Design Documentation
Jump to navigation
Jump to search
Donate
Technical Design and Conception of the Whonix Anonymous Operating System.
Upstream[edit]
Redirection to Kicksecure Documentation
- Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
- Whonix is based on Kicksecure™: Whonix is built on top of Kicksecure. This means it uses many of the same security tools, design concepts, and configurations.
- Kicksecure is based on Debian: Kicksecure is developed using Debian as its base. Debian is a widely used, stable, and free Linux operating system.
- Inheritance: As a result, Whonix is also based on Debian.
- Debian is GNU/Linux-based: Debian is built using the GNU/Linux operating system. GNU provides essential tools and Linux is the system’s kernel (core).
- Shared documentation benefits: Since each system is based on the one below it, a lot of documentation and guides are shared. This reduces the need to duplicate information.
- Inherited documentation: Most instructions and explanations are inherited from Kicksecure or Debian, unless otherwise specified.
- Shared principles: The systems share similar security goals and setup instructions. In most cases, users can follow Kicksecure documentation when using Whonix.
- Keep using Whonix: This does not mean users should switch to Kicksecure. This page only points to related, helpful information.
- Where to apply the instructions: Follow the instructions inside Whonix unless specifically stated otherwise.
- Wiki editors notice: This information is pulled from a reusable wiki template: upstream_wiki. (See which pages use this.)
- Comparison: Whonix versus Kicksecure
- Documentation compatibility: Because Whonix is based on Kicksecure, you can often follow Kicksecure’s instructions as long as you apply them in the right place.
- Summary: Whonix is built on top of Kicksecure, which itself is based on Debian. Debian is a GNU/Linux operating system. This layered design means Whonix inherits many features, tools, and documentation from both Kicksecure and Debian.
- Click here: Visit the related page in the Kicksecure wiki for full documentation and background:
- Note: Re-interpretation...
Kicksecure: Perform these steps inside Kicksecure.
Instead, apply the steps inside Whonix-Workstation.
Kicksecure for Qubes: Perform these steps inside Qubes
kicksecure-17Template.
Instead, use the whonix-workstation-17 Template for these steps.
Technical Design[edit]
- Dev/Technical Introduction, Whonix Framework, Security Overview
- Comparison of Whonix, Tails, Tor Browser, TorVM and corridor
- Comparison of different Whonix variants
- Comparison Of Tor Proxies CGI proxies Proxy Chains And VPN Services
- Protocol-Leak-Protection and Fingerprinting-Protection
- Time Synchronization Mechanism
- Stream Isolation
- systemcheck
- SSL
- LeakTests to check everything is properly set up
- Anonymity Network
- Dev/About Computer (In)Security
- Dev/Threat Model
- Dev/Operating System, Debian, Ubuntu, ...
- Dev/Virtualization Platform
- Whonix-Gateway™ / Graphical Whonix-Gateway™ benefits over Headless Whonix-Gateway™
- Dev/Host
- Whonix-Host
- Fingerprint
- Dev/Entropy
- Whonix Whonix against Real Attacks
- Security Reviews and Feedback, Press, Media
- (encrypted) (authenticated) Connection Between Whonix-Gateway and Whonix-Workstation™
- Dev/Build Anonymity
- Dev/Expected Build Warnings
Relationship With Upstream
- About Infrastructure
- Trusting Whonix
- Verified Boot (Secure Boot)
- Verifiable Builds (as in reproducible, but not exactly reproducible)
- Factory Reset, Stateless Systems, Reproducible Systems, Verifiable Systems, Clear Linux, NixOS, Fedora Silverblue
- NEXT: In development for next Whonix version
- onion-grater (Control Port Filter Proxy)
- Automatic Updates (APT) - to Use or Not Use Them
- Package Manager Graphical
- One Click Update Script - Simplified, Assisted Updates
- Dummy Tor package on Whonix-Workstation (anon-ws-disable-stacked-tor)
- About Debian Packaging
- Criteria for installing applications by default in Whonix, Default Application Policy, package sources, software sources, Debian software package repository packages.debian.org, deb.debian.org, deb.torproject.org, software from non-APT repository software sources (Tor Browser)
- Tor Config Files torrc / Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?
- Dev/setup-dist
- Disclaimer in setup-dist - Background of it
- anon-ws-disable-stacked-tor, prevents Tor over Tor
- Versioning Format Conventions for packages developed under the Whonix hat
- Comparison Of Package Managers
- Advanced Deanonymization Attacks, Covert Channels
- Dev/Advanced Deanonymization Attacks, Covert Channels
- Stable Version User Experience
- Coding Style
- Latency Obfuscator
- RAM Wipe, cryptsetup suspend
- non-freedom, proprietary, closed source firmware, CPU microcode and drivers
Detailed Design[edit]
Future Technical Design[edit]
- Permanent Takedown Attack Defender, proposal to defend a permanent takedown threat
- Project / Emergency News
- controversy of anonymous MAC addresses
- apt revoker
- vanguards notification graphical user interface (GUI)
- Dev/remount-secure - Secure Mount Options
- Confidential Computing, Cloud Considerations
General Developer Pages[edit]
- First-Time Source Code Contributor Policy
- Documentation Guidelines
- Documentation Markup Format Converters
- Developer Portal
- Dev/Archived Discussions, development discussions, old and recent, bugs, features, etc.
