Interesting VeraCrypt+Whonix setup as extra security?

VeraCrypt allows you to create encrypted containers that can be mounted as additional drives. You can probably already see where this is going. Here is the thing: SSDs make actual data deletion difficult, which for privacy can be a bad thing in certain situations (whistleblowing, actual reporting, inside regimes, etc.), which is where this setup comes in. Please chime in if you think I’m wrong or if you have extra information.

VeraCrypt encrypted containers can be mounted with the Read Only setting, which Whonix itself says is best for OpSec and should be used if possible on the drive it is used on. This combined with Whonix’s own Live Mode should make any data being saved to the SSD unlikely.

The basic process: create the VeraCrypt container with a solid password and a minimum of, I would say, 15 GB of space (it is generally 12 GB or so, but extra just because), mount the container, install Whonix inside of the container, update Whonix Gateway/Workstation fully, add any bookmarks you want to save on the Workstation, close Whonix, dismount the VeraCrypt container.

At this point you shouldn’t need to update for a while, and if the container is deleted it is still encrypted when recovered on an SSD. You can also simply not select Read Only/Live Mode if you wish to update.

From now on, when opening the VeraCrypt container select Mount Volume As Read Only in the options (under Options after you click Mount on the bottom right), followed by selecting Live Mode when you start both Whonix stations. As said previously, nothing now should be saved on your actual hard drive to be recovered, even on an SSD, and if something is, it will be inside of the encrypted container.

Periodically you may want to delete the container as a just-in-case precaution. My advice is to then use Change Password inside of VeraCrypt to set a 20+ character mix of letters/numbers/special characters, select Show Password, copy it, and paste it in the confirm password field. Now you can delete the container, then fully restart your device. I say restart as that option generally fully shuts down for a moment, which should remove any data in the RAM from being recovered, such as the copied/pasted randomized password. This should make it nearly impossible to open the container even if recovered by a government agency, and as such what you were doing should be safe.

Please note: if you are in a situation where you may be tortured for what is inside the container, I would not change the password. They will not care or believe you “don’t know the password!”. But that is up to you.

Did I miss anything? Or get something wrong? Clearly this isn’t needed for every person or all the time, but for more extreme cases I don’t see why this wouldn’t work very well. More so since Whonix is so good against malware deanonymizing you.
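The create / mount-read-only / dismount steps above, done from VeraCrypt's command line (`--text` mode) instead of the GUI, as an added example that is not part of the original post. The point it adds is a check that the volume really is mounted read-only before Whonix is started, by looking the mount point up in the mounts table. The container path, mount point and the VeraCrypt 1.2x flags used are assumptions; the passphrase is typed at VeraCrypt's own prompt rather than passed on the command line so it does not land in shell history or the process list.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes veracrypt 1.2x with
# --text mode; CONTAINER and MOUNTPOINT are placeholder paths.
set -eu

CONTAINER="${CONTAINER:-$HOME/whonix-vault.hc}"   # placeholder path
MOUNTPOINT="${MOUNTPOINT:-/media/veracrypt1}"      # placeholder mount point
SIZE_BYTES=16106127360                              # 15 GiB, as the post suggests

# Print a 32-character random passphrase (letters, digits, symbols) for the
# container; store it in a password manager, then type it at the prompt.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' < /dev/urandom | head -c 32
}

# Return 0 if mount point $1 is listed in the mounts table ($2, default
# /proc/mounts) with the "ro" option. Field 2 is the mount point, field 4 the
# comma-separated option list; tokens are compared exactly so "relatime" etc.
# cannot be mistaken for "ro".
is_readonly_mount() {
    mp="$1"; table="${2:-/proc/mounts}"
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' "$table"
}

# One-time creation of a normal (not hidden) container; VeraCrypt prompts for
# the passphrase itself.
create_container() {
    veracrypt --text --create "$CONTAINER" --volume-type normal \
        --size "$SIZE_BYTES" --encryption AES --hash SHA-512 \
        --filesystem ext4 --pim 0 --keyfiles "" --random-source /dev/urandom
}

# Day-to-day mount: request "ro", then verify the kernel actually honoured it.
# If the volume came up writable, dismount it and fail instead of proceeding.
mount_readonly() {
    veracrypt --text --mount --mount-options ro --protect-hidden no \
        --pim 0 --keyfiles "" "$CONTAINER" "$MOUNTPOINT"
    if is_readonly_mount "$MOUNTPOINT"; then
        echo "mounted read-only at $MOUNTPOINT; start Whonix in Live Mode"
    else
        echo "WARNING: $MOUNTPOINT is writable, dismounting" >&2
        veracrypt --text --dismount "$CONTAINER"
        return 1
    fi
}

dismount() { veracrypt --text --dismount "$CONTAINER"; }

case "${1:-}" in
    passgen) gen_passphrase; echo ;;
    create)  create_container ;;
    mount)   mount_readonly ;;
    umount)  dismount ;;
    *)       echo "usage: $0 {passgen|create|mount|umount}" >&2 ;;
esac
```

Run `./vault.sh create` once, then `./vault.sh mount` before each session and `./vault.sh umount` after closing both Whonix VMs. The read-only check matters because VeraCrypt's option only asks for a read-only mapping; confirming it in the mounts table is what tells you the container cannot be written to from the host side.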