Kasm: experimenting and working safely in an isolated environment

With Docker you can not only set up server services, but also run graphical applications. Kasm Workspaces is a solution for the latter. You can use applications such as Chrome, Discord and GIMP, or even a complete Linux desktop, within your existing browser. That works remarkably smoothly. A major advantage is the isolated environment: you are protected and you cannot break anything.

If you have some experience with Docker, you know how easily you can start and discard a container for a specific server service. These are usually web-based applications, which you reach through a web interface in your browser. Kasm Workspaces goes a step further: it enables so-called streaming containers, allowing you to run, for example, a browser or even an entire Linux desktop in a container. The application is, as it were, streamed to the browser, which you can compare with remote desktop.

The application runs isolated from your own system. So you can play or work safely without the risk of breaking anything. Moreover, malware, ransomware and phishing don’t stand a chance. For example, use it to try out a new Linux distribution. Or set up a temporary browser, for example to test your self-developed website. You have the certainty that the browser history will be completely deleted afterwards. You can also create a safe browsing environment for your children for the online games they play. We explain how to install Kasm Workspaces and explore the possibilities for home use.

1 Versions

You can install Kasm Workspaces locally on your own server, but you can also purchase it as a service via the cloud. The cloud service is aimed at larger companies, because you must purchase it for at least 25 users. If you install the software yourself, you can choose from several editions. We are using the Community Edition for this article, which is completely free for personal use. This allows up to five simultaneous sessions, which is more than enough for home use. A light server may already have reached its limit by then, although the system requirements are not very high. Reasonably priced licenses are available for an upgrade.

2 System requirements

Although Kasm Workspaces even works on a Raspberry Pi, a somewhat heavier server is certainly preferable. Suitable operating systems include Ubuntu 22.04 and Debian 12. You need at least a dual-core processor, 4 GB of RAM and 50 GB of storage. Each session requires approximately 1 to 3 GB of memory and 1 or 2 processor cores.

You can also install Kasm Workspaces in a Linux container or in a KVM-based virtual machine within Proxmox VE (see the section below: ‘Kasm Workspaces in Proxmox VE’). We previously wrote an article about the popular open source virtualization platform Proxmox VE; you can read it here. Kasm Workspaces then works isolated from the rest of the server. The server also remains free of any additional software that is installed.

Users can simply use a modern browser such as Chrome, Edge, Firefox or Safari to access Kasm Workspaces. We will cover a fairly standard installation in this article. If you have special requirements, you will probably find an answer in the extensive online documentation.

3 Kasm Workspaces in Proxmox VE

For this article, we installed Kasm Workspaces in a Linux container within Proxmox VE using Ubuntu 22.04 as a template. You could also choose the latest TurnKey Core template based on Debian. When creating the container, leave Unprivileged container unchecked and make sure the Nesting option remains active, which is necessary for Docker. Start with, for example, 4096 MB memory, 1024 MB swap and 2 cores.

Before you start the container, click Features under Options and, in addition to Nesting, also activate the FUSE option. Go to Console to open the shell and log in with your root account. Make sure the operating system is up to date with the following commands:

apt update

and:

apt upgrade

Install curl, which is required for the installation, with:

apt install curl

Set the correct time zone with:

dpkg-reconfigure tzdata

You can now install Kasm Workspaces via the shell following the instructions in this article. Note that you will encounter an error message once: that problem is easily solved by running the installation script a second time. If the installation script asks to create a swap partition, you can skip it.

4 Installation

The installation takes some time, but is not difficult because an installation script takes all the work off your hands. Please check the commands below. Chances are you’ll need to adjust them slightly for newer versions.

A brief explanation of these commands: before the installation, we first browse to the temporary folder (which is automatically emptied every time the operating system is restarted). We then retrieve the installation files with curl, unpack them with tar, browse to the correct folder and start the installation. If you are logged in as root, you can omit sudo.

Note that by default the https port 443 is used for installation. If there is a conflict, for example with a web server, you can change it to, for example, 8443 before installation with this command:

sudo bash install.sh -L 8443

After the installation, all created accounts will be shown. Keep this information safe!
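
An added example, not part of the original article and not Kasm's own tooling: a shell check to run between the curl download and the tar extraction described in this section, so that the installer is only started as root when the archive matches a SHA-256 value you obtained from a source you trust and contains no absolute or parent-directory member paths. The function names, the script name and the hash argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: integrity gate for a downloaded installer archive.
# Function names and arguments are illustrative, not part of Kasm.

# verify_release TARBALL EXPECTED_SHA256
# 0 = digest matches, 1 = mismatch, 2 = bad input.
verify_release() {
    tarball=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 2; }
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash must be 64 hex digits" >&2; return 2; }
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $tarball" >&2
        return 1
    fi
}

# has_unsafe_names: reads member names on stdin; succeeds (0) if any name
# is absolute or has a ".." path component.
has_unsafe_names() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# safe_members TARBALL
# 0 = all members stay below the extraction directory, 1 = unsafe, 2 = unreadable.
safe_members() {
    listing=$(tar -tf "$1" 2>/dev/null) || return 2
    if printf '%s\n' "$listing" | has_unsafe_names; then
        echo "archive contains unsafe member paths" >&2
        return 1
    fi
}

# Stand-alone use: sh check_release.sh <tarball> <expected-sha256>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && safe_members "$1" &&
        echo "OK: digest matches and member paths are contained"
fi
```

Only extract the archive and start the installation script when both checks succeed; a mismatch means the download should be discarded and fetched again.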

5 Management environment

After installation you can log in with your administrator account ([email protected]) via https://ipaddress:port. We recommend that you change the password immediately. This can be done in your profile, which you can reach via the icon at the top right. Then log in with the new password. Then go to Access management / Users. Delete the default user [email protected] that was created during installation. Create a new user with at least a username and password.

6 User rights

It is advisable to check what rights users have. To do so, go to Access management / Groups, open All Users and click on the brush icon. Then go to the Settings tab. Here you can choose what the default permissions for users should be. In recent versions, the most important options are already active by default, but it is good to check this.

For example, you can ensure that users can hear the audio from a workspace, such as a YouTube video in a browser. You can also choose which hardware can be passed on to a workspace, such as a webcam, microphone or game controller. Furthermore, you can enable the use of the clipboard for cutting and pasting text.

You will also see options for downloads and uploads, for example to transfer files downloaded with a browser to your own PC. Many of the options mentioned are discussed later in this article.

7 Create workspaces

A workspace essentially means an application that you can start, which can also be a complete operating system. There are no workspaces available by default, so a user cannot do much yet. That’s why we’re going to make a few first. For that, go to Images / Register. (Note that the menu label in the Dutch interface is a very sloppy translation of ‘images’. This will probably be fixed in a future version. You can also set the language to English via your profile.)

An image is in fact the basis for a workspace. As an example, we include the Brave browser. Just find it in the list, click on it and choose to install. The image is then downloaded in the background and Brave becomes available as a workspace. We are also adding Chrome, Ubuntu Jammy, Discord and Doom. For each image you can see approximately how much space is required. Especially with larger workspaces, you should keep an eye on the available storage space. A full Linux operating system quickly requires about 7 GB.

8 View workspaces

In the previous section we added some workspaces. If you go to Workplaces in the top bar, you will see them in a kind of dashboard. If you currently see a red exclamation mark next to a workspace, it means that that workspace has not yet been (completely) downloaded.

If you log in as a regular user, for example with the user account we created in an earlier step, you will not see any management options, but you will see all workspaces. This means you can only open and use workspaces. This is certainly recommended for housemates whom you would rather exclude from the administrative environment. If there are active sessions due to open workspaces, you will also see them on your dashboard, as shown on the left in the image.

9 Open workspace

When you open a workspace, you can choose whether it should open in the current tab, a new tab or a new window of your current browser. A session is now started in the background. As mentioned, you will see a reference to this and any other active sessions in the dashboard.

By default, a session ends after one hour. You can also manually pause, stop, or delete a session on your dashboard. If you choose to pause or stop, you can resume the session at a later time in the state in which you left it. If you delete a session, you can of course start a new session, but you start with a clean slate.

10 Brave browser

If we take the Brave browser as an example, you will see that with a new session you are always presented with a fresh installation. This also means that you always have the option to set Brave as the default browser and import settings. To avoid such questions, you can choose to stop the session instead of deleting it.

What you should also pay attention to is that files that you download using, in this case, the Brave browser, are normally stored in the container in question – they are actually ‘trapped’ there. There is a special menu with additional options that you can access via an icon on the left side of your screen. If you go to Download, you will see all the files you downloaded with that browser. You can also upload files from your PC to the container via Upload. In that menu you will also see other options, such as switching the webcam, sound and microphone on or off.

11 Linux desktop

We also tried a full desktop, in this case Ubuntu Jammy. The workspace appears to start quickly and you immediately get a large number of applications, including GIMP, OnlyOffice, Visual Studio Code and Zoom.

If you prefer, you can display the desktop in full screen via the menu.

We also installed Kali Linux. This operating system is popular among ethical hackers, who will appreciate the extra isolation of Kasm Workspaces.

You can customize the configuration of each workspace to use a VPN connection by default. However, it is easier to set up a separate VPN container. The documentation calls this a ‘VPN sidecar’. By adjusting the configuration for a specific workspace, you ensure that the traffic for that workspace goes through the VPN from now on.

12 Open in Kasm

Kasm Workspaces is very well suited to opening unsafe links that you encounter while browsing in your regular browser. You can even have such a link open automatically in an isolated browser with a simple action. To do this, install the extension called Kasm – Open in Isolation in your browser (this is available in the Chrome Web Store).

Right-click on the extension to open its options. Enter the https address of your server. In our example it is https://10.0.10.57. If you come across a link while browsing with your regular browser, right-click on the link and choose the option Open link in Kasm from the menu.

The first time you have to set which workspace should be used by default, in the option Standard workspace image. You can also find this option in your profile.

The article is in Dutch
