Anonymous Cwtch Whonix.

Cwtch Introduction[edit]

upstream documentation: Running Cwtch on Whonix
Whonix forum discussion: Cwtch messaging

Notices[edit]

Testers only!

Security warning: Adding a third party repository and/or installing third-party software allows the vendor to replace any software on your system. Including but not limited to the installation of malware, deleting files and data harvesting. Proceed at your own risk! See also Foreign Sources for further information. For greater safety, users adding third party repositories should always use Multiple Whonix-Workstation^™ to compartmentalize VMs with additional software.

Documentation in the Whonix wiki provides guidance on adding third-party software from different upstream repositories. This is especially useful as upstream often includes generic instructions for various Linux distributions, which may be complex for users to follow. Additionally, documentation Whonix usually has a higher focus on security, digital software signatures verification.

The instructions provided here serve as a "translation layer" from upstream documentation to Whonix, offering assistance in most scenarios. Nevertheless, it's important to acknowledge that upstream repositories, software may undergo changes over time. Consequently, the documentation on this wiki might need occasional updates, such as revised signing key fingerprints, to stay current and accurate.

Please note, this is a general wiki template and may not apply to all upstream documentation scenarios.

Users encountering issues, such as signing key problems, are advised to adhere to the Self Support First Policy and engage in Generic Bug Reproduction. This involves attempting to replicate the issue on Debian bookworm, contacting upstream directly if the issue can be reproduced as such problems are likely unspecific to Whonix. In most cases, Whonix is not responsible for, nor capable of resolving, issues stemming from third-party software.

For further information, refer to Introduction, User Expectations - What Documentation Is and What It Is Not.

Should the user encounter bugs related to third-party software, it is advisable to report these issues to the respective upstream projects. Additionally, users are encouraged to share links to upstream bug reports in the Whonix forums and/or make edits to this wiki page. For instance, if there are outdated links or key fingerprints in need of updating, please feel free to make the necessary changes. Contributions aimed at maintaining the currentness and accuracy of information are highly valued. These updates not only improve the quality of the wiki but also serve as a useful resource for other users.

The Whonix wiki is an open platform where everyone is welcome to contribute improvements and edits, with or without an account. Edits to this wiki are subject to moderation, so contributors should not worry about making mistakes. Your edits will be reviewed before being made public, ensuring the integrity and accuracy of the information provided.

Installation[edit]

Cwtch Whonix-Gateway Installation Steps[edit]

This application requires incoming connections through a Tor onion service. Supported Whonix-Gateway^™ modifications are therefore necessary for full functionality; see instructions below.

For better security, consider using Multiple Whonix-Gateway and Multiple Whonix-Workstation^™. In any case, Whonix is the safest choice for running it. ^[2]

Extend the onion-grater whitelist.

On Whonix-Gateway (sys-whonix).

Add onion-grater profile.

sudo onion-grater-add 40_cwtch

^[3]

Cwtch Whonix-Workstation Installation Steps[edit]

Installation[edit]

1. Notice.

Non-Qubes-Whonix^™: Perform these steps inside Whonix.
Qubes-Whonix^™: Perform these steps inside Qubes whonix-workstation-17 Template.

2. Add the GPG key to the APT keyrings. ^[4]

Securely download the key.

If you are using Whonix-Workstation^™ (anon-whonix), run.

scurl-download https://deb.cwtch.im/F6E3CBE475D0929825F9FC363498D4989B3F602B.asc

If you are using a Qubes Template (whonix-workstation-17), run. ^[5] ^[6]

http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 scurl-download https://deb.cwtch.im/F6E3CBE475D0929825F9FC363498D4989B3F602B.asc

Display the key's fingerprint. ^[7]

gpg --keyid-format long --import --import-options show-only --with-fingerprint F6E3CBE475D0929825F9FC363498D4989B3F602B.asc

Verify the output.

Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
Optional, not required: Digital signatures are optional and not mandatory for using Whonix, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

The most important check is confirming the key fingerprint exactly matches the output below. ^[8]

Key fingerprint = F6E3 CBE4 75D0 9298 25F9 FC36 3498 D498 9B3F 602B

Warning:

Do not continue if the fingerprint does not match -- this risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

Copy the signing key to the APT keyring folder. ^[9]

sudo cp F6E3CBE475D0929825F9FC363498D4989B3F602B.asc /usr/share/keyrings/deb.cwtch.im-keyring.gpg

3. umask hardening workaround.

