General Safety Advice

Recommended knowledge: Modes of Anonymity.

Note: Most existing instant messenger protocols are unsafe from a privacy point of view. This is not a Whonix specific problem. It is a general problem with instant messengers.

Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols have encryption disabled by default; some do not support encryption at all. See also Overview about Pidgin protocols and their encryption features[1]. If encryption to the server is enabled, the Tor Exit Node can no longer eavesdrop. This fixes one problem, but it leaves another problem unresolved: the server itself.

Even with encryption to the server enabled, the server could still gather interesting information. For example:

  • Account names
  • Buddy list (list of contacts)
  • Login dates and times
  • Timestamp of messages
  • Who communicates with whom
    • If the recipient knows the sender and the recipient uses a non-anonymous account or the recipient ever logged in without Tor, this can be used as a hint for determining who the sender is.
  • Content of messages - Can be prevented using end-to-end encryption. This is covered in OTR encryption below.

Jabber/XMPP is a server-federation-based protocol designed with openness in mind. Its security depends on you making good use of OTR as you can never be sure if servers are properly encrypted between each other. Privacy with Jabber is limited, as it is visible to various kinds of attackers who your account is talking to. Tor only helps to pseudonymize your account and hide your current location, but your social graph may still expose your identity. For a good operational security guide on chatting anonymously see The Intercept's article.

Systems which do not require a server by design, i.e. serverless instant messengers are likely better from a privacy point of view. Such systems are #RetroShare and #Tox.

For IRC inside Whonix-Workstation, the Ident Protocol is automatically blocked because Whonix-Workstation is firewalled. The TorifyHOWTO/IrcSilc contains general IRC safety techniques and other tips.

Why prefer open protocols such as Jabber/XMPP over proprietary ones such as ICQ?


Update the package lists.

sudo apt-get update

Install gajim, gajim-omemo and gajim-httpupload.

sudo apt-get install gajim gajim-omemo gajim-httpupload

Start Gajim, either from the start menu or by typing its name in Konsole.



Change the following settings for better security and privacy.

  • Edit -> Accounts -> uncheck Save conversation logs for all contacts

  • Preferences -> Status -> uncheck Away after [3]
  • Preferences -> Status -> uncheck Not available after

  • Preferences -> Advanced -> Privacy -> uncheck
    • Allow client / OS information to be sent
    • Allow local system time information to be sent
    • Log encrypted chat session
    • Allow my idle time to be sent

  • Preferences -> Advanced -> Applications -> Custom -> clear the fields for Browser, Mail Client and File Browser [4]

  • Preferences -> Advanced -> Global proxy -> Tor
  • Preferences -> Advanced -> Global proxy -> Manage -> Tor -> check Use proxy authentication -> set username to gajim -> set password to gajim [5]

For Gajim to be installed by default in Whonix, there is more work TODO, see Dev/Gajim.


Tox Introduction

Tox [6] [7] looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VOIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous. [8] Desktop and mobile client versions have been developed for every major OS platform. [9]

In the Tox design, users are assigned a public and private key, with direct connections being established in a peer-to-peer network. Users can message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl crypto library, via libsodium. [10] [11] Tox helps to protect your privacy by: [12]

  • Removing the need to rely on central authorities to provide messenger services
  • Concealing your identity (in the form of meta-data, e.g. your IP address) from people who are not your authorized friends
  • Enforcing end-to-end encryption with perfect forward secrecy as the default and only mode of operation for all messages
  • Making your identity impossible to forge without the possession of your personal private key, which never leaves your computer

As of April 2017, the following secure (encrypted) features had been implemented: [13]

  • Voice and video calls.
  • Instant messaging.
  • Desktop screen sharing / streaming.
  • File sharing.
  • Typing indicators.
  • Message read-receipts.
  • Profile encryption.
  • Group messaging, voice and video conferencing.

Additional features can be implemented by any client, so long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. [14]

Tox Installation

Note: The following instructions will install the "qTox" graphical user client to your system. [15] To install the lightweight version with minimal dependencies ("uTox") or another Linux client like Ricin, Toxic or Toxygen, see here and here.

In the Whonix-Workstation (Qubes-Whonix: whonix-ws-14 TemplateVM), open a terminal (Konsole).

Download the Tox repository release key.

TODO: the following command is broken

curl-download TODO

Check the fingerprint before importing anything.

gpg --keyid-format long --with-fingerprint Release.key

Always check the fingerprint for yourself. [16]

At the time of writing, the fingerprint was:

pub   rsa2048/F2AA0B1E5EF8303B 2014-09-04 [SC] [expires: 2019-01-21]
      Key fingerprint = 3EB5 027B 3CD8 D7CA AC30  EB6B F2AA 0B1E 5EF8 303B
uid home:antonbatenev OBS Project <>

Add the Tox signing key.

TODO: the following command needs testing

sudo apt-key --keyring /etc/apt/trusted.gpg.d/tox-pubkey.gpg add Release.key

Add the Tox apt repository.

TODO: the following command is broken

sudo sh -c 'echo deb / > /etc/apt/sources.list.d/qtox.list'

Update the package lists.

sudo apt-get update

Install qTox.

sudo apt-get install qtox

The Tox repository and qTox have now been installed.

TODO: Add instructions on how to use Tox with Stream Isolation without Tor over Tor.

IRC Client HexChat

See HexChat.

Ricochet IM

Ricochet IM[17] is a newer successor to the unmaintained TorChat. [18]

It is a portable P2P python chat application that does not save chat history. It relies on Tor onion services for creating identities. Its encryption and authentication properties are as strong as Tor's. No metadata is ever collected because it is server-less. An OTF sponsored audit in early 2016 showed that there were a few minor problems (since fixed).[19][20]

Should work. Please test and report if it's working.

On Whonix-Gateway, onion-grater needs some adjustments.

Extend onion-grater Whitelist

On Whonix-Gateway.

Create a new directory. [21]

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

Symlink the onion-grater profile to the onion-grater settings folder.

sudo ln -s /usr/share/onion-grater-merger/examples/40_ricochet.yml /usr/local/etc/onion-grater-merger.d/

Restart onion-grater.

sudo service onion-grater restart

Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.
In Whonix-Workstation AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

kdesudo kwrite /rw/config/whonix_firewall.d/50_user.conf

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

sudo nano /etc/whonix_firewall.d/50_user.conf


Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") -> Template: whonix-ws-14 -> Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu -> Applications -> Settings -> Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

nano /etc/whonix_firewall.d/30_default.conf




Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run.

sudo whonix_firewall

On Whonix-Workstation, start Ricochet, either through the start menu or from the command line.



RetroShare is not an anonymizing network, it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model.

RetroShare is in active development. Users can operate servers for themselves, but the architecture does not depend on them. Communications are encrypted end-to-end and provide for messaging, mail, forums, pubsub, file exchange and even telephony. The problems with RetroShare are the confusing user interface, the necessity to have it running most of the time and contributing to the distributed hash table (DHT, causing continuous CPU usage), and three relevant privacy aspects:

  • You expose your social graph to a global passive adversary because friends connect to friends directly.
  • Your public IP is available in the DHT, allowing your physical location to be tracked.
  • Your visible user name is exposed in the TLS certificate when somebody connects to your RetroShare node.

Several of these problems can be solved by disabling the built-in DHT and hiding RetroShare behind a Tor onion service. People who scan Tor onion services will however still be able to connect to the service and see the RetroShare user name in the self-signed certificate. This can be prevented by setting up Authenticated Onion Services and limiting connections to trusted people only.

On November 4, 2014, RetroShare scored 6 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It lost a point because there has not been an independent code audit.[22] A recent audit by the pen-testing group Elttam uncovered many bugs in the code (some remotely exploitable) that were promptly fixed. The auditor's opinion was that RetroShare's codebase lacked secure coding practice.[23]

Running RetroShare through Tor lets you do things which are normally potentially dangerous, such as adding random people (for example from a forum, in order to join a RetroShare forum), while staying anonymous. This is not a recommendation, just stating a possibility. You can exchange your key on dedicated chat servers at:

After adding tons of random "friends" from a public forum, connections could be established to only a very few people over TCP. [24] [25] Only approximately 5% were online. Although probably only a very small portion of the network could be seen, the content of the network looked pretty interesting.

RetroShare reports (Right click -> DHT Details): NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD

There may still be some privacy caveats left with RetroShare trying to communicate outside of Tor, but that does not matter since Whonix makes any non-Tor traffic impossible.

Installation and Setup

WARNING: RetroShare packages are signed with weak 1024 bit keys. Until this is fixed we recommend using Ricochet IM with OnionShare instead.

RetroShare is currently available on Debian 7.0 Wheezy and 6.0 Squeeze for armel, armhf, i386 and amd64 architectures and for 8.0 Jessie.

Before adding the repo[26], fetch the key and verify[27] its fingerprint. Always check the fingerprint for yourself. The output at the moment is:

pub  1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <>
      Key fingerprint = E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91

Download the key with curl to the home folder.

curl -o retroshare-pubkey.asc

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint retroshare-pubkey.asc

If it looks good, import it into trusted.gpg.d.[28]

sudo apt-key --keyring /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg add retroshare-pubkey.asc
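Added example, not from the Whonix wiki or from the Tox or RetroShare projects, covering the "check the fingerprint before importing anything" step in both the Tox and the RetroShare instructions above: the key file's primary fingerprint is compared with the fingerprint obtained out of band, and only on a match is the .asc file converted to a binary keyring (footnote 28) with gpg --dearmor rather than apt-key. The expected fingerprint is the Tox key fingerprint quoted above; the file name Release.key and the keyring name tox-pubkey are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's or the projects' own code). Verifies a downloaded
# apt signing key against an out-of-band fingerprint before installing it.
set -eu

# Canonical form: drop whitespace and uppercase, so that the spaced output of
# "gpg --with-fingerprint" and a bare lowercase hex string compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n\r' | tr 'abcdef' 'ABCDEF'
}

# Extract the PRIMARY key fingerprint from a gpg --with-colons listing read on
# stdin: the first "fpr" record after a "pub" record (field 10 holds the hex).
# Later fpr records belong to subkeys and must not be accepted in its place.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0; exit }'
}

# Returns 0 only when both fingerprints normalise to the same 40 hex digits.
fpr_matches() {
    e=$(normalize_fpr "$1"); a=$(normalize_fpr "$2")
    [ "${#e}" -eq 40 ] && [ "$e" = "$a" ]
}

# Read the primary fingerprint of a key file without importing it
# (machine-readable variant of the gpg command used on this page).
key_file_fpr() {
    gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null | primary_fpr_from_colons
}

# Verify, then install as a dearmored keyring in /etc/apt/trusted.gpg.d/.
# Refuses (exit 1) and installs nothing on a mismatch or an unreadable key file.
install_apt_key_if_matching() {
    keyfile=$1; expected=$2; keyring_name=$3
    actual=$(key_file_fpr "$keyfile")
    if ! fpr_matches "$expected" "$actual"; then
        printf 'REFUSING to install %s: fingerprint %s does not match expected %s\n' \
            "$keyfile" "${actual:-<none>}" "$(normalize_fpr "$expected")" >&2
        return 1
    fi
    tmp=$(mktemp)
    gpg --batch --dearmor --output "$tmp" < "$keyfile"
    sudo install -o root -g root -m 0644 "$tmp" "/etc/apt/trusted.gpg.d/$keyring_name.gpg"
    rm -f "$tmp"
}

# Expected fingerprint of the Tox (home:antonbatenev) key as quoted on this page.
TOX_EXPECTED_FPR='3EB5 027B 3CD8 D7CA AC30  EB6B F2AA 0B1E 5EF8 303B'

# Usage, with a downloaded Release.key in the current directory (assumed name):
#   install_apt_key_if_matching Release.key "$TOX_EXPECTED_FPR" tox-pubkey
```

The same functions serve the RetroShare key by passing that key's fingerprint from the page and retroshare-pubkey as the keyring name.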

For stable builds:

sudo su -c "echo -e 'deb /' > /etc/apt/sources.list.d/retroshare06.list"

For nightly builds:

sudo su -c "echo -e 'deb /' > /etc/apt/sources.list.d/retroshare06-git.list"

Update the package lists.

sudo apt-get update

Install Retroshare.

sudo apt-get install retroshare06

For the latest nightly build, install the retroshare06-git package instead.


RetroShare setup:

  • Pick a pseudonym and password. Obviously, do not use your real name or location. Move your mouse to generate enough entropy.
  • Check Advanced Options -> Create a hidden node
  • Change key-length to 4096 bits for adequate security then generate the new profile.



Follow the steps in this guide to connect to others over I2P.


INCOMPLETE - Depends on unimplemented features for Whonix[30] [31]

On your Whonix-Gateway.

If you want to read an introduction about onion services and to learn about onion service security, see Onion Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Onion Services basics), see Onion Services.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

Add. [32]

HiddenServiceDir /var/lib/tor/retroshare/
HiddenServicePort 7812 <local address>:<port>


Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> Reload Tor

If you are using a terminal-only Whonix-Gateway, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

Reminder: To get your onion service url.

sudo cat /var/lib/tor/retroshare/hostname

Reminder: Always backup the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.



Use the usual Qubes tools. The following example shows how to copy the /var/lib/tor/retroshare/private_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy-to-vm.

sudo qvm-copy-to-vm vault /var/lib/tor/retroshare/private_key

The above step copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.


Consider moving the file from the QubesIncoming folder to another preferred location.

Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.


TODO document
Also see: File Transfer.

Deprecated Chat Clients

Tor Messenger

No longer use! Deprecated by upstream developers. [33]


Pidgin supports most protocols. However, do not use it. It has a very bad security track record with many remotely exploitable bugs, a result of being written in C and containing many legacy protocols. [34]


Unfortunately, as of the time of writing (September 2015) TorChat cannot be recommended. This is because the TorChat developer currently does not respond to other people, see TorChat issues. Communication and support are crucial for anonymity related projects. TorChat is an unofficial project, unaffiliated with The Tor Project. A modern and maintained alternative is Ricochet IM.

In 2015 a security analysis[35] of the TorChat protocol and its Python implementation was conducted. It found that although the design of TorChat is sound, its implementation has several flaws which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.[36]

Other Software

If a chat client is not listed here, it is for now recommended against. Search the Whonix forums to see whether that chat client has been discussed in the past, or if you think a privacy respecting chat client is missing from this page.

Footnotes / References

  2. anon-apps-config, which is installed by default, deactivates the Gajim plugin installer / updater because it is not secure.
  3. To prevent needlessly leaking your activity to the server.
  4. For better security, do not risk automatically starting these applications from the chat client.
  5. To get Stream Isolation.
  11. Tox employs curve25519 for its key exchanges, xsalsa20 for symmetric encryption, and poly1305 for MACs.
  13. Depending on the mobile / desktop client in use.
  15. This repository is directly referenced on the Tox Download webpage, see: Anton Batenev is a Tox developer.
  16. The list of GPG fingerprints currently in use by qTox developers can be referenced at
  21. Using /usr/local/etc/onion-grater-merger.d/ because that onion-grater settings folder is persistent in Qubes-Whonix TemplateBased ProxyVMs, i.e. Whonix-Gateway (commonly called sys-whonix). Non-Qubes-Whonix users could also use /etc/onion-grater-merger.d/. Qubes-Whonix users could also use /etc/onion-grater-merger.d/, but then they would have to make /etc/onion-grater-merger.d/ persistent, which would require doing this inside the Whonix-Gateway TemplateVM (commonly called whonix-gw-14) and restarting their Whonix-Gateway ProxyVM, or using bind-dirs. Both are more complicated than simply using /usr/local/etc/onion-grater-merger.d/, which is persistent either way and even allows multiple Whonix-Gateway ProxyVMs based on the same Whonix-Gateway TemplateVM, for example one Whonix-Gateway ProxyVM extending and relaxing onion-grater's whitelist and the other Whonix-Gateway ProxyVM keeping the default, more restricted onion-grater whitelist.
  24. Chance of working better (untested): Tunnel UDP over Tor.
  25. Note, in case you are using the previous footnote, Other Anonymizing Networks over Tor UDP Tunnel applies.
  28. To import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
  29. RetroShare .deb Packages installation instructions from RetroShare's third party repository
  31. This task is up for grabs:
  32. Arbitrary choice of port to avoid conflicts with custom RetroShare setups.
  34. Security Analysis of Instant Messenger TorChat


Whonix Chat wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chat wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.
