First time user?[edit]

The default username is: user The default password is: changeme

Warning: If you don't know what a metadata or a man-in-the-middle attack is. If you think nobody can eavesdrop on your communications because you are using Tor. If you have no idea about how Whonix works. Then, have a look at the About, Warning and Do Not pages to make sure that Whonix is the right tool for you and you understand well its limitations.

Download Whonix[edit]

Version: 9.6

Note: You need to download both Gateway and Workstation virtual machine images.

	Whonix-Gateway (1.5 GB)	Whonix-Workstation (1.6 GB)	Anonymous Download possible [1]	Download Security without Verification	Download Security with Verification
[2] [3]	Download Easy	Download Easy	Yes [1]	Very Low [4]	High [5]
	OpenPGP Signature ( sha512)	OpenPGP Signature ( sha512)	Yes [1]	-	-
	Verify the images using the Signing Key		Yes [1]	-	-
[6]	Torrent Download	Torrent Download	No	Medium [7]	High [5]
[8]	Onion Download	Onion Download	Yes [1]	Low	High [5]
	Build from source code		See Build Anonymity	Very High [9]	Best [9] [10]

Verify the Whonix images[edit]

It is important to check the integrity of the virtual machine images you downloaded to make sure no man-in-the-middle attack or file corruption happened. (See Download Security.)

Warning: Do not continue if verification failed! You risk using infected or erroneous files! The whole point of verification is to confirm file integrity.

Whonix virtual machine images are cryptographically signed using OpenPGP^[11] by Whonix developer Patrick Schleizer.

If you know how to use an OpenPGP key, download the Whonix Signing Key and the Whonix signatures straight away.

Otherwise, follow the instructions:

• For Linux: Ubuntu, Debian, Whonix, etc. using kgpg
• For Linux: using the command line
• For Windows
• For Mac

Install Whonix[edit]

Before installing[edit]

Read and apply the Security Advice.

Install[edit]

• Install VirtualBox.
  • Windows: Download VirtualBox and install. ^[12]
  • Linux and others: sudo apt-get install virtualbox linux-headers-$(uname -r) to install virtualbox.
• Download Whonix and import both Whonix images^[13] into VirtualBox. Do not change any settings when importing!

In case you need help[edit]

There is a tutorial with screenshots, see VirtualBox import instructions.

There are also Video Tutorials.

If you still need help, please check the Support page.

After installing[edit]

Read and apply the Post Install Advice.

Stay tuned[edit]

Introduction[edit]

Reading the latest news is important to stay on top of latest developments. Should security vulnerabilities ever be found in Whonix, any major issues (such as with the updater) happen or should an improved version be released, you should be informed.

Whonix News Blogs[edit]

For your convenience, there are multiple choices to get news. Choose at your preference.

1. Whonix Important Blog - Most important stuff only. Security vulnerabilities and new stable versions only. For people with very limited time and interest in Whonix development and news.
2. Whonix Feature Blog - Includes everything from Whonix Important Blog. Also testers-only and developers versions are announced. Has a relaxed posting policy. Also blog posts about updated articles, new features, future features, development, call for testing, general project thoughts and so on will be published.
3. Other choices. ^[14]

It's recommended at least to read Whonix Important Blog if you are in a hurry. Have a look into Whonix Feature Blog if you are generally interested to learn about anonymity/privacy/security related things or to see what's going on with Whonix.

Operating System Updates[edit]

You should regularly check for operating system updates on your host operating system, on Whonix-Workstation and on Whonix-Gateway as highly recommended in the Security Guide.

Tor Browser[edit]

whonixcheck

There is no auto-update feature for Tor Browser. You will be notified about new Tor Browser versions by whonixcheck. Tor Browser's built in update check mechanism also works in Whonix. For instructions how to update the browser, see Tor Browser. Additionally it might also be wise to subscribe to https://blog.torproject.org for news.

Whonix Version Check and Whonix News[edit]

Whonix Version Check (first rectangle in black) and
Whonix News
(second rectangle in green)

Furthermore you will be automatically notified about new Whonix versions by Whonix Version Check and about the most important occurrences^[15] by Whonix News, both of which are part of whonixcheck.