- Git branches
- APT Repository (Whonix Debian Package Maintenance) (.deb), reprepro
- Some random thoughts about a future GNOME desktop, GNOME proxy
- Introduction into the Whonix build method and source code
- Whonix News File Format
- SSL certificate pinning
- development discussion if JonDo(Fox) could be pre-installed in Whonix-Workstation
- Whonix Host operating system or even VM operating system - development discussion
- Network Manager (NM) in Whonix instead of ifupdown - development discussion
- Dev/Other Virtualization Platforms
- Continuous Integration (CI)
- Consideration running a DHCP server on Whonix-Gateway and running a DHCP client in Whonix-Workstation
- Dev/Permissions
- Hosting a Whonix Mirror
- Why we should avoid APT Pinning / preferences / backports by default
- Comparing Password Managers, finding out best choice as default installed one
- Dev/Porting
- Dev/Logo
- The Tor Project (TPO) Trademark
- 32bit vs 64bit - How effort would multiply when 64bit images (same for other desktop environments such as Gnome)
- Firefox Add-On, debugging, "live" edits
- tor-launcher add-on screenshots
- whonix.org backup script, to make a backup of most whonix.org content
- Firewall Unloading / flush iptables
- Dev/Qubes
- Qubes Split GPG
- Firewall Refactoring
- Dev/Test - How to "UnWhonix" - Instructions on how to remove Whonix Tor default networking for Whonix-Gateway. After applying these instructions, Whonix-Gateway will connect to clearnet.
- Firejail
- grsecurity
- Whonix-Linux-Installer
- Whonix Windows Installer
- Dev/Whonix-Windows-User-Interface
- Whonix Windows Installer - Testers Only Version
- Whonix Cooperation with Researchers
- Host Keys in various Virtualizers / special keys
- Gajim - TODO for installing Gajim by default in Whonix
- Ledger Hardware Wallet Development Notes
- AEM - anti evil maid
- Boot Clock Randomization
- user-sysmaint-split, Boot Modes
- Dev/mobile
- Dev/yubikey
- Non Anonymous NAT Traversal
- Whonix friendly applications best practices
- Dev/Licensing
- Tor Browser without Tor
- VirusForget - deactivate malware after reboot from non-root compromise
- bash proper whitespace handling
- wallpaper
- certification / audit
- Windows 10 Issues collection
- Polls Collections (Surveys)
- Automated Tests
- Warrant Canary Draft
- Dev/Astra Linux
- Dev/Torified Wi-Fi Hotspot (WiFi)
- Xfce Desktop Environment Notes, xfconfd, desktop background image, configuration files
- Open Source Business Models
- audio, ALSA, PulseAudio, PipeWire
Website Developer Pages[edit]
- website and wiki HTML / CSS improvements
- Issue, Bug, Feature Request Tracker, phabricator
- mediawiki CSS
- Whonix.org Site Security
- OpenPGP Signed Website
- Hompage of Whonix, Experiments with Browser Load Speed and Content
- Web Backend, CMS vs non-CMS, vs github-pages, etc.
- mediawiki, codeselect, select code, short / long / recommended / detailed buttons
- Transparency, Guidelines for Advertising on whonix.org, Affiliate Policy
- web.archive.org snapshot using command line interface (CLI)
- Privacy Policy Technical Details of the Whonix Website
Download / Installation - Developer Pages[edit]
- Download Security
- Statistics on Downloads and OpenPGP verification and how we can improve that
- Dev/Download Wizard
- Software Verification (OpenPGP / gpg) Usability Issues / Secure Downloader to Download Whonix Images
- Installation from Whonix repository - "sudo apt install whonix"
- VM image download from repository - "sudo apt install whonix-gateway-ova"
Other Related[edit]
- Documentation
- whonix-devel mailing list archive
- Build Documentation, How to build Whonix from Source Code, How to update Whonix from Source Code
- Whonix Source Code
- Whonix Developer Meta Files, Scripts for managing the Whonix GNU/Linux Distribution
- Maintenance, The Tor Project (TPO) apt repository package mirroring to whonix.org repository, Tor Browser hardcoded version file
- Redistribution Pre Building (Only required if you want to redistribute (official) Whonix release builds.)
- Redistribution Post Building (Only required if you want to redistribute (official) Whonix release builds.)
- Essential Whonix Functionality Tests
- Whonix² Project Vision
- Project Philosophy
- Community Survey, collecting feedback for the future direction of Whonix
[edit]
Deprecated[edit]
- OneVM - Whonix implementation with just a single VM (Tor runs on host)
- Installing I2P on Whonix-Gateway (I2PBOX)
- JonDonym as Tor replacement (JonDoBOX)
- VPN, VPN's as a Tor replacement (VPNBOX)
- Proxy, Proxies as a Tor replacement (ProxyBOX), Transparent Proxying Method, Proxy Settings Method / ProxyBOX
- Freenet on the Whonix-Gateway (FreenetBOX)
- RetroShare as Anonymizer
- Dev/Zerobox (ZeroNet)
TODO[edit]
- https://forums.whonix.org/search?expanded=true&q=%23status_open_issue_todo%20%23component_security
- https://packages.debian.org/bookworm/tiger
- https://packages.debian.org/bookworm/tiger-otheros
Whonix
The most watertight privacy operating system in the world.
The most watertight privacy operating system in the world.
Follow us on social media
Supported by Power Up Privacy
Whonix is proudly supported until 2025 by
Power Up Privacy,
a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place.
(Strictly subject to our sponsorship policy.)
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements:
Terms of Service,
Privacy Policy,
Cookie Policy,
E-Sign Consent,
DMCA,
Imprint
2012-
2025 ENCRYPTED SUPPORT LLC
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!