Install Non-Whonix ™ Tor Browser using Tor Browser Downloader (by Whonix ™ developers)
|About this Non-Whonix ™ Tor Browser Page|
|Community Support Only!:|
Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the Whonix ™ platform. This is useful in various cases:
- Should Whonix ™ ever break, it is possible to search for a solution anonymously.
- System-wide Tor problems can be easily detected by testing connectivity outside of Whonix ™.
- Certain Tor / Tor Browser activities are difficult (or impossible) to configure in Whonix ™, but are much easier in the standard configuration. 
In Non-Qubes-Whonix ™, it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In Qubes-Whonix ™, it is recommended to install Tor Browser in a
debian-11-minimal App Qube (advanced users).
Note: If an expired key signature message like below appears, the steps in this chapter must be performed again due to an update of the Whonix ™ signing key; see Expired key signature.
The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer email@example.com
All Platforms: Manual Tor Browser Download
Follow these instructions to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless Qubes-Whonix ™ users temporarily set
sys-whonix as the NetVM for the non-Whonix ™ App Qube.
Debian Linux Hosts
Tor Browser can optionally be downloaded utilizing the
tb-updater software package by Whonix ™ developers. By default the download does not occur over Tor, meaning it is not anonymous.
1. Download the Signing Key.
2. Optional: Check the Signing Key for better security.
3. Add Whonix ™ signing key.
4. Whonix ™ APT repository choices.
Optional: See Whonix ™ Packages for Debian Hosts and Whonix ™ Host Enhancements instead of the next step for more secure and complex options.
5. Add Whonix ™ APT repository.
5. Update the package lists.
Moderate: Qubes-Whonix ™
Qubes-Whonix ™ R4 only! This method is anonymous.
- Anonymously retrieve and verify the Whonix ™ signing key.
- Copy the Whonix ™ signing key to a debian-11 (
debian-11-tor) or debian-11-minimal (
debian-11-minimal-tor) Template clone.
- Add the Whonix ™ signing key to the list of trusted keys.
- Install apt-transport-tor in the
- Add the Whonix ™ stable APT repository.
tb-updaterfrom the Whonix ™ stable repository.
- Create a
debian-minimal-tor-browserApp Qube based on the Template clone.
debian-11-minimal template provides a smaller attack surface, but is recommended for advanced users. Several package prerequisites are required for full functionality; see footnote. 
Clone the Template
In Qube Manager:
Right-click debian-11 or debian-11-minimal template →
Clone qube →
Rename to debian-11-tor or debian-11-minimal-tor
Run the following commands in
anon-whonix terminal. Advanced users can utilize a Whonix ™ DispVM instead in this section.
1. Download the Whonix ™ signing key.
2. Display the key fingerprint.
3. Verify the Whonix ™ signing key fingerprint.
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
4. Rename the Whonix ™ signing key to a temporary
5. Copy the
derivative.asc text file to the
Complete the following steps in
1. Add the Whonix ™ signing key to the list of trusted keys.
3. Update the package lists.
tb-updater by Whonix ™.
Note: This step will correctly install
tb-updater and should also automatically download Tor Browser. If that does not occur, complete steps 2 to 4 below after creating an App Qube.
App Qube Steps
1. Create an App Qube based on the
In Qube Manager:
Left-click Qube →
Create new qube
Use the following settings:
- Name and label: debian-tor-browser or debian-minimal-tor-browser
- Type: App Qube
- Template: debian-11-tor or debian-11-minimal-tor
- Networking: default (sys-firewall)
2. Optional: Temporarily set
sys-whonix as the NetVM for the Debian App Qube.
If Tor Browser was not downloaded at step 5 in the previous section, complete steps 2 to 4.
In Qube Manager:
Right-click debian-tor-browser or
Qube settings →
Select sys-whonix →
3. Optional: Download Tor Browser.
In terminal, run.
4. Optional: Revert the networking setting to
sys-firewall in Qube Manager.
5. Launch Tor Browser from the App Qube menu and check it is functional.
Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the update-torbrowser command again.
Figure: Tor Browser in Qubes'
debian-minimal-tor-browser App Qube
- For example, the Snowflake pluggable transport client is currently experimental in Whonix ™.
- At the time of writing the Qubes documentation and forums suggest the following packages:
- Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
Alternatively use the stable onion APT repository: echo "deb [signed-by=/usr/share/keyrings/derivative.asc] http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
tor+httpdoes not work in this configuration.