From Whonix


Ambox warning pn.svg.png Documentation for this is incomplete. Contributions are happily considered!


Recommended to be installed inside an offline VM (vault). [1] When you want to keepassxc as replacement for Google Authenticator (actually TOTP, Time based One Time Password) Two Factor Authentication (2FA)) then a Debian based VM is more suitable than a Whonix-Workstation ™ based VM. [2]

Packages yubikey-personalization yubikey-personalization-gui are YubiKey related. Users not using YubiKey can skip installation of these packages and install keepassxc only.

Install keepassxc yubikey-personalization yubikey-personalization-gui.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the keepassxc yubikey-personalization yubikey-personalization-gui package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends keepassxc yubikey-personalization yubikey-personalization-gui

The procedure of installing keepassxc yubikey-personalization yubikey-personalization-gui is complete.



Optional. If you like to autostart keepassxc.

Create folder ~/.config/autostart/.

mkdir -p  ~/.config/autostart/

Open ~/.config/autostart/keepassxc.desktop in an editor as a regular, non-root user.

If you are using a graphical environment, run.

mousepad ~/.config/autostart/keepassxc.desktop

If you are using a terminal, run.

nano ~/.config/autostart/keepassxc.desktop

Paste the following content.

[Desktop Entry]


The process is now complete.


1. Use of an offline VM (vault) is recommended.

2. Make sure clock is correct.

Whonix-Workstation ™ is unsuitable due to Boot Clock Randomization and sdwdate clock randomization. (Unless disabled and offline.)

3. To start.


4. Create a new database.

5. Default file name Passwords.kdbx is ok.

If you are using Full Disk Encryption you might want to use a very easy password. Up to you.

6. Left click on root.

7. Menu → EntriesAdd new entry → under Title: write any name name (such as test) → OK.

8. Right click on the new entry (such as test) → Time-based one-time passwordset up TOTPDefault RFC 6238 token settings → paste 2FA code → OK.

9. Right click on the new entry (such as test) → Time-based one-time passwordshow TOTP.

Time Fix[edit]

  • Non-Whonix

2FA TOTP code changes every 30 seconds. So clock needs to be reasonable correct.

Troubleshoting only. If code does not match.

Set timezone to UTC for simplicity.

sudo cp /usr/share/zoneinfo/Etc/UTC /etc/localtime

Go to [archive] or any other similar source to find out the time in UTC.

Fix the clock. Change the date and time accordingly!

sudo date -s "26 SEPT 2018 11:54:25"

Check if the clock is correct now.


  • Whonix (Offline WorkStation)

Since whonix use sdwdate then there will be a delay in the 30 seconds, Meaning if the TOTP code showed up at 30 and you copy/paste it to the website or service which require the TOTP it wont work until the timer will reach to 8 seconds and below, This mean we have 22 seconds delay. (The result is tested in offline whonix-ws standaloneVM within Qubes OS)

If you want to fix this delay then disable sdwdate and bootclockrandomization by running this command:

sudo service sdwdate stop && sudo service bootclockrandomization stop

Getting the Browser Extension To Work[edit]

Community Support Only!:

Community Support Only means Whonix ™ developers are unlikely to provide free support for wiki chapters or pages with this tag. See Community Support for further information, including implications and possible alternatives.

Install the browser addon from [archive]

(OPTIONAL) Install a more recent version of keepassxc (See [archive])

Create the following symlink to get the proxy to work:

cd ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/.mozilla

ln -s /home/user/.mozilla/native-messaging-hosts native-messaging-hosts

Notes: If the .mozilla folder does not exist, create it.

Also take a look at [archive]


    • In Qubes, apt-get package installation could be done in TemplateVM.
    • In Qubes, download and verification could be done in a temporary TemplateBased AppVM, ideally Qubes/DisposableVM. Then move to offline vault VM.
    • In Non-Qubes-Whonix ™: install first, then disconnect internet and never re-enable internet access. TODO document
  1. Because accurate time required for TOTP and due to Boot Clock Randomization and sdwdate anonymizing time.
  2. [archive]

Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Please help in testing new features and bug fixes in Whonix ™.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.