Comparison of Different Whonix Variants
The security and usability of the Whonix platform is significantly affected by the hardware and virtualization configuration, and whether a Whonix-Custom-Workstation is created. Qubes-Whonix is currently recommended as providing the best combination of security and usability, although it has strict hardware requirements.
Virtualization and Hardware Configurations
Table: Whonix Platform Comparison
|Name||Number of systems||Security||Usability|
|Standard Binary Download||host+VM+VM=3||Basic||Easy to redistribute and install|
|Physical Isolation with Bare-metal Gateway||host+VM+host=3||Equivalent to the standard binary download||Difficult to install and for advanced users only|
|Physical Isolation with Virtualized Gateway||host+VM+host+VM=4||Higher attack surface||Easier to deploy. Four operating systems must be kept updated|
|Physical Isolation without any Virtualization||host+host=2||Nearly the same as standard Physical Isolation.  Without virtual machines, there is no protection against hardware fingerprinting||Difficult to install and for advanced users only|
|Qubes||dom0+VM+VM=3||Better compartmentalization. See Why use Qubes over other Virtualizers?||Best|
Virtual machines can provide the following security-related features:
- Network isolation: Connections can easily be forced through Tor.
- Hardware isolation: Unique hardware serials can be hidden.
- Roll back feature: Users can revert to clean and/or working snapshots.
- Multi-level security: Multiple clones / VMs / DisposableVMs provide significant protection.
In comparison, live CDs provide:
- Non-persistence: This increases safety in the event of a software compromise. 
- Anti-forensics capability and plausible deniability: If the computer is powered down and RAM has faded or been wiped, remnants of critical information like encryption keys should be impossible to retrieve.
- Update issues: It is difficult to roll out security updates and maintain a fully up-to-date system.
Operating System Configurations
Whonix provides multiple operating system options:
- Debian stretch GNU/Linux: The Default-Download-Version is recommended for most users.
- Other Operating Systems: Windows, FreeBSD, other GNU/Linux, and Android Custom-Whonix-Workstations are possible.
Users should refer to Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation before choosing this option. A number of anonymity protections must be manually configured in Whonix-Custom-Workstation.
There is also a Hardened Gentoo-based Whonix-Gateway. This is not recommended as it is outdated, requires a maintainer, and is for experts only.
Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation
See Security Comparison: Whonix-Download-Workstation vs. Whonix-Custom-Workstation. Unless otherwise stated, the documentation and design refers to the Default-Download-Version.
- For further discussion of this issue, see: More or Less Protection inside a VM?
- Unless sophisticated and targeted malware manages to leverage the exploit, leading to a compromise of firmware or other persistent systems (like BIOS).
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.