- 1 Alternative Operating Systems
- 2 Compromise Indicators
- 3 DNSCrypt
- 4 Live Operating System
- 5 Tor
- 5.1 Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?
- 5.2 Can I Speed Up Tor or the Whonix-Gateway?
- 5.3 Does Whonix Modify Tor?
- 5.4 Why doesn't Whonix Improve Tor?
- 5.5 Can Whonix Improve Tor?
- 5.6 What is Clearnet?
- 5.7 check.torproject.org says "Sorry. You are not using Tor."
- 5.8 New Identity and Tor Circuits
- 6 Trust
- 7 User Support and Input
- 8 Virtualizers
- 9 Virtual Private Networks
- 10 Whonix-specific
- 10.1 Design and Development
- 10.2 Images
- 10.3 Patches
- 10.4 Security
- 10.4.1 Does Whonix Guarantee my IP Address and Location are Safe when Using Skype?
- 10.4.2 Full Disk Encryption Should be Added to Whonix!
- 10.4.4 Does Whonix / Tor Provide Protection from Advanced Adversaries?
- 10.4.5 Can Certain Activities Leak DNS and/or the Real External IP Address / Location?
- 10.4.6 Is there a Whonix Amnesic Feature / Live CD / Live DVD? What about Forensics?
- 10.5 Stability
- 10.6 Versioning
- 10.7 Whonix Gateway
- 11 Footnotes
Alternative Operating Systems
Why isn't OpenBSD Used?
This FAQ entry addresses the suggestion that Whonix should be based on OpenBSD rather than Debian. The opinion provided below is based on the perspective of Whonix developers. 
OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.
The landing page for OpenBSD also claims: 
Only two remote holes in the default install, in a heck of a long time!
These contentions are debatable and beg the question, "Who are those many security professionals and how thoroughly is the code reviewed?".
According to bststats.org (w), OpenBSD has very few users. Although bdstats is not representative of the total population of OpenBSD users due to the opt-in data collection program, 17 users at the time of writing is a very small figure. By comparison, TrueOS has 9,172 users in early 2018.
If OpenBSD cannot attract a critical mass of users, then ordinary crackers, hackers and the security research community are unlikely to gravitate to the distribution in contrast to more popular operating systems. At the same time targeted attacks become easier, because people who are paid to find exploits can find them more easily. Limited human resources inevitably means the code will remain more vulnerable to security flaws, since they are less likely to be identified.
As an example, see security vulnerability - NTP not authenticated. This six year old bug affects everyone using the distribution, but it does not appear anyone is stepping forward to fix it. The suggested solution was to authenticate the connection to the NTP server, but this would not be possible in Whonix for several reasons. The Whonix design focuses on distributing trust, and not using only one NTP server. Further, Whonix depends on free services which are available to anyone, ruling out a solution that requires a personal server. Even if Whonix used authenticated NTP, it has been pointed out  that the clock could not be moved more than 600 seconds. This is better than nothing, but still inadequate for adversaries who are capable of moving the clock more than 600 seconds, harming anonymity/privacy in the process (see Dev/TimeSync for further details).
In addition, previously the OpenBSD website was not reachable over SSL.  Therefore, at that time users were unable to securely view the OpenBSD site, since a man-in-the-middle attack would have been trivial to perform.
OpenBSD simply lacks innovative security improvements which are available in modern platforms like Qubes OS, despite their grandiose claims.
Why isn't FreeBSD Used?
Last update: 27.07.2014
This FAQ entry answers from perspective of the Whonix distribution to people who suggest to base Whonix on top of FreeBSD instead of Debian.
It is difficult (very time consuming in this case) to prove a negative. Such as proving non-existent security features. Either a search results in "security feature implemented" or nothing.
To avoid getting out of date and hurting other people's feelings, it is better not to make any statements about non-existent security features, but just asking the appropriate questions.
Does FreeBSD have a secure-by-default update mechanism? Will every (new) user download by default from an already existing signed repository, or are special settings required, or is it required to run an own repository? Does it defend against outdated metadata, can a man-in-the-middle use a roll back or freeze attack against the repository? Does it defend this (w)? Does it cover the TUF threat model (w)?
Not finding anything doesn't mean there is not something. The best way to get confirmation about the absence of security features or in other words, the best way to get a confirmation about possible attacks due to missing security features is asking the developers of that project. (An honest reply from Open Source projects is assumed.) There are simply too many distributions to ask these things.
So, if you believe that FreeBSD is a secure distribution, if you are even advocating that standpoint, then the burden of proof is on the person making the claim (you). It is up to you to come up with references that these security features are implemented. It is not up to the Whonix developers to spend a lot time, proving that these security features are non-existent. Or it is up to you to create such references by asking the distribution's developers. Another way would be coming up with arguments why these security features are unnecessary (this is unlikely in the specific case of package manager security). Until the claim of being a more secure distribution gets substantiated, please do not take offense by not considering that distribution.
