- 1 Introduction
- 2 Technical Challenges
- 3 Whonix ™ Framework
- 4 Whonix ™ Concept
- 5 Security Overview
- 6 Does Whonix ™ / Tor Provide Protection from Advanced Adversaries?
- 7 Can Certain Activities Leak DNS and/or the Real External IP Address / Location?
- 8 Forensics
- 9 Images
- 10 Live Operating System
- 11 See Also
- 12 Footnotes
Whonix ™ aims to be safer than Tor alone. The main goal is, that no one can find out the user's IP and location.
The basic idea is, that all applications are untrustworthy. No application must be able to obtain the user's real external IP. Whonix ™ ensures that applications can only connect through Tor. Direct connections (leaks) must be impossible. This is the only way we know of, that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks [archive].10 When the term protocol leak or "information leak" is used in the context of security and anonymity it is referring to an event that causes the release of secure or private information to an untrusted party or environment  .
Whonix ™ consists of two machines, which are connected through an isolated network. One machine acts as the client or Whonix-Workstation ™, the other as a proxy or Whonix-Gateway, which will route all of the Whonix-Workstation ™ traffic through Tor. This setup can be implemented either through virtualization and/or Physical Isolation (explained below).
The Whonix ™ Concept (see below) is agnostic about everything, the anonymizer, platform, etc. See Whonix ™ Framework below.
Whonix ™ Example Implementation: Anonymity setup built around Tor, two virtual machines using Qubes, KVM, VirtualBox or physical isolation and Debian GNU/Linux. Whonix ™ can be installed on every supported platform. (Supports Windows, OS X, Linux, BSD and Solaris.)
Physical Isolation describes installing Whonix-Gateway ™ and Whonix-Workstation ™ on two different pieces of hardware. It is more secure than VirtualBox / KVM virtual machines alone, requires more physical space, and hardware and electricity costs are higher. Keep in mind that you don't need very powerful dedicated servers or desktops. Unfortunately, using Qubes-Whonix ™ with physical isolation is unsupported. For more information, see Physical Isolation.
See Design for Technical Design and security of Whonix ™. For security introduction, see below.
The listed Features, advantages and disadvantages shall give you an overview, what Whonix ™ is useful for, what Whonix ™ can do for you, and what not.
System security, privacy and anonymity are dependent upon sensitive information or data not escaping the trusted environment, which is protected and under the user's control. This is a technically challenging task with a multitude of elements to be considered. The numerous applications and background processes running on a system at any given time exacerbate the difficulties encountered.
In the context of privacy and anonymity, sensitive information is any information that can be used to identify an individual. An inexhaustive list of sensitive information includes:
- Hardware serials [archive] - can be used to uniquely identify a computer and in turn be linked to the person who purchased or was using it.
- DNS leak [archive] - if DNS queries are leaking, an ISP or any on-path eavesdropper can log the sites that are visited.
- IP leaks [archive] - a user's external (ISP-facing) IP address can be used to identify an individual as well as their location.
- Personally identifiable information [archive] (PII) - information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context..
Origin of Leaks
Even if sensitive data is only a very small proportion of the total, it is extremely difficult to block all available leak avenues. Information leaks have several primary causes:
- Misbehaving applications (buggy software [archive]) - programs that do not function as intended, leading directly to data leakage or causing other applications they interact with to leak.
- Deliberate (Backdoors [archive]) - a backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, product, or embedded device (like a home router), or its embodiment which forms part of a cryptosystem, an algorithm, a chipset, or a "homunculus computer".
- Mis-configured applications - some applications can leak sensitive information if configured improperly. For instance, VPN clients can leak DNS queries [archive]. Other applications that can be used to block information leaks, such as iptables [archive], may be ineffective if configured improperly.
- Software vulnerability - a weakness which allows an adversary to reduce a system's integrity, availability, authenticity, non-repudiation and confidentiality of user data.
Whonix ™ Framework
The Whonix ™ Concept is agnostic about everything. With some development effort you can replace any component. The Whonix ™ developers would like to support each and any use case, but due to limited amount of developers this is impossible and we focus on the Whonix ™ Example Implementation.
The Tor network is Whonix ™ official and best supported anonymizing network. Whonix ™ can also potentially and optionally use other anonymizing networks (Such as JonDo, I2P, Freenet, RetroShare), either in addition (tunneled through Tor) or as a replacement for Tor. See the article for more information.
