Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call
Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.
Download Whonix for VirtualBox
Download Whonix for KVM / QEMU / Qubes
This is only useful if you have a testers mindset!
Instructions for KVM:
Instructions for QEMU:
Instructions for Qubes:
Call for Help
– If you know shell scripting (/bin/bash) and linux sysadmin, please join us! There are plenty of ways to make Whonix safer.
– We are also looking for download mirros.
– For https://www.whonix.org we need some help with css, html, mediawiki, wordpress, webdesign.
– Contribute: https://www.whonix.org/wiki/Contribute
– Donate: https://www.whonix.org/wiki/Donate
If you want to upgrade existing Whonix version using Whonix’s APT repository
Upgrading Whonix 8 to Whonix 9
– You cannot upgrade using apt-get dist-upgrade or you will break the packaging system!
– You can upgrade using these instructions: https://www.whonix.org/wiki/Upgrading_Whonix_8_to_Whonix_9
If you want to upgrade existing Whonix version from source code
If you want to build images from source code
Physical Isolation users
Changelog between Whonix 8 and Whonix 9
– Modding Whonix, extending Whonix, such as installing a different desktop environment is now much simpler, because Whonix has been split into smaller packages https://github.com/Whonix/Whonix/issues/40. Therefore also understanding Whonix internals got simpler.
– added testers-only libvirt (kvm, qemu) support
– providing xz archives with sparse .qcow2 images
– added experimental Qubes support
– A new feature for VPN lovers has been added. VPN’s can now also be easily installed on Whonix-Gateway. Previously, many VPN users who wanted to route Tor through a VPN (user -> VPN -> Tor), preferred to install VPNs on the host and had little different choice. Some in conjunction with VPN-Firewall, to avoid connecting without the VPN, if the VPN (software) breaks down. Physical isolation users could not easily use a VPN on Whonix-Gateway and naturally had no host. VPN-Firewall features have been added to Whonix-Gateway’s firewall in. network-manager-kde and OpenVPN is now being installed by default to aid users who want to hide Tor and Whonix from their ISP.
– Lots of AppArmor profiles are now installed from Whonix’s APT Repository, thanks to troubadoour for creating them!
– fixed Tor restart bug when updated by apt-get
– updated Debian packages including Heartbleed OpenSSL bug fix
– VirtualBox version: no longer recommending to use VirtualBox’s snapshot feature in VirtualBox’s VM import text due to data loss bug in VirtualBox
– Breaking change: Changed Whonix-Gateway internal IP address to 10.152.152.10 and netmask to 255.255.192.0 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
– Breaking change: Changed Whonix-Workstation internal IP address to 10.152.152.11, netmask to 255.255.192.0 and gateway to 10.152.152.10 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
– use logrotate for bootclockrandomization, sdwdate, control-port-filter, timesanitycheck
– fixed timezone question during upgrade for Whonix build version 9 and above
– encrypt swapfile on boot with random password, create swap file on boot using init script instead of postinst script (package: swap-file-creator)
– Whonix-Gateway firewall: reject invalid outgoing packages
– added spice-vdagent to anon-shared-packages-recommended for better kvm support
– ram adjusted desktop starter (package: rads): fixed lightdm (/usr/sbin/…) auto detection
– Physical Isolation: automated ‘Install Basic Packages’ (‘sudo apt-get install $(grep -vE “^\s*#” grml_packages | tr “\n” ” “)’) build step
– Changed keyserver (suggested by tempest @ https://www.whonix.org/forum/index.php/topic,140.0.html) from hkp://2eghzlv2wwcq7u7y.onion to hkp://qdigse2yzvuglcix.onion as used by torbirdy and https://raw.github.com/ioerror/torbirdy/master/gpg.conf.
– Whonix-Gateway: Re-enabled AppArmor for System Tor. Removed workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 (USE_AA_EXEC=”no”) by removing Whonix’s displaced (config-package-dev) /etc/default/tor since that bug has been fixed upstream.