Why isn't OpenWRT Used?
Same reasons as above for FreeBSD.
OpenWRT do not have signed packages.
Why isn't SubgraphOS Used?
- Basing on Subgraph ties Whonix's future with the viability of the Subgraph project. Not good. Debian is rock solid and should be used directly.
- Bugs in Subgraph (of which there is plenty) become "Whonix bugs" and we have to rely on them for fixes.
- They chose different programming languages that are not known to lead developers here at Whonix which makes customizing/modification very difficult.
- No full source code release to date (Oct 2016). Nough said.
- The software that is publicly available exists in a form that's not easily packaged. Read: Maintenance nightmare.
- Arbitrary limitations like repo choices - can be changed but its an example of something requiring patching effort on our part to adapt the base OS to our vision = wasted effort.
- Undesirable feature additions that add no value. No benefit from their manpower to tackle our roadmap since views diverge.
- No cooperation from the project devs to correct any of the points above.
- Opinion by HulaHoop: 
Am I Compromised?
Trivial changes (such as a duplicate deskop icon) are not evidence of a hack or leak. If you see some warning or error message that you do not understand, in most cases there is no need for panic... If you see something unexpected such as a "htaccess file in home directory" or graphical glitches in Arm it is unlikely the result of a compromise and more likely a harmless bug and/or usability issue.
Any slightly skilled attacker would not leave such obvious traces. Should you have been targeted and infected by tailored malware, you would very most likely not able to detect that by reading some random message that Linux reports. Even malware building toolkits for off-the-shelf malware, are not remotely as obviously detectable as this. See also introduction on Malware. (You can verify that by learning about off-the-shelf malware building toolkits. It is certainly dangerous to install (sadly only if you do not know what you are doing) and use such software, but researching textual, screenshots and video tutorials should be safe.)
It is more likely, that rootkit technology is already a standard feature of malware build toolkits.
What might have happened is an attacker wanting you to find something. But how likely is that? Script kiddies do stuff like remote controlling random Windows user victims and then troll them opening a forced chat window, opening their dvd driver and other stuff.
For linux however, it is unclear if that kind of script kiddie stuff even exists. And sophisticated attackers would avoid, unless perhaps Zersetzung is their strategy.
Every forum post and support request takes energy from the community. If there is no problem, there is no need for a new post. There is not enough time to explain every message that Linux reports. Most of those we have no control over and are not important.
Whonix is not perfect. There are few volunteers seriously challenging and resolving anonymity, privacy and security issues. The key word is seriously.
If you are reading this page, then it is safe to assume being anonymous (less unique), and remaining so is of great interest. Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result  is a false positive, regression, known or unknown issue.
To date, none of the various leak testing websites running inside Whonix-Workstation were ever able to discover the real (external), clearnet IP address of a user during tests. This held true even when plugins, Flash Player and/or Java were activated, despite the known fingerprinting risks. Messages such as "Something Went Wrong! Tor is not working in this browser."  (from about:tor) or "Sorry. You are not using Tor." (from check.torproject.org) are in most cases non-issues. If the real, external IP address can be revealed from inside Whonix-Workstation, then this would constitute a serious and heretofore unknown issue (otherwise not).
It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Whonix development is hindered. Users valuing anonymity don't want this, otherwise this would violate the aforementioned assumption.
If something is identified that appears to be a Whonix-specific issue, please first read the Whonix Free Support Principle before making a notification.
Can I Use DNSCrypt in Whonix?
Yes, see Secondary DNS Resolver.
Why not Use DNSCrypt by Default in Whonix?
DNSCrypt may have good use cases for clearnet. In context of Whonix it is not useful and should not be installed and activated by default for everyone. It does not do what you may think, does not magically solve all DNS related security issues, does not implement end-to-end DNS encryption to the destination server. (That conceptually cannot work. If you knew the IP of the destination server in advance, you wouldn't require DNS in the first place.) The server will still see all DNS requests in cleartext. This is only a short version for the many reasons, why it should not be activated by default for everyone.
More reasons: Tor is about distributing trust. Tor's DNS server change as circuits change, thus trust is distributed. Circuits are stream isolated (for pre-installed applications) and change every ten minutes. As far as I know, there are 27 open resolvers supporting the protocol.
Public resolvers supporting DNSCrypt have not given reasons to distrust them yet. Even we trusted the people running DNSCrypt servers, their servers would have to be trusted as well and that's not wise to let DNS security for all Whonix users depend on few servers. It is also about load balancing. If Whonix was to use a DNSCrypt supporting server by default and that server decides to forbid connections from the Tor network (due to the Tor network used to abuse their servers with DDOS or for whatever reasons) or if the servers go down for maintenance, DNS would break for all Whonix users.