Other operating systems (e.g. Windows; *nix; BSD; etc.) can potentially be used as host and/or guest operating system. See the Other Operating Systems for more information.
A robust "security by isolation" model is incorporated into the Whonix ™ framework to counter the ever-present threat of information leaks. This model is composed of four (three when using physical isolation) unique, but essential components.
- Hypervisor - also referred to as a virtual machine monitor. This is software, firmware, or hardware that creates and runs virtual machines [archive]. Several elements are involved:
- The computer on which the hypervisor runs is called the host.
- The hypervisor in turn runs virtual machines which are called guest machines. The hypervisor provides hardware virtualization which hides the characteristics of a computing platform from the user, instead presenting an abstract computing platform.
- This platform virtualization -- creation of a virtual machine that acts like a real computer -- is performed on a given hardware platform by host software (a control program).
- The host software creates a simulated computer environment; a virtual machine (VM), for its guest software.
- The guest software executes as if it were running directly on the physical hardware.
- Due to these factors, Whonix ™ is able to isolate the the virtual machines from the actual computer hardware. This prevents the virtual machines from accessing sensitive information on the host OS or from each other.
- Whonix-Gateway - the first of two VMs that make up Whonix ™. The function of Whonix-Gateway ™ is to run Tor processes and force all traffic through the Tor network. This is done through a modest application of iptables [archive], which blocks network traffic from passing through any other channel besides the dedicated Tor gateway. As mentioned earlier, the hypervisor enforces the isolation between the two VMs used in Whonix ™. Consequently, any malware that might infect Whonix-Workstation ™ (the second VM) will not compromise Whonix-Gateway ™ or the host.
- Whonix-Workstation ™ - the second of two VMs, the Workstation is responsible for running user applications. This includes any pre-installed or custom-installed user applications. Since Whonix-Workstation ™ is isolated from both the Whonix-Gateway ™ and host OS, if an application misbehaves or is exploited by an adversary, this will be contained in the isolated Whonix-Workstation ™. Unless an advanced adversary is able to break out of the VM, there is no way for hardware serials or the externally-facing IP address to leak; Whonix-Workstation ™ is simply unaware of sensitive information. Moreover, DNS leaks are eliminated since all DNS requests are sent over the Tor network via the Whonix-Gateway ™.
- Tor -Tor [archive] is an anonymity network which helps users defend against traffic analysis, network surveillance and privacy threats. Tor protects users by bouncing their communications around a distributed network of relays.
Whonix ™ Concept
In layman's terms
Shut up or put up! Is Whonix ™ safe?
It is in the nature of security related software, that there is no 100% safety. Believe it or not, we use it ourselves and we keep maintaining and developing it. We believe that Whonix ™ is safer than other tools in some aspects, threat models, and use cases. There is detailed reasoning for such claims on the Whonix ™ Homepage.
If you are more paranoid or have higher security needs, read everything, full documentation and full technical design, you'll learn about physical isolation and build Whonix ™ from source code and so on.
And no, Whonix ™ does not claim [archive] to protect from very powerful adversaries, to be a perfectly secure system, to provide strong anonymity, or to provide protection from technically advanced surveillance and similar.
See also Whonix ™ is a work in progress.
At first glance this site may create the impression that Whonix ™ is completely insecure and everything is a lost cause. We are upfront with things we could do better and we are still working on and try to consider all possibilities and document all thinkable and future threats. You must judge for your own which risks are acceptable for your use cases.
With more technical terms
It is difficult to write a summary of Whonix ™ security features. Both anonymity and security consist of so many different aspects. That's why there is lots of Documentation and the whole Technical Design.
The Technical Design intends to document security philosophy, design, goals and current shortcomings of Whonix ™.
This chapter is only a short introduction. Please read the full Design.
Whonix ™ follows the principle of security by isolation. We know that making our currently used systems secure is a lost cause. They are too complex and too large to be trustworthy and verifiably free of any bugs. Whonix ™ can't solve this but it tries to minimize attack surfaces and limit what danger exploitable bugs in more exposed parts can do, one primary danger specific to Tor is the danger of exposing the public IP address of a system. Whonix ™ isolates client applications inside the Whonix-Workstation ™ from discovering the external IP address. Specifically, Whonix ™ is designed to prevent direct detection of the IP (not more!) even if an adversary has unrestricted access to the Whonix-Workstation ™.
