Thanks, this is great info. Yeah, when I was reading the Qubes web site and their blog, I got the sense that the devs knew what they were doing, which is a plus in Qubes' favor, but I wasn't sure how secure their configuration is, and the testing community seems kind of small. Ok, I guess you could call that Whonix with physical isolation and a Windows Workstation. It's the equivalent of Windows with an anon middle box. That wasn't one of the options I listed above, primarily because I consider Windows insecure, since it's the biggest target of malware by an order of magnitude over OS X and by two or three orders of magnitude over Linux, and because the vast majority of Windows installs are linked to people's real identities (the licenses are linked to the purchases). So you can still leak your identity even though the connection goes over Tor whenever there is a system update. I think even the default Whonix Workstation + Gateway on a Windows host is safer than that. That's good, but the VirtualBox configuration files point to the files in the encrypted container, so you are leaking their existence. You should run the portable version of VirtualBox and store it in the encrypted volume too.