Can I Use DNSCrypt on the Host or Router for Clearnet?
Yes, if you want. Also read the entry below.
Does DNSCrypt on the Host or Router Harm Anonymity when Using Tor/Whonix?
Short answer: No.
Long answer: No, DNSCrypt on the host or in your router only affects your clearnet activities. Tor assumes your local network and ISP to be totally unsafe and untrustworthy. Neither Tor nor Whonix are affected by DNS settings on your host or in your router.
Whether DNSCrypt is useful for your clearnet activities or not - that is not clear. There are pro and contra arguments. It is useful when using foreign or untrusted Wifi networks (shared with others), since they could modify and/or read your DNS requests. Other than that, you will just shift the trust from one party (ISP) to another (DNSCrypt supporting DNS server, ex: OpenDNS). If the DNSCrypt supporting DNS server leaks your network address and logs your queries as part of their business, then it might be worse than your ISP. Which one should be trusted more, your ISP or a 3rd party provider - you tell me.
Live Operating System
Why not Use a Live CD/DVD as the Whonix-Workstation Operating System?
We discussed this and came to the decision, that Live CD/DVDs are not suited as Whonix-Workstation.
- often actively maintained
- hardened GNU/Linux distribution
- with advanced features.
- no timely security updates
not persistentlimited persistence
- not flexible enough
anonymity orientated Live CD/DVD's negative in context of this FAQ:
- anonymity orientated Live CD/DVD's often have their own Tor enforcement included, which would lead into a Tor over Tor scenario
Will there be a Whonix Live CD or DVD?
- Qubes-Whonix: The most promising mid term possibility may be running Qubes-Whonix on Qubes OS Live DVD/USB which is currently in Alpha. Since there is already cooperation between Qubes OS and Whonix, i.e. Qubes-Whonix and since hardware support and Live operating system development is up to the Qubes developers, there is not much that needs to be done on the Whonix side.
- Non-Qubes-Whonix: Unless someone joins the project and contributes, this won't happen in near future. Whonix developer Patrick Schleizer has limited knowledge about Live CD/DVD creation. At the moment Whonix is a rather simple project. Many things, get delegated to upstream. There are various supported platforms, Debian provides a fine operating system, hardware support is delegated to the host operating system and supported platform, Tor is providing a fine anonymizer. Creating a Live CD/DVD would be difficult, especially the hardware support. Whonix is also too big and that would be very difficult to fix, see #Why are the Whonix images so big? above. Patrick Schleizer lacks experience about Live CD/DVD deployment.
- Maybe this will change in future. Faster if you help. Check back later here - https://forums.whonix.org/t/whonix-live-mode
For an alternative also see the next question below.
Is there Something like Whonix Live?
Whonix runs fine when the host operating system is installed on external media.
It is the user's responsibility to honor that advice.
Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?
Short answer: We discussed this with torproject.org and were allowed to do so.
Long answer: We had a thread about this issue, updates over Tor, should not waste Tor bandwidth. Discussed thoroughly. We speculated a lot and thought about solutions until we finally did what we should have done in the first place. We asked torproject.org, see tor-talk Operating system updates / software installation behind Tor Transparent Proxy. Click here for an overview of all answers. Andrew Lewman (Executive Director, Director, press contact), too, downloads a lot of updates over Tor and did not complain.
Can I Speed Up Tor or the Whonix-Gateway?
Is there a way to configure the number of nodes in a circuit and to allow selection according to their speeds?
Remember, Whonix is based on Debian,Tor etc. It is nothing very special. Therefore Whonix does not limit Tor and your options in any way.
If you learn how to configure Tor in such a way in Debian command line, you also learned how to do it in Whonix-Gateway. While it is possible to learn it yourself and do manually, this is not recommended in Whonix-Gateway since also the Tor developers don't recommend it.
For these reasons there are no instructions in Whonix documentation how to do it. If you find general instructions the only thing changing would be that you do it in Whonix-Gateway instead on the host.
Please also see the next question below.
Does Whonix Modify Tor?
Tor's configuration file has been adapted for Whonix, you can check it on Whonix-Gateway in
/usr/share/tor/tor-service-defaults-torrc. (This is done by the anon-gw-anonymizer-config package.) There are no patches to Tor. The normal Tor deb package is being used in Whonix, installed from deb.torproject.org or sdscoq7snqtznauu.onion if the user has "onionized" Tor Project updates.
Whonix tries to be as less special as possible to ease security auditing of Whonix.
Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once.
Doing such changes directly in Whonix would limit discussions about Whonix to the security of the modified routing algorithm. To allow further exploration of Whonix's security, Whonix developer Patrick Schleizer believes, it is required to be as agnostic as possible about all parts of Whonix.
Why doesn't Whonix Improve Tor?
Please see the question above.
