Actions

Whonix ™ for macOS: Download and Installation

From Whonix



Whonix ™ Whonix old logo.png for Apple macOS Rsz osx.png inside VirtualBox Virtualbox logo.png (Intel Macs only, for Apple Silicon support please read section M1 below).

1. Install VirtualBox

Recommended VirtualBox version: 6.1.26

Download VirtualBox [archive] by clicking on 'OS X hosts' and when prompted decide to either open or save the Apple disk image file (e.g. VirtualBox-5.2.22-126460-OSX.dmg). After it mounts, install it by double-clicking on the blue VirtualBox logo.

2. Download Whonix ™ Whonix old logo.png XFCE for macOS Rsz osx.png FREE


Ambox warning pn.svg.png By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

Version: 16.0.3.1

Type Connection Link Download Security
without Verification 		Download Security
with Verification
Download.png Https long.png

Download (TLS)

Medium High [1]
Download.png Iconfinder tor 386502.png

Download (Onion)

Medium High
Button sig.png Https long.png - -
Button sig.png Iconfinder tor 386502.png - -
Crypto key.png Verify images using this Signing Key


Verify the Whonix ™ Images Whonix ™ virtual machine images are cryptographically signed by Whonix developer Patrick Schleizer using OpenPGP. [2]

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

If you know how to use an OpenPGP key, download the Whonix ™ Signing Key and the Whonix ™ signatures straight away.

Otherwise, use the following instructions:

Download Whonix ™ XFCE

3. Import Whonix ™ Whonix old logo.png into VirtualBox Virtualbox logo.png

For Whonix ™ VirtualBox import instructions, please press on expand on the right.

Start VirtualBox
Open The virtualbox1.png

Click on Filethen choose Import Appliance...
Select Import Applience2.png

Navigate and select the Whonix ™ image and press next
Select whonix image and press next3.png

Do NOT change anything! Just click on Import
Press import4.png

Then press Agree
Press agree5.png

Wait until Whonix-Gateway.ova has been imported
Wait for importing6.png

Repeat the import step for Whonix-Workstation.ova
Do the same for whonix workstation7.png

Miscellaneous

Video Tutorials are also available.

If you still need help, please check the Support page.

After the Whonix ™ .ova files are imported they can be removed. VirtualBox will make a new directory with the live virtual machines Whonix-Gateway.vbox and Whonix-Workstation.vbox, and they are contained in directories of the same name. By default this is /Users/(yourusername)/VirtualBox VMs

4. Start Whonix

Starting Whonix ™ is simple. Start VirtualBox, and then double-click on Whonix-Gateway ™ and Whonix-Workstation ™.

Start both Whonix-Gateway ™ and Whonix-Workstation ™
Start both of them8.png

First time user?

Whonix / Kicksecure ™ default admin password is: changeme default username: user
default password: changeme

Whonix first time users warning Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix works.

Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix is the right tool for you based on its limitations.

Miscellaneous macOS Advice

If the same VMs will be used on multiple systems like Boot Camp or even two different physical machines, then they can be moved to a shared or external hard drive:

  1. Copy the VirtualBox VMs folder mentioned earlier to the new location.
  2. Select the VMs you moved and then click remove.
  3. When prompted, select "Delete files".
  4. Re-add the VMs from their new location by selecting Machine=>Add, then navigating to the new folder.

exFAT [archive] is the easiest format for cross platform file sharing with Windows and Linux. exFAT is an option built into Apple's "Disk Utility.app" when initializing or reformatting a storage device. Select exFAT from the drop down menu that appears when you click "Erase". The default option is HFS+ on 10.13 "High Sierra" and earlier and APFS on 10.14 "Mojave".

Note that with its POSIX [archive] kernel and BSD roots, many issues that arise on macOS hosts can be addressed using strategies similar to other Unix-like OSes.

Virtualization on non-Apple Hardware

Virtualization on osx86 aka "Hackintosh" machines with unmodified "vanilla" kernels works well, but some additional BIOS/UEFI settings need to be confirmed to ensure system stability. As of November 2018 Intel VT-d [archive] is not recommended, although some systems may function if it is enabled. Later BIOS revisions from American Megatrends Inc. (AMI) seem to have improved support compared to earlier releases.

AMD-Vi [archive] is not supported, since kernel modifications violating Apple Inc.'s End User License Agreement (EULA) are required to run macOS on platforms other than Intel. It is also recommended to disable the Integrated Graphics Processing Unit (IGPU) if PCIe graphics [archive] are in use, as well as disabling any SuperIO/Serial Port options if listed in BIOS. If virtualization problems related to unsupported architectures or features are encountered, please first consult appropriate community forums and wikis available on the Internet.

Running Whonix ™ Whonix old logo.png on Apple Silicon (WIP)


About this For Whonix ™ on Apple Silicon Chapter
Support Status Testing, advanced users only!
Difficulty hard
Contributor Gavin Pacini [archive]
Support Whonix on Mac M1 (ARM) [archive]

First things first

  • This is in active development. Right now, you need to build Whonix to get it running on Apple Silicon.
  • This can be improved in the future. If you want to help, please visit this forum thread [archive].
  • Please understand that this is only for advanced users for now!

