Privacy/security considerations for templates of qubes that route through sys-whonix

Because of resource constraints on my system I’m increasingly taking the approach of compiling a custom slim template for every app or service qube I run, work which is somewhat worthwhile, as it does produce real, measurable memory savings.

Next I’m planning to create a non-disposable qube for Signal, to be routed through sys-whonix. Then maybe other non-disposable qubes for other non-browser networked apps, also to be routed over Tor. I am wondering: what base template would be best for these Tor-routed qubes? With respect to privacy and security, is there still something to be favored about (the relatively heavy) whonix-workstation-17 vs debian-12-minimal given these qubes won’t be disposable and won’t be running Tor Browser, but will be routing through sys-whonix?


AFAIK, there shouldn’t be any concerns. What’s happening is just that IP traffic is being received by sys-whonix, and then being sent through the Tor network. With Signal, for instance, there isn’t even an official Fedora version available and so Debian must be used. Personally, I use a minimal template dedicated to Signal due to having to manually install it. Please don’t mistake my advice alone because there is a possibility there are concerns I am unaware of.

I do have a few recommendations for reducing your resource usage: Sys-whonix can be safely reduced to 512MB of RAM, and I use 400MB without issue. I have had no issue with Signal running on a Debian minimal template with 1000MB of RAM, and top shows ~60MB free. My sys-firewall has 400MB with no problem (I don’t use complicated firewall rules).

Experiment with reducing RAM usage if you can; I used Qubes for 2.5 years on 16GB of RAM with nothing reduced, and it was very difficult, but it’s much easier now that I’ve found the RAM defaults are way more than necessary for me. A caveat would be to be careful and test first, because YMMV and it may crash your stuff if you put too little.

You can read this:
Anonymize Other Operating Systems
Also, it'd be better to ask this question on the Whonix forum:
Qubes-Whonix - Whonix Forum