Creating Whonix is difficult and time consuming enough. Improving Tor is left to the people who are better at this job. Any bugs/suggestions related to torproject.org will of course be reported. Happens.
Can Whonix Improve Tor?
Any improvements to Tor should be proposed upstream. If Patrick Schleizer finds a bug or has a suggestion it will be proposed upstream on torproject.org. Happens.
For reasons why there is not an improved version of Tor in Whonix see the question #Does Whonix modify Tor? above.
Anyone unhappy with Tor should provide patches upstream and as last resort fork it. Hypothetically, if the fork gets better respected than the original project, then Whonix will of course seriously consider switching.
What is Clearnet?
This term has two meanings.
- Connecting to the regular internet not using Tor (or other anonymity networks), and/or
- Connecting to regular servers (which are not Tor hidden services) (using Tor or not)
check.torproject.org says "Sorry. You are not using Tor."
See Browser Tests.
New Identity and Tor Circuits
The behavior of "New Identity" in context of TorButton and arm often misunderstood. First of all, there are various ways to issue a issue a "new identity". Here is a list:
- Tor Browser - TorButton
- Tor Browser - Get New Identity without Tor ControlPort Access
- and probably others
They got one in common. They send a Tor ControPort protocol command "signal newnym" to Tor's ControlPort. Tor circuit lifetimes the result of "signal newnym" is it often misunderstood. "signal newnym" uses a fresh circuit for new connections.
Note, although chances are good that you are getting a new Tor exit relay, a new IP, a new circuit does not guarantee a new Tor exit relay. Tor may only have replaced the middle relay while using the same Tor exit relay. This is by design and Tor default.
"signal newnym" won't interfere with long living connections such as for example an IRC connection.
When you open https://check.torproject.org in your browser, then issue "signal newnym" using Arm, then reload https://check.torproject.org it may still show the same IP. This is probably because the browser didn't close the connection to https://check.torproject.org in the first place. When you repeat that experiment with a small modification, chances are good you might see a new Tor exit IP. Open https://check.torproject.org in your browser, then issue "signal newnym" using Arm, then close Tor Browser, then start Tor Browser again. then open https://check.torproject.org again, you might see a new Tor exit relay IP.
Please note, "new identity" in most cases really only means "signal newnym". There are no guarantees about unlinking all sorts of protocol (browser etc.) states so you appear as a different identity. Tor Browser's TorButton New Identity Feature attempts this, but it is not perfect yet, for details see Tor Browser - TorButton New Identity Feature documentation.
Why Should I (not) Trust Whonix?
See Trust for a long answer.
User Support and Input
Feedback and Suggestions
Thank you! Software projects flourish on community feedback. We hear and consider every suggestion.
Please be patient as we address the competing priorities and challenges of our ambitious goal. As Whonix's resources grow, we'll be able to get more done.
What does Unsupported Mean?
This feature is either undocumented, untested, or unsupported. Please help us implement this feature by becoming a maintainer.
Is VirtualBox an Insecure Choice?
VirtualBox is not the only supported platform. There is also Qubes-Whonix and Whonix for KVM / Virt-Manager. The primary purpose of Whonix for VirtualBox is to get more users in touch with Free/Libre Software, Open Source, Linux and Tor. To give them a chance to try out Whonix and to learn more.
If you would like to see the old statement, please press on expand on the right.
VirtualBox is not an ideal choice, see: Dev/Virtualization Platform.
It is about different goals. Whonix's main goal is to protect the user's IP/location.
At the moment Whonix is practically more secure in many cases, see Whonix Security in Real World.
Saying VirtualBox is too weak, is theoretical and does not have any practical implications at the moment. What are the alternatives? Continue running Tor and torified applications on the host? Running Tor Browser and running into another proxy bypass bug? People failing to correctly torify software? Software not honoring proxy settings?
On the other hand, how many known exploits exist for VirtualBox? What's the track record of exploits?
Admittingly virtual machine exploits may become a problem in future. Right now, Whonix provides more security out of the box. Whonix right now, advertises and educates the security by isolation principle.
Anyone seriously looking into Whonix for security will read the Documentation, the Security Guide and the Advanced Security Guide and find out about other supported platforms. Whonix is an appetizer for the Isolating Proxy Concept and Security by Isolation.
Many users are still on Windows or Linux. Whonix can right now fill the void and improve real world security. They are better using Whonix, which is up to date, actively maintained and developed than any seriously outdated projects like JanusVM.
Whonix can not serve all target audiences. The more security educated/interested people will use other supported platforms. Hardcore security educated/interested people will probably build their own custom hardened solutions, but can still profit from Whonix's research and source code. Those more hardened solutions, such as the Hardened Gentoo Whonix-Gateway are more difficult to use and can therefore not be the default for Whonix.
