Introduction[edit]

This page documents how to build Whonix ™ VM (Virtual Machine) images for VirtualBox (.ova) or KVM (.qcow2) "from source code".

For Qubes-Whonix ™, see Qubes-Whonix ™ Build Documentation.

Building from source code as security advantages (see Trust).

The goal of this build documentation is to be usable by as many users as possible. Therefore written as easy as possible with no prior knowledge of tools used required.

The high level summary is:

Host preparation.
Get Whonix ™ source code (which includes Whonix ™ build script).
Run Whonix ™ build script.
Done, build of Whonix ™ has been completed.

Advanced users that already know how to use git and how to perform digital software verification using OpenPGP (gpg) do not need to strictly follow this documentation. See footnote(s) for details. ^[1]

Due to digital software verification instructions and Software Signature Verification Usability Issues these instructions might look more complicated then they actually are.

Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

Steps concerning digital software verification are pointed out as "This step is recommended for better security, but is not strictly required. (See Trust.)"

When verifying digital software signatures, these instructions will be slightly more complicated but therefore even more secure.

Host preparation.
Get Whonix ™ source code (which includes Whonix ™ build script).
Verify digital software signatures.
Run Whonix ™ build script
Done, build of Whonix ™ has been completed.

Host Preparation[edit]

You need to build on Debian bullseye, such as Whonix-Workstation ™ 16 or a Debian bullseye VM.
You need ~ 30 GB free disk space.
You need ~ 4 GB free RAM.
- Might actually work with a lot less RAM.
- Might actually work with less RAM if you have swap.
Do not build under user root. Login regular as user user and then use sudo as documented below.
You cannot build on Whonix-Gateway ™ (due to networking issues).
It is recommended to set your terminal (for example xfce4-terminal) to unlimited scrollback, so you can watch the full build log.
Short: Do not add private files to Whonix ™ source code folder! [...]

Long: [...] Unless you know what you are doing. Technically, it would work. This is recommended against. Those files would get managed by the respective package. When you later update Whonix ™ debian packages, your files would get deleted by the package manager. Also adding private files to Whonix ™ source code folder, later contributing to Whonix ™ development and accidentally pushing the wrong git branch would be a disaster. Better add your private files to Whonix ™ after building Whonix ™. Or add a custom build step adding your files, which then get copied from a folder outside of Whonix ™ source folder. See "Source Code Changes" in "Optional Build Configuration" below.

Short: Make sure there aren't any VMs in VirtualBox (inside your build machine) already called Whonix-Gateway ™ or Whonix-Workstation ™!

Long: Because the build script would fail, because it tries to create VMs either named Whonix-Gateway ™ or Whonix-Workstation ™. Running the clean script between builds will prevent this error.

Short: Do not try to build Whonix-Gateway ™ and Whonix-Workstation ™ at the same time!

Long: Building Whonix-Gateway ™ and Whonix-Workstation ™ at the same time is not supported due to limitations in the build script. In other words, do not try to run for example sudo ~/Whonix/whonix_build --flavor whonix-gateway -- --build --target virtualbox and sudo ~/Whonix/whonix_build --flavor whonix-workstation -- --build --target virtualbox at the same time. The build would probably fail.

Short: Do not use images created inside Continuous Integration (CI) environments for anything besides testing!

Usually you are not using CI environments without knowing.

You can find out if you are running inside a CI environment by running.

echo "$CI"

If it shows nothing, i.e.

Everything is fine.

Otherwise, if it were to show.

true

Then do not use these images for anything besides testing.

Reason: https://github.com/Whonix/Whonix/blob/master/build-steps.d/1100_prepare-build-machine#L577

Install build dependencies and get the source code.

Update the package lists.

sudo apt update

Install build dependencies.

sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring

VirtualBox builds only: Install VirtualBox on the build machine as per recommended VirtualBox version. ^[2]

Choose Version[edit]

Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Whonix ™ News Blog as it might contain information.