Once there is a vulnerability found in Tor (ex: exploiting Tor's ports) or a successful attack against Tor, Whonix ™ fails.
Same goes for iptables. Whonix ™ is a setup based on Linux, iptables, Tor, etc. If any of the underlying projects has a vulnerability, which we can not rule out, of course, Whonix ™ will fail as well.
In summary, Whonix ™ does not claim to be a perfectly secure system or able to provide anonymity if one faces a very powerful adversary, and so on.
Whonix-Workstation ™ has no access to the internet without going through Tor. You can look into our setup. It is all Open Source and well documented.
Whonix ™ uses multiple security layers.
- IP-forwarding is disabled.
- IPv6 is disabled.
- The firewall fails "closed": when Tor is disabled, loses connection, or the Whonix-Gateway ™ crashes, no network connections are possible.
- Iptables redirects any traffic from Whonix-Workstation ™ to Tor's ports. Local network connections are dropped. No leaks are possible, assuming the TCB is trustworthy.
- Applications are configured correctly using latest suggestions (correct application and proxy and other privacy settings, Stream Isolation).
- Firewall rules are enforced and prevent accessing the internet directly, thus leaks are prevented in case some application leaks.
- Optionally, Physical Isolation is documented.
- Protocol-Leak-Protection and Fingerprinting-Protection.
- Whonix ™ Secure And Distributed Time Synchronization Mechanism.
- Check.torproject.org is checked (see whonixcheck) anyway, even though we are sure, that there are no leaks.
- Built in update notification for operating system updates, Tor Browser version and Whonix ™ version (see whonixcheck).
- Comprehensive, growing Documentation.
- Comprehensive, growing Technical Design.
- Openness about weaknesses, shortcomings, etc.
- Cryptographically signed binary builds and git source code tags.
Whonix ™ was tested for leaks, see Dev/Leak Tests. All went negative. Additionally, Skype, which is known for it is ability to punch through firewalls, was not able to establish non-torified connections. Also BitTorrent doesn't leak the IP (there is an online bittorrent leak tester), which of course should never be used through Tor (because it chokes Tor nodes), but for leak testing it was welcome. Right now we don't know of any leak tests which leaks the real IP.
Whonix ™ is safe (not affected) from Protocol leaks [archive], like this the ones listed on Security in Real World, Skype, Flash or BitTorrent. This already justifies to use a "no non-Tor connections possible" approach.
See also Security Reviews and Feedback.
When you go ahead now, and ask in a hacker forum, they probably won't spread a simple method to get the real IP of Whonix-Workstation ™. On the other hand, if you run an intelligence service and have 100.000 $ left over, you can announce something like "find a new exploit in Tor's SocksPort and get 100.000 $". Qualified people start looking into it and might find something.
Does Whonix ™ / Tor Provide Protection from Advanced Adversaries?
Whonix ™ cannot provide protection against advanced attack tools [archive] which have the capability to penetrate all types of OSes, firewalls, routers, VPN traffic, computers, smartphones and other digital devices. Implants are capable of surviving across reboots, software / firmware upgrades and following the re-installation of operating systems. 
Once infected in this way, it is virtually undetectable and no solution can be readily found, except throwing away the hardware and moving on from the targeted physical / network location. Encryption, Tor / Tor Browser, other anonymity tools, "secure" hardware configurations and so on are helpless against these attacks, which are increasingly automated and being scaled up in size. For example, the American IC prefers using the TURBINE [archive] system for this purpose.
- Exfiltrate or modify information / data including removable flash drives (SALVAGERABBIT).
- Log keystrokes or browser history (GROK, FOGGYBOTTOM).
- Surreptitiously turn on cameras or microphones (CAPTIVATEAUDIENCE, GUMFISH).
- Exploit VPN and VOIP data (HAMMERCHANT, HAMMERSTEIN).
- Block certain websites (QUANTUMSKY).
- Corrupt downloads (QUANTUMCOPPER).
- Present fake or malware-ridden servers (FOXACID, QUANTUMHAND). 
- Launch malware attacks (SECONDDATE).