Virtual Private Networks
Should I Install a VPN on the Host or Whonix-Gateway?
This entry assumes, you already decided to use a VPN.
If you did that after reading the VPN / Tunnel Support documentation, and decided you want to use a VPN, continue reading, otherwise you can skip this FAQ entry.
|VPN Installed on the Host||VPN Installed on Whonix-Gateway||VPN Installed on both the Host and Whonix-Gateway|
|All Whonix Traffic Routing||User -> Host's VPN -> Tor -> Internet||User -> Gateway's VPN -> Tor -> Internet||User -> Host's VPN -> Gateway's VPN -> Tor -> Internet|
|All Host Traffic Routing||User -> Host's VPN -> Internet||User -> Internet||User -> Host's VPN -> Internet|
|Whonix-Gateway Compromise||Host's VPN Affords Protection||Nil Protection||Host's VPN Affords Protection|
To decide the best configuration in your circumstances, consider:
- Is it necessary to hide all traffic from the ISP?  Then install the VPN on the host.
- Should the VPN provider be able to see all traffic?  Then install the VPN on the host.
- Should the VPN provider be limited to seeing Tor traffic, but not clearnet traffic? Then install the VPN on Whonix-Gateway.
Design and Development
Why Use a 32-bit Operating System Instead of 64-bit?
We do not. At least not for all supported platforms.
- Is 64 bit by default.
- Qubes-Whonix exists to suit recent, compatible hardware.
- Is 32 bit by default.
- Exists for compatibility. 32bit software runs without problems on 32bit and 64bit hosts. 64bit software not so much. We generally don't control for Non-Qubes-Whonix what host operating system people use. Therefore, 32bit has been chosen as base for official Whonix releases. Secondly, 64bit software needs more RAM, we already run 3 operating systems on a system which, eats RAM. Let's better minimize that. 
- VirtualBox: A critical VirtualBox bug: VirtualBox ticket #10853: Mouse position repeatedly reset to top and/or left of screen. - TODO: Still current?
- You can build Whonix from source code and use
--arch amd64as per build documentation to create 64 bit builds.
- If a maintainer steps up to contribute it might be possible in future to have 32 and 64 bit downloads for Non-Qubes-Whonix in future.
How is Whonix Different from Tails?
Why not Merge with Tails and Collaborate?
This is a subjective statement of opinion by Whonix developer Patrick Schleizer. (Still open for feedback, corrections, improvements!)
Tails is a respected project with similar goals (anonymity, privacy and security), which exists for many years and which has multiple developers, experience and a working infrastructure. The Whonix and the Tails developers cooperate to some degree and are discussing things, which are related to the projects on various developers mailing lists, i.e. whonix-devel, tails-devel and secure-os. Parts of Whonix are based on Tails. For example tails_htp was invented by Tails which lead to the development of sdwdate. Whonix also profits from their previous (Debian) upstream efforts (packaging and so on), their old and current discussions, their research, design documents, experience, feedback and so on.
Examples of Tails and Whonix cooperation:
- onion-grater was developed by Tails developer anonym with Whonix in mind. Then forked to add a few improvements required for Whonix on top.
- Anon Connection Wizard might be used by Tails in the future.
Even though Patrick Schleizer highly values Tails, why is Whonix a separate project and not a contribution to Tails?
Whonix can not be merged into Tails by Patrick Schleizer. There are technical, skill and political reasons.
Patrick Schleizer doesn't/didn't know how to implement various things into Tails, and don't/didn't know when the Tails developers will add them, which are Patrick Schleizer's priorities, but knew how to solve them in a separate project (Whonix), at least as in a way, that users are provided with instructions how to do it. Some examples.
Some of these items may already be either partially or fully solved in Tails by now. Kept for historic purposes to justify the decision at the time.
TODO Broken since migration to whonix.org. Ignore for now.
|(Previous) Tails Todo||Whonix Instructions|
|remember installed packages||By design, everything persists. |
|Applications Audit||By design, protocol leaks can not deanonymize.|
|Two-layered virtualized system||Done by design, either using VMs or using Physical Isolation.|
|VPN support||Features#VPN / Tunnel support|
|JonDo over Tor||JonDonym|
|Freenet over Tor||Freenet|
|hide Tor from your ISP||Hide Tor and Whonix from your ISP|
|I2P over Tor||I2P|
|Transparent Proxy as fallback mechanism||Done by design, everything not configured to use a SocksPort will automatically use Tor's TransPort.|
|use Tor Browser||Tor Browser|
|Stream Isolation||Stream Isolation|
|evaluate web fingerprint||Same as Tor Browser.|
|unsafe browser fingerprint||Logging in to captive portals|
|Location Hidden/IP Hidden Servers||Location/IP Hidden Servers|
Also political and design decisions differ too much.
