Kasm Workspaces: Self-Hosted Browser Isolation and Virtual Desktops
Every time someone on your network visits a website, their browser executes arbitrary JavaScript from the internet on a machine connected to your internal network. Browser exploits, drive-by downloads, and credential phishing all start with that browser session. Enterprise solutions like Zscaler and Menlo Security address this with cloud-based browser isolation, but they cost a fortune and route your traffic through someone else's infrastructure.
Kasm Workspaces is a self-hosted platform that runs browsers and full desktops inside Docker containers, streaming the display to users over HTTPS. The browser runs on your server, isolated from the user's machine and your internal network. If a malicious site exploits the browser, it compromises a disposable container -- not a workstation.
What Kasm Actually Does
Kasm is a container orchestration platform optimized for streaming graphical applications. At its core:
- A user requests a workspace (browser, desktop, or application)
- Kasm spins up a Docker container with that application
- The container's display is streamed to the user's browser via KasmVNC (a fork of TigerVNC optimized for web streaming)
- When the user is done, the container is destroyed -- no persistent state, no leftover malware
This architecture supports three primary use cases:
- Browser isolation -- Run Firefox, Chrome, or Tor Browser in a disposable container
- Virtual desktops -- Full Ubuntu, Fedora, or Kali Linux desktops in the browser
- Application streaming -- Run specific applications (VS Code, LibreOffice, GIMP) without installing them locally
Use Cases in Practice
Secure Browsing
The most immediate use case. Route risky web activity through Kasm:
- Admin portals -- Access banking, cloud consoles, and admin panels from an isolated browser that cannot be keylogged by malware on the workstation
- Research -- Visit potentially malicious sites for security research without risking your machine
- Untrusted links -- Open links from emails or chat in an isolated browser before deciding if they are safe
- Privacy -- Each session starts clean. No cookies, no history, no fingerprinting carried between sessions
Remote Work and BYOD
Give employees access to a full desktop environment without managing their hardware:
- Contractor logs in through their personal laptop and gets a locked-down corporate desktop
- No corporate data ever touches the personal device -- it stays in the container
- Session recording and audit logging track what happened
- When the contractor leaves, disable their account. Nothing to wipe.
Development and Testing
- Spin up browser instances for cross-browser testing
- Run development environments without polluting your local machine
- Test applications in different Linux distributions
- Provide consistent development environments across a team
Installation
Kasm requires a Linux host with Docker. The installer handles the rest.
System Requirements
| Deployment | CPU | RAM | Disk | Notes |
|---|---|---|---|---|
| Single server (1-5 users) | 4 cores | 8 GB | 50 GB SSD | Minimum viable |
| Single server (10-20 users) | 8 cores | 32 GB | 200 GB SSD | Comfortable |
| Multi-server | Scales horizontally | Per-agent sizing | Shared storage | Production |
Each workspace container uses roughly 500 MB to 1.5 GB of RAM depending on the image (browser sessions use less, full desktops use more).
Single-Server Install
# Download the latest release
cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.16.0.06fdc8.tar.gz
tar xzf kasm_release_*.tar.gz
# Run the installer
cd kasm_release
sudo bash install.sh
The installer:
- Installs Docker if not present
- Sets up the Kasm database (PostgreSQL in a container)
- Configures the web application and API server
- Deploys the agent that manages workspace containers
- Generates an admin password (save this)
After installation, access the admin panel at https://your-server:443.
Docker Compose (Community Edition)
For a lighter deployment, Kasm offers a community edition that runs as a Docker Compose stack:
services:
kasm:
image: kasmweb/kasm:latest
restart: unless-stopped
ports:
- "443:443"
volumes:
- kasm_data:/opt/kasm
privileged: true
environment:
KASM_DEFAULT_ADMIN_PASSWORD: change-this-password
volumes:
kasm_data:
Note: Kasm requires privileged mode because it manages Docker containers internally (containers within containers).
Reverse Proxy Considerations
Kasm uses WebSockets heavily for display streaming. Your reverse proxy must support:
- WebSocket upgrades
- Long-lived connections
- Large frame sizes
Caddy configuration:
kasm.yourdomain.com {
reverse_proxy localhost:443 {
transport http {
tls_insecure_skip_verify
}
}
}
For Nginx, ensure you include proxy_set_header Upgrade and Connection "upgrade" headers, and set proxy_read_timeout to at least 3600 seconds to keep long-lived display streams alive.
Like what you're reading? Subscribe to Self-Hosted Weekly — free weekly guides in your inbox.