Social Media Profiles[edit]

There are some Whonix Social Media Profiles, but please don't rely on them for getting Whonix News and please don't use them to contact Whonix developers. (See Contact for contact information.)

Because some people will do so even though it is not recommended, messages from the Whonix Feature Blog will be automatically mirrored to Whonix Twitter Profile, to Whonix Facebook Profile and to Whonix Google+ Profile.

If you won't get into trouble by letting others learn about Whonix, feel free to follow or like those profiles (with your anonymous account) as a little way to Contribute. You can share this page on: Twitter | Facebook | Google+.

Source Code[edit]

In case you are interested in Whonix source code updates, subscribe to code changes.

Known bugs[edit]

Normal[edit]

KEYEXPIRED Error[edit]

You might see this error when attempting to update existing Whonix versions (build version 9.4 and below.)

W: GPG error: http://sourceforge.net wheezy Release: The following signatures were invalid: KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449064 KEYEXPIRED 1421449659

To fix this issue, open a terminal

fpr="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
gpg --recv-keys "$fpr"
gpg --fingerprint "$fpr" 
gpg --export "$fpr" | sudo apt-key add -

Then update your system as usual.

After that you will be able to update Tor Browser as well.

It will be fixed out of the box in Whonix 9.6 and above.

Forum support thread:
https://www.whonix.org/forum/index.php/topic,892

Tor Browser Startup Issues[edit]

This has been fixed out of the box in Whonix 9.3 and above.

After the upgrade to Tor Browser 4.x, it can be no longer started.

Whonix's stable repository contains a fix. Upgrade. After upgrading, reboot is required. ^[16]

Forum discussion:
https://www.whonix.org/forum/index.php/topic,636.0.html

Connection Issues - Tor stops working after an Upgrade and needs a Workaround[edit]

This is fixed in Whonix 9.2 above.

In Whonix 9... When upgrading to Tor 0.2.5.8-rc-1~d70.wheezy+1 (using sudo apt-get dist-upgrade) in Whonix 9, your Tor connection may go down. There is a workaround.

Open /etc/apparmor.d/local/system_tor.

## If you are using a graphical Whonix-Gateway, use:
kdesudo kate /etc/apparmor.d/local/system_tor

## Or alternatively, if you are using a terminal-only Whonix-Gateway, use:
sudo nano /etc/apparmor.d/local/system_tor

Scroll down until you see.

/usr/bin/obfsproxy rix,

Comment out (by adding a # in front of it).

#/usr/bin/obfsproxy rix,

Then reboot.

sudo reboot

You should keep that in mind. When Whonix fixes that bug, you'll get an interactive dpkg conflict resolution dialog. This is explained in Security Guide#Updates. Just choose to install the new /etc/apparmor.d/local/system_tor file then.

Forum discussion:
https://www.whonix.org/forum/index.php/topic,559.0.html

Mounting (CD/DVD) Devices[edit]

You can use the following workaround.

sudo mkdir /mnt/cdrom

sudo mount /dev/cdrom /mnt/cdrom/

The following message.

mount: block device /dev/sr0 is write-protected, mounting read-only

Is expected. (It's normal that CD/DVD's are mounted read-only.)

Help fixing this bug is welcome! (github ticket)

VLC / Video Player Crash[edit]

You can use this workaround.

VLC -> Tools -> Preferences -> Video -> Output -> X11 -> Save

Minor[edit]

AppArmor Warning during Boot[edit]

If you wonder during boot about following warning.

Warning /etc/apparmor.d/... network rules not enforced.

This is not a security issue. Whonix installs AppArmor and the apparmor-profiles package by default, but does not enforce AppArmor by default. We are not there yet and Debian also does not enforce AppArmor by default yet either. The apparmor-profiles package gets installed by default for better usability, to make enforcing AppArmor easier. This warning only reflects, that the profile is not enforced by default.

Forum discussion dovecot:
https://www.whonix.org/forum/index.php/topic,668

Debian bug report:
please provide an option to hide or deactivate all the noisy, scary warnings during boot

libtorsocks Warning[edit]

During running apt-get dist-upgrade, you may see a warning similar to the following one.

