Last update: March 17, 2019.




Alternative Operating Systems

Why isn't OpenBSD Used?

This FAQ entry addresses the suggestion that Whonix ™ should be based on OpenBSD rather than Debian. The opinion provided below is based on the perspective of Whonix ™ developers. [1]

The OpenBSD FAQ states: source (w)

OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.

The landing page for OpenBSD also claims: [2]

Only two remote holes in the default install, in a heck of a long time!

These contentions are debatable and raise the question, "Who are those many security professionals, and how thoroughly is the code reviewed?".

According to (w), OpenBSD has very few users. Although bsdstats is not representative of the total population of OpenBSD users due to the opt-in data collection program, 17 users at the time of writing is a very small figure. By comparison, TrueOS has 9,172 users in early 2018.

If OpenBSD cannot attract a critical mass of users, then ordinary crackers, hackers and the security research community are unlikely to gravitate to the distribution in contrast to more popular operating systems. At the same time targeted attacks become easier, because people who are paid to find exploits can find them more easily. Limited human resources inevitably means the code will remain more vulnerable to security flaws, since they are less likely to be identified.

As an example, see security vulnerability - NTP not authenticated. This six year old bug affects everyone using the distribution, but it does not appear anyone is stepping forward to fix it. The suggested solution was to authenticate the connection to the NTP server, but this would not be possible in Whonix ™ for several reasons. The Whonix ™ design focuses on distributing trust and not using only one NTP server. Further, Whonix ™ depends on free services which are available to anyone, ruling out a solution that requires a personal server. Even if Whonix ™ used authenticated NTP, it has been pointed out [3] that the clock could not be moved more than 600 seconds. This is better than nothing, but still inadequate for adversaries who are capable of moving the clock more than 600 seconds, harming anonymity/privacy in the process (see Dev/TimeSync for further details).

In addition, previously the OpenBSD website was not reachable over SSL. [4] Therefore, at that time users were unable to securely view the OpenBSD site, since a man-in-the-middle attack would have been trivial to perform.

OpenBSD simply lacks innovative security improvements which are available in modern platforms like Qubes OS, despite their grandiose claims.

Why isn't FreeBSD Used?

This FAQ entry addresses the suggestion that Whonix ™ should be based on FreeBSD rather than Debian. The opinion provided below is based on the perspective of Whonix ™ developers. [5]

It is difficult and time consuming to try and list all the disadvantages of using FreeBSD, such as highlighting non-existent security features. The onus is on FreeBSD proponents to manually search for relevant features (or lack thereof) and present an objective case for its adoption.

To avoid presenting information that will quickly become out-of-date or that may insult FreeBSD adherents, it is better to avoid definitive security statements and instead ask appropriate questions which might affect the usability, security, anonymity and wide-scale adoption of Whonix ™. For instance:

  • Does FreeBSD have a secure-by-default update mechanism?
  • By default, will every (new) user download come from an existing signed repository?
    • If not, what special settings are required?
    • Are users expected to run their own repository?
  • Does FreeBSD defend against outdated metadata; for example, can a man-in-the-middle use a roll back or freeze attack against the repository?
  • Does FreeBSD defend against various attacks on package managers? (w)
  • Does FreeBSD defend against attacks on the software update process by using the TUF threat model (w)?
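As an added illustration of what the rollback and freeze questions above ask for (example code written for this page, not FreeBSD's, TUF's or Whonix ™'s own update tooling): a client-side check over signed repository metadata that carries a version number and an expiry time. An HMAC with a constructed key stands in for the repository's public-key signature so the block runs offline; the scenario names, timestamps and key are all constructed.

```python
"""Client-side checks against rollback and freeze attacks on update metadata.

Added example, not FreeBSD's, TUF's or Whonix's code. A TUF-style client keeps
the highest metadata version it has accepted and refuses (a) a rollback, where a
man-in-the-middle re-serves an older but validly signed metadata file, and (b) a
freeze, where the same file is replayed past its expiry so the client never
learns about newer packages. HMAC-SHA256 stands in for the real signature.
"""
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """Raised when metadata must not be trusted; the message names the attack."""


def canonical(meta):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign(meta, key):
    """Stand-in for the repository signature (HMAC-SHA256 over canonical bytes)."""
    return hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()


def verify_metadata(signed, key, last_seen_version, clock):
    """Return the version to record as 'last seen' if the metadata is acceptable.

    signed            : {"signed": {"version": int, "expires": int}, "sig": hex}
    last_seen_version : highest version this client has already accepted
    clock             : the client's idea of the current time (Unix timestamp)
    The signature is checked first, so version and expiry are only trusted once
    we know the repository actually produced them.
    """
    meta = signed["signed"]
    if not hmac.compare_digest(sign(meta, key), signed["sig"]):
        raise UpdateRejected("bad signature: metadata altered or not from the repository")
    if meta["version"] < last_seen_version:
        raise UpdateRejected("rollback: version %d is older than the last seen %d"
                             % (meta["version"], last_seen_version))
    # The freeze check rests entirely on the client's clock: an adversary who can
    # move that clock backwards makes expired metadata look current again, which
    # is why this page treats a correct host time as part of update security.
    if clock > meta["expires"]:
        raise UpdateRejected("freeze: metadata expired at %d but the clock says %d"
                             % (meta["expires"], clock))
    return meta["version"]


def run_scenarios():
    """Exercise the verifier on constructed inputs; returns one outcome per scenario."""
    key = b"constructed-repository-signing-key"        # constructed, not a real key
    now = 1_700_000_000                                 # constructed client clock
    fresh = {"version": 42, "expires": now + 86_400}    # current, valid for a day
    stale = {"version": 41, "expires": now - 3_600}     # yesterday's, already expired
    tampered = {"signed": {"version": 43, "expires": now + 86_400},
                "sig": sign(fresh, key)}                # body edited, signature not
    cases = {                   # name: (metadata as received, last seen, client clock)
        "fresh":        ({"signed": fresh, "sig": sign(fresh, key)}, 41, now),
        "rollback":     ({"signed": stale, "sig": sign(stale, key)}, 42, now),
        "freeze":       ({"signed": stale, "sig": sign(stale, key)}, 41, now),
        "tampered":     (tampered, 41, now),
        "skewed_clock": ({"signed": stale, "sig": sign(stale, key)}, 41, now - 7_200),
    }
    outcomes = {}
    for name, (signed, last_seen, clock) in cases.items():
        try:
            outcomes[name] = "accepted version %d" % verify_metadata(signed, key, last_seen, clock)
        except UpdateRejected as exc:
            outcomes[name] = "rejected: %s" % exc
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-12s %s" % (name, outcome))
```

The skewed_clock scenario shows the expired file being accepted once the client clock is moved back two hours, which is the link between this question and the Clock Skew section further down.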

Research which might provide a strong case for FreeBSD does not exclude the possibility of weaknesses or missing security features. The best way to determine the strength of the platform and its relative resilience is to directly ask the developers of that project. Honest replies can reasonably be expected from vibrant, open source communities. The only problem is that the Linux/BSD ecosystems have hundreds of distributions, and it is a daunting prospect to rank their merits in this way.

Ultimately, the burden of proof falls on FreeBSD advocates (and not Whonix ™ developers) to prove that it is the most secure distribution available. Properly researched contributions that answer the questions above would be a good start, along with possibly approaching FreeBSD developers directly. Alternatively, research into why various aforementioned protections are not necessary to improve security would also be welcomed. Until claims about FreeBSD are substantiated, one should not take offense that it has not already been adopted.

Why isn't OpenWRT Used?

OpenWRT is not used for the same reasons outlined above. Further, in early 2018 OpenWRT does not have signed packages.

Why isn't SubgraphOS Used?

There are several reasons why Whonix ™ has decided not to use the Subgraph project platform.

Table: Whonix ™ Rationale

Domain Reasoning
  • Future Roadmap: Basing Whonix ™ on Subgraph would tie our future to the viability of another project. It is not ideal to rely on an OS in alpha status, particularly when the Debian alternative is rock solid and has decades of development behind it.
  • Features: Subgraph has some undesirable feature additions that add no value. Whonix ™ cannot benefit from Subgraph's manpower if the goals for the development roadmap are fundamentally different.
  • Bugs: The plentiful Subgraph bugs would become Whonix ™ bugs and developers would depend on them for fixes.
  • Programming Language: Subgraph chose different programming languages (like Golang) that are unfamiliar to lead Whonix ™ developers, making customization or modification very difficult.
  • Desktop Environment: Whonix ™ Developer HulaHoop has noted that Subgraph features completely rely on the GNOME desktop environment. This is undesirable because it is visually unappealing, has an over-simplified interface and would require any "cloud integration" elements to be removed. Configuring GNOME to approach the specifications already achieved in Whonix ™ would require a lot of effort. [6]
Source Code / Software:
  • Code Availability: No full source code release to date (mid-2019). [7] [8]
  • Packaging: The publicly available software exists in a form that is not easily packaged. This would pose a significant maintenance burden for the Whonix ™ team.
  • Constraints: Arbitrary limitations are in place, such as repository choices. This can of course be changed, but it is an example of wasted effort in patching the base OS to adapt to our vision.
  • Meta-packages: There is no Subgraph meta package that can be installed using "sudo apt-get install subgraph-os" / "debootstrap Subgraph OS" in order to convert vanilla Debian into Subgraph OS. [9]
Collaboration: To date, there has been no cooperation from the Subgraph project developers to correct any of the issues outlined in this section.

Clock Skew / Time Synchronization

How Do I Fix an Incorrect Host Clock?

As noted in the wiki:

When the user powers on Whonix-Gateway ™ and the host time is grossly inaccurate, it will not be able to connect to the Tor network. After booting Whonix-Gateway ™, it is recommended to check that the host time is no more than 1 hour in the past or more than 3 hours in the future, otherwise Tor cannot establish circuits.

In Whonix ™, a correct host time is also critical to prevent or partially mitigate TimeSync Attacks such as: [10]

  • Presenting outdated or vulnerable updates and https certificates.
  • Potential deanonymization when connected to more than one adversary-controlled website.
  • Linking of all sessions to the same pseudonym.

Users experiencing Tor connection problems in Whonix ™ should follow these instructions to set a correct host and/or Whonix-Gateway ™ clock.

Compromise Indicators

Am I Compromised?

If the user notices trivial changes on their system - such as a duplicate desktop icon - it is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in Arm, then it is more likely a harmless bug and/or usability issue rather than a compromise.

Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario and virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (malware building toolkits) is unlikely to be discovered by cursory inspections. [11] Rootkit technology is no doubt a standard feature of the various programs.

Strange files, messages or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddies ("skiddies") are unskilled attackers who use scripts or programs to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen or BSD platforms. [12] Sophisticated attackers generally avoid detection, unless the user is unlucky enough to be a victim of Zersetzung (a psychological warfare technique).

Every forum post and support request requires time that could otherwise be directed to Whonix ™ development. Unless the user believes there is a serious and credible problem, there is no need for a new post. Developers and the Whonix ™ community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Whonix ™ developers.

If you are reading this page, then it is safe to assume being anonymous (less unique), and remaining so is of great interest. Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result [13] is a false positive, regression, known or unknown issue.

To date, none of the various leak testing websites running inside Whonix-Workstation ™ were ever able to discover the real (external), clearnet IP address of a user during tests. This held true even when plugins, Flash Player and/or Java were activated, despite the known fingerprinting risks. Messages such as "Something Went Wrong! Tor is not working in this browser." [14] (from about:tor) or "Sorry. You are not using Tor." (from are in most cases non-issues. If the real, external IP address can be revealed from inside Whonix-Workstation ™, then this would constitute a serious and heretofore unknown issue (otherwise not).

It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Whonix development is hindered. Users valuing anonymity don't want this, otherwise this would violate the aforementioned assumption.

If something is identified that appears to be a Whonix ™-specific issue, please first read the Whonix Free Support Principle before making a notification.



Can I Use DNSCrypt in Whonix ™?

DNSCrypt is possible in Whonix; see Secondary DNS Resolver. [15]

Why not Use DNSCrypt by Default in Whonix ™?

DNSCrypt may have good use cases for clearnet activities. However, it is not useful in Whonix ™ and therefore should not be installed and activated by default for everyone. Although some users may have high expectations, DNSCrypt does not magically solve all DNS-related security issues, nor does it implement end-to-end DNS encryption to the destination server. [16] Most important of all, the server will still see all DNS requests in cleartext. [17]

There are several other reasons why DNSCrypt is not activated by default. Firstly, Tor distributes trust because the DNS server changes as circuits are rotated. For pre-installed applications, circuits are also stream-isolated and change every ten minutes by default. Notably, in early 2018 there are 78 open resolvers that support the protocol.

Public resolvers supporting DNSCrypt have not yet acted in a way to cause mistrust. However, even if the operators were absolutely trustworthy, complete confidence is also needed in their servers - it is unwise to let the DNS security for all Whonix ™ users depend on a few servers. Another consideration is load balancing. If Whonix ™ relied upon a DNSCrypt supporting server by default, DNS would break for all users if that server ever decided to forbid connections from the Tor network [18] or if the servers went down for maintenance.

For more detailed information about DNSCrypt, refer to these related forum posts.

Can I Use DNSCrypt on the Host or Router for Clearnet?

This configuration is possible; read the next section before proceeding.

Does DNSCrypt on the Host or Router Harm Anonymity when Using Tor / Whonix ™?

The short answer to this question is no. The longer answer is DNSCrypt on the host or in the router only affects clearnet activities. Tor assumes in advance that a user's local network and ISP are completely unsafe and untrustworthy. Tor and Whonix ™ are unaffected by DNS settings that are made on the host or in the router.

It is debatable whether DNSCrypt is useful or not for clearnet activities since there are various pros and cons. It is useful when using foreign or untrusted Wi-Fi networks that are shared with others, since DNS requests could potentially be modified or read. That said, trust is just shifted from the ISP to a DNSCrypt-supporting DNS server, such as OpenDNS. If the DNS server supporting DNSCrypt leaks a user's network address and/or logs queries as part of their business model, then it might actually be worse than using the ISP! It is hard to mount an argument for which party is more trustworthy, the ISP or a third party provider.

Linux Distributions

Is the Linux User Experience Comparable to Commercial Operating Systems?

When users interact with a Linux operating system like Whonix ™, they come with certain expectations in regards to their overall experience. For the majority, expectations are based on their familiarity with Windows or macOS, since they dominate the desktop and laptop markets. [19] These commercial platforms pre-install a wide variety of popular and fully-featured applications, while the graphical user interface (GUI) is easy to use and intuitive. As a consequence, the seamless integration of new system software packages is the rule rather than the exception.

Windows and macOS users are now accustomed to an integrated experience where "everything just works". Attempts to provide Linux users with an equivalent experience have proven to be very difficult and the problem seems insurmountable. Many find the Linux GUI difficult to use and counterintuitive. There are software applications that are similar in design to those found in Windows or macOS, but they often lack many of the same features [20] or do not fully integrate with other packages. For newcomers to Linux, it might be difficult to understand how applications with similar design goals can have vastly different cross-platform functionality. Only by comparing the structural differences between a typical corporate hierarchy and a Linux distribution's collaborative effort can the discrepancies be explained.

The following table provides a simplified comparison of the major organizational structural differences.

Table: Linux Distribution vs. Commercial Operating System

  • Software
    • Linux Distributions: Based on packages from many independent projects which develop software according to their own design goals.
    • Commercial Operating Systems: Centralized (in-house) development with unified design goals.
  • Funding Sources
    • Linux Distributions: Donations, volunteer payments, grants, corporate sponsorship, professional services.
    • Commercial Operating Systems: Revenue from software licensing. [21] [22]
  • Funding Amount
    • Linux Distributions: Unprofitable; most are underfunded and depend on volunteers.
    • Commercial Operating Systems: Profitable; billion dollar profits are the norm.
  • Authority to Issue Directives
    • Linux Distributions: None; can only ask third party projects nicely.
    • Commercial Operating Systems: CEO issues directives.
  • Human Resources
    • Linux Distributions: Community-based volunteers (limited time and human resources).
    • Commercial Operating Systems: In Windows' case, over 120,000 employees. [23]
  • Popularity
    • Linux Distributions: ~ 1.7 per cent of the desktop operating system market. [24]
    • Commercial Operating Systems: Windows ~ 82 per cent of the desktop operating system market [24]; macOS ~ 13 per cent of the desktop operating system market. [25]
  • User Experience
    • Linux Distributions: Fragmented.
    • Commercial Operating Systems: Unified.

Software Comparison

As shown in the table, Linux distributions are based on many third party projects which develop software according to their own design goals. For instance, an application might be initially developed by a volunteer for Windows and optimized for that platform. Later on, another volunteer joins the project, forks the application and ports it to the Linux platform. When these projects develop software, they do not necessarily prioritize the design goals to suit compatibility with Linux distributions.

Linux distributions can only pick software packages that are already available, meaning the selected packages might fall short of the design goals. Moreover, unlike a traditional company, distributions are not structured with a large number of paid employees. Neither do they have the authority to issue directives to third party projects to make desirable software changes. If a distribution needs package changes from an independent project, there are a few options but they all require time and patience: [26]

  • Try to understand the perspective of the third party project.
  • Politely ask the project if they would be willing to make the changes.
  • Submit code that makes sense from their point of view.
  • Patch and/or fork their software.
  • Use an alternative package from a different project.

In contrast, commercial operating systems are based on software expressly designed to provide a fully-unified user experience. While Linux distributions rely on third party packages, commercial platforms are developed in large companies with a strict corporate hierarchy. In these companies, the CEO can issue a directive to developers to make any change needed to improve the integrated experience. Any developer who lacks the necessary skills or refuses to make changes is likely to be terminated for non-compliance. The human resources department (representing the CEO) will not tolerate delays in software development, as it might threaten profits.

Funding Comparison

Linux distributions are based on Freedom Software which can be used freely by anyone. Without a software licensing fee, options to generate a reliable funding stream for development are severely limited. Unless funding is available to hire a large contingent of full-time employees, it is nearly impossible to provide users with a unified experience. Instead, distributions rely primarily on the goodwill of developers who volunteer their time to integrate and maintain software packages. Without a salary, the time developers can devote to the task is necessarily reduced. Although this problem is attributable to the restricted funding sources available, it has less impact for sizeable or popular distributions due to:

  • Donations or volunteer payment-based funding.
  • Selling professional services such as technical support, training and consulting.
  • Developmental grants.
  • Corporate sponsorship.

On the other hand, proprietary operating systems like Windows are funded through the sale of software licenses and are not limited in their ability to generate funding. Licensing generates billions of dollars in revenue which is used to employ a large number of full-time developers. This in turn allows these employees to focus on developing the software packages from the ground up, while remaining focused on the primary design goal: maintaining and improving the "Windows user experience" that the community has come to expect.

Unified Linux Experience

Based on the preceding sections, it is unrealistic to expect any Linux distribution to provide a user experience identical to Windows or macOS. Linux has gradually improved the quality and consistency of the user experience on various devices, particularly for larger and more popular distributions like Debian, Fedora and Ubuntu. However, it is impossible for most (if not all) distributions to replicate the quality found on commercial platforms. In the case of smaller distributions like Whonix ™, very limited human resources mean it is out of the question. Instead, developers must spend a large portion of their time on core functionality development.


One obvious impact is that Whonix ™ developers have limited time to answer support requests. Therefore, users are recommended to follow the advice outlined in the Free Support Principle chapter before asking for specific help. In addition, users are asked to document any steps that were used to solve problems in the forums and/or wiki, thereby supporting the co-developer concept which has been adopted by the Whonix ™ project. [27]

Live Operating System

Why not Use a Live CD/DVD as the Whonix-Workstation ™ Operating System?

This option was previously discussed in depth and it was decided that Live CD/DVDs are not suitable for Whonix-Workstation ™.

Advantages of Live CD/DVDs:

  • Often actively maintained.
  • Stabilized.
  • Hardened GNU/Linux distribution.
  • Advanced features.

Disadvantages of Live CD/DVDs:

  • No timely security updates.
  • Limited persistence.
  • Inflexible design.
Another serious disadvantage of Live CD/DVDs in the context of an anonymity-oriented OS is that they often have their own method of Tor enforcement included. In Whonix ™, this would result in a Tor over Tor scenario.

Will there be a Whonix ™ Live CD or DVD?

Qubes-Whonix ™

Another promising long term possibility may be running Qubes-Whonix ™ on Qubes OS Live DVD/USB, which is currently in Alpha. [28] Unfortunately, at the time of writing Live-mode is no longer supported or maintained by Qubes. [29] Nevertheless, if this is further developed in the future, only limited changes are required on the Whonix ™ side. The primary responsibility for hardware support and Live operating system development rests upon Qubes developers, with whom the Whonix ™ team has a strong, collaborative, working relationship.

For something roughly similar see Qubes DisposableVMs.

Non-Qubes-Whonix ™

This will not be available in the near future unless a developer steps forward, joins the Whonix ™ team and begins contributing code. Lead Whonix ™ developer Patrick Schleizer has limited knowledge about Live CD/DVD creation and deployment, meaning project completion would be difficult, particularly for hardware support. At the moment Whonix ™ is a rather simple project and many things are delegated upstream. For instance, there are various supported platforms, Debian provides a fine operating system, hardware support is delegated to the host operating system and supported platform, and Tor is providing a world class anonymizer. Another related problem is the large size of the Whonix ™ images at present, making it very difficult to fit neatly on a Live CD/DVD. [30]

A workable alternative for testers is outlined in the next section below.

Is there Something like Whonix ™ Live?

Qubes-Whonix ™ users can look into something roughly similar, see Qubes DisposableVMs.

Non-Qubes-Whonix ™ users can optionally run Whonix ™ as a live system. Booting into live mode will make all writes go to RAM instead of the hard disk. Everything that is created / changed / downloaded in the VM during that session will not persist after shutdown. This also holds true for malicious changes made by malware, so long as it did not break out of the virtual machine.

Alternatively, users can follow the recommendations to run Whonix ™ with the dedicated host operating system installed on external media.


How do I Configure a Bridge?

Instructions for configuring a bridge in Whonix ™ can be found here.

Whonix ™ has Slowed Tor Connections Dramatically!

This is likely an incorrect assumption. Since Whonix ™ does not modify the Tor package directly, nor attempt to improve the Tor routing algorithm, any sudden drop in network speed is almost certainly related to:

  • User (mis)configurations relating to a VPN, proxy or other relevant settings.
  • Tor network anomalies.
  • Tor entry guards which are:
    • Malicious.
    • Overloaded.
    • Under attack.
    • Misconfigured.
  • A change in the Tor guard selection which has resulted in poor throughput due to capacity issues.

Before posting about the issue in forums, first use one of the following two methods to create a test Whonix-Gateway ™ with a different set of guards.

Easy: Whonix-Gateway ™ Clone

This procedure is less useful for Whonix ™ debugging:

  • Create a clone of the slow Whonix-Gateway ™ (sys-whonix) and name it Whonix-Gateway ™-test VM (sys-whonix-test-vm). [31]
    • Virtualbox: follow these instructions to create a VM snapshot.
    • Qubes-Whonix ™: Right-click on sys-whonix, then select Clone VM.
  • Regenerate the Tor State File.
  • Retest the speed of Tor connections.

Moderate Difficulty: Manual Regeneration of the Tor State File

This is more useful for Whonix ™ debugging.

Move (not copy) the Whonix-Gateway ™ Tor state folder to a temporary folder by running the following Konsole commands, so that Tor starts with a fresh state and a new guard set.

sudo systemctl stop tor@default
sudo mv /var/lib/tor /tmp
sudo systemctl restart tor@default

Retest the speed of Tor connections. Afterwards, to restore the Tor state folder to its original settings, run the following Konsole commands.

sudo systemctl stop tor@default
sudo rm -r /var/lib/tor
sudo mv /tmp/tor /var/lib
sudo systemctl restart tor@default

Interpreting the Test Results

There is no guarantee the test VM / new Tor state will be faster. However, if there is a significant difference in speed between the test and normal Whonix-Gateway ™ VMs / Tor state, then this can be attributed to the Tor guards that are normally in use. This also means there is no bug in Whonix ™.

If the test VM / new Tor state does not speed up, the user may have selected Tor guards with poor throughput, or it could be a bug in Whonix ™. Before reporting the problem in the forums, regenerate the Tor state file and test the Tor throughput again. If it is still slow, then this may indicate a Whonix ™ bug or other issue.

It is strongly discouraged to use the Whonix-Gateway ™-test VM / new Tor state (with a new Tor guard set) for activities other than testing, even if it is faster. It is feasible that adversaries might try to induce the user to switch their guards. By switching, the probability that a newly chosen guard set is adversary-controlled increases, aiding end-to-end correlation attacks that deanonymize connections.

Whonix ™ is Preventing Tor from Bootstrapping!

See the entry above. Bootstrapping problems can relate to nation state or ISP censorship of Tor, or relate to the Tor guard in operation. In the latter case, temporarily changing the Tor guard might resolve the issue.

If that is ineffective, users can also:

Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?

The short answer is this option was discussed with The Tor Project and Whonix ™ was granted permission to do so.

Interested readers who want to learn more should review the following:

Can I Speed Up Tor or the Whonix-Gateway ™?

Is there a way to configure the number of nodes in a circuit and to allow selection according to their speeds?

Users who already know how to configure Tor in this fashion using the command line in vanilla Debian can follow the same procedure in Whonix-Gateway ™. This is not an endorsement for making these manual Tor changes because it is not recommended by Tor developers and thus the Whonix ™ team. [33] This is also the reason there are no instructions in the Whonix ™ documentation to manipulate Tor nodes in this way.

That said, if general instructions were found describing how to achieve this on the host, then the same procedure could simply be repeated in Whonix-Gateway ™.

Does Whonix ™ Modify Tor?

Although Whonix ™ does not modify Tor, the configuration file has been adapted for Whonix ™. To inspect the relevant files, check the following on Whonix-Gateway ™: [34]

  • /etc/tor/torrc/ file.
  • /etc/torrc.d folder.
  • /usr/local/etc/torrc.d/ folder.
  • /usr/share/tor/tor-service-defaults-torrc file.

Tor is not patched and the normal Tor deb package is used in Whonix ™ from

Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on [35] If proposed changes are not adopted by The Tor Project, then the option to create a Tor fork [36] is available. Tor has already been forked at least once.

A general Whonix ™ design principle is to keep the Tor process as uniform as possible, in order to simplify any security audits. Diverging from this practice would introduce unnecessary complexity, possibly worsen fingerprinting or degrade anonymity, and limit Whonix ™ discussions to the security impacts of the modified routing algorithm. For these reasons, the Whonix ™ team is strongly disinclined to make any direct changes to the Tor package.

Can Whonix ™ Improve Tor?

As outlined in the previous section, Whonix ™ will not implement any changes to Tor directly and any suggested improvements or bug fixes are proposed upstream on This has already happened on occasion. Creating Whonix ™ is a difficult and time consuming endeavor, so Tor improvements are better left to dedicated, skilled developers who are more knowledgeable in this area.

Skilled coders can always provide upstream patches to Tor, or as a last resort, fork [36] it. Hypothetically, if a fork [36] developed a greater following than the original project due to proven security / anonymity benefits, then Whonix ™ would seriously consider making a switch.

What is Clearnet?

This term has two meanings:

  1. Connecting to the regular Internet without the use of Tor or other anonymity networks; and/or
  2. Connecting to regular servers which are not onion services, irrespective of whether Tor is used or not.

says "Sorry. You are not using Tor."

See Browser Tests.

New Identity and Tor Circuits

The behavior of "New Identity" in the context of TorButton and Arm is often misunderstood. First of all, there are various ways to issue a "New Identity":

In all cases, the "New Identity" function sends the protocol command "signal newnym" to Tor's ControlPort. This clears the browser state, closes tabs and obtains a fresh Tor circuit for future requests. [37]

The impact of "signal newnym" on Tor circuit lifetimes is often misunderstood. "signal newnym" uses a fresh circuit for new connections. Sometimes Tor only replaces the middle relay while using the same Tor exit relay. This is by design and the Tor default. Further, "signal newnym" does not interfere with long-lived connections like an IRC connection.

Interested readers can verify the effect of "signal newnym" as follows:

  1. Open in Tor Browser.
  2. Issue "signal newnym" using Arm.
  3. Reload
  4. In some cases it will still show the same IP address, probably because the browser did not close the connection to in the first place.

Now repeat this experiment with a small modification which should result in a new Tor exit IP address:

  1. Open in Tor Browser.
  2. Issue "signal newnym" using Arm.
  3. Close Tor Browser, then restart it.
  4. Open again and a new Tor exit relay IP address is (likely) visible.

New Identity is not yet perfect and there are open bugs; this is not a Whonix ™-specific issue. "signal newnym" alone is not a guaranteed way to unlink the various protocol states (such as the browser's) so that the user appears as a different identity. [38] Tor Browser's Tor Button New Identity feature attempts this, but it is not yet perfect.

In general, for greater security it is better to completely close Tor Browser and restart it. In Qubes-Whonix ™, the safest option is to use a Whonix-Workstation ™ DisposableVM, close it after critical activities and create a fresh one.
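To make the "signal newnym" mechanism described above concrete, the following is an added example (not Whonix ™ or Tor Project code) of a minimal ControlPort client. It performs the SAFECOOKIE handshake, so the cookie never crosses the control connection, and then sends SIGNAL NEWNYM, which is all that Arm's "New Identity" asks Tor to do. The control-port address 127.0.0.1:9051 and the cookie path /run/tor/control.authcookie are assumptions (check the torrc); the HMAC key strings are fixed by Tor's control-spec. The FakeControlPort class is a constructed stand-in so the exchange can be run and inspected offline.

```python
# Added example: minimal Tor control-port client (SAFECOOKIE + SIGNAL NEWNYM).
# Not Whonix or Tor project code; address and cookie path below are assumptions.
import binascii
import hashlib
import hmac
import os
import socket

COOKIE_FILE = "/run/tor/control.authcookie"  # assumption; see torrc CookieAuthFile
SERVER_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_KEY = b"Tor safe cookie authentication controller-to-server hash"


class ControlError(Exception):
    pass


def parse_reply(raw):
    """Split one reply into (status, [lines]); '250-' lines continue, '250 ' ends."""
    lines = []
    for line in raw.splitlines():
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ControlError("unexpected reply line: %r" % line)
        lines.append(line[4:])
        if line[3] == " ":
            return int(line[:3]), lines
    raise ControlError("reply was not terminated")


def expect_ok(raw):
    code, lines = parse_reply(raw)
    if code != 250:
        raise ControlError("%d %s" % (code, lines[-1]))
    return lines


def safecookie_authenticate(port, cookie):
    """SAFECOOKIE: both sides prove knowledge of the cookie; it is never sent."""
    client_nonce = os.urandom(32)
    reply = expect_ok(port.send("AUTHCHALLENGE SAFECOOKIE " + binascii.hexlify(client_nonce).decode()))
    fields = dict(kv.split("=", 1) for kv in reply[0].split()[1:])
    server_nonce = binascii.unhexlify(fields["SERVERNONCE"])
    msg = cookie + client_nonce + server_nonce
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    # Verify the server's proof first so a rogue listener learns nothing from us.
    if not hmac.compare_digest(expected, fields["SERVERHASH"].lower()):
        raise ControlError("control port could not prove it knows the cookie")
    expect_ok(port.send("AUTHENTICATE " + hmac.new(CLIENT_KEY, msg, hashlib.sha256).hexdigest()))


def new_identity(port):
    """Ask Tor for fresh circuits for new connections. Tor rate-limits NEWNYM
    (roughly one per 10 s, later requests are delayed) and leaves already open,
    long-lived connections untouched, as the FAQ text above notes."""
    expect_ok(port.send("SIGNAL NEWNYM"))
    return True


class SocketControlPort:
    """Transport for a real control port: one command in, one full reply out."""
    def __init__(self, host="127.0.0.1", port=9051):
        self.sock = socket.create_connection((host, port))
        self.f = self.sock.makefile("rw", newline="")

    def send(self, cmd):
        self.f.write(cmd + "\r\n")
        self.f.flush()
        out = []
        while True:
            line = self.f.readline()
            if not line:
                raise ControlError("connection closed")
            out.append(line)
            if line[3:4] == " ":
                return "".join(out)


class FakeControlPort:
    """Constructed stand-in for Tor's control port so the example runs offline."""
    def __init__(self, cookie):
        self.cookie, self.authenticated, self.newnym_count = cookie, False, 0
        self.nonces = b""

    def send(self, cmd):
        verb, _, arg = cmd.partition(" ")
        if verb == "AUTHCHALLENGE":
            server_nonce = os.urandom(32)
            self.nonces = binascii.unhexlify(arg.split()[1]) + server_nonce
            h = hmac.new(SERVER_KEY, self.cookie + self.nonces, hashlib.sha256).hexdigest()
            return "250 AUTHCHALLENGE SERVERHASH=%s SERVERNONCE=%s\r\n" % (
                h.upper(), binascii.hexlify(server_nonce).decode().upper())
        if verb == "AUTHENTICATE":
            want = hmac.new(CLIENT_KEY, self.cookie + self.nonces, hashlib.sha256).hexdigest()
            if hmac.compare_digest(want, arg.lower()):
                self.authenticated = True
                return "250 OK\r\n"
            return "515 Authentication failed: Safe cookie response did not match expected value.\r\n"
        if not self.authenticated:
            return "514 Authentication required.\r\n"
        if cmd == "SIGNAL NEWNYM":
            self.newnym_count += 1
            return "250 OK\r\n"
        return '510 Unrecognized command "%s"\r\n' % verb


if __name__ == "__main__":
    with open(COOKIE_FILE, "rb") as fh:
        live = SocketControlPort()
        safecookie_authenticate(live, fh.read())
        new_identity(live)
        print("SIGNAL NEWNYM accepted")
```

Run against a real Tor, the script only sends the signal; repeating the experiment above (reload the check page, then close and restart Tor Browser) still shows which connections actually moved to the new circuits. On Whonix-Gateway ™ such a client would normally talk to the onion-grater filter rather than the raw ControlPort, which is exactly why only whitelisted commands like SIGNAL NEWNYM get through.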


Why Should I (not) Trust Whonix ™?[edit]

See Trust for a long answer.

User Support and Input[edit]

Feedback and Suggestions[edit]

The Whonix ™ project is highly receptive to genuine feedback and suggested improvements from users. Software projects flourish from community input and every suggestion is noted and considered.

The Whonix ™ community is asked to remain patient. The development cycle involves a number of competing priorities and challenges which must be overcome to achieve ambitious roadmap goals. Further, there is also an existing backlog of unresolved bugs and feature requests to address.

As Whonix ™ resources grow over time, development activity and responsiveness to user input will increase in kind.

Privacy on the Whonix ™ Website[edit]

The Whonix ™ website [39] uses popular web applications (web apps) like MediaWiki, Phabricator and Discourse (forum software). [40] These are Freedom Software projects developed by third parties, not the Whonix ™ team. As an end user of these web apps, Whonix ™ has no control over changes made by the respective developers, who do not necessarily (seldom, in fact) prioritize privacy and security.

The Whonix ™ platform is similarly based on many third party projects. For a simple (approximate) overview of the Whonix ™ organizational structure, see: Is the Linux User Experience Comparable to Commercial Operating Systems?. In essence, many independent projects provide their software and source code for free, and they can be modified or used in their default state. Due to the structure of Freedom Software development and the limited funding available to Whonix ™, it is infeasible to try and tackle usability, privacy and security issues posed by these web apps.

Consider the Discourse software for example:

Based on the preceding information, it is clear websites can at best only provide privacy by policy, which is equivalent to a promise. For detailed information on the Whonix ™ privacy policy, see here. [41]

In contrast, the main project activities undertaken by Whonix ™ include research, development and maintenance of privacy by design software. This is achieved via technological enforcement, remaining free, [42] and utilizing Freedom Software which encourages external contributions, enhancements and audits.

Non-Responsiveness to Concerns[edit]

Effective December 1, 2018, the policy concerning responses to support requests and concerns has changed. Whonix ™ developers will generally only respond if they are convinced an actual technical, privacy or security-related problem has been identified.

In the past, Whonix ™ developers provided answers to a wide range of reported oddities, such as console output messages that were difficult for users to understand. Unfortunately this level of attention is no longer possible, for reasons outlined in this FAQ entry.

Sample Non-issue[edit]

For example, if a user reported that the following console message appeared during an update, Whonix ™ developers would be unlikely to respond.

70 signatures not checked due to missing keys

The reason is because developers are aware this is not symptomatic of a technical problem, but rather a minor usability issue. If the user reporting the problem conducted simple Internet research, they would quickly realize the cause of the error is not Whonix ™-specific. [43]

As a reminder, most anomalies are generally harmless rather than an indication of a compromise:

If the user notices trivial changes on their system - such as a duplicate desktop icon - it is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs, such as the appearance of a "htaccess file in home directory" or graphical glitches in Arm, it is far more likely a harmless bug and/or usability issue than a compromise.

Reporting Guidelines[edit]

Before developers take time to answer concerns, the reporter should make a reasonable attempt to demonstrate it is an actual issue. Whonix ™, Qubes OS and most other software projects expect thorough reports to include: [44]

  • Whonix ™ version and platform.
  • Affected component(s) or functionality.
  • Steps to reproduce the behavior.
  • Expected behavior.
  • Actual behavior - including detailed console output.
  • Context - How has this issue affected you? What are you trying to accomplish? Providing context helps us come up with a solution that is most useful in the real world.
  • Relevant Documentation that was consulted.
  • Any related, non-duplicate issues (bugs).

The following example report would be considered wholly insufficient by Whonix ™ developers:

  • Steps to reproduce the behavior: Update the system.
  • Expected behavior: No error messages appear.
  • Actual behavior: See the message "70 signatures not checked due to missing keys".
  • Context: Curiosity.

Instead, further indicators are necessary in order to meet the threshold of a bug report. In many cases only developers, developer-like users and very technical users will be able to report an actual issue based upon console output. A sample, thorough bug report is given below. [45]

Table: Example Whonix ™ Bug Report

  • Whonix ™ version: All Whonix ™ 14 variants (Non-Qubes-Whonix ™ and Qubes-Whonix ™).
  • Affected component(s) or functionality: Whonix-Gateway ™ (sys-whonix) firewall.
  • Steps to reproduce the behavior: Enable the fail closed firewall mechanism in Whonix-Gateway ™ (sys-whonix). [46] Later on, when a whonix-firewall package upgrade becomes available, networking is no longer functional after installation.
  • Expected behavior: An upgrade of the whonix-firewall package should not break networking.
  • Actual behavior: An upgrade of the whonix-firewall package breaks networking.
  • Context: Running standard ("everyday") upgrade instructions.
  • Relevant Documentation that was consulted: See below.
  • Any related, non-duplicate issues (bugs): None, but these resources are directly relevant:

A detailed answer to a reported issue is more likely if both conditions below are met:

  1. Reporters exert more effort, provide detailed analysis, perform multiple web searches, and read the source code beforehand.
  2. The reporter is a Whonix ™ contributor or developer.

Policy Rationale[edit]

There are several reasons for this policy shift:

  • Developer Time: Providing answers for each and every reported non-issue costs time, which could be otherwise dedicated to core development and the backlog of existing bugs.
  • Personal Initiative: Whonix ™ is Freedom Software, which means every aspect of the source code is available for review. This level of transparency allows those who spend enough time or monetary resources to analyze everything in detail. In the spirit of Freedom Software, Whonix ™ is purposefully opposed to artificial boundaries which make analysis unnecessarily more difficult. [47]
  • Feature Richness: Since Whonix ™ is based on Debian there are thousands of software packages available for use, and not all oddities can be explained due to time constraints.
  • Usability Issues: In the main, most usability issues will remain out of scope for developer attention. The reason is two-fold: either they are outside the control of the Whonix ™ project and/or it is not economically viable due to the very structure of Freedom Software development; see Is the Linux User Experience Comparable to Commercial Operating Systems? for further information.

There are several reasons for this FAQ entry. Firstly, a link to this FAQ entry can be posted when and where necessary, thereby saving developers significant time and effort in addressing non-issues. This demonstrates acknowledgement of the report, but also signals it is not considered a serious problem at this time. Secondly, answering with a FAQ link is better than a non-answer. A nil response makes it unclear if the report has been seen or whether project development is even active.

Users are welcome to report whatever they like, but it is strongly recommended to first search the forums and Internet as per The Free Support Principle to see if it was already reported - this is often the case.

What does Unsupported Mean?[edit]

This feature is either undocumented, untested, or unsupported. Please help us implement this feature by becoming a maintainer.

Consider Free Support Principle.

It might be possible to get this feature documented, tested or supported by purchasing Professional Support.


Is VirtualBox an Insecure Choice?[edit]


Although VirtualBox is not an ideal choice, fortunately other platforms are supported:

For greater security, users with suitable hardware and sufficient skill are recommended to prefer Qubes-Whonix ™ (which runs on Qubes OS, built on the Xen bare-metal / Type 1 hypervisor) over Type 2 hypervisors like VirtualBox.

The primary reason Whonix ™ supports VirtualBox is because it is a familiar, cross-platform virtualizer which can attract more users to open source (free/Libre) software, Tor and Linux in general. By remaining highly accessible, Whonix:

  • Increases the scope of potential growth in the user base.
  • Attracts greater attention as a suitable anonymity-focused operating system.
  • Increases the likelihood of additional human resources and monetary contributions.
  • Allows novice users to easily test Whonix ™ and learn more about security and anonymity practices.
  • Improves the relative security and anonymity of Tor / Tor Browser users by offering a virtualized solution.

Old statement:

Whonix ™ in VirtualBox vs Tor / Tor Browser / Torified Applications on the Host[edit]

It is recognized that VirtualBox is not an ideal choice; see Dev/Virtualization Platform. However, there are different goals to bear in mind - Whonix ™ is primarily focused on protecting a user's IP address / location.

A common refrain of critics is that VirtualBox is "too weak". This is a theoretical concern and does not have any practical implications at present, since Whonix ™ in VirtualBox is actually more secure than running Tor, Tor Browser or torified applications on the host in many cases; see Whonix ™ Security in the Real World.

It must be remembered that there are no alternatives for a large segment of the population who do not have sufficiently powerful hardware to run Qubes-Whonix ™, or who lack the skills to run KVM. For them it is safer to run Whonix ™ in VirtualBox than to continue using Tor on the host. For example, Whonix ™ helps to protect against future proxy bypass bugs or software which does not honor proxy settings, because the workstation has no route to the Internet other than through the gateway.

The strength of Whonix ™ and virtualization in general is adherence to the security by isolation principle. VirtualBox critics need to objectively consider how many exploits currently exist for VirtualBox and the track record of exploits. Admittedly, virtual machine exploits may become far more problematic in the future, but at present Whonix ™ is considered to provide more security out of the box running in VirtualBox, than not.

Platforms with Improved Security[edit]

Anybody seriously considering Whonix ™ for improved security should refer to the Documentation, particularly the Security Guide and Advanced Security Guide entries, as well as supported platforms other than VirtualBox. Whonix ™ is a poster child for the Isolating Proxy Concept and Security by Isolation.

Many users still default to running Tor on their Windows or Linux host. Whonix ™ is immediately available to this cohort to substantially improve their real world security. Indeed, Whonix ™ is the only actively maintained and developed OS designed to run inside a VM and paired with Tor. Other similar projects like JanusVM are seriously outdated and no longer actively maintained. [48]

Whonix ™ cannot serve all target audiences. Users seeking a higher security solution will prefer other supported platforms, like Qubes-Whonix ™. "Hardcore" users may prefer to build their own custom hardened solutions, while still profiting from Whonix ™ research and source code. Hardened solutions like the Hardened Gentoo Whonix-Gateway ™ are more difficult to use and therefore cannot be set as the default installation for Whonix ™.

Virtual Private Networks[edit]

Should I Install a VPN on the Host or Whonix-Gateway ™?[edit]

This entry assumes the user has already decided to utilize a VPN. If not, this FAQ entry may be skipped.

VPN installed on the host:

  • All Whonix ™ traffic routing: User → Host's VPN → Tor → Internet
  • All host traffic routing: User → Host's VPN → Internet
  • Whonix-Gateway ™ compromise: the host's VPN affords protection

VPN installed on Whonix-Gateway ™:

  • All Whonix ™ traffic routing: User → Gateway's VPN → Tor → Internet
  • All host traffic routing: User → Internet
  • Whonix-Gateway ™ compromise: nil protection

VPN installed on both the host and Whonix-Gateway ™:

  • All Whonix ™ traffic routing: User → Host's VPN → Gateway's VPN → Tor → Internet
  • All host traffic routing: User → Host's VPN → Internet
  • Whonix-Gateway ™ compromise: the host's VPN affords protection

To decide the best configuration in your circumstances, consider:

  • Is it necessary to hide all traffic from the ISP? [49] Then install the VPN on the host.
  • Should the VPN provider be able to see all traffic? [49] Then install the VPN on the host.
  • Should the VPN provider be limited to seeing Tor traffic, but not clearnet traffic? Then install the VPN on Whonix-Gateway ™.

Whonix ™-specific[edit]

Design and Development[edit]

32-bit or 64-bit?[edit]

From Whonix ™ 14 onward, only 64-bit builds are available for download. [50] This decision is based on several factors:

  • Distributions are increasingly dropping support for 32-bit systems (including Debian). [51]
  • Only a small minority of users are stuck with older hardware that will not support 64-bit builds. [52]
  • It is a significant maintenance burden for Whonix ™ to maintain both 32-bit and 64-bit builds. [53]
  • Non-Qubes-Whonix 13 users (deprecated) who rely on 32-bit (i686) hardware are still able to use Whonix ™ 14, by using the upgrade instructions instead of downloading new images. [54] [55] [56]
  • Users could attempt to build a 32-bit version of Whonix ™ from source code, by appending the Whonix ™ build script parameter --arch i386.

How is Whonix ™ Different from Tails?[edit]

See Comparison with Others.

Why not Merge with Tails and Collaborate?[edit]

The following is a subjective opinion by lead Whonix ™ developer Patrick Schleizer. [57] Feedback, corrections and suggested improvements are welcome.

Tails is a respected project with similar goals to Whonix ™ - improved anonymity, privacy and security. Tails has existed for many years and has multiple developers, significant experience and a complete working infrastructure. Whonix ™ and Tails developers already cooperate to some degree and discuss things of mutual interest to both projects on various developers mailing lists like whonix-devel, tails-devel and secure-os.

Whonix ™ and Tails Collaboration[edit]

Several parts of Whonix ™ are based on Tails. For example, the development of sdwdate in Whonix ™ was reliant upon Tails' invention of tails_htp. Whonix ™ also profits from Tails' previous efforts to upstream packaging and other changes in Debian, current and historical discussions in various forums, Tails research, design documents, experience, feedback and so on.

Other examples of Tails and Whonix ™ cooperation include:

  • onion-grater - a whitelisting filter for dangerous Tor control protocol commands - was developed by Tails developer anonym with Whonix ™ in mind. Whonix ™ then forked the Python code to add a few necessary improvements. [58]
  • Tails has expressed interest in using Anon Connection Wizard in the future.

Why Whonix ™ is a Separate Project[edit]

Even though Tails is highly valued by Whonix ™ developers, it may not be clear to the reader why Whonix ™ remains a separate project and not just a contributor to Tails. There are several reasons for this decision: Whonix ™ cannot be merged into Tails by the Whonix ™ team on technical, skill and political grounds; implementing features or changes in Tails is an unfamiliar process; and it is unknown when/if Whonix ™ priorities will be implemented in Tails -- but it is known how to solve these in a separate project (at least with appropriate user documentation).

Further examples are outlined in the table below. Note that some of these items are partially or nearly solved in Tails, but it has been kept to justify the prior decision not to merge projects.

Table: Whonix ™ and Tails Design and Functionality Comparison

Each entry lists the Tails issue tracker item (TODO) followed by the corresponding Whonix ™ design or instructions:

  • Remember installed packages → By design, everything persists [59]
  • Applications Audit → By design, protocol leaks cannot lead to deanonymization
  • Two-layered, virtualized system → By design, this is achieved by either software compartmentalization (VMs) or Physical Isolation
  • VPN support → VPN / Tunnel support
  • JonDo over Tor → JonDonym
  • Freenet over Tor → Freenet
  • obfsproxy [60] → Bridges
  • Can I hide the fact that I am using Tails? → Hide Tor and Whonix ™ from your ISP
  • I2P over Tor [61] → I2P
  • Transparent Proxy as a fallback mechanism → By design, everything not configured to use a SocksPort will automatically use Tor's TransPort
  • Use Tor Browser → Tor Browser
  • Stream Isolation [62] → Stream Isolation
  • Evaluate web fingerprint [63] → Same as Tor Browser
  • Unsafe browser fingerprint → Logging in to captive portals
  • Location Hidden/IP Hidden Servers → Location/IP Hidden Servers
  • ... → ...

Political and Design Considerations[edit]

There are also significant differences in political and design decisions which prohibit a merger:

  • As a code contributor to Tails, Patrick Schleizer would need to accept decisions made via internal Tails decision-making processes. Whonix ™ would lose the autonomy to simply modify anything in line with personal preferences or favored solutions. [64] At the time Whonix ™ was created, Schleizer did not favor a Live DVD/USB approach and personally found improving Tails to be far more difficult than starting a fresh project.
  • Source Code Merge Policy:
    • Whonix: A comprehensive merge policy has not yet been developed. This would be ideal, but it is not compulsory to formulate such a design or associated documentation.
    • Tails: In Schleizer's opinion, the Tails merge policy is too strict. This is not a complaint or critique. No doubt there are good reasons for that decision and it should be noted that Tails is still a popular and effective solution for many users. Anyone who does not agree has the freedom to contribute to another project or to start a new project, leading Schleizer to make use of that freedom.
  • Another major design difference is Tails' reliance on a Live DVD/USB which inherits some restrictions and limitations. Tails must fit on a DVD/USB, while Whonix ™ does not have this requirement. Whonix ™ also has higher hardware requirements, but therefore more space to implement features. As a consequence, initially fewer people are able to use Whonix ™, but this situation will improve in the future as available hardware improves. The Whonix ™ design is fluid and new designs (both theoretical and practical) are being discovered over time. Depending on user feedback and general interest, eventually a Live DVD or Blu-ray might be created in Whonix ™.
  • Schleizer has found it easier to cooperate with the security by isolation focused operating system Qubes OS, which resulted in Qubes-Whonix ™.

How is Whonix ™ Different from Tor Browser?[edit]

See Comparison with Others.

How Difficult is Whonix ™ Development?[edit]

The following information is an opinion expressed by lead developer Patrick Schleizer, which is based on several years of Whonix ™ development and related activities.

Consider the following comparison table. Whonix ™ source code is relatively simple when compared with activities like the development of cryptographic algorithms and hand written binary code.

Legend: One star (*) = very easy; 10 stars (**********) = very difficult.

* Using a computer.
** Writing Whonix bash scripts.
** Writing Whonix documentation.
*** Whonix-related anonymity and privacy research.
**** Scripting language.
***** Using Hardened Gentoo.
****** Programming languages such as C/C++.
******* Core Tor development.
******** Reverse engineering software.
******** Kernel development.
******** Assembly language.
********* Compiler development.
********* Aeronautical science.
********* Cryptographic algorithms development.
********** Hand written binary code.

Why not Replace grml-debootstrap with 'X'?[edit]

Whonix ™ developers are not remotely close to exhausting grml-debootstrap's extensive feature-set yet. [65]

There are two sorts of VM image creation tools:

   [A] Those that use virtualization, boot the image and perform actions.
   [B] Those that use chroot (or perhaps systemd-nspawn).

[A] is incompatible with Whonix ™ design principles due to files being created during boot, such as entropy seeds. This is a less clean method and is not suitable for redistribution.

In either case it would be necessary to diff:

  • The image created by grml-debootstrap versus the one created by the new tool.
  • Two images created in succession by the new tool, to see whether its output is reproducible and which files vary between builds.
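The following is an added example (not part of grml-debootstrap, the Whonix ™ build scripts, or any other tool named here) of how to inspect such a diff once both image roots have been mounted or extracted to directories, for instance with guestmount or mount -o loop. It builds a per-file manifest of each tree, reports every difference, and separates typical first-boot artifacts of a type [A] tool (the entropy seed mentioned above and similar per-machine files; the list is an assumption chosen for illustration) from differences that still need an explanation before an image could be redistributed.

```python
# Added example: compare two extracted image root trees and classify the diff.
# Not grml-debootstrap or Whonix tooling; EXPECTED_VOLATILE is an illustrative list.
import hashlib
import os

# Paths a tool that boots the image typically creates at first boot. Assumption
# for illustration; extend it from what the diff of real builds actually shows.
EXPECTED_VOLATILE = (
    "var/lib/systemd/random-seed",
    "etc/machine-id",
    "var/lib/dbus/machine-id",
    "etc/ssh/ssh_host_",
)


def file_digest(path):
    """SHA-256 of a regular file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def manifest(root):
    """Map root-relative path -> digest (regular files) or symlink target."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                out[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                out[rel] = file_digest(full)
    return out


def compare_trees(a, b):
    """Return {path: (value_in_a, value_in_b)} for every difference; None = absent."""
    ma, mb = manifest(a), manifest(b)
    return {p: (ma.get(p), mb.get(p))
            for p in sorted(set(ma) | set(mb)) if ma.get(p) != mb.get(p)}


def classify(diff):
    """Split a diff into (expected per-boot artifacts, unexplained differences)."""
    expected, unexplained = {}, {}
    for path, values in diff.items():
        if path.startswith(EXPECTED_VOLATILE):
            expected[path] = values
        else:
            unexplained[path] = values
    return expected, unexplained


if __name__ == "__main__":
    import sys
    exp, unk = classify(compare_trees(sys.argv[1], sys.argv[2]))
    for path, (x, y) in exp.items():
        print("expected    %s: %s != %s" % (path, x, y))
    for path, (x, y) in unk.items():
        print("UNEXPLAINED %s: %s != %s" % (path, x, y))
    # Two builds of a tool fit for redistribution should leave nothing unexplained.
    sys.exit(1 if unk else 0)
```

Usage: python3 imagediff.py /mnt/build1 /mnt/build2. Anything listed as "expected" is still a finding for a type [A] tool, since those files should not exist in a redistributable image at all; the split only tells the reviewer which differences have a known cause.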



Why are Whonix ™ Images so Large?[edit]

From Whonix ™ 14:

This is still larger than other "Tor-VM" or "Tor-LiveCD/DVD" projects, which sometimes depend on specially "stripped-down" or minimal distributions like TinyCore, DSL and Puppy Linux.

Minimal Distribution Disadvantages[edit]

The primary reason for the large size of the images is that small/er distributions do not meet Whonix ™ requirements; namely the upstream distribution must have a proactive security policy. In addition:

  • Most minimal distributions are small projects. Consequently, there is no dedicated security team that audits packages and quickly releases security patches.
  • Whonix ™ requires a distribution that cryptographically signs all updates. [67]
  • The security of minimal distributions is premised on reducing the potential attack surface and not much else. Whonix ™ also has a small attack surface, due to only installing a few select applications and not having any network listening services by default. However, on the upside a full distribution supports MAC, kernel patches, IDS and much more.
  • Large, established projects have many users and developers; the many eyeballs on the code imply greater trustworthiness.
  • Debian has a significant number of security features that are unavailable in smaller distributions.
  • For further reading on this topic, see Operating System.

Maintenance and Usability Concerns[edit]

Since Whonix ™ is based on Debian, it is a complete, anonymity-oriented, general purpose operating system. This greatly improves usability in comparison to minimal systems which lack a host of features.

There are several other benefits of relying on Debian, rather than a minimal distribution:

  • A wider range of use cases is supported, such as hosting onion services. In contrast, small distributions usually have limited repositories.
  • Debian has comprehensive documentation about topics like security and hardening, unlike many small distributions.
  • Creating a slim system increases the maintenance burden, because it is difficult and requires significant development time. This is not and should not be the primary focus of the Whonix ™ team.
  • Minimal projects do not usually focus on anonymity, privacy and security-related matters; the core competence of the Whonix ™ project.
  • Attempts to slim down systems inevitably result in numerous "strange bugs". Users who are familiar with Debian or Ubuntu would then question why Whonix ™ is broken or lacks full functionality.

It should be noted that by increasing usability, Whonix ™ actually improves security over time. This stems from a larger user pool, a more prominent profile in the press, increased development activity and additional security audits and research. On the contrary, a slimmed down system would only attract specialists or experts. [68]

An interesting analogy is Mixminion, which was once touted as an alternative to Tor. [69] Due to Mixminion being a high latency remailer, with cover traffic and protection against traffic confirmation (end-to-end correlation attacks), it should theoretically have been more secure than Tor. The only problem was that Mixminion did not attract a critical mass of users. Without a sizable population to help disguise traffic, the putative anonymity benefits were seriously degraded, leaving it in practice no more secure than Tor. [70]

Absence of a Live Whonix ™ CD/DVD[edit]

The final reason Whonix ™ images are large is that the project has not (yet) focused on the anonymity-oriented Live CD/DVD market. Without the restriction of needing to fit on a CD/DVD, there is no necessity to balance functionality with available space and security. Being a general purpose anonymous operating system has its benefits - default or optional functionality can be increased at whim. For example, integrating Bitcoin into Whonix ™ would be quite simple, apart from the documentation burden.


Patches are Welcome[edit]

Volunteer contributions to Whonix ™ are most welcome. All proposed patches are carefully reviewed and merged if appropriate. Volunteers with the requisite coding ability should refer to the current backlog of open Whonix ™ issues and consult with developers before undertaking any significant body of work.

Often, proposed improvements or fixes to the Whonix ™ platform are awaiting implementation due to differing developer priorities, limited human resources and/or the inordinate amount of time required to develop a particular feature or solution. In a minority of cases, the Whonix ™ team is unsure how to resolve a bug or implement a specific change / feature. [71]

It is generally unhelpful to debate the priorities laid out in the future Whonix ™ roadmap, as this diverts energy from core development. Some major suggestions might become available in the long-term or might never eventuate, such as the availability of a Live Whonix ™ CD/DVD.


Does Whonix ™ Guarantee my IP Address and Location are Safe when Using Skype?[edit]

This answer has been moved to the VoIP page.

Full Disk Encryption Should be Added to Whonix![edit]

The premise is mistaken. In short, it is more effective to use Full Disk Encryption on the host, which protects the guest images along with everything else on the disk against theft or seizure of the hardware.

The interested reader can refer to Encrypted Guest Images for further details.

You Should Disable JavaScript by Default![edit]

Whonix ™ has not changed default JavaScript settings in Tor Browser for several reasons:

  • Whonix ™ is not a "secure browser" project - the focus is on creating a stable, reliable anonymity distribution which aligns with best practice security and privacy principles, informed by educated researchers in the field.
  • Possible fingerprinting or security issues with default settings in Tor Browser are the domain of core Tor developers.
  • Whonix ™ has limited manpower, meaning the resources do not exist to create a more secure browser, even if it was desirable. [72]
  • Tor Browser is not significantly modified for the same reasons Whonix ™ does not modify or attempt to improve Tor. [73]
  • Having Whonix ™ share the fingerprint of other Tor Browser users is good for anonymity.

As noted in the Tor Browser chapter, disabling JavaScript by default may worsen fingerprinting:

The take-home message is disabling all JavaScript with white-list based, pre-emptive script-blocking may better protect against vulnerabilities (many attacks are based on scripting), but it reduces usability on many sites and acts as a fingerprinting mechanism based on the select sites where it is enabled. On the other hand, allowing JavaScript by default increases usability and the risk of exploitation, but the user also has a fingerprint more in common with the larger pool of users.

Experienced Tor developer Mike Perry has provided justification for enabling JavaScript by default in a tor-talk mailing list topic; see "Tor Browser disabling Javascript anonymity set reduction". In summary, Tor Button and Tor Browser patches handle the most serious JavaScript concerns, such as IP address / location bypass problems. [74]

Due to the loss in functionality, disabling JavaScript by default might place Whonix ™ users in a small subset of the Tor Browser population. The JavaScript behavior of the broader Tor Browser population is an open research question, so it is safest to avoid a possible reduction in the anonymity set of Whonix ™ users. Users should remember that the fingerprinting potential is also dependent on Tor Browser's security slider settings. Ultimately the user is free to turn JavaScript on or off, depending on their security, anonymity and usability preferences.

Does Whonix ™ / Tor Provide Protection from Advanced Adversaries?[edit]

Targeted Surveillance[edit]

Whonix ™ cannot provide protection against advanced attack tools which have the capability to penetrate all types of OSes, firewalls, routers, VPN traffic, computers, smartphones and other digital devices. Implants are capable of surviving across reboots, software / firmware upgrades and following the re-installation of operating systems. [75]

Once a machine is infected in this way, the implant is virtually undetectable and no remedy is readily available, other than discarding the hardware and moving on from the targeted physical / network location. Encryption, Tor / Tor Browser, other anonymity tools, "secure" hardware configurations and so on are helpless against these attacks, which are increasingly automated and being scaled up in size. For example, the US intelligence community prefers using the TURBINE system for this purpose.

The following is just a small sample of the hundreds of advanced implants and tools currently in use. Needless to say, advanced adversaries can achieve almost any outcome they like: [76] [77] [78]

  • Exfiltrate or modify information / data including removable flash drives (SALVAGERABBIT).
  • Log keystrokes or browser history (GROK, FOGGYBOTTOM).
  • Surreptitiously turn on cameras or microphones (CAPTIVATEAUDIENCE, GUMFISH).
  • Block certain websites (QUANTUMSKY).
  • Corrupt downloads (QUANTUMCOPPER).
  • Present fake or malware-ridden servers (FOXACID, QUANTUMHAND). [79]
  • Launch malware attacks (SECONDDATE).
  • Upload and download data from an infected machine (VALIDATOR).
  • Detect certain targets for attack (TURMOIL). [80]
  • Collect images of computer screens (VAGRANT).
  • Collect from LAN implants (MINERALIZE).
  • Image the hard drive (LIFESAFER).
  • Jump air-gaps (GENIE).
  • Inject ethernet packets onto targets (RADON).
  • And much, much more.

The take-home message is that current hardware and software solutions provide multiple attack vectors which are impossible to completely close. Air-gapped solutions which have never been connected to the Internet may provide security for targeted individuals, but Internet-connected devices should be considered completely unsafe.

Passive Surveillance[edit]

Users should be aware that passive surveillance systems will attempt to intercept, record, categorize and attribute all data that can be feasibly collected, including straight off the Internet backbone. These systems are designed to hoover up everything, irrespective of whether it is browsing history, emails, chat / video, voice data, photographs, attachments, VoIP, file transfers, video conferencing, social networking, logins, or user activity meta-data.

Consistent use of anonymous handles, strong encryption, Tor / Tor Browser and world class open source anonymity tools and platforms may provide partial protection against passive surveillance programs, such as:

Be aware that this claim comes with an important caveat - it depends on whether Tor (and other software / hardware solutions) provide adequate protection or not. The answer to that question is not clear. Whonix ™ has adopted a skeptical mindset and only makes conservative claims, because it is impossible to prove a negative. For a related statement about advanced adversaries, refer to the following technical introduction.

Can Certain Activities Leak DNS and/or the Real External IP Address / Location?[edit]

No activity conducted inside Whonix-Workstation ™ can cause IP/DNS leaks so long as Whonix-Gateway ™ is left unchanged or only documented changes are made like configuring bridges, establishing onion services and running updates.

However, certain behaviors can degrade anonymity or inadvertently expose a user's real identity or location. For instance:

Is there a Whonix ™ Amnesic Feature / Live CD / Live DVD? What about Forensics?[edit]

As noted in the Whonix ™ Live entry, Whonix ™ allows Non-Qubes-Whonix ™ users to optionally run Whonix ™ as a live system. Writes go to RAM instead of the HDD/SSD, meaning everything that is created, changed or downloaded in the VM during that session does not persist after shutdown. However, neither Non-Qubes-Whonix ™ nor Qubes-Whonix ™ is an amnesic system by default.

For reasons why a Whonix ™ Live CD/DVD is currently unavailable, refer to these earlier entries.

Forensic Considerations[edit]

In the past, a number of ideas have been put forward to try and make Whonix ™ an amnesic system:

  • Shredding the Whonix ™ hard disk images.
  • Having a zip archive of Whonix ™ hard disk images and restoring them every time Whonix ™ is used.
  • Restoring a fresh snapshot every time Whonix ™ is used.
  • Running Whonix ™ completely in ramdisks.
  • Using full disk encryption.
  • And so on.

Unfortunately, none of these methods are a substitute for a true amnesic system. Amnesic live systems have a superior design insofar as sensitive (or unencrypted) data is never stored on storage media in the first place. It is manifestly unsafe to try and deal with data by wiping it after it has already been stored, so this is a poor design principle to implement.

Using full disk encryption is still useful to protect against forensic analysis, but in some parts of the world this is illegal or draws unwanted attention. Therefore, full disk encryption is not an applicable stopgap for some Whonix ™ users and this cohort requires an amnesic version of Whonix ™ in all instances.

Anti-forensic Claims[edit]

The reader should always be cautious regarding claims made about the ability to defeat disk forensics. For example, the Whonix ™ team are not experts in matters related to:

Even carefully designed setups fail to approach the efficiency of an amnesic system. At a bare minimum, before any strong claims can be made about anti-forensics, the following steps should be undertaken:

  1. Make an image of the HDD/SSD.
  2. Run Whonix ™ and perform a range of normal user activities.
  3. Make another image of the HDD/SSD.
  4. Compare the images.

Unless these basic steps are performed, the setup may seem ingenious but fail against contemporary forensic tools. Users concerned about local forensics should at least use full disk encryption. When established open source encryption solutions like Linux dm-crypt are used correctly, they live up to their promises. However, always remember this approach is inferior to an amnesic system, particularly if the user can be forced to surrender their password under certain circumstances. If that is a legitimate concern, then Whonix ™ may not be the right tool and alternatives like Tails should instead be investigated.


Whonix ™ Crashes caused by PAE[edit]

See PAE crash.


What is the Difference Between the stable, stable-proposed-updates, testers and developers Repositories?[edit]

See Whonix ™ APT Repository Overview.

How do I Check the Current Whonix ™ Version?[edit]

See /etc/whonix_version.

Whonix-Gateway ™[edit]

Open a terminal.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Konsole

If you are using a graphical Whonix with KDE, run.

Start Menu → Applications → System → Konsole

If you are using a graphical Whonix with XFCE, run.

Start Menu → Xfce Terminal

cat /etc/whonix_version

Should show.


Whonix-Workstation ™[edit]

Open a terminal.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Konsole

If you are using a graphical Whonix with KDE, run.

Start Menu → Applications → System → Konsole

If you are using a graphical Whonix with XFCE, run.

Start Menu → Xfce Terminal

cat /etc/whonix_version

Should show.


Can I Install the Previous Stable Whonix ™ Version?[edit]

It is not uncommon for Linux distributions to support multiple release versions. [84] [85] The popular Debian Linux distribution on which Whonix ™ is based not only supports the stable, testing and unstable versions, but also maintains support for the old-stable version. The main reason is that it can take a long time for some organizations to plan, test and upgrade all computers when a new stable version is released. [86]

Supporting the old-stable version with continued security updates for a period of time provides flexibility when migrating to the stable version. However, even for distributions like Debian that have a large number of developers, it can be very difficult to support both the stable and old-stable versions. This is evident by the limited time that the old-stable version is supported after the new stable is released - currently around one year on average. [87]

Providing extended support for previous stable versions is preferred for both large and small projects alike, but this is infeasible for Whonix ™ due to limited human resources. The reason is the vast majority of developer time must be focused on core components of the stable release version, otherwise providing support for both stable and old-stable would unduly stall its development. Therefore, without a significant increase in funding or manpower, the maintenance of two stable release versions is unlikely in the near or distant future.

Whonix ™ Gateway[edit]

Why can't I Ping the Whonix-Gateway ™?[edit]

The Whonix-Gateway ™ does not respond to ping or similar commands because it is firewalled for security reasons; see /usr/bin/whonix_firewall or refer to the Whonix ™ source code. In most cases it is unnecessary to ping the Whonix-Gateway ™ anyhow.

If a user insists on pinging the Whonix-Gateway ™ or has a unique setup that requires it, then this can be tested by clearing all firewall rules with the dev_clearnet script. Alternatively, a script can be run to try and unload / remove every iptables rule, or the Whonix ™ firewall can be hacked to not load at all. The latter method is only for experts and it is necessary to comment out the exit 0 at the beginning.

Headless / CLI (Terminal) Whonix-Gateway ™[edit]

If a user believes the graphical Whonix-Gateway ™ is using too much RAM, or if a terminal version of Whonix-Gateway ™ is generally preferred, then headless Whonix ™ is available: see Whonix ™ for VirtualBox with CLI.

Alternatively, Whonix ™ for VirtualBox with XFCE RAM can be reduced to 256 MB and RAM Adjusted Desktop Starter will automatically boot into a terminal version of Whonix-Gateway ™.

Graphical Whonix-Gateway ™ benefits over Headless Whonix-Gateway ™[edit]

In the non-graphical version of Whonix-Gateway ™, it is difficult for users who have never used Linux before to complete tasks like upgrading or configuring obfuscated bridges. Many activities are simpler and easily accessible in a graphical Whonix-Gateway ™, such as:

A black, text-only window (terminal) is intimidating for normal users. A graphical desktop environment is also a prerequisite for further planned improvements, such as the proposed graphical Whonix ™ Controller which will provide buttons such as:

  • "Create hidden blog", which creates a pre-configured blog.
  • "Backup onion service keys".
  • A Better Circumvention User Interface.
  • And more.
  • Also, terminal-only environments can be impractical for users with disabilities.


  1. Last updated in January 2018.
  4. A Tor onion service is still not available.
  5. Last updated in January 2018.
  6. Previously, the future availability of Wayland and Flatpak in KDE was listed as a Whonix ™ advantage, however XFCE is now the default desktop environment.
  9. Subgraph is a Debian derivative.
  10. Unfortunately Whonix ™ cannot prevent against attacks which replay an old Tor consensus or which attempt to reveal onion services.
  11. Interested readers can verify these claims by researching off-the-shelf malware building toolkits. They are dangerous to install for inexperienced users, but there is a wealth of information online such as screenshots and video tutorials.
  12. It is unclear if script kiddie programs are readily available for attacking non-Windows users.
  13. From a browser test website, in a log file and so on.
  15. This is not a recommendation to use it.
  16. Conceptually, end-end DNS encryption is illogical. If the IP address of the destination server was known in advance, then DNS would not be required in the first place.
  18. Due to the Tor network abuse such as DDOS attacks on their servers.
  19. Around 95 per cent combined.
  20. Like Skype.
  21. For example, recent Windows earnings can be found here.
  22. Most desktop computers sold worldwide come with Windows pre-installed, generating significant revenue from licensing.
  23. [1]
  25. If options or features require a substantial time investment, it may be infeasible for a distribution with limited resources to implement the desired changes.
  26. Users can contribute in a range of ways, such as by helping to answer questions in the forums.
  27. See also:!topic/qubes-users/IQdCEpkooto
  29. This situation might change in future if additional human resources become available. Check this wiki entry at a later date and also read:
  30. Alternatively follow the instructions to use Multiple Whonix-Gateway ™.
  31. Click here for an overview of all answers.
  32. Deferring to their expertise on the possible adverse anonymity effects.
  33. Changes to the configuration file are made by the anon-gw-anonymizer-config package.
  34. This means changes occur for all Tor users and not a subset relying on a particular distribution.
  35. 36.0 36.1 36.2
  37. See tbb-linkability and tbb-fingerprinting.
  38. Clearnet address: and v3 onion address: dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
  39. This is common practice. For example Free Software Foundation (FSF) also uses discourse.
  40. This includes any type of information that is collected and recorded, and how it may be used. The processing of any personal information is subject to the General Data Protection Regulation (GDPR).
  41. Free in terms of price, while also respecting user and developer freedoms.
  42. For example, see:
  43. This recommended format is taken directly from the Qubes OS bug tracker; for an example, see this bug.
  45. So that networking is blocked if whonix-firewall.service fails to load.
  46. By comparison, generally the architects of complex structures like buildings or hardware (and a myriad of other professions) do not explain any technical details for free to the general public.
  47. In response to whether JanusVM was safe to use, Roger Dingledine of The Tor Project stated in 2011: "No, not safe. Probably has been unsafe to use for years."
  48. All traffic generated by the host and all applications running on the host. For example, Firefox, NTP, and anything else. This also includes traffic generated by Whonix ™.
  51. For example in Tails, less than 10% of users had 32-bit kernels in late 2016.
  52. That is, Whonix ™ would need to maintain 10 images instead of the current 6 images.
  53. This is because none of the Whonix ™ packages were made 64-bit only.
  56. Last updated in September 2018.
  58. This is actually a disadvantage for anonymity because it is the opposite of an amnesic system, which many users prefer.
  59. Bridges were not natively supported by Tails when Whonix ™ was founded.
  60. The I2P feature was removed in Tails 2.11 due to the developer effort required.
  61. Tails has basic stream isolation functionality compared to Whonix ™.
  62. See also: The bundling of uncommon extensions in Tor Browser like uBlock Origin increase the likelihood of fingerprinting Tails users specifically.
  63. One major advantage of free software is developers are free to disagree about a project's direction, leading to the creation of a fork.
  66. This is always desirable, particularly when updating over untrusted exit relays.
  67. This does not mean Whonix ™ cannot be significantly hardened, customized or reduced in size by those with specialist knowledge.
  68. Consider this interesting statement from Tor developer Roger Dingledine: Mixminion vs Tor.
  69. This is also the reason development was discontinued.
  70. Some of these relate to cross-platform problems which are not Whonix ™-specific.
  71. Even if the manpower existed, it would make more sense to establish a new "Privacy Browser" project, rather than merge its development with Whonix ™. At a later stage, the theoretically more secure browser could then be bundled with the Whonix ™ platform.
  72. Whonix ™ includes Tor Browser by default, with only minor differences.
  73. Although there are unresolved tbb-fingerprinting and tbb-linkability issues.
  74. For example, BIOS is a favorite target of IC operatives for persistence.
  78. A popular attack against Tor Browser users.
  79. This relies on selector types like machine IDs, attached devices, cipher keys, network IDs and various user-specific leads such as cookies.
  80. Both of these methods shift trust to a single provider, rather than distributing it. In the case of the DNS resolver, it may lead to identity correlation or weaken safeguards against potentially hostile applications; for example, see Skype.
  81. Developers have a basic understanding and just know to be cautious.
  82. This issue requires further investigation.
  83. At the time of writing, Fedora supports 2 release versions - Fedora {28,29}; see
  84. Debian supports "stretch" stable, "buster" testing, and "sid" unstable; see


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