1. Environment Setup

The below has only been tested on Debian buster running under QEMU [archive] on a Mac M1. Firstly, we need to use patches on top of QEMU. This Brew repository [archive] has those patches baked in thus it is advisable to use that.

Note: getting Debian running on Apple Silicon is a bit out of scope of this documentation, however we have referenced below some helpful links.[3]

2. Initial Build

Follow the build documentation here and be sure to set --arch arm64 when running the build script as part of the Dev/Build_Documentation/VM#VM_Creation step. This means your build commands should look as follows: 

sudo ./whonix_build --target raw --flavor whonix-workstation-xfce --build --arch arm64

sudo ./whonix_build --target raw --flavor whonix-gateway-xfce --build --arch arm64

Notes on the above:

  • For now, you will need to build from master which means running git checkout master after cloning the repo and adding --allow-untagged true to the end of the build command. Once arm64 support is in a new git tag, this will not be necessary.

Thus, much more sensible build commands for macOS on Apple Silicon are as follows: 

sudo ./whonix_build --target raw --flavor whonix-workstation-xfce --build --arch arm64 --allow-untagged true

sudo ./whonix_build --target raw --flavor whonix-gateway-xfce --build --arch arm64 --allow-untagged true

Provided you have built correctly, you will now have two .raw files in the ~/whonix_binary (they will look something like Whonix-<flavour>-XFCE-15.0.1.7.3-XX-<git commit hash>.raw), one for the Workstation and one for the Gateway.

You'll need to get these files onto your host Mac. It is recommended to tar them with the S option, this means that sparse files will be archived correctly [archive]. You can run: 

tar -zcvSf whonix.workstation.tar.gz Whonix-Workstation-XFCE-15.0.1.7.3-XX-<git commit hash>.raw
tar -zcvSf whonix.gateway.tar.gz Whonix-Gateway-XFCE-15.0.1.7.3-XX-<git commit hash>.raw

to do this (your files may have slightly different file names, but should follow the same format).


3. Running the VM

1. Copy the two tar files into some directory on your host Mac.
2. Run the below to extract them (notice the S flag again which respects sparse files and thus doesn't count the holes in the files towards your disk usage [archive]). 

tar -zxvSf whonix.workstation.tar.gz
tar -zxvSf whonix.gateway.tar.gz

3. Run the below command to run the gateway: 

qemu-system-aarch64 \
         -machine virt,accel=hvf,highmem=off \
         -cpu cortex-a72 -smp 4 -m 2G \
         -device intel-hda -device hda-output \
         -device virtio-gpu-pci \
         -device usb-ehci \
         -device usb-kbd \
         -device usb-tablet \
         -device virtio-net-pci,netdev=external \
         -device virtio-net-pci,netdev=internal \
         -netdev user,id=external,ipv6=off,net=10.0.2.0/24 \
         -netdev socket,id=internal,listen=:8010 \
         -display cocoa \
         -drive "if=pflash,format=raw,file=./edk2-aarch64-code.fd,readonly=on" \
         -drive "if=virtio,format=raw,file=./Whonix-Gateway-XFCE.raw,discard=on"


4. In another terminal, run the below command to run the workstation: 

qemu-system-aarch64 \
         -machine virt,accel=hvf,highmem=off \
         -cpu cortex-a72 -smp 8 -m 4G \
         -device intel-hda -device hda-output \
         -device virtio-gpu-pci \
         -device usb-ehci \
         -device usb-kbd \
         -device usb-tablet \
         -device virtio-net-pci,netdev=external \
         -device virtio-net-pci,netdev=internal \
         -netdev user,id=external,ipv6=off,net=10.0.2.0/24 \
         -netdev socket,id=internal,listen=:8010 \
         -display cocoa \
         -drive "if=pflash,format=raw,file=./edk2-aarch64-code.fd,readonly=on" \
         -drive "if=virtio,format=raw,file=./Whonix-Workstation-XFCE.raw,discard=on"


Notes on QEMU:

  • The edk2-aarch64-code.fd file in the QEMU commands is a BIOS file. It's packaged with QEMU, so you can easily copy it into your directory with cp $(dirname $(which qemu-img))/../share/qemu/edk2-aarch64-code.fd ..
  • -smp X -m YG controls CPU count (X) and RAM amount (Y in gigabytes). You can change these to better suit your needs.
  • Currently we are using the default cocoa display type for QEMU. This has issues such as no copy and paste and poor HDPI scaling. It is possible to connect via VNC or Spice which solves those issues. Active development is occuring here and we hope this wiki can be updated with those details soon.

At this point two QEMU windows should open up which lead you into the wonderful world of Whonix.

  1. It does not matter if the bulk download is done over an insecure channel if software signature verification is used at the end.
  2. OpenPGP is a standard for data encryption that provides cryptographic privacy and authentication through the use of keys owned by its users.
Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Footnotes

Retrieved from "https://www.whonix.org/w/index.php?title=MacOS&oldid=67720"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information