15:36:37 libtorsocks(12225): sendmsg: Connection is a UDP or ICMP stream, may be a DNS request or other form of leak: rejecting.
Cannot talk to rtnetlink: No such file or directory
acpid: error talking to the kernel via netlink

Sounds scary, but is of no concern. See footnote for technical explanation. ^[17]

"apt-get source package" will show "dpkg-source: warning: failed to verify signature"[edit]

This is not a security issue. It is only a warning. More info here (and in the following mails).

If you want, you can get rid of it with the following workaround.

1. Modify /etc/dpkg/origins/default.

sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/debian /etc/dpkg/origins/default

2. apt-get source package

3. Undo afterwards to prevent unexpected issues.

sudo unlink /etc/dpkg/origins/default
sudo ln -s /etc/dpkg/origins/whonix /etc/dpkg/origins/default

Proxychains Tor Browser Issue[edit]

Want to use proxychains for the connection scheme user -> Tor -> proxy? This currently won't work. For more information, see Tunnel_Proxy_or_SSH_or_VPN_through_Tor#Tor_Browser.

Footnotes[edit]

1. ↑ ^{1.0 1.1 1.2 1.3 1.4} By using the Tor Browser Bundle (TBB). For an introduction, see Tor Browser. See also Hide Tor and Whonix from your ISP.
2. ↑ Unencrypted, unauthenticated http.
3. ↑ Fallback mirror if the current one is unaccessible, try this one: http://whonix.thecthulhu.com
4. ↑ Man-in-the-middle attacks could poison the download.
5. ↑ ^{5.0 5.1 5.2} It does not matter if you did the bulk download over an insecure channel, if you use OpenPGP verification at the end.
6. ↑ Torrent clients known to work: transmission, Vuze, Deluge. Check this clients table. If nobody is seeding at the time, only clients with the "as" feature can be used, because we are providing a webseed.
7. ↑ It's at least as secure as SSL and SHA-1, better than plain http. This is because you get the torrent file or magnet link over https and the torrent/magnet client checks the SHA-1 checksum at the end. Using OpenPGP verification would be safer.
8. ↑ You to download over Tor to be able to download using .onion.. For example, using either the Tor Browser Bundle, Whonix, Tails, etc. for download.
9. ↑ ^{9.0 9.1} When you build from source code, audit the source code for being non-malicious and reasonably bug free, you do not have to Trust the developers, the website or the SSL certificate authorities.
10. ↑ By additional verification that you got the source code from the original authors and by ensuring you're using the same source code as others you get better security.
11. ↑ OpenPGP is a standard for data encryption that provides cryptographic privacy and authentication through the use of keys owned by its users.
12. ↑ You could alternatively search for Portable VirtualBox.
13. ↑ You need both Whonix-Gateway.ova and Whonix-Workstation.ova images. Whonix is a two machine setup.
14. ↑ Other choices.
    • Whonix Important Blog RSS
    • Whonix Feature Blog RSS
    • subscribe to Whonix Blog by e-mail (when you are registered at Whonix Blog, you can choose to which categories you want to subscribe)
    • Whonix Blog posts are mirrored to Whonix User Forum You could subscribe by e-mail or by rss (recent posts or recent topics [more rss options]).
    • Whonix Blog posts are mirrored to Whonix Development Mailing List
    • Whonix Social Media Profiles
15. ↑ Such as when a version becomes unsupported, if manual action is required, if major features break, or if security vulnerabilities are found. The policy is to use Whonix News as rarely as possible.
16. ↑ So anon-ws-disable-stacked-tor environment variables changes take effect to fix the ControlPort quotes warning.
17. ↑ This is because in order to implement Stream Isolation, Whonix's apt-get uwt wrapper forces apt-get through torsocks. Unfortunately, not only apt-get is forced through Tor, but also sysvinit and subsequently all daemons sysvinit is restarting. acpi_fakekey daemon uses local connections. Those will be rejected by torsocks. The worst that can happen is that acpi_fakekey won't operate until manually restarted. This is a bigger issue for web servers and alike, because those may not function until manually restarted. This will likely be fixed as soon Whonix will be based on Debian jessie, because that uses systemd, that is not effected by this as well as torsocks 2.0 may solve this.

License[edit]

Whonix Download wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Download wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.