- As a code contributor to Tails, Patrick Schleizer would have to accept decisions made by the Tails decision making process and couldn't simply modify anything as personally desired, preferred or believed to be the best solution. That's the great thing about Free Software. You are free to disagree and to create a fork. Since Patrick Schleizer motivation was not about a Live DVD and personally found improving Tails much more difficult than starting fresh, a new project, Whonix, was created.
- Source Code Merge Policy:
- Whonix: does not yet have a comprehensive merge policy. It is welcome, but not compulsory to write a design or documentation.
- Tails: In Patrick Schleizer's opinion, Tails merge policy is too strict. This is not a complaint or critique. They will have their reasons for that and it has to be noted, that Tails is still doing well and useful for many people. Anyone who does not agree has the freedom to contribute to another project or to start a new project. Patrick Schleizer just made use of that freedom.
- One big difference is, that Tails is a Live DVD and therefore inherits some restrictions and limitations. Tails must fit on a DVD, while Whonix does not have such a requirement. Whonix has higher hardware requirements, but therefore more space to implement features. That means that initially fewer people will be able to use Whonix, but over the years available hardware to people will (hopefully) improve. Whonix is discovering both, theoretically and practically, new designs. Over time, depending on user feedback and general interest, a Live DVD or Live Blu-ray might be created.
- Patrick Schleizer found it easier to cooperate with the security by isolation focused operating system Qubes OS which resulted in Qubes-Whonix.
How is Whonix Different from Tor Browser?
How Difficult is Whonix Development?
This is just Patrick Schleizer's opinion and feeling.
Whonix source code is not rocket science. In comparison to other things it is very simple.
I think it is best to make a comparison table.
Legend: 10 * equals very difficult.
1 * equals very easy.
********** Hand written binary code. ********* Cryptographic algorithms development ********* Rocket science ********* Compiler development ******** Assembly language ******** Kernel development ******** Reverse engineering ******* Tor core development ****** Programming languages such as C/C++. ***** Using Hardened Gentoo **** Scripting language *** Whonix related anonymity/privacy research ** Writing Whonix documentation ** Writing Whonix bash scripts * Using a computer
Why are Whonix Images so Large?
Compared to other "Tor-VM" or "Tor-LiveCD/DVD" projects which sometimes use special minimal or stripped down Linux distributions (e.g. TinyCore, DSL, Puppy) Whonix is larger, both VMs together are currently almost 2 GB.
One reason for that is, that small distributions do not meet our requirements, namely: upstream needs to have a proactive security policy.
- Most "minimal" distributions are small projects that do not have a dedicated security team that audits packages and releases security patches quickly.
- We need a distribution that fully signs updates (this is always desirable but especially so when updating over untrusted exit relays).
- For such distributions security consist in a small attack surface , but that's about it. A full distribution supports MAC, kernel patches, IDS...
- "Big" projects with many users and developers (many eyeballs) are inherently more trustworthy.
- Debian has loads of Security Features, see (Ubuntu article, but mostly true for Debian) Ubuntu Security Features. Small distributions don't have it.
- See also Dev/Operating_System.
There are maintenance and usability reasons:
- We want to support a wide range of user cases such as hosting hidden services, small distributions usually have limited repositories.
- Whonix, since based on Debian, is a complete operating system. An anonymous general purpose operating system, not a stripped down minimal system. Features, Design
- Debian has much more documentation than small distributions, also about topics such as Security and Hardening.
- Creating a slim system is difficult and requires a lot of of development time. This should not be Whonix's core competence. There are projects which do not focus on anonymity/privacy/security, but which are dedicated to a slim system.
- Slimming down the system will result in many "strange bugs". People who are used to Debian or Ubuntu will wonder why some things do not work or why Whonix is broken.
Another reason is that Whonix does not play in the anonymity oriented Live CD/DVD market:
Whonix is a new category of anonymity tools. Whonix does not have the requirement to fit on a DVD. (Although in future we may develop a Whonix Live DVD.) While anonymity oriented Live CD/DVD's have to balance between functionality they want to provide available space and security; Whonix, as an anonymous general purpose operating system can by default or optionally provide any functionality and doesn't has to care so much about space. For example, integrating Bitcoin into Whonix would be, except for documentation, quite simple.
Last but not least reason, not putting security over usability:
- Short: Not putting security over more users.
- Long: For example, this interesting statement from Tor developer Roger Dingledine: Mixminion vs Tor. Similar applies here. Mixminion is a high latency remailer, with cover traffic, protection against traffic confirmation (end-to-end correlation), theoretically more secure than Tor. The problem is "theoretically". They couldn't attract enough users and without enough users it is equally (in)secure as Tor. That's why they decided, to no longer work on Mixminion. Whonix also needs lots of users, to 1) get press/publicity 2) more developers 3) more research and audits. 2 and 3 will result in more security. Creating the most secure and most slim system, would only attract a few geeks. The geeks get hopefully satisfied, because Whonix is highly customizable. Nothing prevents from optionally slimming, hardening and customizing.
