Tor sessions on Qubes - do different qubes share Tor session?

I’m trying to learn more about Tor and Qubes. On the Tails website, they say it’s good practice to start a new Tor/Tails session for each activity/identity. That makes sense to me, you don’t wanna link different identities together.

How does Tor on Qubes work? If I’m running two qubes/VMs at the same time, both using sys-whonix for networking, do both qubes share the same Tor session? If so, is there any way to create a different session per qube?

I know that you can still correlate sessions, for instance, by time (i.e., if two sessions are always active at the same time), but it seems like that would be good practice anyways.

Appreciate anyone who can clarify this for me, or point to good reading material.

This speaks to ‘stream isolation’ with different Qubes options, which is the term relevant to your question:

For Tor generally:

To see what Tor circuit your app qube is using, see Sys-whonix > Tor control panel > Utilities > Onion Circuits.


An alternative you can do is to have one application workstation and gateway
pair dedicated to a given task. Won’t have to worry about stream isolation
when there’s only one Tor stream from a Qube.



I assume you mean at the very top right corner, which I believe is the global Tor status. How do I know which circuit is used by a specific app qube?

I read those, so now I know a bit more about Tor and circuits. Thank you.

But I’m still not confident about my original question: does Qubes, when using just Tor (sys-whonix) without a VPN, isolate streams? I.e., does every request, no matter what qube it goes from, use a different Tor circuit? Does it use Whonix’s SocksPort?

It’s my understanding that sys-whonix/tor doesn’t do anything specific to isolate streams. Although I believe Tor does is through requests to ensure that similar requests aren’t always using the same entry/exit nodes.
(I am not a Tor expert, but if you truly want to differentiate streams further than what Tor already does, I would create multiple Tor networking qubes to route traffic through for different identities/purposes.)


That’s a great idea!


This page provides a great breakdown of Whonix stream isolation.

"Whonix™ configures most applications that come preinstalled with Whonix™ to use a different SocksPort, thus no identity correlation is at risk. Whonix™ uses either socks proxy settings to direct various applications to different SocksPorts or uwt (more information below)."


@behemothwerecat Thanks for that link!


I will take this as “yes”: Qubes by default, using Whonix-Tor for networking, does stream isolation (assuming you are not running a VPN over it). Anyone, please correct me if that’s not true.
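
The SocksPort isolation discussed in this thread, as an added example that is not part of any post and is not Whonix's or Qubes' own code: a simplified model of the rules in the Tor manual, where streams on different SocksPorts are isolated from each other and `IsolateClientAddr` and `IsolateSOCKSAuth` are on by default. The torrc fragment, the IP addresses and the helper names are constructed for illustration, and only these two flags plus `SessionGroup` are modelled.

```python
# Simplified model of Tor's documented SocksPort isolation rules (added example).
# Constructed torrc fragment: addresses and ports are sample values,
# not Whonix's actual configuration.
SAMPLE_TORRC = """
SocksPort 10.137.0.50:9050
SocksPort 10.137.0.50:9100
SocksPort 10.137.0.50:9150 NoIsolateClientAddr
"""

def parse_socks_ports(torrc):
    """Return {listener: flags} for every SocksPort line."""
    listeners = {}
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "socksport":
            continue
        # Tor enables these two isolation flags on every SocksPort by default.
        flags = {"IsolateClientAddr": True, "IsolateSOCKSAuth": True,
                 "SessionGroup": None}
        for opt in parts[2:]:
            if opt.startswith("SessionGroup="):
                flags["SessionGroup"] = int(opt.split("=", 1)[1])
            elif opt.startswith("NoIsolate") and opt[2:] in flags:
                flags[opt[2:]] = False
            elif opt.startswith("Isolate") and opt in flags:
                flags[opt] = True
        listeners[parts[1]] = flags
    return listeners

def may_share_circuit(a, b, listeners):
    """True if streams a and b are allowed to share a circuit in this model."""
    la, lb = listeners[a["port"]], listeners[b["port"]]
    # Different listeners are isolated unless both name the same SessionGroup.
    same_group = a["port"] == b["port"] or (
        la["SessionGroup"] is not None
        and la["SessionGroup"] == lb["SessionGroup"])
    if not same_group:
        return False
    # An enabled flag on either listener requires the matching field to be equal.
    for flag, field in (("IsolateClientAddr", "client"),
                        ("IsolateSOCKSAuth", "auth")):
        if (la[flag] or lb[flag]) and a[field] != b[field]:
            return False
    return True

def stream(port, client, auth=None):
    """Describe one SOCKS stream: listener, source address, SOCKS credentials."""
    return {"port": port, "client": client, "auth": auth}

LISTENERS = parse_socks_ports(SAMPLE_TORRC)
```

In this model, two qubes with different source addresses that connect to the same default SocksPort do not share a circuit, while the port carrying `NoIsolateClientAddr` lets them share one.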