ mv Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz /mnt/VAULT/ISOs/whonix/

[ 10.8.0.3/24 ] [ nowhere ] [~/Downloads]
→ cd /mnt/VAULT/ISOs/whonix/

[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ tar -xvf Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz
WHONIX_BINARY_LICENSE_AGREEMENT
WHONIX_DISCLAIMER
Whonix-Gateway-XFCE-16.0.9.0.xml
Whonix-Workstation-XFCE-16.0.9.0.xml
Whonix_external_network-16.0.9.0.xml
Whonix_internal_network-16.0.9.0.xml
Whonix-Gateway-XFCE-16.0.9.0.Intel_AMD64.qcow2
	
[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted

[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ ls -lash
total 7.9G
4.0K drwxr-xr-x 2 nothing nothing 4.0K Dec 29 20:10 .
4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 29 20:09 ..
 40K -rw-r--r-- 1 nothing nothing  39K Oct 21  2015 WHONIX_BINARY_LICENSE_AGREEMENT
   0 -rw-r--r-- 1 nothing nothing    0 Dec 29 20:10 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 21  2015 WHONIX_DISCLAIMER
4.0K -rw-r--r-- 1 nothing nothing  172 Oct 21  2015 Whonix_external_network-16.0.9.0.xml
2.7G -rw-r--r-- 1 nothing nothing 101G Oct 21  2015 Whonix-Gateway-XFCE-16.0.9.0.Intel_AMD64.qcow2
4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21  2015 Whonix-Gateway-XFCE-16.0.9.0.xml
4.0K -rw-r--r-- 1 nothing nothing   97 Oct 21  2015 Whonix_internal_network-16.0.9.0.xml
3.8G -rw-r--r-- 1 nothing nothing 101G Oct 21  2015 Whonix-Workstation-XFCE-16.0.9.0.Intel_AMD64.qcow2
4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21  2015 Whonix-Workstation-XFCE-16.0.9.0.xml
1.4G -rw-r--r-- 1 nothing nothing 1.4G Dec 29 20:06 Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz

Now that we have the qcow2 files, we follow the Whonix KVM instructions: edit both VM definitions so the <source file=...> entry of each disk points at the real path of its qcow2 image, then define the networks and domains with virsh:


[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ vim Whonix-Gateway-XFCE-16.0.9.0.xml                                                                                         

[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ cat Whonix-Gateway-XFCE-16.0.9.0.xml | grep VAULT
      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Gateway-XFCE-16.0.9.0.Intel_AMD64.qcow2'/>

[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ vim Whonix-Workstation-XFCE-16.0.9.0.xml

[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ cat Whonix-Workstation-XFCE-16.0.9.0.xml | grep VAULT
      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation-XFCE-16.0.9.0.Intel_AMD64.qcow2'/>



[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system net-define Whonix_external*.xml
[sudo] password for nothing:
Network Whonix-External defined from Whonix_external_network-16.0.9.0.xml


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system net-define Whonix_internal*.xml
Network Whonix-Internal defined from Whonix_internal_network-16.0.9.0.xml


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→  sudo virsh -c qemu:///system net-autostart Whonix-External
Network Whonix-External marked as autostarted


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system net-start Whonix-External
Network Whonix-External started


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system net-autostart Whonix-Internal
Network Whonix-Internal marked as autostarted


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system net-start Whonix-Internal
Network Whonix-Internal started


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system define Whonix-Gateway*.xml
Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-16.0.9.0.xml


[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
→ sudo virsh -c qemu:///system define Whonix-Workstation*.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-16.0.9.0.xml

Make sure you give each of them 4 GB of RAM before launching them, then launch them:

On the Whonix Gateway side:

Here you can specify a Tor bridge to connect through if you need one; if not, just click Next:

Then we follow what systemcheck suggests, i.e. updating the packages:

Then just use the VM as intended:

And that's it! We have been able to install the Whonix Workstation and Whonix Gateway.

Plausible Deniability Setup



There are times when you might be forced to reveal the contents of a hard drive. To counter this you can go for a "Plausible Deniability Setup", where one encrypted drive is split into an outer (decoy) volume and a hidden volume inside it. In my case I use a hard drive for this purpose, so it is actually possible to completely wipe its contents if needed, unlike on an SSD.

First install veracrypt:


[ 10.0.2.2/24 ] [ /dev/pts/35 ] [/mnt]
→ sudo pacman -S veracrypt

Then just select the following:

Then set up the hidden inner volume:

Then you can just mount the volume you created like so:

Now we have successfully mounted it at /mnt/veracrypt1 and, as you can see, its type is "Normal". This is what you do when you are forced to give away your password. If you want to mount the real hidden volume instead, do the following:

And there you go! You now have a plausible deniability setup on a drive connected to your computer. The hidden volume is also mounted at /mnt/veracrypt1, this time with the type "Hidden". Then you can put the Whonix VMs in both volumes:


[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt]
→ cd veracrypt1

[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
→ wget https://download.whonix.org/libvirt/16.0.9.0/Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz

Go through the setup from the first part again to set up the Whonix VMs on both volumes.

Keep in mind that there may be forensic clues on the host OS (like command history) that lead to the VMs, so you have to replicate the VMs on both volumes. Such a setup lets you completely deny the existence of the Whonix VMs in the hidden volume (B) and their real usage: when you are forced to reveal the password of your hard drive, you give the password of the decoy outer volume (password A). NEVER mention password B anywhere; memorize it yourself. So go through the above process to set up the Whonix VMs on both volumes after creating the VeraCrypt hidden volume (do not select "will mount only on Linux", otherwise it gives an error). Then we use two scripts to make the setup quick and to clean traces:


[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
→ cat cleantraces.sh
#!/bin/bash
# stop and remove both Whonix domains
sudo virsh -c qemu:///system destroy Whonix-Gateway
sudo virsh -c qemu:///system destroy Whonix-Workstation
sudo virsh -c qemu:///system undefine Whonix-Gateway
sudo virsh -c qemu:///system undefine Whonix-Workstation
# stop and remove both Whonix networks (the second net-undefine must be the Internal one)
sudo virsh -c qemu:///system net-destroy Whonix-External
sudo virsh -c qemu:///system net-destroy Whonix-Internal
sudo virsh -c qemu:///system net-undefine Whonix-External
sudo virsh -c qemu:///system net-undefine Whonix-Internal

[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
→ cat getvms.sh
#!/bin/bash
# run from the directory holding the Whonix XML files: define and start the
# networks first, then define the domains that attach to them

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml


One is used to set up the VMs, the other is there to remove them. I combine them into one script:

[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
→ cat refreshvms.sh
#!/bin/bash
# run from the directory holding the Whonix XML files

#remove VMs: stop and undefine both domains, then both networks

sudo virsh -c qemu:///system destroy Whonix-Gateway
sudo virsh -c qemu:///system destroy Whonix-Workstation
sudo virsh -c qemu:///system undefine Whonix-Gateway
sudo virsh -c qemu:///system undefine Whonix-Workstation
sudo virsh -c qemu:///system net-destroy Whonix-External
sudo virsh -c qemu:///system net-destroy Whonix-Internal
sudo virsh -c qemu:///system net-undefine Whonix-External
sudo virsh -c qemu:///system net-undefine Whonix-Internal

echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
read -r

#install VMs: define and start the networks, then define the domains

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml

That way you can keep that script on both volumes and simply refresh the VMs back to the decoy state after you're done using them on the hidden volume.
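The same refresh cycle written so it can be re-run safely, as an added example and not the blog's own script: it only destroys or undefines objects libvirt actually has (so a re-run on a half-cleaned host does not trip over "network not found"), undefines Whonix-Internal rather than Whonix-External twice, and aborts instead of carrying on when a step fails. The VIRSH variable is an assumed hook so the functions can be exercised against a stub, and the directory holding the XML files is passed as an argument.

```bash
#!/bin/bash
# refreshvms.sh, added example (not the page's own script): an idempotent
# version of the tear-down / re-define cycle. Only objects libvirt actually
# knows about are destroyed or undefined, the second net-undefine targets
# Whonix-Internal, and each step is checked so a failure stops the run.
set -u
VIRSH="${VIRSH:-virsh}"   # assumed override hook, lets a stub stand in for virsh
v() { "$VIRSH" -c qemu:///system "$@"; }

# known LIST NAME: true if `virsh LIST --all --name` lists NAME
known() { v "$1" --all --name 2>/dev/null | grep -qx "$2"; }

teardown() {
  local d n
  for d in Whonix-Gateway Whonix-Workstation; do
    known list "$d" || continue
    v domstate "$d" | grep -qx running && v destroy "$d"
    v undefine "$d" || return 1
  done
  for n in Whonix-External Whonix-Internal; do
    known net-list "$n" || continue
    v net-info "$n" | grep -q '^Active: *yes' && v net-destroy "$n"
    v net-undefine "$n" || return 1
  done
}

# define_all DIR: (re)create networks and domains from the XML files in DIR
define_all() {
  local dir="$1" n d
  v net-define "$dir"/Whonix_external_network-*.xml || return 1
  v net-define "$dir"/Whonix_internal_network-*.xml || return 1
  for n in Whonix-External Whonix-Internal; do
    v net-autostart "$n" && v net-start "$n" || return 1
  done
  for d in Gateway Workstation; do
    v define "$dir"/Whonix-"$d"-XFCE-*.xml || return 1
  done
}

refresh() {
  teardown || { echo '[-] tear-down failed, not re-defining' >&2; return 1; }
  read -r -p '[+] VMs removed, re-install them? (ctrl+c to exit) ' _
  define_all "$1"
}

# usage: ./refreshvms.sh run /mnt/veracrypt1  (without "run" only the
# functions are defined, so the file can also be sourced)
case "${1:-}" in run) refresh "${2:-.}" ;; esac
```

Undefining a domain does not remove libvirt's own per-domain log under /var/log/libvirt/qemu/, so that is one more host-side trace to account for alongside shell history.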


[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
→ chmod +x refreshvms.sh

[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
→ ./refreshvms.sh
[sudo] password for nothing:
Domain 'Whonix-Gateway' destroyed

Domain 'Whonix-Workstation' destroyed

Domain 'Whonix-Gateway' has been undefined

Domain 'Whonix-Workstation' has been undefined

Network Whonix-External destroyed

Network Whonix-Internal destroyed

Network Whonix-External has been undefined

error: failed to get network 'Whonix-External'
error: Network not found: no network with matching name 'Whonix-External'

Network Whonix-External defined from Whonix_external_network-16.0.9.0.xml

error: Failed to define network from Whonix_internal_network-16.0.9.0.xml

Network Whonix-External marked as autostarted

Network Whonix-External started

Network Whonix-Internal marked as autostarted

Network Whonix-Internal started

Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-16.0.9.0.xml

Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-16.0.9.0.xml

The two "error:" lines in this run come from the second net-undefine targeting Whonix-External again instead of Whonix-Internal: that network is already gone, and because Whonix-Internal was never undefined, the net-define of Whonix_internal_network that follows fails as well. With the second call changed to Whonix-Internal the refresh completes without errors.