Workspace Images
Kasm provides a registry of pre-built workspace images. The most commonly used:
Browsers
| Image | Description | RAM Usage |
|---|---|---|
kasmweb/firefox |
Firefox with privacy defaults | ~500 MB |
kasmweb/chrome |
Chromium-based browser | ~600 MB |
kasmweb/tor-browser |
Tor Browser for anonymous browsing | ~500 MB |
kasmweb/brave |
Brave browser | ~550 MB |
Desktops
| Image | Description | RAM Usage |
|---|---|---|
kasmweb/ubuntu-jammy-desktop |
Full Ubuntu 22.04 desktop | ~1.2 GB |
kasmweb/fedora-desktop |
Fedora with XFCE | ~1 GB |
kasmweb/kali-rolling-desktop |
Kali Linux for security testing | ~1.5 GB |
kasmweb/rocky-desktop |
Rocky Linux desktop | ~1 GB |
Applications
| Image | Description | RAM Usage |
|---|---|---|
kasmweb/vs-code |
Visual Studio Code | ~800 MB |
kasmweb/libre-office |
LibreOffice suite | ~700 MB |
kasmweb/gimp |
GIMP image editor | ~600 MB |
kasmweb/terminal |
Terminal-only workspace | ~200 MB |
Adding Custom Images
Build your own workspace images for specialized use cases:
FROM kasmweb/core-ubuntu-jammy:latest
USER root
# Install custom applications
RUN apt-get update && apt-get install -y \
your-custom-app \
additional-tools \
&& rm -rf /var/lib/apt/lists/*
# Copy configuration files
COPY --chown=1000:1000 config/ /home/kasm-user/.config/
USER 1000
Register the image in the Kasm admin panel under Workspaces > Add Workspace with the Docker image name, resource limits, and access policies.
Security Configuration
Network Isolation
The strongest security benefit of Kasm comes from network segmentation. Configure Docker networking so that workspace containers:
- Cannot access your internal network (LAN)
- Can only reach the internet through a controlled gateway
- Cannot communicate with each other
{
"docker_network": "kasm_isolation",
"dns_servers": ["1.1.1.1", "8.8.8.8"],
"restrict_internal_network": true
}
In the Kasm admin panel under Settings > Docker, configure:
- Subnet: Use a dedicated subnet for workspace containers
- DNS: Point to external DNS servers, not your internal resolver
- Network policy: Block RFC1918 ranges to prevent containers from reaching internal services
Session Policies
Configure per-group session policies:
- Session duration limits -- Auto-destroy sessions after a timeout (e.g., 8 hours)
- Idle timeout -- Destroy sessions after inactivity (e.g., 30 minutes)
- Clipboard control -- Disable copy/paste between the workspace and the local machine
- File transfer control -- Disable upload/download between the workspace and the user's device
- Audio -- Enable or disable audio streaming
- Persistent profiles -- Allow or deny saving session state between launches
For high-security environments, disable clipboard and file transfer. This creates a true air gap: users can see and interact with the browser, but data cannot leave the container.
Authentication
Kasm supports multiple authentication backends:
- Local accounts -- Built-in user management
- LDAP/Active Directory -- Integrate with existing directory services
- SAML 2.0 -- SSO with Okta, Azure AD, Keycloak, Authentik
- OpenID Connect -- SSO with any OIDC provider
- Two-factor authentication -- TOTP (Google Authenticator, Authy)
Audit Logging
Every session is logged:
- Who launched what workspace and when
- Session duration
- Source IP address
Enable session recording to capture full video of what happened inside each workspace. This is valuable for compliance and incident investigation but consumes significant disk space.
Scaling and Performance
For larger deployments, Kasm separates into Web App, Manager, Agent, and Database components. Agents run on dedicated servers that host workspace containers -- each agent can handle 20-40 concurrent browser sessions or 10-20 full desktops depending on hardware. Kasm also supports auto-scaling agents in cloud environments (AWS, Azure, GCP) to match demand.
Set per-workspace resource limits to prevent a single session from consuming the entire server. The docker_shm_size setting is particularly important -- Chrome and Firefox use shared memory for tab rendering, and sessions will crash on complex pages if it is set too low (512 MB is a good default).
Backup and Recovery
Kasm stores configuration in PostgreSQL and session data ephemerally. For disaster recovery:
# Backup the database
docker exec kasm_db pg_dump -U kasmapp kasm \
> /backup/kasm-db-$(date +%F).sql
# Backup the configuration directory
tar czf /backup/kasm-config-$(date +%F).tar.gz /opt/kasm/current/conf/
Workspace containers are ephemeral by design. No backup needed for session state unless you have persistent profiles enabled, in which case back up the profile storage volume.
Known Limitations
- Resource hungry -- Even a small deployment needs 8 GB of RAM. Each workspace session adds 500 MB to 1.5 GB. This is not a Raspberry Pi project.
- Privileged containers -- Kasm's agent needs Docker access and often runs privileged. Understand the security implications.
- Licensing -- The community edition is free for up to 5 concurrent sessions. Beyond that, you need a commercial license. Pricing is per concurrent session.
- Latency sensitive -- Display streaming adds latency. On LAN or fast connections it feels native. On slow connections with high latency, the experience degrades. Video playback inside workspaces is functional but not smooth.
- Storage for persistent profiles -- If you enable persistent profiles, each user's profile consumes disk space that grows over time.
The Bottom Line
Kasm Workspaces solves a real security problem: browsers are the largest attack surface on any network, and isolating them in disposable containers eliminates an entire class of threats. The VDI and application streaming capabilities make it useful beyond just security -- remote access, BYOD environments, and consistent development setups all benefit.
The resource requirements are significant, so this is not a tool for everyone's homelab. But for anyone running a small business, managing a team, or dealing with compliance requirements, the ability to provide isolated browsing and controlled desktop access from a self-hosted platform is worth the hardware investment. You get the security of enterprise browser isolation without routing your traffic through a third party's cloud.