- Automatically mounts a USB device in a sandbox
- Rejects mount attempts on host using usbguard (https://usbguard.github.io/)
- Disconnects host from all network interfaces by default (optionally you can specify particular interfaces)
- Optionally mounts USB in a pre-configured Whonix sandbox (starts gateway + workstation)
- Note: Does not replace a proper air-bridged sandbox. Should only serve as an emergency sandboxing solution if no other options are available.
- VirtualBox (https://www.virtualbox.org/wiki/Downloads) including the VirtualBox Extension pack
- A VM image file e.g. Ubuntu 21.04 (https://releases.ubuntu.com/21.04/)
- Enable USB Controller in VirtualBox (Sandbox -> Settings -> USB)
- Download and install the latest usbguard release on your machine (https://github.com/USBGuard/usbguard/releases)
- Follow the usbguard installation instructions (https://usbguard.github.io/documentation/compilation.html)
You can display your VM UUID by running
$ vboxmanage list vms
# clone the repo
$ git clone https://github.com/thomasgruebl/mount-usb-in-sandbox.git
# navigate into the repo
$ cd mount-usb-to-sandbox
# install
$ pip3 install .
Alternatively, if pip installation does not work you can run the main:
# run
$ python3 main.py [options]
$ mount-usb-in-sandbox --help
usage: mount-usb-in-sandbox [options]
required arguments:
-s SANDBOX, --sandbox SANDBOX Specify the name or uuid of your virtual box (name needs to be without space)
optional arguments:
-h, --help Show help information
-v, --verbose Display verbose information
-r, --restore Restore system to its original state (bringing network interfaces back up removing usb device from allowed usbguard list)
-i INTERFACE, --interface INTERFACE Specify interface names to disconnect from (space-seperated). Disconnects all interfaces by default.
-w, --whonix Specify the whonix flag to mount the USB device in your whonix workstation (needs whonix gateway as well)
In order to avoid privacy leaks, you can additionally setup Whonix by following the steps below:
- Download and setup the Whonix Workstation + Gateway (https://www.whonix.org/wiki/VirtualBox/XFCE)
- Configure Whonix by following the provided manuals (https://www.whonix.org/wiki/Documentation)
- Enable auto-mount for USB in the Whonix Workstation under Settings->Removable Drives and Media and check the first 2 options
$ mount-usb-in-sandbox --whonix --sandbox Whonix-Workstation-name-or-uuid Whonix-gateway-name-or-uuid -i wlp0s20f2
- Fork the repository
- Create a new feature branch (
git checkout -b my-feature-branch-name
) - Commit your new changes (
git commit -m 'commit message' <changed-file>
) - Push changes to the branch (
git push origin my-feature-branch-name
) - Create a Pull Request