Virtual Machines

A VM is useful to compartmentalize different activities on your computer. For example, you could do all financial transactions in one VM, general browsing in another VM, a VM to experiment with an OS, and only run games from Steam on your host OS (also referred to as bare metal). If you've never used a VM before, it's a useful skill to have and the VMs themselves are useful for many different tasks, with the former examples being a few of them. It's also an important part of a privacy and security strategy.

Before going further, it's important to understand some of the drawbacks of a VM:

If you get malware on your host OS, everything is compromised, even the VMs themselves. You can't open a VM and have your activity be private when malware can record everything the host does.

VMs require extra resources. Let's say you want to want 4 Windows 11 VMs - W11 can do okay for light usage with two cores/threads and 4GB of RAM, but if you want to use it for heavier tasks, double those resources. Gaming also isn't viable for most people since GPU passthrough needs to be done, which comes with its own nuances.

A VM can't save you from making bad decisions. If you regularly used Whonix, but aren't paying attention and try logging into Gmail, you've just revealed activity you likely didn't want known. VMs also aren't immune to malware and can be infected - that infection can also spread to the host OS in some cases. Misconfiguration is one of the biggest risks with a VM, which is why it's important to spend some time familiarizing oneself with these before using them for regular business. One critical example: shared folders/clipboard can be a hazard without proper caution (moving files to and from a VM and a host).

Some people will use a VM to test an unknown file for malware. The idea itself is smart and I'm not suggesting someone do otherwise but it's important to know malware can detect when it's in a VM and choose to not run, so it tricks the user to running the infected file on the host.

IP address can still be exposed. If you're trying to keep yourself as private as possible through VM activity, you'll need to be running a VPN or Tor for your web activity (more on this later in this page). WebRTC being disabled applies to both the host and VMs.

If you're doing important business inside VMs, be sure to properly backup important data, which will need to be done from within the VM if you use a high level of security (e.g. install a cloud backup solution from inside the VM). Snapshots are not the same as backups.

Each hypervisor (HyperV, VirtualBox, VMWare, etc) has it's own quirks. Learn the hypervisor inside and out to make sure you properly set up your VMs.

All other standard privacy and security practices applies to VMs as well (e.g. keep security updates applied, use firewalls, etc).

That might have sounded like doom and gloom and that a VM isn't worth using, which is not the case at all. Here's why I recommend using them:

If you get malware on a VM, it's generally going to be contained (as long as it doesn't escape or you don't move infected files out to the host). This means you can nuke and pave the VM instead of the bare metal OS. As long as you weren't using the VM for anything sensitive and there wasn't an escape, your data isn't compromised either.

You can use a VM specifically to test unknown files and check them for infections. I mentioned above that some malware can detect when it's in a VM and won't run. Here's what you can do to counter that - run the file(s) through VirusTotal. While not 100% accurate, it'll give a good indication if something is okay or not. If you still aren't sure and want to run it anyway, keep it in the VM for a while to see how it does. If it's malicious, it may get installed on other people's computers which will eventually get caught by AV, which will then generate a signature for that malware, which will then cause the AV to remove it from your VM (if applicable).

VMs are a powerful privacy enhancement when used right. Let's use this scenario - you could do all general browsing through Whonix, which uses Tor to route all internet traffic. While Tor tends to be slow, Whonix has specific hardening applied to give privacy protections (just don't use this to login to any accounts tied to your real identity). You could then have a VM with Windows, Arch, or some other OS that you use to login to all big tech accounts. Although things like the Facebook Tracking Pixel are a privacy nightmare, they wouldn't have any idea about your general browsing done through Whonix. If you build a strategy with VM usage, you can achieve a high level of compartmentalization between all your computer activity. Note on networking: a VPN can be useful for VMs but if you want a better level of privacy for activity which is not explicitly tied to your real identity, Whonix is the better choice.

You get flexibility you didn't previously have. If you're a daily driver of Windows but want to try out different flavors of Linux without nuking your host, you can install as many distro VMs as you want.

If you're using snapshots with your VMs (which are different "points in time"), if you have an update go bad or want to quickly get rid of bloat you installed, you can just shut down the VM and roll it back to a previous snapshot, easy peasy lemon squeezy.

When you choose a hypervisor, there's generally three main choices most home users will find suitable - HyperV, VirtualBox, and VMWare. HyperV is available only on Windows on Pro editions and up. I've found it to be my personal favorite to use on a bare metal Windows OS for most cases. VirtualBox is made by Oracle and is free to use. It works well and is useful for some niche use cases (e.g. using Whonix on Windows, some Linux distros, etc). VMWare is another option, but I haven't used it since Broadcom bought the company. I would suggest doing some further research on this if you decide you want to use it for yourself. There's also Qubes OS for those who want a daunting learning curve. Qubes is way more than I can feasibly explain the facets of here, so I recommend checking out their site to learn more. It's an S tier OS but it's not for the faint of heart.

Note: I've mentioned Whonix multiple times, as it's one of my favorite choices for a VM. Before you delve deep into using it, I strongly recommend reading the documentation on their website and understanding the ways you could have OPSEC breakage and what you need to do for proper configuration.

Here are some general guidelines to follow when you're setting up a VM and are following good privacy and security practices:

Host machine security

Keep security updates applied on your main OS. Plenty of 0-days come up and they need to be patched out when available (see the WebP 0 day for an example of how these can be a big issue). These updates apply to the OS itself and software installed. Use security software for the host - if on Linux or Mac, a well configured firewall is good, if on Windows, a security suite is recommended (Defender works well enough for 95% of use cases). If you're going to use multiple VMs and plan to have them handle the majority of your daily usage, keep the usage and software installed on your bare metal OS minimal. It'll force you to use the VMs more and it lessens the chance of the host getting infected.

Hypervisor configuration

Apply updates to the hypervisor when they're available, since security patches are likely to be one part of the update.

Disable sharing features - this means clipboard (copy and paste), and dragging and dropping files between the host and VM. You don't have to always disable this, but understand the risk that comes with having it enabled. If you have a highly structured stack of VMs, this feature wouldn't be as needed anyway.

Network configuration - you could have VMs with no internet access and some with internet. In the hypervisor settings, you can configure this per VM. You can do some interesting configurations with this. For example, with Whonix, there are two VMs created - gateway and workstation. Gateway is used to connect to the internet and it creates an adapter for workstation to use. Workstation is what you use for normal Whonix usage, which only connects to the internet through the adapter created by gateway. Workstation has no internet access if gateway isn't running.

Set security settings for Windows VMs - SecureBoot and a TPM are good to use. I explain these in detail in the Windows section.

VM configuration

Standard security practices apply the same as for a host OS, with some additional considerations.

Disconnect the internet to the VM while installing an OS - this is especially important for Windows. Since you have a chance to make a "clean room" version of Windows, you want to make sure it isn't dialing home before you get a firewall configured and the network properly set up. You can turn on internet to it once everything is set the way you want it to be.

In many cases, it's a good idea to use either a VPN or Tor. If you're using a VM and will be logging into accounts tied to your real identity, having your real IP exposed may be fine if your threat model isn't going to be an issue. Tor is only a good idea to use if the entire OS is set up to do it (e.g. Whonix). See the Tor page for more info (COMING SOON).

Have a firewall installed. VMs still need to be secured properly and you don't want anything to dial home that doesn't absolutely need to.

Use full disk encryption if you're familiar with its configuration. For all the reasons I explained in the encryption page, you want to apply the same standard to your VMs.