-
Notifications
You must be signed in to change notification settings - Fork 390
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a user-guide for qubes+whonix wallet and daemon isolation #405
Add a user-guide for qubes+whonix wallet and daemon isolation #405
Conversation
This PR includes the following: - Add file resources/user-guides/wallet-daemon-isolation-qubes-whonix.md. - Modify resources/user-guides/index.md to add guide to "Wallets" section.
|
||
Qubes gives us the flexibility to easily create separate VMs for different purposes. We first create a Whonix gateway which routes all traffic over Tor. Next a Whonix workstation for the wallet with no networking. Lastly, another Whonix workstation for the daemon which will use our Whonix gateway as it's NetVM. For communication between the wallet and daemon we will make use of Qubes [qrexec](https://www.qubes-os.org/doc/qrexec3/). | ||
|
||
This is a safer approach than other guides I've seen which route the wallets rpc over a Tor hidden service, or that use physical isolation but still have networking to connect to the daemon. In this way we don't need any network connection on the wallet at all, we preserve resources of the Tor network, and there is less latency. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
other guides I've seen
we will make use
our Whonix gateway
...
Being a bit nitpicky here but I think that the first person should be avoided.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem, I can edit the intro to avoid first person. I'll have a revised intro to review some time today when I get a break from work.
Please hold on merging this PR for now because I've found a better method for the qrexec call that doesn't require ssh. I have some questions for the Monero team before I continue. Should I change the install process to use the binaries instead of building from source? Should I change the I already plan to change the user:group from Any other suggestions? |
@0xB44EFD8751077F97 ping |
I was kinda waiting on some answers to the the questions I posted, but I guess I really don't need them. I'm closing this PR for now while I rework the guide. In short: no build from source, minimal changes to systemd file, and new qrexec method. I'll resubmit soonish. |
Please review, comment, and critique.