This documentation will be using 16.0.3.7-stable as an example. Replace 16.0.3.7-stable with the actual version chosen for the build.

Git tags by convention:

have one of the following appendixes stable, testers-only or developers-only version.
For example:
- 16.0.3.7-stable
- 16.0.3.7-testers-only
- 16.0.3.7-developers-only
all represent the very same source code. ^[3]

If there is only git tag 16.0.3.7-developers-only available but a stable release announcement has been published, then there is no need to wait for the creation of 16.0.3.7-stable since it actually has already been blessed stable, would contain the identical source code anyhow but just have a different git tag name.

Get the Signing Key[edit]

This step is recommended for better security, but is not strictly required. (See Trust.)

Get the Whonix ™ Signing Key.

Get the Source Code[edit]

FREE

Note: By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

Install git.

sudo apt update && sudo apt install git

Get the source code including git submodules. ^[4] ^[5]

Note: Replace 16.0.3.7-stable with the actual tag you want to build.

git clone --depth=1 --branch 16.0.3.7-stable --jobs=4 --recurse-submodules --shallow-submodules https://gitlab.com/whonix/Whonix.git

Change Directory[edit]

Get into Whonix source code folder because later on package build commands using ./whonix_build are expected to be run from the root of the source folder.

cd Whonix

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required. ^[6]

Git fetch. ^[7]

git fetch

Verify the chosen tag to build. Replace with tag you want to build.

Note: Replace 16.0.3.7-stable with the actual tag you want to build.

git verify-tag 16.0.3.7-stable

The output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit tag 16.0.3.7 tagger Patrick Schleizer <adrelanos@whonix.org> 1392320095 +0000
. gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@whonix.org>" [ultimate]

Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2021 and now see a signature from 2020, then this might be a targeted rollback (downgrade) or indefinite freeze attack. ^[8]

The warning.

gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.

Is explained on the Whonix ™ Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. ^[9] (forum discussion) It is advisable to verify the signature of the git commit as well (replace 16.0.3.7 with the actual git tag being verified).

git verify-commit 16.0.3.7-stable^{commit}

The output should look similar to this.

commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer <adrelanos@whonix.org>" [ultimate] Author: Patrick Schleizer <adrelanos@whonix.org> Date: Sun Dec 7 01:22:22 2014 +0000
.

Checkout Version[edit]

Retrieve a list of available git tags.

git --no-pager tag

Use git checkout to select the preferred version to build.

Note: Replace 16.0.3.7-stable with the actual tag you want to build.

git checkout --recurse-submodules 16.0.3.7-stable

Check Git[edit]

Check if you really got the version you want.

git describe

The output should show.

16.0.3.7-stable

Check if the source folder is pristine.

git status

The output should show nothing.

HEAD detached at 16.0.3.7-stable nothing to commit, working tree clean

If it shows something else, do not continue.

VM Creation[edit]

Mandatory. The following build targets are available.

--target virtualbox
creates VirtualBox VMs.
--target qcow2
creates .qcow2 images for KVM and QEMU.
--target raw
creates .raw images.
--target root
is for Physical Isolation Build Documentation.
--target utm
, preliminary support, tested on Mac M1 (--arch arm64) with QEMU. ^[10]
--target virtualbox
,
--target qcow2
, and
--target raw
can be combined to build multiple images at once.

Mandatory. Choose a flavor.

--flavor whonix-gateway-cli
--flavor whonix-gateway-xfce
--flavor whonix-workstation-cli
--flavor whonix-workstation-xfce

Optional. Choose a target CPU architecture.

--arch amd64 default, best tested.
--arch i386 is untested. ^[11]
--arch arm64
Potentially others. ^[12]

Optional. Enable Whonix ™ APT repository inside the images. ^[13] See Trust. This is done for official Whonix ™ redistributeable builds.