This may no longer be required in a future version.

sudo chmod o+r /usr/share/keyrings/deb.cwtch.im-keyring.gpg

4. Add the cwtch repository.

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/deb.cwtch.im-keyring.gpg] https://deb.cwtch.im/cwtch.im/ stable main' | sudo sttee /etc/apt/sources.list.d/cwtch.im.list

^[10]

5. Install cwtch.

Install package(s) cwtch following these instructions

Platform specific notice.

Non-Qubes-Whonix: No special notice.
Qubes-Whonix: In Template.

Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

Install the cwtch package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends cwtch

Platform specific notice.

Non-Qubes-Whonix: No special notice.
Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

Done.

The procedure of installing package(s) cwtch is complete.

6. Done.

Installation of cwtch has been completed.

Firewall Settings[edit]

Modify the Whonix-Workstation (anon-whonix) user firewall settings and reload them.

Modify Whonix-Workstation^™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix^™, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.

sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → System → User Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name_short}} is updated, this
## file may be overwritten.

Also see: Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

In Whonix-Workstation, open the whonix_firewall configuration file in an editor. nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add.

EXTERNAL_OPEN_PORTS+=" $(seq 15000 15378) "

Save.

Reload Whonix-Workstation^™ Firewall.

If you are using Qubes-Whonix^™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run. sudo whonix_firewall

Cwtch Usage[edit]

Inside Whonix-Workstation.

To start Cwtch. ^[11]

env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true cwtch

Footnotes[edit]

↑
- Cwtch announced Whonix support.
↑
Security considerations:
- By using Whonix, additional protections are in place for greater security.
- This application requires access to Tor's control protocol.
- In the Whonix context, Tor's control protocol has dangerous features. The Tor control command GETINFO address reveals the real, external IP of the Tor client.
- Whonix provides onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands.
- When this application is run inside Whonix-Gateway with an onion-grater whitelist extension, this will limit Whonix-Workstation application rights to Tor control protocol access only. Non-whitelisted Tor control commands such as GETINFO address are rejected by onion-grater in these circumstances. In this event, Whonix-Workstation cannot determine its own IP address via requests to the Tor Controller, as onion-grater filters the reply.
- In comparison, if the application is run on a non-Tor focused operating system like Debian, it will have unlimited access to Tor's control protocol (a less secure configuration).
- If the (non-)Whonix platform is used to host onion services, then running applications are more vulnerable to attacks against the Tor network compared to when Tor is solely used as a client; see also Onion Services Security.
In conclusion, Whonix is the safest and correct choice for running this application.
↑ These instructions use the /usr/share/doc/onion-grater-merger/examples/40_cwtch.yml onion-grater profile packaged for Whonix. In the future it is conceivable that the upstream cwtch-whonix.yml onion-grater profile is more recent. In that case it might be necessary to replace /usr/share/doc/onion-grater-merger/examples/40_cwtch.yml with upstream's cwtch-whonix.yml until onion-grater in Whonix is upgraded to contain the new onion-grater profile.
↑ Unfortunately not installable from Debian package repositories at time of writing. RFP: cwtch -- Privacy Preserving Infrastructure for Asynchronous, Decentralized, Multi-Party, and Metadata Resistant Applications
↑ Using Qubes UpdatesProxy (http://127.0.0.1:8082/) because Qubes Templates are non-networked by Qubes default and therefore require UpdatesProxy for connectivity. (APT in Qubes Templates is configured to use UpdatesProxy by Qubes default.)
↑ Even more secure would be to download the key Disposable and then qvm-copy it to the Qubes Template because this would avoid curl's attack surface but this would also result in even more complicated instructions.
↑ Even more secure would be to display the key in another Disposable because this would protect the Template from curl's and gpg's attack surface but this would also result in even more complicated instructions.
↑ Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
↑ https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302
↑ sudo overwrite /etc/apt/sources.list.d/cwtch.im.list 'deb [arch=amd64 signed-by=/usr/share/keyrings/deb.cwtch.im-keyring.gpg] https://deb.cwtch.im/cwtch.im/ stable main'
↑
The following environment variables might be set by default in a future Whonix version.
```
env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true
```

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] 
Cwtch announced Whonix support.

