
nihilist - 2025 / 04 / 06

Sensitive Critical Data Backup Procedure

In this tutorial we're going to cover how to back up the critical data that you would normally store inside of your Sensitive use VM, to make sure that your critical data (meaning your KeePass .kdbx file, your SSH keys, your PGP keys, your Monero seed files) can still be accessed and reused, even if the adversary were to seize and destroy your devices in multiple takedowns.

Sidenote: Help us improve this tutorial by letting us know if there's anything missing or incorrect on this git issue directly!

Why is this setup important ?

As we have covered previously, we need a specific setup in order to be able to maintain deniability regarding the sensitive activities that are conducted from inside the Sensitive VM. Due to the nature of those activities, you need to be ready for the worst, including having your main computer seized and destroyed by the adversaries.

The problem here is that if the adversary were to seize and destroy your laptop, including the non-system hard drive, you'd permanently lose your critical sensitive data (which includes your PGP key, your SSH key, your Monero wallet seed phrase, and the credentials that were stored in your KeePass .kdbx file).

Therefore we need a way to back up the critical data from your sensitive VM, while still maintaining deniability about what it contains if it is ever found by the adversary.

What is the Critical Data backup procedure ?



From inside the Sensitive Use Whonix Workstation VM, we'll need a small veracrypt volume (10 MB big) that simultaneously stores a decoy volume containing some text files, and a small hidden volume (5 MB big) which will contain your critical data:

This small veracrypt volume will be called "diary" and its decoy (outer) volume will simply contain a text-based diary of yours. However we need to be careful, as we're going to save that file in places that the adversary may access: they can compare successive copies of the container (on the VPS, on the USB keys), so the decoy volume data must change every time the hidden volume changes. Otherwise there would be no way to justify why the overall veracrypt container changed while the decoy volume didn't, which would point to the existence of the hidden volume.

Therefore, to meet the deniability requirements, we have the following backup procedure:


1) open the diary veracrypt hidden volume and save the critical data in it
2) after saving the critical data in it, unmount the hidden volume
3) mount the diary veracrypt decoy (outer) volume and write a new diary text file in it (otherwise you wouldn't be able to justify why the overall VC container changed). When mounting the outer volume for writing, tick veracrypt's "Protect hidden volume against damage caused by writing to outer volume" mount option and enter the hidden volume password too, otherwise the new diary entry can overwrite and destroy the hidden volume.
4) unmount the decoy volume (ONLY NOW is the overall veracrypt container ready to be backed up elsewhere)
5) back up the veracrypt diary container on a cheap remote VPS that was rented anonymously (accessed via SSH, via its .onion address only)
6) back up the VC container on USB keys that are scattered in physical locations that you can access easily, and that can hide USB keys.
	

So let's see what this looks like in action:

How to set up the diary volume



First, boot the Host OS in live mode:

Then open up the non-system veracrypt hidden volume:

Then run script.sh (using the Super+S shortcut) to setup your sensitive whonix VMs:

Before starting the Workstation however, make sure that the VM's USB controller is set to "USB 2" mode by editing the settings like so in the XML directly:


[user ~]% cd /run/media/private/user/sda
[user /run/media/private/user/sda]% vim Whonix-Workstation.xml    
[user /run/media/private/user/sda]% cat Whonix-Workstation.xml    

[...]

<controller type="usb" index="0" model="ich9-ehci1">

[...]

Once done, you can create the "diary" veracrypt volume inside the sensitive VM (we'll use its hidden volume to back up our critical data):

Now that the diary veracrypt volume has been created we can start to use it to backup our important data into it:

How to perform the Backup Procedure



First, plug in your 3 usb keys into your computer and then make sure that they are attached to the Whonix Workstation VM:

Then once you verified that the USB sticks are detected from the VM, you can start to backup your critical data inside the veracrypt volumes:

And then after backing up your critical data, you can unmount the hidden volume, to mount the decoy volume instead, where you'll write a diary entry (that way you'll be able to justify why the overall veracrypt volume changed):

Now that's done, unmount the decoy volume, and use the following backup.sh script to back up your diary veracrypt volume to the 3 USB sticks:


[user ~]% vim backup.sh 
[user ~]% cat backup.sh 

#!/bin/bash
# stop at the first failure: if a mount fails, we must not "copy" the diary onto the VM's own disk and believe it was backed up
set -e

echo 'creating all 3 usb mount directories...'
sudo mkdir -p /mnt/usb1
sudo mkdir -p /mnt/usb2
sudo mkdir -p /mnt/usb3

echo 'mounting all 3 usb sticks...'
# the device names depend on the order the sticks were attached to the VM, check them with lsblk first
sudo mount /dev/sda1 /mnt/usb1
sudo mount /dev/sdb1 /mnt/usb2
sudo mount /dev/sdc1 /mnt/usb3

echo 'copying the diary file on all 3 usb sticks...'
sudo cp /home/user/diary /mnt/usb1/diary
sudo cp /home/user/diary /mnt/usb2/diary
sudo cp /home/user/diary /mnt/usb3/diary

echo 'copying completed, hence unmounting all 3 usb sticks...'
# flush the writes to the sticks before unmounting them
sync
sudo umount /mnt/usb1
sudo umount /mnt/usb2
sudo umount /mnt/usb3

echo 'remote backup to a VPS rented anonymously...'
torsocks scp /home/user/diary user@yourremotevpsaddress.onion:/root/diary

[user ~]% chmod +x backup.sh 
[user ~]% ./backup.sh 

Run the script, and your critical data is now backed up on your remote VPS and on the 3 USB keys.
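The script above copies the container without checking that each copy is intact. A veracrypt container is indistinguishable from random data, so a truncated or bit-flipped copy looks no different from a good one until you try to mount it and it fails, and because the script overwrites the previous copy on every run, one bad run can also destroy the last good backup. The following script is an added example (not part of the original post) of a copy step that hashes every copy against the source and keeps the previous copy as diary.prev; the DIARY_SRC and DIARY_TARGETS variables and the /mnt/usbN paths are assumptions made for this example, and the targets are expected to be already mounted.

```shell
#!/bin/sh
# Added example, not from the original post: copy the diary veracrypt
# container to several already-mounted targets and verify every copy by
# SHA-256 before trusting it. One flipped bit in the container header makes
# the whole volume unmountable, so each copy is hashed and compared against
# the source, and the previous copy is kept as diary.prev so that a bad run
# never overwrites the only good backup.
# DIARY_SRC, DIARY_TARGETS and the /mnt/usbN paths are assumptions.
set -eu

# SHA-256 of a file, hash only (first field of sha256sum output).
file_hash() {
    sha256sum "$1" | cut -d ' ' -f1
}

# Copy SRC into directory DEST as "diary", keeping the old copy as diary.prev.
# Returns 0 only when the new copy hashes identically to the source.
backup_to() {
    local src="$1" dest="$2" expected
    expected=$(file_hash "$src")
    if ! cp "$src" "$dest/diary.new"; then
        echo "$dest: copy failed" >&2
        return 1
    fi
    sync
    if [ "$(file_hash "$dest/diary.new")" != "$expected" ]; then
        echo "$dest: hash mismatch, keeping the previous copy" >&2
        rm -f "$dest/diary.new"
        return 1
    fi
    if [ -f "$dest/diary" ]; then
        mv -f "$dest/diary" "$dest/diary.prev"
    fi
    mv "$dest/diary.new" "$dest/diary"
    sync
    echo "$dest: verified $expected"
}

# Back up SRC to every directory given after it. The last line printed is
# the number of verified copies; the exit status is non-zero if any failed.
backup_all() {
    local src="$1" ok=0 failed=0 dest
    shift
    for dest in "$@"; do
        if backup_to "$src" "$dest"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "$ok"
    [ "$failed" -eq 0 ]
}

# Only run when targets are given, e.g. after mounting the sticks:
#   DIARY_TARGETS="/mnt/usb1 /mnt/usb2 /mnt/usb3" ./backup-verify.sh
if [ -n "${DIARY_TARGETS:-}" ]; then
    backup_all "${DIARY_SRC:-/home/user/diary}" $DIARY_TARGETS
fi
```

Run it after mounting the sticks and before unmounting them; the same backup_to function works against any mounted directory, so a VPS mounted over sshfs through Tor can be verified the same way, and the diary.prev copy on each target is the one you fall back to if a run ever reports a mismatch.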

And now you can unplug the 3 USB keys and scatter them in 3 different places that you can easily access. You can hide one in your bag, one in your car, and bury one in your garden, for example. Get creative, but make sure that you can easily retrieve those USB keys for next week's backup.

However, be careful if you intend to hide those USB keys in public places that are not yours (and where you normally never go): make sure that you go there without a cellphone on you. Otherwise the adversary can see from your phone's location records that it went to a new place you had never visited before, and that gives them a hint about where you might have hidden the USB keys.

Here for instance, the adversary wouldn't see your movements in pink; the only clues they'd have are the movements in red, which they can see from their dashboards anyway. However it doesn't stop there: if you actually are a high value target you should instead back up to remote VPSes exclusively, as the authorities will most likely find every physical clue you leave behind (you might need to take satellite and public covert surveillance into account too).

If you don't want to leave any physical clues behind and stick to digital backups alone, you're going to need to rent 3 cheap remote VPSes in 3 different datacenter locations, from 3 different cloud providers, using 3 different non-KYC cloud reseller accounts, so that a single provider cooperating with the adversary cannot wipe all 3 copies at once. To learn how to rent a VPS anonymously, check out this tutorial:

Hence your backup.sh script would look like this:


[user ~]% vim backup.sh 
[user ~]% cat backup.sh 

#!/bin/bash

echo 'remote backup to VPSes rented anonymously...'
torsocks scp /home/user/diary user@remotevpsaddressA:/root/diary
torsocks scp /home/user/diary user@remotevpsaddressB:/root/diary
torsocks scp /home/user/diary user@remotevpsaddressC:/root/diary

[user ~]% chmod +x backup.sh 
[user ~]% ./backup.sh 

With this second approach, the adversary will only find your laptop, and nothing physical they seize suggests that you ever made any backups.

Emergency Scenario



So now let's suppose the following emergency scenario: you made an opsec mistake somewhere along the way, the chinese authorities are now aware that you've been playing video games after 7 PM, and they are raiding your apartment again:

You manage to hit the correct key combination (right Alt to focus out of the VM, and right CTRL to trigger the emergency reboot script), which closes the sensitive VM and reboots your computer just in time.

Then they seize your devices and keep you in custody for just 1 month; since they have no further incriminating evidence on you (they only found the non-sensitive files on the non-system drive, and the diary text files on the USB keys they seized), you avoid the concentration camp life sentence and they release you. But they're not giving your devices back, because they destroyed them.

So your primary data source has been destroyed (including the sensitive VMs and the main diary VC volume), and you also realize that they seized and destroyed the USB keys you had in your backpack and in your car. However, upon checking further you realize that they didn't get the USB key that you hid in your garden.

Too bad for them: they didn't find the USB key you had buried in your garden, so you dig it up, purchase a new laptop, set up your sensitive VMs once again, and simply plug the USB key into the sensitive VM. From it you can restore your critical sensitive data (your KeePass credentials, your PGP keys, your SSH keys and your Monero wallet seed) by copying the files back into your new sensitive use VM.

In a worse scenario, all of your physical backups could have been seized and destroyed, leaving you with only the remote VPSes you rented to retrieve your backups. In this case all you need to remember is how to access those VPSes via SSH: the IP addresses, the username, and the password. Keep in mind that your SSH key lives inside the very backup you are retrieving, so password authentication has to stay enabled on those VPSes, and that the new laptop has no known_hosts file yet, so SSH will ask you to accept the server's host key on the first connection (remember the fingerprint too if you can, so that you can tell a seized or impersonated VPS apart). Fetch the container through Tor, exactly like it was uploaded (the address below is a placeholder):


[user ~]% torsocks scp root@203.0.113.1:/root/diary ~/diary

To make it easier to remember the addresses of the remote VPSes (since remembering IP addresses off the top of your head isn't trivial) you could also use a clearnet domain alias (that you also rent anonymously) to reach those VPSes again. When run under torsocks, the domain name is resolved through Tor as well, so the lookup doesn't leak from your new machine:


[user ~]% torsocks scp root@your.clearnetdoma.in:/root/diary ~/diary
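When the copies come back from the 3 VPSes they should be byte-identical, since the backup script uploads the same file to each of them. A copy that differs was truncated in transfer, corrupted on the provider's disk, or tampered with by someone who had access to the server, and you can't tell which from the container itself, because it is indistinguishable from random data. The following script is an added example (not part of the original post) that fetches the container from each host over Tor and restores only from a copy that at least one other copy agrees with; the DIARY_HOSTS list, the /root/diary path and the diary.N file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: fetch the diary container from
# every remote VPS over Tor and pick a copy to restore from only when at
# least two copies are byte-identical. The backup script uploads the same
# file everywhere, so a copy that disagrees with the others is damaged or
# tampered with and must not be the one you restore from.
# The DIARY_HOSTS list, /root/diary and the diary.N names are assumptions.
set -eu

# SHA-256 of a file, hash only.
file_hash() {
    sha256sum "$1" | cut -d ' ' -f1
}

# Fetch /root/diary from each host given after DIR into DIR/diary.N, through
# Tor. A host that is down or seized is reported and skipped.
fetch_copies() {
    local dir="$1" n=0 host
    shift
    for host in "$@"; do
        n=$((n + 1))
        torsocks scp "root@$host:/root/diary" "$dir/diary.$n" \
            || echo "$host: unreachable, skipping" >&2
    done
}

# Print "HASH COUNT" for the hash shared by the most of the given files.
# Files that don't exist are ignored; prints nothing when none exist.
majority_hash() {
    local f
    for f in "$@"; do
        if [ -f "$f" ]; then
            file_hash "$f"
        fi
    done | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2, $1 }'
}

# Print the path of a file whose hash is shared by at least two of the
# given files. Fails when no two copies agree, because then there is
# nothing to cross-check a copy against.
pick_copy() {
    local summary best count f
    summary=$(majority_hash "$@")
    best=${summary%% *}
    count=${summary##* }
    if [ "${count:-0}" -lt 2 ]; then
        echo "no two copies agree, refusing to pick one blindly" >&2
        return 1
    fi
    for f in "$@"; do
        if [ -f "$f" ] && [ "$(file_hash "$f")" = "$best" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Only run when hosts are given, e.g.
#   DIARY_HOSTS="addressA.onion addressB.onion addressC.onion" ./restore-pick.sh
if [ -n "${DIARY_HOSTS:-}" ]; then
    dir=$(mktemp -d)
    fetch_copies "$dir" $DIARY_HOSTS
    chosen=$(pick_copy "$dir"/diary.*)
    cp "$chosen" "$HOME/diary"
    echo "restored $HOME/diary from $chosen"
fi
```

If only one VPS is still reachable the script refuses to choose, which is deliberate: in that situation you mount the single copy by hand and find out whether it is intact, rather than letting a script silently overwrite your only remaining candidate.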

And once restored you can resume your sensitive activities as usual, minus the opsec mistakes you made that led up to your arrest obviously.


Legal Disclaimer

Creative Commons Zero: No Rights Reserved