– bootclockrandomization: randomizing milliseconds (anonymous, unlink from the host)
– Whonix-Workstation: added password manager fpm2 as per https://www.whonix.org/forum/index.php/topic,187.15.html
– removed –onion feature from update-torbrowser and its man page because torproject took its .onion domain permanently offline (https://trac.torproject.org/projects/tor/ticket/11567) thanks got z (https://www.whonix.org/forum/index.php?action=profile;u=94) for the report (https://www.whonix.org/forum/index.php/topic,277.msg1827.html#msg1827)
– help_check_tor_bootstrap.py: – suggestions by Damian Johnson from — https://lists.torproject.org/pipermail/tor-dev/2014-May/006799.html — https://lists.torproject.org/pipermail/tor-dev/2014-May/006804.html – troubadour advised on implementation https://www.whonix.org/forum/index.php/topic,278.0 – controller.authenticate(“password”) isn’t required, controller.authenticate() works – more robust method to parse Tor bootstrap percent
– removed obsolete whonix_gateway/usr/bin/armwrapper (user “user” is now member of group “debian-tor”, so no longer required to start arm as user “debian-tor”)
– removed backgroundd, was replaced by gateway first run notice https://www.whonix.org/forum/index.php?topic=207
– added machine readable copyright files
– better output, better formatting, clickable links, thanks to https://github.com/troubadoour for working on msgcollector
– kde-kgpg-tweaks: added gnupg-agent to dependencies because we’re using it in the config and because otherwise kgpg would complain about using use-agent while having no agent installed
– Refined whonixlock.png. Thanks to nanohard (https://www.whonix.org/forum/index.php?action=profile;u=248) for the edit!
– added apt-transport-https to anon-shared-packages-dependencies
– added openvpn to anon-shared-packages-recommended
– added network-manager-kde to anon-shared-desktop-kde
– changed displace extension from .apparmor to .anondist, thanks to http://mailman.mit.edu/pipermail/config-package-dev/2014-May/000018.html
– control-port-filter: Added “lie feature”, i.e. when getting asked “GETINFO net/listeners/socks” answer ‘250-net/listeners/socks=”127.0.0.1:9150″‘; configurable by CONTROL_PORT_FILTER_LIMIT_GETINFO_NET_LISTENERS_SOCKS variable. Enabled by default.
– control-port-filter: Limit maximum accepted command string length to 128 (configurable) as done by Tails (https://mailman.boum.org/pipermail/tails-dev/2014-February/005041.html). Thanks to HulaHoop (https://www.whonix.org/forum/index.php?action=profile;u=87) for suggesting this (https://www.whonix.org/forum/index.php/topic,342.0.html).
– control-port-filter: added GETINFO status/circuit-established to whitelist
– control-port-filter: replaced netcat-traditional dependency with netcat-openbsd as per https://www.whonix.org/forum/index.php/topic,444.0.html
– sdwdate: implemented options –no-move-forward and –no-move-backwards (disabled by default)
– sdwdate implemented option to update hardware clock –systohc (disabled by default)
– sdwdate: no more clock jumps. Gradually adjust clock as NTP does. Sclockadj has been written by Jason Ayala (Jason@JasonAyala.com) (@JasonJAyalaP) – https://github.com/Whonix/Whonix/issues/169 – Sclockadj helps sdwdate gradually adjusting the clock instead of producing clock jumps, which can confuse Tor, i2p, servers, logs and more. – It can add/subtract any amount of nanoseconds. – It supports waiting an interval of min/max nanoseconds between iterations, which will be randomized if min/max differs. – It supports slewing the time for min/max nanoseconds, which will be randomized if min/max differs. – It supports to wait before its first iteration. – It can run either verbose or quite. – It supports either really changing the time or running in debug mode.
– sdwdate: use median instead of average as suggested in https://www.whonix.org/forum/index.php/topic,267.0.html
– whonixcheck: don’t check just if Tor is fully bootstrapped, also check if Tor was actually able to create a circuit.
