Last update: March 17, 2019.


Post-installation Security Advice

On Whonix-Gateway ™ and Whonix-Workstation ™

Change Passwords


After Whonix ™ has finished installing, immediately change the passwords for both the user and root accounts.

1. Open a terminal (such as Konsole).

Start menu -> Applications -> System -> Terminal

2. Login as root.

Run. [3]

sudo su

3. Read the note below regarding the username and password.


When typing the password it will not appear on the screen, nor will the asterisk sign (*) be visible. It is necessary to type blindly and trust the procedure.

4. Change the root password.

To change the root (superuser / administrator) password, run. [3]

passwd

5. Change the user password.

To change the user (Whonix ™ default user) password, run. [3]

passwd user

And follow the instructions.
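One way to confirm the change took effect, as an added example that is not part of the Whonix documentation: it parses `passwd -S` status lines (Debian format: name, status, last-change date, then aging fields) and checks that an account has a usable password changed on or after a reference date. The function names, the sample lines and the reference date 2019-03-17 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): audit `passwd -S` status lines.
# Line format: NAME STATUS LAST_CHANGE MIN MAX WARN INACTIVE
# STATUS is P (usable password), L (locked) or NP (no password).

# date_key DATE -> YYYYMMDD; accepts MM/DD/YYYY or YYYY-MM-DD, fails otherwise.
date_key() {
    case "$1" in
        [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9])
            printf '%s\n' "$1" | awk -F/ '{ print $3 $1 $2 }' ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | awk -F- '{ print $1 $2 $3 }' ;;
        *) return 1 ;;
    esac
}

# check_status_line LINE SINCE
# Returns 0 = changed on/after SINCE, 1 = needs attention, 2 = unparsable.
check_status_line() {
    name=$(printf '%s\n' "$1" | awk '{ print $1 }')
    status=$(printf '%s\n' "$1" | awk '{ print $2 }')
    changed=$(date_key "$(printf '%s\n' "$1" | awk '{ print $3 }')") || {
        echo "$name: cannot parse last-change date"; return 2; }
    since=$(date_key "$2") || { echo "bad reference date: $2"; return 2; }

    case "$status" in
        P)  ;;  # usable password, go on to compare dates
        L)  echo "$name: password locked, review manually"; return 1 ;;
        NP) echo "$name: no password set"; return 1 ;;
        *)  echo "$name: unknown status '$status'"; return 2 ;;
    esac

    if [ "$changed" -ge "$since" ]; then
        echo "$name: password changed on or after $2"; return 0
    fi
    echo "$name: password older than $2, change it"; return 1
}

# Constructed sample lines (not real output from any system).
SAMPLE_ROOT='root P 03/20/2019 0 99999 7 -1'
SAMPLE_USER='user P 02/01/2019 0 99999 7 -1'

# Live use, as root:  check_status_line "$(passwd -S user)" 2019-03-17
check_status_line "$SAMPLE_ROOT" 2019-03-17 || true
check_status_line "$SAMPLE_USER" 2019-03-17 || true
```

Use the date the image was installed as the reference date; a last-change date earlier than that means the password shipped with the image is still in place.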

Security Updates

Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.

Network Time Syncing

Warnings

Follow the platform-specific recommendations below to avoid Tor connectivity problems and to limit possible adverse anonymity impacts.

All Platforms

To protect against time zone leaks, the system clock inside Whonix ™ is set to UTC. This means it may be a few hours behind or ahead of your host system clock. Do not change this setting!

If the host clock (in UTC! [4] [5]) is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect. In this case, manually fix the host clock by right-clicking on it, and also check for an empty battery. Then, power off and power on the Whonix-Gateway ™ (sys-whonix) and Tor should be able to reconnect. If the host clock is grossly inaccurate, the user might experience problems when updating the host operating system, so periodically check it is (roughly) correct.

Easy instructions

Non-Qubes-Whonix: It is strongly discouraged to use the pause / suspend / save / hibernate features.

Qubes-Whonix ™: It is strongly discouraged to use the pause feature of Qube Manager, but it is safe to use the suspend or hibernate feature of dom0.

Advanced instructions

If you are interested in using the pause / suspend / save / hibernate features, follow the instructions below.

Non-Qubes-Whonix:

  • It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Gateway ™, because it is difficult to restore the clock after resume. [6]
  • It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Workstation ™. If this advice is ignored, restart sdwdate after resume.

Qubes-Whonix ™:

  • It is strongly discouraged to pause Whonix-Gateway ™ (sys-whonix) using the pause feature of Qube Manager, because it is difficult to restore the clock after resume. [6]
  • It is strongly discouraged to pause Whonix-Workstation ™ (anon-whonix) using the pause feature of Qube Manager. If this advice is ignored, restart sdwdate after resume. [7]
  • It is safe to use the suspend or hibernate feature of dom0 and a manual restart of sdwdate is unnecessary. [8]

Restart sdwdate

To restart sdwdate:

Start Menu -> Applications -> System -> Time Synchronization Monitor (sdwdate-gui) -> restart sdwdate

Or in a terminal. [9]

sudo /usr/lib/sdwdate/restart_fresh

sudo systemctl restart sdwdate

Better Security

This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Network Time Synchronization page.

Footnotes

  1. By default, Qubes does not require a password for superuser access.
  2. https://www.qubes-os.org/doc/vm-sudo/
  3. Type the command in the terminal and press <Enter>.
  4. To view the system time in UTC on Linux platforms, run.
    date --utc
  5. TODO: Show desktop clock in local time; keep system in UTC
  6. This is because the clock will be incorrect after system resume. A correct clock is important for anonymity (see Dev/TimeSync to learn more).
  7. Qubes does not dispatch the /etc/qubes/suspend-post.d / /etc/qubes/suspend-pre.d hooks upon pause / resume using Qube Manager.
  8. https://github.com/QubesOS/qubes-issues/issues/1764
  9. Editor's note: Simplified in Whonix 15. Run /usr/lib/sdwdate/restart_fresh only. https://github.com/Whonix/sdwdate/blob/master/usr/lib/sdwdate/restart_fresh



Anonymous user #1

3 months ago
Score 0 You

Hello guys, I am new to this community. I’ve just downloaded Whonix gateway and everything was going fine. The problem I am having is that it downloads a bit then asks for user@ghost: I typed in “sudo apt-get update” first, then the user@host comes again, but this time I typed “sudo apt-get dist-upgrade”. And it came back again.

Does anyone know the right thing to type or I am doing something wrong here?

Patrick

3 months ago
Score 0++
This is expected. Happens on most if not all Linux distributions. It's called the Linux shell prompt.

Anonymous user #1

one month ago
Score 0 You

Once after restarting the VM files still exist in Guest OS, how can I change that setting to delete automatically as nothing will remain same in it.

Thanks in advance

Patrick

one month ago
Score 0++
Not sure what you're asking. Please try asking in https://forums.whonix.org.

Anonymous user #1

14 days ago
Score 0 You
I can't type anything after I type "passwd"

Patrick

13 days ago
Score 0++

Password is not shown on the screen when you type it. You have to type blindly. No asterisk sign (*) will be shown either. Just type. It will work.

We will document this.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
