Non-Whonix ™ Tor Browser

From Whonix

About this Non-Whonix ™ Tor Browser Page
Support Status stable
Difficulty easy
Contributor torjunkie [archive]
Support Support


Community Support Only!:

Community Support Only means Whonix ™ developers are unlikely to provide free support for wiki chapters or pages with this tag. See Community Support for further information, including implications and possible alternatives.

Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the Whonix ™ platform. This is useful in various cases:

  • Should Whonix ™ ever break, it is possible to search for a solution anonymously.
  • System-wide Tor problems can be easily detected by testing connectivity outside of Whonix ™.
  • Certain Tor / Tor Browser activities are difficult (or impossible) to configure in Whonix ™, but are much easier in the standard configuration. [1]

In Non-Qubes-Whonix ™, it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In Qubes-Whonix ™, it is recommended to install Tor Browser in a debian-11 or debian-11-minimal AppVM (advanced users).

Note: If an expired key signature message like below appears, the steps in this chapter must be performed again due to an update of the Whonix ™ signing key; see Expired key signature [archive].

The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer


All Platforms: Manual Tor Browser Download[edit]

Follow these instructions to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless Qubes-Whonix ™ users temporarily set sys-whonix as the NetVM for the non-Whonix ™ AppVM.

Debian Linux Hosts[edit]

Tor Browser can optionally be downloaded utilizing the tb-updater [archive] software package by Whonix ™ developers. By default the download does not occur over Tor, meaning it is not anonymous.

1. Download the Signing Key.


2. Optional: Check the Signing Key for better security.

3. Add Whonix ™ signing key.

sudo cp derivative.asc /usr/share/keyrings/derivative.asc

4. Whonix ™ APT repository choices.

Optional: See Whonix ™ Packages for Debian Hosts and Whonix ™ Host Enhancements instead of the next step for more secure and complex options.

5. Add Whonix ™ APT repository.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

5. Update the package lists.

sudo apt-get update

6. Install tb-updater.

sudo apt-get install tb-updater

Moderate: Qubes-Whonix ™[edit]

Ambox notice.png Qubes-Whonix ™ R4 only! This method is anonymous.

These instructions:

  1. Anonymously retrieve and verify the Whonix ™ signing key.
  2. Copy the Whonix ™ signing key to a debian-11 (debian-11-tor) or debian-11-minimal (debian-11-minimal-tor) TemplateVM clone.
  3. Add the Whonix ™ signing key to the list of trusted keys.
  4. Install apt-transport-tor in the debian-11-tor / debian-11-minimal-tor TemplateVM.
  5. Add the Whonix ™ stable APT repository.
  6. Install tb-updater from the Whonix ™ stable repository.
  7. Create a debian-tor-browser / debian-minimal-tor-browser AppVM based on the TemplateVM clone.

The debian-11-minimal template provides a smaller attack surface, but is recommended for advanced users. Several package prerequisites are required for full functionality; see footnote. [2]

Clone the TemplateVM[edit]

Info Prerequisite: The debian-11 or debian-11-minimal TemplateVM must be manually installed first if it not already available. In dom0, run either.

sudo qubes-dom0-update qubes-template-debian-11


sudo qubes-dom0-update qubes-template-debian-11-minimal

In Qube Manager: Right-click debian-11 or debian-11-minimal templateClone qubeRename to debian-11-tor or debian-11-minimal-tor

anon-whonix Steps[edit]

Run the following commands in anon-whonix terminal. Advanced users can utilize a Whonix ™ DispVM instead in this section.

1. Download the Whonix ™ signing key.

curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc

2. Display the key fingerprint.

gpg --keyid-format long --import --import-options show-only --with-fingerprint derivative.asc

3. Verify the Whonix ™ signing key fingerprint.

Compare the fingerprint to the one found here. The most important check is confirming the fingerprint exactly matches the output below. [3]

      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA

The message gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys is related to the The OpenPGP Web of Trust. Advanced users can learn more about this here.

4. Rename the Whonix ™ signing key to a temporary derivative.asc file.

mv derivative.asc /tmp/derivative.asc

5. Copy the derivative.asc text file to the debian-11-tor or debian-11-minimal-tor TemplateVM.

qvm-copy /tmp/derivative.asc debian-11-tor


qvm-copy /tmp/derivative.asc debian-11-minimal-tor

TemplateVM Steps[edit]

Complete the following steps in debian-11-tor or debian-11-minimal-tor terminal.

1. Add the Whonix ™ signing key to the list of trusted keys.

sudo cp ~/QubesIncoming/anon-whonix/derivative.asc /usr/share/keyrings/derivative.asc

2. Add the Whonix ™ stable APT repository. [4] [5]

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

3. Update the package lists.

sudo apt-get update

4. Install tb-updater by Whonix ™.

sudo apt-get install tb-updater

Note: This step will correctly install tb-updater and should also automatically download Tor Browser. If that does not occur, complete steps 2 to 4 below after creating an AppVM.

AppVM Steps[edit]

1. Create an AppVM based on the debian-11-tor or debian-11-minimal-tor TemplateVM.

In Qube Manager: Left-click QubeCreate new qube

Use the following settings:

  • Name and label: debian-tor-browser or debian-minimal-tor-browser
  • Type: AppVM
  • Template: debian-11-tor or debian-11-minimal-tor
  • Networking: default (sys-firewall)

2. Optional: Temporarily set sys-whonix as the NetVM for the Debian AppVM.

If Tor Browser was not downloaded at step 5 in the previous section, complete steps 2 to 4.

In Qube Manager: Right-click debian-tor-browser or debian-minimal-tor-browserQube settingsNetworkingSelect sys-whonixOK

3. Optional: Download Tor Browser.

In terminal, run.

update-torbrowser --input gui

4. Optional: Revert the networking setting to sys-firewall in Qube Manager.

5. Launch Tor Browser from the AppVM menu and check it is functional.

Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the update-torbrowser command again.

Figure: Tor Browser in Qubes' debian-minimal-tor-browser AppVM



  1. For example, the Snowflake pluggable transport client is currently experimental in Whonix ™.
  2. At the time of writing the Qubes documentation [archive] and forums [archive] suggest the following packages:
    • qubes-core-agent-passwordless-root
    • qubes-core-agent-networking
    • qubes-core-agent-nautilus
    • nautilus
    • zenity
    • gnome-keyring
    • policykit-1
    • libblockdev-crypto2
    • pulseaudio-qubes
  3. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
  4. Alternatively use the stable onion APT repository:
    echo "deb [signed-by=/usr/share/keyrings/derivative.asc] http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

  5. Note: tor+http does not work in this configuration.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Install Tor Browser Outside of Whonix&body= link= Tor Browser Outside of Whonix link= Tor Browser Outside of Whonix link= Tor Browser Outside of Whonix%20 Tor Browser Outside of Whonix

Please help in testing new features and bug fixes in Whonix ™.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.