– whonixcheck: increased Tor socks port reachability test timeout from 5 to 10 as per https://www.whonix.org/forum/index.php/topic,129.0.html
– whonixcheck: fixed apt-get –simulate parsing code, whonixcheck can now also report how many packages could be upgraded when using non-English languages
– whonixcheck: There is no general “Whonix Debian Version” anymore, because Whonix has been split into multiple packages that now all have their own version number. What whonixcheck can figure out is if the whonixcheck version is up to date and if there is a Whonix news file for that whonixcheck version. There is currently no notification for packages by the Whonix team in whonixcheck for packages other than whonixcheck for users who do not use Whonix’s APT repository.
– whonixcheck: check_virtualizer, no longer warn if Qubes (https://www.whonix.org/wiki/Qubes) is detected; improved output, improved html tags
– anon-shared-build-apt-sources-tpo: updated The Tor Project’s apt signing key as per https://trac.torproject.org/projects/tor/ticket/12994#comment:9
– whonixcheck: refactoring, use /usr/lib/msgcollector/striphtml rather than sed in usr/lib/whonixcheck/check_tor_socks_or_trans_port
– added VPN_FIREWALL feature to Whonix-Gateway’s firewall – https://www.whonix.org/wiki/Next#Tunnel_Tor_through_VPN
– Whonix-Firewall: make variables overwrite able by /etc/whonix_firewall.d config folder
– Whonix-Firewall: renamed variable NON_TOR_WHONIXG to NON_TOR_GATEWAY
– added empty Whonix-Custom-Workstation
– Added extra log file /var/run/tor/log that won’t survive reboot. (Existing log file /var/log/tor/log that survives reboot will continue to exist.) And added necessary AppArmor rules. Thanks to @troubadoour who figured out the AppArmor rules (https://www.whonix.org/forum/index.php/topic,372.0/topicseen.html). This is useful, so whonixcheck can in future grep the log for clock specific warnings (https://github.com/Whonix/Whonix/issues/244).
– sdwdate: log time/date before and after running sclockadj
– swap-file-creator: timeout when reading from /dev/random
– when whonixsetup is automatically started, support automatically maximizing window in other terminals than konsole
– disable TCP-Timestamps (implemented #247)
– New alternative option name –install-to-root. This is an alternative to –bare-metal. Since some users liked to use “–bare-metal in a VM”, which sounds like an oxymoron. Now we can talk about “using –install-to-root in a VM”.
– Drop all incoming ICMP traffic by default. All incoming connections are dropped by default anyway, but should a user allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should still be dropped to filter for example ICMP time stamp requests.
– Removed geoclue-ubuntu-geoip and geoclue from anon-banned-packages because those are not evil by definition, those are only providing an API. Not allowing them to be installed would not allow users installing gnome-desktop-environment.
– vbox-disable-timesync: added compatibility with Debian jessie
– whonix-gw-firewall: Added 10.0.2.2/24 to NON_TOR_GATEWAY and LOCAL_NET to prevent spamming syslog with: host dhclient: DHCPREQUEST on eth0 to 10.0.2.2 port 67 | host dhclient: send_packet: Operation not permitted
– rads: made compatible with systemd / debian testing by adding tty1 autologin drop-in config
– tb-updater: update tbb version url as per https://trac.torproject.org/projects/tor/ticket/8940#comment:21
– tb-updater: compatibility with new recommended tbb versions format as per https://trac.torproject.org/projects/tor/ticket/8940#comment:28
– tb-updater: Whonix’s Tor Browser updater: download from torproject’s clearnet domain instead of torproject’s onion domain by default, because the onion domain is too slow/can’t handle the load. Downloading form the onion domain is possible using –onion.
– tb-updater: break when endless data attack is detected (max file size 100 mb for torbrowser, 1 mb for other files)
– anon-ws-disable-stacked-tor: Set environment variable “export TOR_SKIP_CONTROLPORTTEST=1″ to skip TorButton control port verification as per https://trac.torproject.org/projects/tor/ticket/13079. Will take effect as soon as The Tor Project merges the TOR_SKIP_CONTROLPORTTEST patch.
