<p>In this tutorial we're going to cover how to set up the open source hypervisor QEMU/KVM on a <a href="../linux/index.html">Linux</a> host OS, managed through libvirt (with virt-manager as the graphical front end).</p>
<li><p>Hardware: PC / Laptop / Homeserver / Remote Server</p></li>
<li><p>Host OS: <a href="../linux/index.html">Linux</a></p></li>
</ol>
<p>I recommend this setup first of all to <b>isolate your Public use</b> and <b>segment it from your other uses</b>, such as <a href="../privacy/index.html">Private use</a>; the same host can later also carry <a href="../anonymityexplained/index.html">Anonymous use</a> and <a href="../encryption/index">Sensitive use</a>, as per the <a href="../opsec4levels/index.html">4 basic OPSEC levels</a>.</p>
<p>But currently Bob has only one laptop, with Linux as the host OS.</p>
<img src="21.png" class="imgRz">
<p>So the idea is that Bob does not need to buy 4 laptops, one per use; he just needs to virtualise those machines using a hypervisor:</p>
<img src="22.png" class="imgRz">
<p>Bob is going to use a QEMU/KVM hypervisor to run 4 VMs, each for a specific use. The Windows VM will be for Public use, the Debian VM for Private use, the Whonix VM for Anonymous use, and the other Whonix VMs stored in the VeraCrypt hidden volume will be used for Sensitive use.</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<!-- <h2><b>Host OS Hardening</b></h2> </br> </br>
<p>Now that we're in our host OS, let's do a few basic things to harden it:</p>
<p>Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. </p>
<pre><codeclass="nim">
nihilist@debian:~$ su -
root@debian:~# crontab -e # run it as the root user!
#also uncomment the kernel.printk line in /etc/sysctl.conf to avoid the kernel from printing out errors
root@debian:~# vim /etc/sysctl.conf
root@debian:~# cat /etc/sysctl.conf | grep printk
kernel.printk = 3 4 1 3
</code></pre>
<p>Like so we're making sure that logfiles, and that kernel output is minutely cleared</p>-->
<h2><b>Virtualisation setup</b></h2></br></br>
<p>Next, <b>we do not virtualise anything using closed-source software</b> such as VMware Workstation. <b>We use QEMU/KVM, an open source hypervisor, driven through libvirt and the virt-manager GUI</b>:</p>
<p>We also create a second NAT network, separate from libvirt's "default" one, and put every untrusted VM such as Windows into it:</p>
<img src="50.png" class="imgRz">
<p>Each libvirt NAT network lives on its own host bridge (virbr0 for "default", virbr1 for the next one). A compromised Windows VM sharing a bridge with the Debian VM could watch, and with ARP spoofing redirect, that VM's traffic at layer 2. On a separate bridge it no longer shares a broadcast domain with the trusted VMs, and libvirt's own forwarding rules reject new connections from one NAT network into another. Check it from the Windows VM: it should not be able to reach the Debian VM's address.</p>
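<p>The same network can be created from the host shell instead of through the virt-manager dialogs. The script below is an added example, not the page's own commands: it generates the libvirt network definition, loads it with <code>virsh</code>, and checks that the new network and the "default" one sit on different bridges. The network name "untrusted", the bridge "virbr1" and the subnet 192.168.123.0/24 are assumptions; pick values that are free on your host.</p>

```shell
#!/bin/sh
# Added example, not the page's own commands: define a second libvirt NAT
# network for untrusted VMs. The name "untrusted", bridge "virbr1" and subnet
# 192.168.123.0/24 are assumptions; pick values free on your host.
set -eu

# Print a libvirt network definition for a NAT network on its own bridge.
# $1 = network name, $2 = bridge name, $3 = first three octets of a /24.
untrusted_nat_xml() {
    cat <<EOF
<network>
  <name>$1</name>
  <forward mode='nat'/>
  <bridge name='$2' stp='on' delay='0'/>
  <ip address='$3.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='$3.2' end='$3.254'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Extract the bridge name from a network definition (used to prove the new
# network does not share virbr0 with libvirt's "default" network).
bridge_of() {
    printf '%s\n' "$1" | sed -n "s/.*<bridge name='\([^']*\)'.*/\1/p"
}

# Define, autostart and start the network on a real host. Guarded by APPLY=1
# so the functions above can be exercised without libvirt installed.
if [ "${APPLY:-0}" = "1" ]; then
    tmp=$(mktemp)
    untrusted_nat_xml untrusted virbr1 192.168.123 > "$tmp"
    sudo virsh net-define "$tmp"
    sudo virsh net-autostart untrusted
    sudo virsh net-start untrusted
    rm -f "$tmp"
    # Check: the two NAT networks must report different bridges.
    echo "default   -> $(bridge_of "$(sudo virsh net-dumpxml default)")"
    echo "untrusted -> $(bridge_of "$(sudo virsh net-dumpxml untrusted)")"
fi
```

<p>Run it with <code>APPLY=1 sh untrusted-net.sh</code> on the host. Then move the Windows VM's NIC onto it: in virt-manager open the VM's NIC device and change "Network source" to <code>untrusted</code>, or, assuming the VM is named <code>windows10</code>, run <code>virt-xml windows10 --edit --network network=untrusted</code>. After a reboot of the Windows VM it gets a 192.168.123.x lease, and a ping from it to the Debian VM's 192.168.122.x address should fail.</p>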
<p>Then you can add the file directories (storage pools) in virt-manager like so:</p>
<img src="13.png" class="imgRz">
<img src="12.png" class="imgRz">
<p>And now you're all set to start making VMs while maintaining the open-source requirement. If you still want to use a closed-source OS, you can do so in a QEMU VM from virt-manager. <b>Always remember that closed-source OSes like Windows belong in a VM, never outside one.</b></p>
<p>Additional notes: you can make physical tampering with your laptop detectable by putting glitter nail polish on its screws, as shown in Mullvad's <a href="https://mullvad.net/en/blog/how-tamper-protect-laptop-nail-polish">tutorial</a>, and make sure that your phone does not run a closed-source host OS either, by installing <a href="https://grapheneos.org/install/cli">GrapheneOS</a>.</p>
</div>
</div><!-- /row -->
</div><!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>How to set up VMs for Public and Private use</b></h2></br></br>
<p>Next, Bob needs VMs for 2 basic needs: Public internet usage and Private internet usage. He first downloads the <a href="https://www.microsoft.com/en-us/software-download/windows10ISO">Windows ISO</a> file and the <a href="https://www.debian.org/distrib/netinst">Debian netinst ISO</a> file, and checks each one against the checksum its vendor publishes before installing from it:</p>
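<p>An image that was swapped in transit or on a mirror ends up as the base of every VM built from it, so the download step deserves a check. The script below is an added example, not the page's own commands. Debian publishes a <code>SHA256SUMS</code> file and a detached OpenPGP signature <code>SHA256SUMS.sign</code> next to the image; the file names used here are placeholders, and the signing key is assumed to be already imported into gpg. For the Windows ISO, compare the file's SHA-256 against the hash Microsoft publishes for that image.</p>

```shell
#!/bin/sh
# Added example (not part of the page): verify a downloaded ISO against the
# vendor's published checksum list before installing from it. File names are
# placeholders; the distributor's signing key is assumed to be in the keyring.
set -eu

# Return 0 only when every file listed in the sums file that is present in
# the current directory matches its recorded SHA-256. Missing files are
# ignored so a sums file covering many images can be used for one download;
# sha256sum still fails if it ends up verifying nothing at all.
verify_sums() {
    sha256sum -c --ignore-missing --quiet "$1"
}

# Verify the detached OpenPGP signature on the sums file itself, so a
# tampered sums file cannot vouch for a tampered image.
verify_sums_signature() {
    gpg --verify "$1.sign" "$1"
}

# Real run, in the directory holding the ISO, SHA256SUMS and SHA256SUMS.sign.
# Guarded by APPLY=1 so the functions can be exercised without gpg keys.
if [ "${APPLY:-0}" = "1" ]; then
    verify_sums_signature SHA256SUMS
    verify_sums SHA256SUMS && echo "ISO checksums OK"
fi
```

<p>Run <code>APPLY=1 sh verify-iso.sh</code> in the download directory; a non-zero exit means the image must not be used. Checking the checksum without checking the signature only proves the ISO matches the sums file you fetched, which is why the signature check comes first.</p>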
<p>Then in both VMs he installs the OS onto the virtual disk:</p>
<img src="36.png" class="imgRz">
<img src="37.png" class="imgRz">
<p>Then Bob can launch both VMs (make sure in the boot settings that each VM boots from its virtual disk rather than from the ISO):</p>
<img src="38.png" class="imgRz">
<img src="39.png" class="imgRz">
<p>Then Bob can use the Windows VM for his Public usage (such as KYC services and closed-source software), and the Debian VM for his Private usage (any personal matter, with only open source software).</p>
<p>From inside the Debian VM, run the following from a terminal to enable copy and paste between the VM and the host in both directions (the SPICE guest agent talks to the host over the spicevmc channel that virt-manager adds by default):</p>
<pre><code class="nim">
su -
apt update
apt install spice-vdagent -y   # SPICE guest agent: shares the clipboard (and screen resizing) with the host
reboot
</code></pre>
<p>Do not do the same for the Windows VM: a shared clipboard lets the guest read whatever you copy on the host, and push content the other way. The Windows VM stays isolated here only because it has no SPICE guest agent installed, so never install the SPICE guest tools in it; libvirt can also refuse clipboard sharing for that domain in its graphics settings, so the isolation does not depend on guest software.</p>
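<p>Relying on the absence of a guest agent is fragile, since any Windows driver bundle that includes the SPICE guest tools re-enables the clipboard. libvirt lets the host refuse it outright: a <code>&lt;clipboard copypaste='no'/&gt;</code> element inside the domain's <code>&lt;graphics type='spice'&gt;</code> disables clipboard sharing for that VM regardless of what runs inside it. The script below is an added example, not the page's own commands: it audits which domains still allow clipboard sharing. The two domain definitions in it are constructed samples shaped like <code>virsh dumpxml</code> output; the names <code>debian</code> and <code>windows10</code> are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the page): enforce the clipboard split at the
# hypervisor instead of trusting the Windows guest to have no SPICE agent.
# The domain XML below is a constructed sample mimicking `virsh dumpxml`.
set -eu

# Print "yes" if a domain definition still allows SPICE clipboard sharing
# (libvirt's default when the clipboard element is absent), else "no".
clipboard_allowed() {
    if printf '%s\n' "$1" | grep -q "<clipboard copypaste='no'/>"; then
        echo no
    else
        echo yes
    fi
}

# Constructed samples: a Debian domain left at defaults (clipboard shared,
# spice-vdagent installed in the guest) and a locked-down Windows domain.
DEBIAN_XML="<domain type='kvm'><name>debian</name><devices>
  <graphics type='spice' autoport='yes'/>
  <channel type='spicevmc'><target type='virtio' name='com.redhat.spice.0'/></channel>
</devices></domain>"
WINDOWS_XML="<domain type='kvm'><name>windows10</name><devices>
  <graphics type='spice' autoport='yes'>
    <clipboard copypaste='no'/>
  </graphics>
</devices></domain>"

# Live audit of every defined domain; only runs against a real libvirt host.
if [ "${APPLY:-0}" = "1" ]; then
    for dom in $(virsh list --all --name); do
        printf '%-20s clipboard=%s\n' "$dom" \
            "$(clipboard_allowed "$(virsh dumpxml "$dom")")"
    done
fi
```

<p>To lock a domain down, run <code>virsh edit windows10</code> and add <code>&lt;clipboard copypaste='no'/&gt;</code> inside its <code>&lt;graphics type='spice' ...&gt;</code> element (turning the self-closing tag into an open/close pair), then re-run the audit with <code>APPLY=1</code>; every untrusted VM should report <code>clipboard=no</code>. Removing the spicevmc channel device from the Windows VM in virt-manager removes the agent's transport as well.</p>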
<p>Next, Bob can set up a <a href="../vpn/index.html">VPN</a> by default in his Debian VM, to prevent his ISP from seeing what he is doing.</p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">