- Upload and download data from an infected machine (VALIDATOR).
- Detect certain targets for attack (TURMOIL). 
- Collect images of computer screens (VAGRANT).
- Collect from LAN implants (MINERALIZE).
- Image the hard drive (LIFESAFER).
- Jump air-gaps (GENIE).
- Inject ethernet packets onto targets (RADON).
- And much, much more [archive].
The take-home message is that current hardware and software solutions provide multiple attack vectors which are impossible to completely close. Air-gapped solutions which have never been connected to the Internet may provide security for targeted individuals, but Internet-connected devices should be considered completely unsafe.
Users should be aware that passive surveillance systems will attempt to intercept, record, categorize and attribute all data that can be feasibly collected, including straight off the Internet backbone. These systems are designed to hoover up everything, irrespective of whether it is browsing history, emails, chat / video, voice data, photographs, attachments, VoIP, file transfers, video conferencing, social networking, logins, or user activity meta-data.
Consistent use of anonymous handles, strong encryption, Tor / Tor Browser and world class open source anonymity tools and platforms may provide partial protection against passive surveillance programs [archive], such as:
Be aware that this claim comes with an important caveat - it depends on whether Tor (and other software / hardware solutions) provide adequate protection or not [archive]. The answer to that question is not clear. Whonix ™ has adopted a skeptical mindset and only makes conservative claims, because it is impossible to prove a negative. For a related statement about advanced adversaries, refer to the following technical introduction.
Can Certain Activities Leak DNS and/or the Real External IP Address / Location?
No activity conducted inside Whonix-Workstation ™ can cause IP/DNS leaks so long as Whonix-Gateway ™ is left unchanged or only documented changes are made like configuring bridges, establishing onion services and running updates.
However, certain behaviors can degrade anonymity or inadvertently expose a user's real identity or location. For instance:
- Do not confuse pseudonymity with anonymity.
- Avoid activities that risk de-anonymization.
- Avoid major networking changes like using non-Tor, secondary DNS resolvers or establishing permanent Tor exit relays. 
In the past, a number of ideas have been put forward to try and make Whonix ™ an amnesic system:
- Shredding the Whonix ™ hard disk images.
- Having a zip archive of Whonix ™ hard disk images and restoring them every time Whonix ™ is used.
- Restoring a fresh snapshot every time Whonix ™ is used.
- Running Whonix ™ completely in ramdisks [archive].
- Using full disk encryption.
- And so on.
Unfortunately, none of these methods are a substitute for a true amnesic system. Amnesic live systems have a superior design insofar as sensitive (or unencrypted) data is never stored on storage media in the first place. It is manifestly unsafe to try and deal with data by wiping it after it has already been stored, so this is a poor design principle to implement.
Using full disk encryption is still useful to protect against forensic analysis, but in some parts of the world this is illegal or draws unwanted attention. Therefore, full disk encryption is not an applicable stopgap for some Whonix ™ users and this cohort requires an amnesic version of Whonix ™ in all instances.
The reader should always be cautious regarding claims made about the ability to defeat disk forensics. For example, the Whonix ™ team are not experts in matters related to:
- HDD/SSD swap space.
- Computer forensics [archive]. 
- Data remaining on USBs and SSDs after "secure" erasing [archive].
- Wear leveling [archive].
- The possibility of ordinary hard disks sometimes marking sectors as bad and never releasing their data. 
- Data traces that may be left on disk by Tor Browser [archive] on the macOS, Linux and Windows platforms.
- Other related forensic capabilities [archive].
Even carefully designed setups fail to approach the efficiency of an amnesic system. At a bare minimum, before any strong claims can be made about anti-forensics, the following steps should be undertaken:
- Make an image of the HDD/SSD.
- Run Whonix ™ and perform a range of normal user activities.
- Make another image of the HDD/SSD.
- Compare the images.
Unless these basics steps are performed, the setup may seem ingenious but fail against contemporary forensic tools. Users concerned about local forensics should at least use full disk encryption. When established open source encryption solutions like Linux dmcrypt are used correctly, they live up to their promises. However, always remember this approach is inferior to an amnesic system, particularly if the user can be forced to surrender their password under certain circumstances. If that is a legitimate concern, then Whonix ™ may not be the right tool and alternatives like Tails [archive] should instead be investigated.
