{{Header}}
{{Title|
title=Read-Only: Setting Hard Drives to Read-Only
}}
{{#seo:
|description=When using live mode, no changes are made to the disk. For added security, consider setting your disk to read-only mode, if possible.
|image=whonixlive.jpg
}}
{{live}}
{{grub-live}}
[[File:whonixlive.jpg|250px|thumb]]
{{intro|
Depending on the user's use case. Choose one.

* '''A)''' ISO users installing {{project_name_short}}: Using the [[ISO]] just to install {{project_name_short}}? This does not matter. The user can ignore any live mode related warnings. These are not applicable.
* '''B)''' Interested in live mode? See below.

When using [[Live Mode|live mode]] ([[grub-live]] or [[ISO Live Mode]]), no changes are made to the disk. For added security, consider setting your disk to read-only mode, <u>if possible</u>.

Sometimes it is possible to optionally set the disks to read-only. This increases the security of live mode because otherwise malware running as root could theoretically mount the image read-write and gain persistence in this way.
}}
= Introduction =
The emphasis is on <u>if possible</u>.

This is platform-specific.

Unfortunately, read-only mode is not easily available on all platforms.

Write protection can refer to very different security proprieties. See [[Verified_Boot#Write_Protection]].

= VMs =
== VirtualBox ==
Step-by-step guide on implementing the Immutable Disk Method for Virtual Machine (VM) Live Mode in VirtualBox, focusing on secure, read-only VM configurations.

This option is the official method for setting VMs to read-only in VirtualBox. It will only work with the <code>grub-live</code> package, which is installed by default. <ref>
This option will not work with the <code>ro-mode-init</code> package.
</ref>

{{Box|text=
'''1.''' Make the [[VirtualBox]] disk immutable / read-only.

This step is crucial. Otherwise, contents might be recoverable from the host drive. <ref>
VirtualBox implements hard disk write protection differently. If an immutable virtual machine is booted, VirtualBox will always create a snapshot where data is written. After shutting down and booting the VM again (a soft reboot is inadequate), the old snapshot will be deleted and a new one created. Consequently, data will not persist in the VM, even if Live-mode is not selected. However, since the data is written to the hard disk of the host (instead of memory), it is easily recoverable. Therefore, selecting Live-mode is essential for safety. A snapshot file is still created, but it will not store any altered content from the VM.
</ref>

Follow these steps:

{{Box|text=
# Power off the VM.
# In the VirtualBox main window, navigate to: <code>File</code> &rarr; <code>Tools</code> &rarr; <code>Virtual Media Manager</code>.

[[File:vbox-livemode1.png|500px]]

# Select the disk to write-protect and release it.
# Then on <code>Type</code> &rarr; <code>set it to Immutable</code>.

[[File:vbox-livemode2.png|800px]]

# In the VirtualBox main window, navigate to the settings of the VM.
# Under storage, select the top controller and add the existing hard disk there.
}}

'''2.''' Launch live-mode.

Follow the documentation on the [[Live Mode]] wiki page.

'''3.''' Done.

The process of enabling read-only mode has been completed.
}}

== KVM ==
{{Box|text=
'''1.''' Set the VM disks to read-only.

Follow these steps:

* Power off the machine.
* Set the hard disk to read-only in the virt-manager GUI before booting into live mode.

'''2.''' Launch live-mode.

Follow the documentation on the [[Live Mode]] wiki page.

'''3.''' ''Optional:'' Revert the read-only change.

To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.

'''4.''' Done.

The process of enabling read-only mode has been completed.
}}

== Qubes ==

<code>grub-live</code> is currently [[unsupported]] on [[Qubes]]. <ref>
Nothing came out from [https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/31 forum discussion].
</ref> This issue is [[unspecific|unspecific to {{project_name_short}}]]. Qubes issue: [https://github.com/QubesOS/qubes-issues/issues/4982 implement live boot by porting grub-live to Qubes - amnesia / non-persistent boot / anti-forensics]

In Qubes, Disposables are a suitable alternative.

= Host Operating System =
This would require a hard drive that comes with a physical read-only switch.

This is [[undocumented]] and [[unspecific|unspecific to {{project_name_short}}]].

= Comparison with Tails =
[[Grub-live#Comparison_between_grub-live_and_Tails|Comparison between grub-live and Tails]]

= Alternative Configurations =
{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    =
Platform specific notice.

* [[KVM]]: Skip this section if the [[#KVM|KVM Live-mode]]
* [[VirtualBox]]: Skip this section if [[#VirtualBox|VirtualBox Live-mode]] configuration steps above have already been completed.
}}

VirtualBox and KVM: [[VM_Live_Mode/ro-mode-init|VM Live Mode: Alternative ro-mode-init Configuration]]

= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.