Host Operating System Selection

From Whonix


Info Linux, Xen or BSD are the only serious options for a host operating system that respects privacy. Interested readers should review the rest of this chapter to find out why.

Info This article is heavily disputed [archive].

Windows Hosts

Info This Windows Hosts chapter might need some improvements. ticket [archive]

Windows Backdoors

Table: Windows Backdoors

Category Description
Encryption Microsoft has backdoored its disk encryption [archive]. Quote:

But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.

“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key,” a Microsoft spokesperson told me. “The recovery key requires physical access to the user device and is not useful without it.”

Software Choice and Deletion

Windows User Freedom Restrictions

A number of conscious decisions by Microsoft severely limit user freedoms.

Table: Windows User Freedom Threats

Category Description
Trust The German government wrote: (DeepL translated)

From the point of view of the BSI, the use of Windows 8 in combination with a TPM 2.0 is accompanied by a loss of control over the operating system and hardware used. This results in new risks for users, especially for the federal administration and critical infrastructures. In particular, on hardware operated with a TPM 2.0, with Windows 8, unintentional errors by the hardware or operating system manufacturer, but also by the owner of the IT system, can lead to error conditions that prevent further operation of the system. This can lead to the situation that in case of an error, not only the operating system but also the hardware used is permanently unusable. Such a situation would be acceptable neither for the Federal Administration nor for other users. Furthermore, the newly implemented mechanisms can also be used for acts of sabotage by third parties. These risks must be countered.

For certain user groups, the use of Windows 8 in combination with a TPM can certainly mean a security gain. These include users who, for various reasons, cannot or do not want to worry about the security of their systems, but trust the system manufacturer to provide and maintain a secure solution. This is a legitimate usage scenario, but the manufacturer should provide sufficient transparency about the possible limitations of the provided architecture and possible consequences of its use.

see full statement [archive].

Forced Updates Microsoft has a history of updating software without permission [archive]. While configurable update reminders are good for those who forget to regularly update, forced updates are problematic for those that do not wish to.
Forced Upgrades
User Freedoms

Windows Sabotage

The following table highlights Microsoft technical actions that harm users of specific hardware or software.

Table: Windows Sabotage

Category Description
Adversary Collaboration

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.

See also this opinion analyzing this, How Can Any Company Ever Trust Microsoft Again? [archive].

Tiered Stability (Updates Testing) Windows forces lower-paying customers to install new updates and gives higher-paying customers the option of whether or not to adopt them. Quote [archive]:

Windows 10 Enterprise does allow users to postpone any update indefinitely but it is only available in bulk licensing.

Windows Interference

Microsoft often releases proprietary programs or updates that destabilize or reduce the utility of the user's system:

Windows Surveillance

Table: Windows Surveillance Threats

Category Description
Adversary Collaboration

Microsoft pretty much admits it has a keylogger in its Windows 10 speech, inking, typing, and privacy FAQ [archive]: “When you interact with your Windows device by speaking, writing (handwriting), or typing, Microsoft collects speech, inking, and typing information—including information about your Calendar and People (also known as contacts)…”

Quoting 2015 version of Windows 10 speech, inking, typing, and privacy FAQ [archive]:

Can I clear the speech, inking, and typing data Microsoft has collected about me?

Yes, you can clear your speech, inking, and typing data from your device and from the cloud.

  • [...]
  • To clear data stored on the cloud, go to Start, then Settings > Privacy > Speech, inking, & typing, and then select the Go to Bing and manage personal info for all your devices link.

When you use the Microsoft cloud-based speech recognition service, Microsoft collects and uses your voice recordings to create a text transcription of the spoken words in the voice data.

This means Windows is recording the voice of the user and storing it on servers owned by Microsoft. The same website mentions this can be disabled.

You can use device-based speech recognition without sending your voice data to Microsoft.

But disabling this requires awareness of the issue, the ability to use search engines and find documentation on how to do so, and the technical skills to disable this privacy intrusion. Non-technical users often lack these.

According to tecChannel, the information sent to Microsoft includes details of all the software installed in a machine, not only Microsoft applications.

Telemetry and Personal Data

Summing up these 45 pages, one can say that Microsoft basically grants itself very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties. The company appears to be granting itself the right to share your data either with your consent “or as necessary”.

By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example “web browser history, favorites, and websites you have open” as well as “saved app, website, mobile hotspot, and Wi-Fi network names and passwords”. Users can however deactivate this transfer to the Microsoft servers by changing their settings.

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”, for example, “protect their customers” or “enforce the terms governing the use of the services”.

Windows Error Reporting (WER) and Core Dumps Privacy Issues

Although Microsoft has made privacy assurances, they acknowledge that personally identifiable information could be contained in the memory and application data compiled in the 100-200 KB "minidumps" that Windows Error Reporting compiles and sends back to Microsoft. They insist that in case personal data is sent to Microsoft, it won't be used to identify users, according to Microsoft's privacy policy.[1][2] But in reporting issues to Microsoft, users need to trust Microsoft's partners as well. About 450 partners have been granted access to the error reporting database to see records related to their device drivers and apps.[3]

In December 2013, an independent lab found that WER automatically sends information to Microsoft when a new USB device is plugged into the PC.[4]

According to Der Spiegel, the Microsoft crash reporter has been exploited by NSA's Tailored Access Operations unit to hack into the computers of Mexico's Secretariat of Public Security. According to the same source, Microsoft crash reports are automatically harvested in NSA's XKeyscore database, in order to facilitate such operations.[5]

Trying to disable the lengthy list of privacy invasive features [archive] is a huge task similar to playing "whack-a-mole". Being unaware of some spyware feature could result in unwanted surveillance.

Forfeited Privacy Rights

By now the reader should be convinced that just by using any version of Windows, the right to privacy is completely forfeited. Windows is incompatible with the intent of Whonix and the anonymous Tor Browser, since running a compromised Windows host shatters the trusted computing base which is part of any threat model. Privacy is inconceivable if any information that is typed or downloaded is provided to third parties, or programs which are bundled as part of the OS regularly "phone home" by default [archive].

Inescapable Telemetry

The fact that there is no way to completely remove or disable telemetry requires further consideration. For instance, non-enterprise editions do not permit anyone to completely opt-out of the surveillance "features" [archive] of Windows 10. See "Even when told not to, Windows 10 just can’t stop talking to Microsoft" [archive]. Quoting "Windows 10 Sends Your Data 5500 Times Every Day Even After Tweaking Privacy Settings" [archive]:

CheesusCrust also disabled every single tracking and telemetry feature in the operating system. He then left the machine running Windows 10 overnight in an effort to monitor the connections the OS is attempting to make.

Eight hours later, he found that the idle Windows 10 box had tried over 5,500 connections to 93 different IP addresses, out of which almost 4,000 were made to 51 different IP addresses belonging to Microsoft.

Even if some settings are tweaked to limit this behavior, it is impossible to trust those changes will be respected. Even the Enterprise edition was discovered to completely ignore privacy settings and anything that disables contact with Microsoft servers.[6]

Any corporation which forces code changes on a user's machine, despite Windows updates being turned off many times before, is undeserving of trust. [7] [8] [9] [10] [11] Windows 10 updates have been discovered to frequently reset or ignore telemetry privacy settings. [12] Microsoft backported this behavior to Windows 7 and 8 [archive] for those that held back, so odds are Windows users are already running it.

Opinion by GNU Project

The GNU Project opinion [archive] is that Windows is "Malware", due to the threats posed to personal freedoms, privacy and security, meaning the software is designed to function in ways that mistreat or harm the user.

Opinion by Free Software Foundation

The Free Software Foundation (FSF) writes [archive] quote:

Microsoft uses draconian law to put Windows, the world's most-used operating system, completely outside the control of its users. Neither Windows users nor independent experts can view the system's source code, make modifications or fixes, or copy the system. This puts Microsoft in a dominant position over its customers, which it takes advantage of to treat them as a product [archive].

Windows Insecurity

Microsoft's willingness to consult with adversaries and provide zero days [archive] before public fixes are announced logically places Windows users at greater risk, especially since adversaries buy security exploits from software companies [archive] to gain unauthorized access [archive] into computer systems. [13] Even the Microsoft company president has harshly criticized adversaries for stockpiling vulnerabilities [archive] that when leaked, led to the recent ransomware crisis world-wide.

Windows is not a security-focused operating system [archive]. Due to Microsoft's restrictive, proprietary licensing policy for Windows, there are no legal software projects that are providing a security-enhanced Windows software fork [archive]. There are security-enhanced Windows software fork(s) but these are not legal and provided by anonymous developers. In contrast, the Linux community has multiple Freedom Software Linux variants that are strongly focused on security, like Qubes OS [archive].

Windows Historic Insecurity

Microsoft updates also use weak cryptographic verification methods such as MD5 and SHA-1. In 2009, the CMU Software Engineering Institute stated that MD5 "...should be considered cryptographically broken and unsuitable for further use". [14] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. [15]

Before Windows 8, there was no central software repository comparable to Linux where software could be downloaded safely. This means a large segment of the population remains at risk, since many Windows users [archive] are still running Windows 7. [16]

Windows Software Sources

On the Windows platform, a common way to install additional software is to search the Internet and install the relevant program. This is risky, since many websites bundle software downloads with adware or, worse, malware. Even if software is always downloaded from reputable sources, those sources commonly act in very insecure ways. For example, if Mozilla Firefox is downloaded from a reputable website like, [17] then until recently, the download would have taken place over an insecure, plain http connection. [18] In that case, it is trivial for ISP level adversaries, Wi-Fi providers and others to mount man-in-the-middle attacks and to inject malware into the download. But even if https is used for downloads, this would only provide a very basic form of authentication.

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.

Tools for software digital signature verification are not installed by default on the Windows platform: neither SignTool nor gpg4win is installed by default. These could be installed manually, but there is a bootstrap issue. The tools themselves would have to be downloaded over https, i.e. with only a very basic form of authentication. In contrast, on the Linux platform the GnuPG software digital signature verification tool is usually installed by default.

For these reasons it is safe to assume that virtually nobody using a Windows platform is regularly benefiting from the strong authentication that is provided by software signature verification.

The Windows 10 App Store does not suffer from this issue and performs software signature verification, but many applications are not available from the Windows App Store. In the Windows ecosystem, the culture of software signature verification is less widespread.

In contrast, most Linux distributions provide software repositories. For example, Debian and distributions based on Debian are using apt-get. This provides strong authentication because apt-get verifies all software downloads against the Debian repository signing key. Further, this is an automatic, default process which does not require any user action. Apt-get also shows a warning should there be attempts to install unsigned software. Even when software is unavailable in the distribution's software repository, in most cases OpenPGP / gpg signatures are available. In the Linux world, it is practically possible to always verify software signatures.
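How the repository chain described above rejects a modified download even when it is fetched over plain http, as an added example that is not part of the original page or of apt's own code: the signed Release file lists the hash of the Packages index, which in turn lists the hash of every package file. The OpenPGP signature check on the Release file (done by gpgv in apt) is assumed to have passed already, and all file contents, names and versions below are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {package name: fields} from a Packages index (one stanza per package)."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(
            line.split(": ", 1)
            for line in stanza.splitlines()
            if ": " in line and not line.startswith(" ")  # skip continuation lines
        )
        index[fields["Package"]] = fields
    return index


def verify_download(release_text, packages_path, packages_bytes, name, deb_bytes):
    """Walk the chain Release -> Packages -> package file; raise ValueError on mismatch.

    Assumption: the signature on release_text was already verified against
    the repository signing key, so its contents are trusted."""
    want_hash, want_size = parse_release_sha256(release_text)[packages_path]
    if len(packages_bytes) != want_size or sha256_hex(packages_bytes) != want_hash:
        raise ValueError("Packages index does not match signed Release file")
    fields = parse_packages(packages_bytes.decode())[name]
    if len(deb_bytes) != int(fields["Size"]) or sha256_hex(deb_bytes) != fields["SHA256"]:
        raise ValueError("package file does not match signed index")
    return fields["Filename"]


# Constructed sample repository (not real Debian data).
DEB = b"constructed stand-in for the bytes of a .deb archive\n"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES = (
    "Package: hello\nVersion: 2.10-2\n"
    "Filename: pool/main/h/hello/hello_2.10-2_amd64.deb\n"
    f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n"
).encode()
RELEASE = (
    "Origin: Example\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {PACKAGES_PATH}\n"
)

# A same-length modification made in transit, and an index rewritten to match it.
EVIL = DEB[:-1] + b"!"
FORGED = PACKAGES.replace(sha256_hex(DEB).encode(), sha256_hex(EVIL).encode())


def check(packages_bytes: bytes, deb_bytes: bytes) -> str:
    """Return 'ok' or the reason the download was rejected."""
    try:
        verify_download(RELEASE, PACKAGES_PATH, packages_bytes, "hello", deb_bytes)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("untouched download:      ", check(PACKAGES, DEB))
    print("modified package:        ", check(PACKAGES, EVIL))
    print("modified package + index:", check(FORGED, EVIL))
```

Rewriting the index to match the modified package only moves the mismatch one level up, because the index hash is fixed by the signed Release file.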

No Security From Diversity

The popularity of Windows platforms on desktops actually increases the risk, as attackers target the near monocultural operating system environment with regularity, for example:

Windows cannot provide security from diversity.


There is no public issue tracker for Microsoft Windows. In comparison, for Open Source projects, issue trackers are most often public for everyone (with the exception of security issues under embargo until fixed).

It is effectively impossible for most people to talk directly to developers. In comparison, for Open Source projects, developers will react to users. For huge projects, at least summary replies to popular issues happen. Often it's possible to talk directly to developers at Open Source meetups and conferences.

When users are having issues and searching for advice, often the advice is to "reinstall Windows". Due to the closed source nature of Windows, it's far more difficult to analyze issues and provide bug fixes and workarounds.

It's hard to modify Windows. For example, Qubes Windows Tools for Windows 10 are still not ready.

Windows is less flexible. While a Linux distribution can easily be installed on USB, and a hard drive installed in one computer can be swapped into a replacement computer and booted there, these are major challenges for Windows users.

Using Earlier Windows Versions Is Not a Good Alternative

When users learn about the shortcomings, anti-features and spyware features of Windows, they often consider not upgrading to a newer version of Windows, or downgrading to an earlier version, as an alternative. [19] This is not a solid plan for the future since security support for older versions of Windows is being dropped.

This is also made difficult due to forced upgrades which are mentioned above.

Freedom Software Superiority

Based on the preceding section and analysis, it is strongly recommended to learn more about GNU/Linux and install a suitable distribution to safeguard personal rights to security and privacy. Otherwise, significant effort is required to play "whack-a-mole" disabling Windows anti-features, which routinely subjects users to surveillance, limits choice, purposefully undermines security, and harasses via advertisements, forced updates, and so on.

Open Source software [archive] like Qubes, Linux [archive] and Whonix ™ [archive] is more secure than closed source [archive] software. The public scrutiny of security by design [archive] has proven to be superior to security through obscurity [archive]. This aligns the software development process with Kerckhoffs' principle [archive] - the basis of modern cipher [archive]-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Freedom Software projects are much more open and respectful of the privacy rights of users. Freedom Software projects also encourage security bug reports, open discussion, public fixes and review.

macOS Hosts

Info This macOS Hosts chapter might need some improvements. ticket [archive]

In a fashion similar to Windows platforms, Apple operating systems also pose many security and privacy threats.

Table: macOS Threats [20]

Category Description
  • Files on devices can be deleted if they were downloaded from sources competing with Apple companies.
  • Intentional backdoors allow remote root privileges, wipes and deletion of applications.
Design Flaws
  • An insecure design allows execution of malicious code by applications and the extraction of messaging history.
Device Bricking
  • Devices are bricked if fixed by an "unauthorized" repair shop.
  • Devices are bricked that were unlocked without permission.
Personal Information
  • Biometric markers like fingerprints are used for device authorization.
  • Extensive personal information is sent to Apple servers, such as:
    • Automatic uploads of photos and videos used by certain applications; and
    • Unsaved documents and program files (without permission).
  • Search terms and location information are sent to Apple.
  • System files are scanned.
  • OSX phones home with info about the Date, Time, Computer, ISP, City, State and Application Hash when any program is executed, by default.[21][22]
User Control and Freedoms
  • Allowable programs like media, political, bitcoin and health-focused applications, and games are censored.
  • Arbitrary limits are imposed on the use of software.
  • Digital restrictions mechanisms are imposed.
  • System upgrades are forced without consent.
  • Older versions of operating systems cannot be installed.
  • It is impossible to manually fix system security bugs that Apple have not addressed.
  • User interfaces are designed to make specific options hard to find and enable/disable.

See this write-up [archive] by the FSF for further detailed information. [23]

In public talks, ex-Tor developer Jacob Appelbaum, who had access to the Snowden files, hinted that Apple devices in particular were easy for the Intelligence Community to infiltrate.


Based on the preceding sections and analysis, it is strongly recommended to learn more about Linux and install a suitable distribution that safeguards rights to secure and private computing. Otherwise, significant effort is required to play "whack-a-mole" with Windows and malware, which routinely subjects users to surveillance, limits choice, purposefully undermines security, and harasses via advertisements, forced updates, remote removal of applications without consent, and so on.

Linux Hosts

A Free Software [archive] OS that respects user freedom is the only practical choice when it comes to privacy and security. It also comes with many advanced anti-exploit mechanisms built-in.

Use Linux on the host and prefer in-repository software that is automatically gpg-signed and installed from the distributor's repositories by the package manager. This is far safer than downloading programs from the Internet like Windows adherents are required to do.

Recommended Linux Distribution

Info If it is infeasible to install Qubes as a high-security solution, then Debian Linux [archive] version buster is recommended since it provides a reasonable balance of usability, security and user freedom.

Interested readers can find a complete list of reasons to use Debian here [archive]. For download, verification and installation instructions, see Debian Tips.

In the past, virtually any Linux distribution could be recommended in order to protect privacy, however Ubuntu's history of data-mining [archive] makes it an unsuitable choice. [24] Ubuntu's February 2016 Privacy Policy allowed search terms entered into the dash to be sent to Ubuntu and selected third parties to "complement" search results, along with the IP address. Fortunately this text has now been removed in the latest iteration of the document [archive].

Additional reasons to avoid Ubuntu or Ubuntu-derived distributions:

Ubuntu's paltry contributions to the upstream Libre projects they heavily rely upon are a policy decision and not a coincidence. Canonical founder Mark Shuttleworth has stated: "It is absolutely true we have no interest in the core fundamentals of the Linux kernel, none whatsoever." [25]

Canonical only bothers to majorly contribute in any way when forking significant projects; for example, Wayland into Mir, GNOME into Unity [26], and .deb packages incompatible with Debian because of zstd compression. [27] This appears to be a consistent attempt to fragment the software stack to lock in users and put pressure on competing distributions and vendors. [28] [29]

The Ubuntu Contributor License Agreement gives them complete power over patents that cover contributed code. Essentially they are granted the right to re-license this code under any license of their choice, including a proprietary one.

Ubuntu also has a history of treating staff in a hostile fashion. For example, the Kubuntu spin project lead was unilaterally removed without warning and contrary to wishes of his team members. [30] Canonical also pilfered donation funds originally meant for desktop spin projects (Kubuntu, Lubuntu and others). In Kubuntu's case, after funding was abruptly dropped, Blue Systems had to step in to save the popular project. [31] [32]

Canonical has also been applying an absurd intellectual property (IP) policy over packages in its repositories for years. This resulted in claims that Canonical owns the copyright over any binaries compiled by their servers. After the FSF stepped in and arranged a resolution over a period of two years, the policy was amended to state that Canonical’s IP policy cannot override packages with GPL licenses. However, this now means that any package with a permissive license is now copyrighted by Canonical. [33] [34]

Unfortunately, downstream forks based on Ubuntu cannot be relied upon either. For example, the popular Linux Mint distribution was threatened with being cut off from access to Ubuntu infrastructure unless they caved in to Canonical's binary licensing terms. [35] Since then, Linux Mint has developed a version based on Debian instead. Canonical's vague trademark and IP policy has become toxic for downstream distributions. Many have made the smart choice to re-base on Debian instead of Ubuntu over the years including Kali, Whonix ™ [36] and others. [37]

A final major concern is Canonical's friendly relationship with Microsoft. This should make all Linux users uncomfortable, given Microsoft's strategy of "Embrace, Extend, Extinguish" with respect to Free Software. [38]

There are of course other options. See "Why don't you use <your favorite most secure operating system> for Whonix ™?" for analysis of alternatives.

See Also


  1. Microsoft Privacy Statement for Error Reporting [archive]
  2. Description of the end user privacy policy in application error reporting when you are using Office [archive]
  3. [archive]
  4. [archive]
  5. Inside TAO: Documents Reveal Top NSA Hacking Unit [archive]
  6. [archive]
  7. [archive]
  8. [archive]
  9. [archive]
  10. [archive]
  11. [archive]
  12. [archive]
  13. This is especially true for users of Tor, who are regularly targeted in this fashion.
  14. [archive]
  15. [archive]
  17. [archive] [archive]
  18. In 2019, now enforces https for its entire website.
  19. Example quote [archive]:

    I doubt Microsoft is telling everything, I'm sticking with W7 indefinitely.

    Example quotes [archive]:

    Hmm, guess I'm going back to windows 7.

    This is why I went from using the beta build as my primary OS back to Windows 8.1.

    And now myself and everyone in my family will be staying with their current OS (Windows XP, Vista, 7 and 8.1).

  20. [archive]
  21. [archive]
  22. [archive]
  23. [archive]
  24. [archive]
  25. [archive]
  26. [archive]
  27. [archive]
  28. [archive]
  29. [archive]
  30. [archive]
  31. [archive]
  32. [archive]
  33. [archive]
  34. [archive]
  35. [archive]
  36. Dev/Operating_System#Switch_from_Ubuntu_to_Debian
  37. [archive]
  38. [archive]


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
