Actions

Post-installation Security Advice

From Whonix



Ball-63527-640.jpg

Introduction[edit]

Whonix ™ comes with many security features [archive]. Whonix ™ is Kicksecure ™ Security Hardened by default and also provides extensive Documentation including a Security Hardening Checklist. The more you know, the safer you can be.

This page provides security advice, including steps that can be applied after installation of Whonix ™ for better security.

On Whonix-Gateway ™ and Whonix-Workstation ™[edit]

Increase Virtual Machine RAM[edit]

Whonix ™ default password info box Qubes-Whonix ™ users can skip this section. [1]

  • Whonix-Workstation ™: No changes are required for most users.
  • Whonix-Gateway ™: If you have enough RAM on the host, ideally the virtual RAM setting of Whonix-Gateway ™ should be increased to 2048 MB RAM. [2]
    • If it is infeasible to increase the virtual RAM setting, this is okay too. [3]

If it is unknown how much RAM is available, follow these steps on the host: [4] [5] [6]

  • Windows 10:
    • Task Manager in More details viewClick/tap on the Performance tabClick/tap on Memory; or
    • Open a command promptRun wmic MemoryChip get /format:list
  • macOS: Apple menuAbout This Mac
  • Linux: Open a terminalRun free -h [7]

Related:

VirtualBox[edit]

  1. To add RAM in VirtualBox the VM must first be powered down.
  2. Virtual machineMenuSettingsAdjust Memory sliderHit: OK

KVM[edit]

1. Shutdown the virtual machine(s).

virsh -c qemu:///system shutdown <vm_name>

2. Increase the maximum memory.

virsh setmaxmem <vm_name> <memsize> --config

3. Set the actual memory.

virsh setmem <vm_name> <memsize> --config

4. Restart the virtual machine(s).

virsh -c qemu:///system start <vm_name>

Change Keyboard Layout[edit]

Whonix ™Change Keyboard Layout info box Qubes-Whonix ™ users can skip this section. [8]

If you are using a keyboard layout other than qwerty (US), you might want to change your keyboard layout. Refer to the dedicated Keyboard Layout article on how to do that.

Test Keyboard Layout[edit]

Whonix ™Test Keyboard Layout info box Qubes-Whonix ™ users can skip this section. </ref>

Start menuAccessoriesMousepad

Or...

Open ~/testfile in an editor as a regular, non-root user.

If you are using a graphical environment, run.

mousepad ~/testfile

If you are using a terminal, run.

nano ~/testfile

Try typing the words user, changeme and qwerty. Trying typing some more to make sure you are using the desired keyboard layout.

Change Passwords[edit]

Whonix ™ default password info box Qubes-Whonix ™ users can skip this section. [9] [10]

After Whonix ™ has finished installing, immediately change the passwords for both the user user and user root accounts.

1. Make sure you did Change Keyboard Layout and Test Keyboard Layout before you proceed. Otherwise you might run into issues proceeding further.

2. Open a terminal (such as Xfce Terminal Emulator).

Start menuApplicationsSystemTerminal

3. Run a test command as root by using sudo.

Run. [11]

sudo systemd-detect-virt

4. Read the note below regarding the username and password.

Whonix / Kicksecure default admin password is: changeme default username: user
default password: changeme

When typing the password it will not appear on the screen, nor will the asterisk sign (*) be visible. It is necessary to type blindly and trust the procedure.

5. Change the root password.

To change the root (superuser / administrator) password, run. [11]

sudo passwd root

And follow the instructions.

6. Change the user password.

To change the user (Whonix ™ default user) password, run. [11]

sudo passwd user

7. Done.

The procedure of changing passwords is complete.

When having issues gaining root consider using dsudo.

Another option is to boot into recovery mode and change passwords there.

Security Updates[edit]

Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.

Network Time Syncing[edit]

This is a short summary of the Network Time Synchronization wiki page which is recommended reading.

1. Timezone information.

Ambox warning pn.svg.png Warning: The system clock inside Whonix ™ is set to UTC to prevent against timezone leaks. This means it may be a few hours ahead or behind the user's host system clock. It is strongly recommended not to change this setting.

2. reasonably accurate host clock required

A reasonably accurate host clock is required for many general security properties because an inaccurate clock can lead to

Therefore, at all times it is recommended to have a host clock with accuracy of up to ± 30 minutes.

3. pause / suspend / save / hibernate

Simplified, for most users, for most VMs it is strongly discouraged to use the pause / suspend / save / hibernate features. For details, in what situation this is possible see Network Time Synchronization.

Better Security[edit]

This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Time Attacks and Network Time Synchronization page.

Appendix[edit]

How do I Check the Current Whonix ™ Version?[edit]

See /etc/whonix_version.

Whonix-Gateway ™[edit]

Open a terminal.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Gateway ™ ProxyVM (commonly named sys-whonix)Xfce Terminal

If you are using a graphical Whonix with XFCE, run.

Start MenuXfce Terminal

cat /etc/whonix_version

Should show.

15

Whonix-Workstation ™[edit]

Open a terminal.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Workstation ™ AppVM (commonly named anon-whonix)Xfce Terminal

If you are using a graphical Whonix with XFCE, run.

Start MenuXfce Terminal

cat /etc/whonix_version

Should show.

15

Footnotes[edit]

  1. Qubes has dynamic RAM assignment.
  2. This provides higher performance during upgrades and lowers the likelihood of issues [archive].
  3. Although non-ideal, swap-file-creator [archive] will create an encrypted swap file and the system is configured to swap as little as possible [archive].
  4. https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html [archive]
  5. https://vitux.com/how-to-check-installed-ram-on-debian/ [archive]
  6. https://support.apple.com/en-us/HT201191 [archive]
  7. This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: cat /proc/meminfo |grep MemTotal, top, and vmstat -s.
  8. By default, Qubes VMs use the same keyboard layout as Qubes dom0.
  9. By default, Qubes does not require a password for superuser access.
  10. https://www.qubes-os.org/doc/vm-sudo/ [archive]
  11. 11.0 11.1 11.2 Type the command in the terminal and press <Enter>.


text=Jobs in USA
Jobs in USA


Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Post Install Advice&body=https://www.whonix.org/wiki/Post_Install_Advice link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Post_Install_Advice&title=Post Install Advice link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Post_Install_Advice&t=Post Install Advice link=https://mastodon.technology/share?message=Post Install Advice%20https://www.whonix.org/wiki/Post_Install_Advice&t=Post Install Advice

Did you know that anyone can edit the Whonix ™ wiki to improve it?

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.