--repo true

VM Build Result[edit]

VirtualBox: The newly created VMs can be seen in VirtualBox user interface and in the usual VirtualBox data folders.
KVM, QEMU, raw images: The resulting .qcow2 and/or .raw images can be found in ~/whonix_binary folder.

Most users have completed the build process at this point, can start using Whonix ™ and skip the rest of this page.

Unified Images[edit]

Optional: Creation of (unified) .ova image(s) for Whonix ™ VirtualBox or libvirt.xz archives for Whonix ™ KVM. This might only be interesting if the goal is Redistribution of images to third parties such as the public.

There are two options.

A) Automated, a bit difficult (since it expects preexisting signing keys), using prepare_release script, OR
B) Manually.
- VirtualBox: Using the VirtualBox graphical or command line interface VM export feature could be used. ^[14]
- KVM: Manually.

Prepare Release[edit]

prepare_release is useful for:

Creation of a unified .ova image or libvirt.xz archive
Creation of torrent files.
Creation of hash sum files.
Creation of digital software signatures.
- OpenPGP (gpg) signatures
- signify signatures
- soon Codecrypt signatures
Adding the license agreement.
Adding the disclaimer.
Redistribution.
Example:
sudo -E /home/user/Whonix/packages/whonix-developer-meta-files/release/prepare_release --build --target virtualbox --flavor whonix-workstation-xfce

For private builds, i.e. for builds which are not supposed to be redistributed to others, none of this is important. If any of this was important, it could also be done manually.

Footnotes[edit]

↑ For example, these instructions fetch only a specific git tag. If you know how to use git, you are of course free to git clone the whole repository and then use git verify-tag, git verify-commit, git checkout --quiet and git generally as per usual. The reason why more specific commands are being used on this page is to simplify the process for laymen, to make these instructions as fail-safe as possible.
↑ Due to technical challenges, see VirtualBox Installation Challenges.
↑
git diff 16.0.3.7-stable 16.0.3.7-developers-only
↑
Optional git parameters:
- --depth=1: Used to speed up download.
- --branch 16.0.3.7-stable Usability. Used to speed up download.
- --jobs=4: Used to speed up download.
- --recurse-submodules --shallow-submodules: Usability.
Knowledgeable git users are free to drop any of these optional parameters.
↑ Alternatively, this can be achieved with the following commands in several steps. This is useful if network issues arise.
git clone --depth=1 --branch 16.0.3.7-stable https://gitlab.com/whonix/Whonix.git

cd Whonix

git submodule update --init --recursive --progress --jobs=4
↑ See Trust.
↑ Optional. [...]
↑
As defined by TUF: Attacks and Weaknesses:
- https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
- https://www.webcitation.org/6F7Io2ncN
↑ Beginning from git tag 9.6 and above.
↑
- MacOS#M1
- https://forums.whonix.org/t/whonix-on-mac-m1-arm/11310
↑ 32-bit or 64-bit?
↑
- Build script parameter --arch results in setting the BUILD_TARGET_ARCH build variable. If you inspect (grep tip) the build scripts for the variable name you can see other architectures might work but are untested.
- porting Whonix ™ to other platforms
↑
--repo true will set export build_remote_repo_enable="true" which results in setting
```
DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $whonix_build_apt_stable_release"
export DERIVATIVE_APT_REPOSITORY_OPTS
```
whonix_build_apt_stable_release defaults to bullseye and could optionally through a build configuration set to bullseye-proposed-updates, bullseye-testers or bullseye-developers.
↑ This is sane since important VM settings were already configured in https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm. prepare_release VM export does nothing special/important for privately used builds.

Whonix ™ The most watertight privacy operating system in the world.

Donate

FREE · PLUS · PREMIUM Support

At Whonix we believe in freedom and trust. That's why we fully support Open Source and Freedom Software. Learn more.

Whonix ™ is supported by Evolution Host DDoS Protected VPS.

