Usage of AppVm with whonix

Hi qubes forum,

Let's say you have a normal working environment with Qubes OS 4.0 (R4) with Whonix templates installed and configured. You want to install an application and take advantage of Whonix Tor security for that application.

I can see two ways of doing this.
First one is

  • clone a debian or fedora template (minimal or not)
  • install your application in template
  • create an AppVM based on that template and use sys-whonix as network VM

Second one would be

  • clone whonix workstation template
  • install your application in template
  • create an AppVM based on that template and use sys-whonix as network VM

What would be the main differences and the pros / cons of those two methods?

I was always using the first method until I noticed that when using the Whonix workstation, the Tor icon toolbar includes a specific sub-menu for my VM…

Some of my thoughts are that from a surface of attack pov the minimal template with sys-whonix is better but from a tor integration / efficiency the second option is better…maybe


The first thing you need to know is that Whonix is based on Kicksecure, which is based on Debian, so the packages are quite similar.
IMO, I don’t see any advantage of using Whonix as a TemplateVM to install software,

as I use multiple Fedora templates and some of them are hardened templates.

Thanks @ppc !

Regarding packages it is understood.

Would you say that from a network perspective using the Whonix workstation template doesn’t bring anything more than just any template with sys-whonix (Whonix gateway) as network VM?

Whonix comes with many extra security features including protection against de-anonymization attacks. Using a Debian or Fedora AppVM with sys-whonix for networking just routes all the network traffic through Tor, but does not have any of the additional protection that Whonix provides. If anonymity is the goal, using an AppVM based on a whonix-ws template (the second option that you listed) is the best solution. See also: Whonix - Superior Internet Privacy.