Non-Whonix Tor Browser


Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the Whonix platform. This is useful in various cases:

  • Should Whonix ever break, users can search for a solution anonymously.
  • System-wide Tor problems can be easily detected by testing connectivity outside of Whonix.
  • Certain Tor / Tor Browser activities are difficult (or impossible) to configure in Whonix, but are much easier in the standard configuration. [1]

In non-Qubes-Whonix, it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In Qubes-Whonix, it is recommended to install Tor Browser in a debian-9 AppVM.


All Platforms: Manual Tor Browser Download[edit]

Follow these instructions to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless Qubes-Whonix users temporarily set sys-whonix as the NetVM for the non-Whonix AppVM.

Debian Linux Hosts[edit]

Tor Browser can optionally be downloaded with tb-updater by Whonix. This method is not anonymous.

1. Add the Whonix signing key.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp:// --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

2. Add the Whonix APT repository.

echo “deb stretch main” | sudo tee /etc/apt/sources.list.d/whonix.list

3. Update the package lists.

sudo apt-get update

4. Install tb-updater.

sudo apt-get install tb-updater

Moderate: Qubes-Whonix[edit]

The Qubes-Whonix R4 instructions using Whonix's tb-updater are a little more difficult because TemplateVMs are non-networked by default. Qubes R3.2 users should use one of the Easy methods outlined above.

These instructions:

  1. Anonymously retrieve and verify the Whonix signing key.
  2. Copy the Whonix signing key to a debian-9 TemplateVM clone (debian-9-tor).
  3. Add the Whonix signing key to a list of trusted keys.
  4. Install apt-transport-tor in the debian-9-tor TemplateVM.
  5. Add the Whonix onion repository.
  6. Install tb-updater from the Whonix stable repository.
  7. Create a debian-tor-browser AppVM based on the debian-9 TemplateVM clone.
  8. Complete the anonymous installation of Tor Browser in the non-Whonix VM.

Clone the debian-9 TemplateVM[edit]

In Qube Manager: Right-click debian-9 template -> Clone qube -> Rename to debian-9-tor

anon-whonix Steps[edit]

Run the following commands in anon-whonix Konsole.

1. Add the Whonix signing key.

sudo apt-key adv --keyserver jirk5u4osbsr34t5.onion --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

2. Display the key fingerprint.

sudo apt-key adv --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

3. Verify the Whonix signing key fingerprint.

Compare the fingerprint to the one found here.

4. Copy the Whonix signing key to a temporary whonix.key file.

sudo apt-key export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA > /tmp/whonix.key

5. Copy the whonix.key text file to the debian-9-tor TemplateVM.

qvm-copy /tmp/whonix.key debian-9-tor

debian-9-tor TemplateVM Steps[edit]

Complete the following steps in debian-9-tor Konsole.

1. Add the Whonix signing key to the list of trusted keys.

sudo apt-key add ~/QubesIncoming/anon-whonix/whonix.key

2. Install apt-transport-tor from the Debian repository. [2]

sudo apt-get install apt-transport-tor

3. Add the Whonix stable onion APT repository.

Note: tor+http does not work in this configuration.

echo "deb http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

4. Update the package lists.

sudo apt-get update

5. Install tb-updater by Whonix.

sudo apt-get install tb-updater

Note: This step will correctly install tb-updater, but when it tries to automatically download Tor Browser it will fail because the download attempt from The Tor Project is blocked by default.

debian-tor-browser AppVM Steps[edit]

1. Create an AppVM based on the debian-9-tor TemplateVM: debian-tor-browser.

In Qube Manager: Left-click Qube -> Create new qube

Use the following settings:

  • Name and label: debian-tor-browser
  • Type: AppVM
  • Template: debian-9-tor
  • Networking: default (sys-firewall)

2. Download Tor Browser.

In Konsole, run.

update-torbrowser --input gui

3. Launch Tor Browser from the AppVM menu and check it is functional.

Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the update-torbrowser command again.


  1. For example, the Snowflake pluggable transport client is currently unavailable in Whonix.
  2. For support in downloading APT packages anonymously via the Tor network.

Random News:

Don't mind having your name connected to Whonix? Follow us on Twitter / Facebook / g+.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.