Why are Whonix ™ Images so Large?
From Whonix ™ 14:
- zerofree has been used to reduce the size of the Whonix-Gateway ™ from 1.7 GB to 850 MB, while the Whonix-Workstation ™ is reduced from 2 GB to 1.1 GB. 
- A headless, cli-only version of Whonix ™ is available.
This is still larger than other "Tor-VM" or "Tor-LiveCD/DVD" projects, which sometimes depend on specially "stripped-down" or minimal distributions like TinyCore [archive], DSL [archive] and Puppy Linux [archive].
Live Operating System
Is there Something like Whonix ™ Live?
Non-Qubes-Whonix ™ users can optionally run Whonix ™ as a live system. Booting into live mode will make all writes go to RAM instead of the hard disk. Everything that is created / changed / downloaded in the VM during that session will not persist after shutdown. This also holds true for malicious changes made by malware, so long as it did not break out of the virtual machine.
Is there a Whonix ™ Amnesic Feature / Live CD / Live DVD? What about Forensics?
As noted in the previous entry, Whonix ™ allows Non-Qubes-Whonix ™ users to optionally run Whonix ™ as a live system. Writes go to RAM instead of the HDD/SSD, meaning everything that is created, changed or downloaded in the VM during that session does not persist after shutdown. However, neither Non-Qubes-Whonix ™ or Qubes-Whonix ™ offers an amnesic system at the time of writing. This might change in future.
Will there be a Whonix ™ Live CD or DVD?
This might change in future with the availability of a Whonix ™ host operating system and Live DVD / USB. 
Another promising long term possibility may be running Qubes-Whonix ™ on Qubes OS [archive] Live DVD/USB, which is currently in Alpha [archive].  Unfortunately, at the time of writing Live-mode is no longer supported or maintained by Qubes.  Nevertheless, if this is further developed in the future, only limited changes are required on the Whonix ™ side. The primary responsibility for hardware support and Live operating system development rests upon Qubes developers, with whom the Whonix ™ team has a strong, collaborative, working relationship.
For something roughly similar see Qubes DisposableVMs.
- https://en.wikipedia.org/wiki/Information_leakage [archive]
- https://en.wikipedia.org/wiki/Data_breach [archive]
- Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
- To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
For reader interest: If DNS settings on Whonix-Gateway ™ are changed in
/etc/resolv.conf, this only affects Whonix-Gateway ™ own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own Tor
SocksPort(see Stream Isolation).
Whonix-Workstation ™ default applications are configured to use separate Tor
SocksPorts(see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example
nslookup- will use the default DNS server configured in Whonix-Workstation ™ (via
/etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™
/etc/resolv.confdoes not affect Whonix-Workstation ™ DNS requests.
-  [archive]
- https://en.wikipedia.org/wiki/Personally_identifiable_information [archive]
- [https://en.wikipedia.org/wiki/Backdoor_(computing) [archive] https://en.wikipedia.org/wiki/Backdoor_(computing) [archive]
- https://en.wikipedia.org/wiki/Vulnerability_(computing) [archive]
-  [archive]
- Whonix ™ uses three components when using physical isolation, non-virtualization. Whonix-Workstation ™, Whonix-Gateway ™ and Tor
- https://en.wikipedia.org/wiki/Hypervisor [archive]
- https://en.wikipedia.org/wiki/Platform_virtualization [archive]
- https://en.wikipedia.org/wiki/Tor_(anonymity_network) [archive]
- For example, BIOS is a favorite target of IC operatives for persistence.
- https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/ [archive]
- https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html [archive]
- https://www.schneier.com/blog/archives/2013/10/code_names_for.html [archive]
- A popular attack against Tor Browser users.
- This relies on selector types like machine IDs, attached devices, cipher keys, network IDs and various user-specific leads such as cookies.
- Both of these methods shift trust to a single provider, rather than distributing it. In the case of the DNS resolver, it may lead to identity correlation or weaken safeguards against potentially hostile applications; for example, see Skype.
- Developers have a basic understanding and just know to be cautious.
- This issue requires further investigation.
- https://phabricator.whonix.org/T790 [archive]
- See also: https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/IQdCEpkooto#!topic/qubes-users/IQdCEpkooto [archive]
- https://www.qubes-os.org/downloads/ [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)