Patches are Welcome
Volunteer contributions are happily considered for review and merge.
We might be able to implement this ourselves, but we have different priorities. Please do not debate priorities as this only contributes of making no progress at all. We might implement this ourselves at some point but it could take a long time. Don't hold your breath. Or we might never implement it.
Contributions are happily considered.
We might want to implement this, but we either would require too much time for it or don't know how and seemingly no one else knows either.
Does Whonix Guarantee my IP Address and Location are Safe when Using Skype?
This answer has been moved to the Voip page.
Full Disk Encryption Should be Added to Whonix!
Short: No, you should add Full Disk Encryption to your host!
Long: See Encrypted Guest Images.
No, this is not a good idea for many reasons.
Whonix is an anonymity distribution gluing together concepts, which are generally respected by educated people and known to work reliably. It is not a browser project trying to create a secure browser such as "Privacy Browser - solves all browser fingerprinting problems". Whonix does not have the manpower to create such a browser. In theory, and even if it had, it would make more sense to create a new project "Privacy Browser" and when it gets better than Tor Browser to use, re-configure Whonix to use "Privacy Browser" instead of Tor Browser.
Whonix includes Tor Browser and with only minor differences.
Last, but definitively not least, Whonix shares the same Fingerprint as other Tor Browser users, which is good for anonymity.
Does Whonix / Tor Provide Protection from Advanced Adversaries?
If you are under active surveillance:
Whonix can do nothing against miniature cameras or microphones in your room etc.
If you are under passive surveillance just like anyone (PRISM):
That depends if Tor protects from such threats. The answer to that is not clear:
And even if Tor was a whole lot better, you can never prove a negative. So it is better to hesitate to any broad claims as it would be skeptical if any other project claimed that.
Also Whonix does not make such broad claims. For a related statement about advanced adversaries, also see: Technical Introduction#With more technical terms
Can Certain Activities Leak DNS and/or the Real External IP Address / Location?
Nothing you do inside Whonix-Workstation can cause IP/DNS leaks as long you leave Whonix-Gateway unchanged (besides documented stuff, which goes ok, such as bridges, hidden services, updates).
However, there are still ways you could shoot your own foot. It might be pseudonymous rather than anonymous, you may de-anonymize yourself by doing things you should not do, things like Secondary_DNS_Resolvers may lead to DNS related identity correlation or the application you are using may be hostile to you, such as in the example of Skype.
Is there a Whonix Amnesic Feature / Live CD / Live DVD? What about Forensics?
Many people suggested workarounds such shredding Whonix's hard disk images, having a zip archive of Whonix's hard disk images and restoring them every time they are using Whonix, restoring a fresh snapshot every time they use Whonix, running Whonix completely in ramdisks, using Full Disk Encryption and so forth.
These aren't substitutes for having an amnesic system. Not storing sensitive data on hard disks in the first place is much safer than dealing with it after the fact. In that regard, amnesic live systems are superior, because they do exactly this by design.
Never storing data unencrypted in the first place is much safer than trying to wipe it later. Using Full Disk Encryption is very useful. Still, this is not an applicable stopgap as long as Whonix doesn't offer an amnesic version for every person in all cases. In some areas in the world, having encrypted disks is not wise.
You should be very cautious about disk forensics claims. We don't know about swap or other strange things operating systems and harddrives are doing nowadays. We are not experts in forensics. Just have a basic understanding of it and know to be cautious. Check out Data Remains on USB and SSDs After Secure Erase and wear leveling. Ordinary hard disks also sometimes mark sectors as bad an never release their data. (?) See also forensics wiki to learn some more about the possibilities of forensics.
See also Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows to get an idea of what kinds of disk traces may be leftover.
No matter how clever the setup sounds, nothing can beat an amnesic system. At bare minimum, before making any claims:
- Make an image of the hard drive.
- Run Whonix, do some stuff.
- Make again an image of the hard drive.
- Compare the images.
Without performing these basics steps, the setup may sound clever, but may not work out so well against actual forensics. So if you are concerned about local forensics, at bare minimum, use full disk encryption. When established Open Source encryption solutions such as Linux dmcrypt are rightly used, they usually hold their promises. Again, it is not as good as an amnesic system. If being forced to surrender the password is of concern to you, Whonix may not be the right tool for you. Again, without anyone doing actual forensics, be careful with any claims or assumptions how well data may be gone.
Whonix Crashes because of PAE?
See PAE crash.
What is the Difference between Alpha, Beta, Stable, Development, testers-only, developers-only?
Is Alpha, Beta or Stable related to security? No, our design makes security issues inherently less likely to occur.