– sdwdate: curl, use –head rather than –include as per https://github.com/Whonix/Whonix/issues/315
– sdwdate: Breaking change: pool variable names were renamed. SDWDATE_POOL_PAL, SDWDATE_POOL_NEUTRAL, are now called SDWDATE_POOL_ONE, SDWDATE_POOL_TWO, SDWDATE_POOL_THREE. If you were using custom pools, you should update your config according to the new variable names. As per https://github.com/Whonix/Whonix/issues/310.
– sdwdate: no longer using pal/neutral/foe pool design. Using three pools instead, that only contain servers of the type “pal”. As per https://github.com/Whonix/Whonix/issues/310. Thanks to https://github.com/HulaHoopWhonix for suggesting it.
– uwt: all temporary files are now in /tmp/uwt
– anon-base-files /usr/lib/pre.bsh: all temporary files are now in /tmp/prepost
– whonixcheck / sdwdate / timesync / tb-updater / whonix-repository / control-port-filter: fix, clean up temporary files/directory
– whonixcheck / timesync / update-torbrowser: correct exit codes on signal sigterm and sigint
– whonixcheck / timesync: output
– whonix-gw-kde-desktop-conf: no longer use custom wallpaper (mountain mist) for Whonix-Gateway. Only use wallpapers from Debian repository for security reasons. (https://github.com/Whonix/Whonix/issues/318) Will now default to KDE’s default wallpaper. (Thanks to https://github.com/HulaHoopWhonix for suggesting it)
– build script: Added deletion of /boot/grub/device.map for VM builds during build process to prevent hard drive serial of build machine leaking into image. System also boots without /boot/grub/device.map. https://github.com/Whonix/Whonix/issues/249
– build script: verifiable builds: now using fixed disk identifiers to make verification easier
– build script: updated frozen repository
– build script: improved error handling, when error is detected, wait until builder presses enter before cleanup and exit to make it simpler to read error messages when building in cli
– build script: whonix_build now acts differently for –clean option depending on –virtualbox, –qcow2 and –bare-metal
– build script: removed Whonix’s grml-debootstrap fork, because Whonix’s patches were merged upstream
– build script: Renamed “img” to “raw”, because “img” was a poor name for raw images.
– build script: made variables overrideable by build config
– build script: set DEBUILD_LINTIAN_OPTS to “–info –display-info –show-overrides –fail-on-warnings”, to show more verbose lintian output and to break the build should lintian find an error such as a syntax error in a bash script
– build script: Workaround for a bug in kpartx, which fails to delete the loop device when using very long file names as per https://www.redhat.com/archives/dm-devel/2014-July/msg00053.html
– build script: implemented –testing-frozen-sources, installs from Debian testing frozen (snapshot.debian.org) sources. This is useful for compatibility test of Whonix’s Debian packages with Debian testing. There is no official support for Debian testing.
– build script: Use SAS rather than SATA as virtual hard disk controller for VirtualBox hdds to work around a VirtualBox upstream bug that causes filesystem corruption on high disk I/O (https://www.virtualbox.org/ticket/10031). Thanks to @Neurodrive for the bug report (https://github.com/Whonix/Whonix/issues/274).
– whonix-repository tool, anon-shared-build-apt-sources-tpo, anon-apt-sources-list: use wheezy rather than stable as per https://www.whonix.org/forum/index.php/topic,445.msg3640.html
– build script: makefile: added new feature “make deb-chl-bumpup” – Bump upstream version number in debian/changelog.
– build script: added support for –vram, –vmram, –vmsize switches
– build script: added –file-system (var: whonix_build_file_system)
– build script: added –hostname (var: whonix_build_hostname)
– build script: added –os-password (var: whonix_build_os_password)
– build script: added –debopt (var: whonix_build_debopt)