[2] Cwtch announced Whonix support.

[2] Security considerations:
By using Whonix, additional protections are in place for greater security.

This application requires access to Tor's control protocol.

In the Whonix context, Tor's control protocol has dangerous features. The Tor control command GETINFO address reveals the real, external IP of the Tor client.

Whonix provides onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands.

When this application is run inside Whonix-Gateway with an onion-grater whitelist extension, this will limit Whonix-Workstation application rights to Tor control protocol access only. Non-whitelisted Tor control commands such as GETINFO address are rejected by onion-grater in these circumstances. In this event, Whonix-Workstation cannot determine its own IP address via requests to the Tor Controller, as onion-grater filters the reply.

In comparison, if the application is run on a non-Tor focused operating system like Debian, it will have unlimited access to Tor's control protocol (a less secure configuration).

If the (non-)Whonix platform is used to host onion services, then running applications are more vulnerable to attacks against the Tor network compared to when Tor is solely used as a client; see also Onion Services Security.
In conclusion, Whonix is the safest and correct choice for running this application.

[4] By using Whonix, additional protections are in place for greater security.

[5] This application requires access to Tor's control protocol.

[6] In the Whonix context, Tor's control protocol has dangerous features. The Tor control command GETINFO address reveals the real, external IP of the Tor client.

[7] Whonix provides onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands.

[8] When this application is run inside Whonix-Gateway with an onion-grater whitelist extension, this will limit Whonix-Workstation application rights to Tor control protocol access only. Non-whitelisted Tor control commands such as GETINFO address are rejected by onion-grater in these circumstances. In this event, Whonix-Workstation cannot determine its own IP address via requests to the Tor Controller, as onion-grater filters the reply.

[9] In comparison, if the application is run on a non-Tor focused operating system like Debian, it will have unlimited access to Tor's control protocol (a less secure configuration).

[10] If the (non-)Whonix platform is used to host onion services, then running applications are more vulnerable to attacks against the Tor network compared to when Tor is solely used as a client; see also Onion Services Security.

[3] These instructions use the /usr/share/doc/onion-grater-merger/examples/40_cwtch.yml onion-grater profile packaged for Whonix. In the future it is conceivable that the upstream cwtch-whonix.yml onion-grater profile is more recent. In that case it might be necessary to replace /usr/share/doc/onion-grater-merger/examples/40_cwtch.yml with upstream's cwtch-whonix.yml until onion-grater in Whonix is upgraded to contain the new onion-grater profile.

[4] Unfortunately not installable from Debian package repositories at time of writing. RFP: cwtch -- Privacy Preserving Infrastructure for Asynchronous, Decentralized, Multi-Party, and Metadata Resistant Applications

[5] Using Qubes UpdatesProxy (http://127.0.0.1:8082/) because Qubes Templates are non-networked by Qubes default and therefore require UpdatesProxy for connectivity. (APT in Qubes Templates is configured to use UpdatesProxy by Qubes default.)

[6] Even more secure would be to download the key Disposable and then qvm-copy it to the Qubes Template because this would avoid curl's attack surface but this would also result in even more complicated instructions.

[7] Even more secure would be to display the key in another Disposable because this would protect the Template from curl's and gpg's attack surface but this would also result in even more complicated instructions.

[8] Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.

[9] ttps://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302

[10] sudo overwrite /etc/apt/sources.list.d/cwtch.im.list 'deb [arch=amd64 signed-by=/usr/share/keyrings/deb.cwtch.im-keyring.gpg] https://deb.cwtch.im/cwtch.im/ stable main'

[11] The following environment variables might be set by default in a future Whonix version.
env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

Cwtch

Contents

Cwtch Introduction[edit]

Notices[edit]

Installation[edit]

Cwtch Whonix-Gateway Installation Steps[edit]

Cwtch Whonix-Workstation Installation Steps[edit]

Installation[edit]

Firewall Settings[edit]

Cwtch Usage[edit]

Footnotes[edit]

Navigation menu

Cwtch

Cwtch Introduction[edit]

Notices[edit]

Installation[edit]

Cwtch Whonix-Gateway Installation Steps[edit]

Cwtch Whonix-Workstation Installation Steps[edit]

Installation[edit]

Firewall Settings[edit]

Cwtch Usage[edit]

Footnotes[edit]

Navigation menu

Search