- 1 Easy
- 2 GUI Applications with Root Rights
- 3 More Security
- 4 Whonix-Workstation is firewalled
- 5 Advanced
- 6 Foreign Sources
- 7 Footnotes
Qubes-Whonix users would need to install persistent software in their Workstation TemplateVM(s).
Using apt-get in an AppVM will install software for the current session only, and those changes will be lost when the VM is shut down.
One of the main goals of Whonix is to greatly reduce the risk posed by any (additional) software not exclusively designed for use with Tor.
You can install any software inside Whonix-Workstation using apt-get, since it's based on Debian.
Whonix is currently the safest method to run Tor-unsafe applications such as Adobe Flash (see the comparison).
This is not a recommendation for installing additional software.
On the Software page you'll find:
- Applications for different tasks, which are already installed on Whonix by default.
- Software recommendations for different tasks.
- Safety advice.
- Installation instructions.
Recommendation to Install Packages from Debian Stable Repository
If the rationale for installing new software outweighs the risks, it is preferable to install software from Debian's Stable repository rather than the Testing / Unstable or 3rd party repositories. Also, manually installed packages, even trusted ones, tend not to be updated by the user in a timely fashion.
Stable is rock solid. It does not break and has full security support. But it might not have support for the latest hardware.
If security or stability are at all important for you: install stable. Period. This is the most preferred way.
Since there is typically over 1 year between releases you might find that stable contains old versions of packages. However, they have been tested in and out. One can confidently say that the packages do not have any known severe bugs, security holes etc., in them. The packages in stable integrate seamlessly with other stable packages. These characteristics are very important for production servers which have to work 24 hours a day, 7 days a week.
On the other hand, packages in testing or unstable can have hidden bugs, security holes, etc. Moreover, some packages in testing and unstable might not be working as intended.
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
GUI Applications with Root Rights
Never log in as the root user (sudo su) or run GUI applications using sudo application. This will fail. This is a limitation inherited from Debian. You will see error messages such as:
No protocol specified
cannot connect to X server :0
As a KDE user (Whonix default), use the kdesudo application. Otherwise use the gksudo application. For example:
Open /etc/tor/torrc in an editor with root rights.
Installing additional software... (see the comparison)
- You can install your favorite software packages: almost any application, with a few exceptions listed under impossible to torify.
- You are protected from IP and DNS leaks. (Read above for details.)
- You have some, but not perfect, Protocol-Leak-Protection and Fingerprinting-Protection.
- You should still try to prevent any other protocol leaks using the TorifyHOWTO (but most of those are mitigated by using Whonix).
- When you are updating using apt-get, you'll leak which software packages and versions you have installed, see Software updaters. This information can not be directly linked to any other activity, such as web browsing, because the Whonix apt-get uwt wrapper forces apt-get to go through its own circuit. But there are still risks for correlation to the same pseudonym.  
- If you install additional software, you always increase the attack surface.
You should update using the guidelines below.
Extra care is needed when adding extra custom repositories, especially PPAs (Personal Package Archives). Single developers may be pressured and/or turn malicious more easily than the main repositories.
Read Protocol-Leak-Protection and Fingerprinting-Protection first! (Many leaks, such as DNS- and IP-related leaks, do not apply to Whonix.)
Also see Transparent Proxy Leaks. (Mostly Microsoft Windows related.)
How to install or update with most caution?
- Stop all your activities. 
- Change your circuit. 
- Update using apt-get after a random delay.
- Change your circuit again.
- Continue your activities later with a random delay.
Whonix-Workstation is firewalled
This is just an informational chapter if you are interested in server software or other advanced or otherwise uncommon applications.
- Whonix-Workstation does not support incoming connections (so-called server ports, also called open ports). However, if you make outgoing connections, the corresponding incoming replies are accepted, so web browsing, IRC, etc. work.
- An Ident Protocol or web server listening port is not reachable unless you explicitly configure it.
- You can host Hidden Services.
- The firewall script can be found on Whonix-Gateway at /usr/bin/whonix_firewall.
- Standard DNS requests on UDP port 53 will be redirected to Tor's DnsPort. If you change the DNS server in /etc/resolv.conf in Whonix-Workstation, this will probably have no effect, since the firewall on Whonix-Gateway will redirect all those requests to Tor's DnsPort. (However, if you are tunneling/encrypting a DNS request, as per Secondary DNS Resolver (DNSCrypt, httpsdnsd) it will work.)
- Tor does not support UDP. This is not a Whonix issue.
- Tor does not support IPv6. This is not a Whonix issue.
- All traffic from Whonix-Workstation and Whonix-Gateway is routed over Tor. (See the footnotes.)
Whonix's firewall on the Whonix-Gateway is very restrictive. You can make it even more restrictive by activating #OptionalFeatureNr.3# within the firewall script. It is possible to limit which outgoing ports will be redirected to Tor's TransPort. Depending on what you want to achieve, it could be useful to remove all SocksPorts.
Add the jessie-backports repository to your APT sources.
sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"
Apt-Pinning provides a safe mechanism to mix and match packages from different Debian repository branches without breaking your base distribution.
A higher pin priority ensures that the stable package version is preferred over any other when installing with apt. Note that files in /etc/apt/preferences.d/ must have a .pref extension or none at all.
Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500
Update your package lists.
sudo apt-get update
Install the package from jessie-backports.
sudo apt-get -t jessie-backports install packagename
Replace packagename with the package you actually want to install.
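To see what the pinning file above actually does, here is an added toy model of apt's pin-priority selection (example code, not Whonix's or apt's own): it parses stanzas in the page's format and picks the version apt would install, including the effect of apt-get -t and apt's rule that priorities below 1000 never downgrade. Version comparison is a constructed simplification of dpkg ordering.

```python
"""Toy model of apt's pin-priority selection (added example, not Whonix code)."""
import re

# Constructed copy of the page's debian-pinning.pref (first three stanzas).
WHONIX_PREFS = """
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600
"""

def parse_preferences(text):
    """Map archive -> priority from 'Package: *' / 'Pin: release a=<archive>' stanzas."""
    pins = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        fields = {k.strip(): v.strip() for k, v in fields.items()}
        match = re.fullmatch(r"release a=(\S+)", fields.get("Pin", ""))
        if fields.get("Package") == "*" and match:
            pins[match.group(1)] = int(fields["Pin-Priority"])
    return pins

def version_key(version):
    """Simplified dpkg ordering (assumption): compare integer components left to right."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def candidate(pins, available, installed=None, target=None):
    """Return the (archive, version) apt would pick from 'available' pairs.
    target mirrors 'apt-get -t <archive>' (pins that archive at 990); unpinned
    archives default to 500; highest priority wins, ties go to the newer version."""
    def key(item):
        archive, version = item
        prio = 990 if archive == target else pins.get(archive, 500)
        return (prio, version_key(version))
    archive, version = max(available, key=key)
    prio = key((archive, version))[0]
    # Below priority 1000 apt never downgrades an already installed version.
    if installed and prio < 1000 and version_key(installed) > version_key(version):
        return ("installed", installed)
    return (archive, version)
```

With the page's priorities, a package present in stable is taken from stable unless you pass -t jessie-backports, which is why the install command above needs that flag.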
Reinstallation of Packages
Mostly as per the free support principle; this is normal Debian.
Explained using the iceweasel package. You can substitute iceweasel with many other packages that do not have too many dependencies. Do not try this with any packages required for connectivity, such as tor, as reinstallation would be very difficult and unsupported.
The only complication, sometimes, is that (as in the example of the iceweasel package) the anon-workstation-packages-recommended package depends on iceweasel, and the whonix-workstation package depends on anon-workstation-packages-recommended.
Update your package lists and upgrade before you start. See Update for instructions.
Purge the package you want to reinstall.
sudo apt-get purge iceweasel
Will show something like this.
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  anon-workstation-packages-recommended* iceweasel* whonix-workstation*
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 90.8 MB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 100681 files and directories currently installed.)
Removing whonix-workstation (3:2.9-1) ...
Removing anon-workstation-packages-recommended (3:2.9-1) ...
Removing iceweasel (38.4.0esr-1~deb8u1) ...
Removing 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by iceweasel'
Purging configuration files for iceweasel (38.4.0esr-1~deb8u1) ...
Processing triggers for hicolor-icon-theme (0.13-1) ...
Processing triggers for menu (2.1.47) ...
Processing triggers for man-db (126.96.36.199-5) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for qubes-core-agent (3.0.20-1+deb8u1) ...
Processing triggers for mime-support (3.58) ...
The packages anon-workstation-packages-recommended and whonix-workstation have been inadvertently uninstalled due to technical limitations.  We will reinstall them later.
Delete user config folder if that is what you want. In the example of iceweasel, that would be the following. (Differs depending on package.)
rm -r ~/.mozilla
Reinstall. (You could also drop --no-install-recommends as a matter of preference.)
sudo apt-get install --no-install-recommends iceweasel anon-workstation-packages-recommended whonix-workstation
Related to: Whonix Debian Packages.
In most cases, the programs in the official Debian repositories are enough. Thousands of programs can be installed in a couple of steps. These packages are constantly maintained for bug/security fixes and tightly integrated to provide a stable distribution. However, the Linux software scene is very dynamic and sometimes you will want to use software that has not been packaged in Debian yet.
In these cases it may be necessary to install software from separate sources, either from third party repositories, as a stand-alone precompiled .deb, or as directly compiled source programs.
The use of foreign sources should be kept to a minimum, as it could cause problems. Note that this is not an absolute outcome of installing third party software, but a warning about possible worst case scenarios.
Keep in mind that there are important security implications for the system. Installing software on your computer is tantamount to granting root privileges to the developers. When installing software from dubious sources it is in fact possible that important system components are replaced with malicious versions to install backdoors or "Trojan horses" on the system.
In general, the installation of software is a matter of trust. The fact is that you have to trust every source from which you installed software. Trust has to be present on two levels. First, you have to trust that the developers have integrity and secondly you have to place your trust in the community to notice anything suspicious in the code which could be a result of the developers machines being compromised. With reproducible package builds on the horizon, the security risk will be minimal.
Manually installed packages can contain library versions not available in the standard repositories. This messes up dependency resolution when installing additional software from the official repository. Individual applications are to be considered less critical in this context, but when it comes to important system libraries in the third-party software, complications are inevitable.
Depending on how severe, upgrades to the next version of the operating system might fail and it could become non bootable or have other stability issues.
- For example, if you announced somewhere that you are an X user and have a specific set of x, y, and z installed, this information may be available to an adversary. If you run apt-get (which goes through its own circuit) through any exit relays, mirrors or ISPs controlled by the adversary, it is possible for the adversary to guess that it is the same pseudonym running it. In that case the adversary gets your list of installed packages, can run a stale mirror attack (only if you are using a custom build using Ubuntu, see About Ubuntu), or can try other attacks against apt-get.
- Another example, if you run a hidden service with a specific set of server software, let's say apache, mediawiki, phpbb, x, y, z... it's similar to the previous note.
- One way to do it is using Arm (see Tor Controller): go to your Whonix-Gateway and start arm. Press m for menu, go down to New Identity and press enter.
- Maybe not, if you're running a hidden service?
- Since Whonix 0.2.1 also the Whonix-Gateway traffic is routed over Tor. This prevents telling the world that the user is a Whonix user.
- To preserve anonymity of activities the user is doing inside Whonix-Workstation, it would not be required to torify Whonix-Gateway's own traffic.
- For your interest: if you were to change DNS settings on Whonix-Gateway, this would only affect Whonix-Gateway's own DNS requests issued by applications using the system's default DNS resolver. Actually, by default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured (or forced by uwt wrappers) to use their own Tor SocksPort (see Stream Isolation).
- Whonix-Workstation's default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thus not using the system's default DNS resolver. Any applications on Whonix-Workstation not configured for stream isolation will use the default DNS server configured in Whonix-Workstation, which is Whonix-Gateway. Those DNS requests will be redirected to Tor's DnsPort by Whonix-Gateway's firewall. (Therefore Whonix-Gateway's DNS settings do not affect Whonix-Workstation's DNS requests.)