The terms alpha, beta lost their meaning. Too many applications which are working fine for years are called alpha or beta and have version numbers below 1.0. Users are not taking these terms serious anymore. Therefore Whonix avoids these terms. Rather, Whonix uses different terms which mean what they say.
- stable versions
- testers-only versions
Why can't I Ping the Whonix-Gateway?
Whonix-Gateway is firewalled (see /usr/bin/whonix_firewall or in Whonix source code) and does not answer to ping (-like) commands for security reasons. In most cases, you don't need to ping the Gateway.
If you really want to ping the Gateway or really want some uber special setup you can test wise clear all firewall rules with the dev_clearnet script or try Dev/Firewall_Unload (or hack Whonix's firewall to not load at all). It is only for experts and you need to comment out the exit 0 at the beginning.
Does not apply.
|Whonix-Gateway can work with as little as 256 MB RAM.|
If a user believes the Whonix-Gateway is using too much RAM or generally prefers a terminal version of Whonix-Gateway, the allocated RAM can be reduced to 256 MB and RAM Adjusted Desktop Starter will automatically boot into a terminal version of Whonix-Gateway.
When Whonix is used in combination with KVM, dynamic memory management of the RAM overhead might be a non-issue. By manually enabling these features it is possible to immediately profit. Eventually when Whonix 10 or a later version is released and KVM is in use, Whonix will enable this by default.
Whonix aims to be as accessible and usable as possible. Linux experts who were content with the older non-graphical version of Whonix-Gateway  may not appreciate the change, but Whonix is aimed at a broad audience. Whonix is also an attempt to recruit more casual users  to Tor, because the more people who use Tor, the better the anonymity that is provided.
In the older, non-graphical version of Whonix-Gateway  it was difficult for users who had never used Linux before to complete tasks like upgrading or configuring obfuscated bridges. Many activities are simpler and easily accessible in a graphical desktop environment, such as:
- Setting up bridges / flashproxies.
- Auditing logs.
- Auditing iptables.
- Auditing the system architecture in general.
- Running Tests.
- Running Leak Tests.
- Editing the Tor configuration file /etc/tor/torrc.
- Editing the firewall settings folder /etc/whonxi_firewall.d.
- Reading status messages (whonixcheck and timesync).
- Changing the Tor circuit.
- Copying and pasting (configuration) commands, (error) messages and logs.
- Running tshark / wireshark.
- Tunneling only Whonix-Gateway's traffic through a VPN.
A black, text-only window (terminal) is intimidating for normal users. A graphical desktop environment is also a prerequisite for further planed improvements, such as a Whonix Controller. The proposed graphical Whonix Controller will provide buttons such as:
- "Create hidden blog", which creates a pre-configured blog.
- "Backup hidden service keys".
- A Better Circumvention User Interface.
- And more.
Also, terminal-only environments are often unusable for users with disabilities. This is another reason why recent Whonix versions  feature an optional graphical desktop environment.
Users do not have many options if they believe the graphical Whonix-Gateway uses too much disk space and/or they want to achieve activities that Whonix was not designed for, such as running Whonix completely in RAM. Whonix was never developed with low installation size, low RAM, or low system requirements in mind. See also #Why are the Whonix images so big? and #Will there be a Whonix Live CD or DVD?.
Advanced users can build Whonix from source code and use a build configuration to create a terminal-only version of Whonix-Gateway; refer to Build Documentation if that is of interest.
Last but not least, a terminal-only version of Whonix-Gateway could be easily provided if the role of Release Manager was filled. This requires someone willing to build terminal-only versions of Whonix-Gateway, which is not strictly about development since it only requires running the build script and uploading it. Until more people are contributing to The Whonix Project, this won't be possible due to resource constraints.
See also Other Desktop Environments for workarounds and alternatives.
- Lasted updated in January 2018.
- A Tor onion service is still not available.
- Features rely totally on GNOME. I hate GNOME, however we reject GNOME as a desktop environment for many reasons. Its appearance is known to induce eye hemorrhages. Their dumbed down interface is irritating to use. They have a lot of "cloud integration" junk that we would have to tear out. Configuring GNOME to the KDE level that we have now will require a lot of effort just to reach the same point we're at. Wayland and Flatpak will reach KDE just a matter of time.
- From a browser test website, in a log file and so on.
- All traffic generated by the host and all applications running on the host. For example, Firefox, NTP, and anything else. This also includes traffic generated by Whonix.
- KVM and improves RAM usage through page sharing, however as documentation states there are good reasons for not enabling it by default. VirtualBox does not have such a feature.
- This is actually also a disadvantage, because that is the opposite of an amnesic system, which also many users prefer.
- Our attack surface is still very small, no network listening services, just a few selected applications.
- See linked comment.
[...] Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!
- Since Whonix 6 and above
Impressum | Datenschutz | Haftungsausschluss
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.