Whonix is the most watertight privacy operating system in the world

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Whonix ™ © ENCRYPTED SUPPORT LP, 2022

Please help us to improve the Whonix ™ Wikipedia Page. Also see the feedback thread.

[1] For example, these instructions fetch only a specific git tag. If you know how to use git, you are of course free to git clone the whole repository and then use git verify-tag, git verify-commit, git checkout --quiet and git generally as per usual. The reason why more specific commands are being used on this page is to simplify the process for laymen, to make these instructions as fail-safe as possible.

[2] Due to technical challenges, see VirtualBox Installation Challenges.

[3] 
git diff 16.0.3.7-stable 16.0.3.7-developers-only

[4] Optional git parameters:
--depth=1: Used to speed up download.

--branch 16.0.3.7-stable Usability. Used to speed up download.

--jobs=4: Used to speed up download.

--recurse-submodules --shallow-submodules: Usability.
Knowledgeable git users are free to drop any of these optional parameters.

[5] --depth=1: Used to speed up download.

[6] --branch 16.0.3.7-stable Usability. Used to speed up download.

[7] --jobs=4: Used to speed up download.

[8] --recurse-submodules --shallow-submodules: Usability.

[5] Alternatively, this can be achieved with the following commands in several steps. This is useful if network issues arise.
git clone --depth=1 --branch 16.0.3.7-stable https://gitlab.com/whonix/Whonix.git

cd Whonix

git submodule update --init --recursive --progress --jobs=4

[6] See Trust.

[7] Optional. [...]

[8] As defined by TUF: Attacks and Weaknesses:
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

https://www.webcitation.org/6F7Io2ncN

[13] ttps://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

[14] ttps://www.webcitation.org/6F7Io2ncN

[9] Beginning from git tag 9.6 and above.

[10] 
MacOS#M1

https://forums.whonix.org/t/whonix-on-mac-m1-arm/11310

[17] MacOS#M1

[18] ttps://forums.whonix.org/t/whonix-on-mac-m1-arm/11310

[11] 32-bit or 64-bit?

[12] 
Build script parameter --arch results in setting the BUILD_TARGET_ARCH build variable. If you inspect (grep tip) the build scripts for the variable name you can see other architectures might work but are untested.

porting Whonix ™ to other platforms

[21] Build script parameter --arch results in setting the BUILD_TARGET_ARCH build variable. If you inspect (grep tip) the build scripts for the variable name you can see other architectures might work but are untested.

[22] rting Whonix ™ to other platforms

[13] --repo true will set export build_remote_repo_enable="true" which results in setting
DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $whonix_build_apt_stable_release" export DERIVATIVE_APT_REPOSITORY_OPTS

whonix_build_apt_stable_release defaults to bullseye and could optionally through a build configuration set to bullseye-proposed-updates, bullseye-testers or bullseye-developers.

[14] This is sane since important VM settings were already configured in https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm. prepare_release VM export does nothing special/important for privately used builds.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

Whonix ™ VM Build Documentation

Contents

Introduction[edit]

Host Preparation[edit]

Choose Version[edit]

Get the Signing Key[edit]

Get the Source Code[edit]

Change Directory[edit]

OpenPGP Verify the Source Code[edit]

Checkout Version[edit]

Check Git[edit]

VM Creation[edit]

VM Build Result[edit]

Unified Images[edit]

Prepare Release[edit]

Footnotes[edit]

Navigation menu

Whonix ™ VM Build Documentation

Introduction[edit]

Host Preparation[edit]

Choose Version[edit]

Get the Signing Key[edit]

Get the Source Code[edit]

Change Directory[edit]

OpenPGP Verify the Source Code[edit]

Checkout Version[edit]

Check Git[edit]

VM Creation[edit]

VM Build Result[edit]

Unified Images[edit]

Prepare Release[edit]

Footnotes[edit]

Navigation menu

Search