Post-installation Security Advice


Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ Security Hardened by default and also provides extensive Documentation including a Security Hardening Checklist. The more you know, the safer you can be.

This page provides security advice, steps that can be applied after installation of Whonix ™ for better security.

On Whonix-Gateway ™ and Whonix-Workstation ™

Increase Virtual Machine RAM

Qubes-Whonix ™ users can skip this section. [1]

  • Whonix-Workstation ™: No changes required for most users.
  • Whonix-Gateway ™: If you have enough RAM on the host, ideally increase the virtual RAM setting of Whonix-Gateway ™ to 2048 MB RAM. [2]
    • If this is not feasible, that is okay too. [3]

If you are unsure of how much RAM is available, follow these steps on the host: [4] [5] [6]

  • Windows 10:
    • Task Manager in More details view → Click/tap on the Performance tab → Click/tap on Memory; or
    • Open a command prompt → Run wmic MemoryChip get /format:list
  • macOS: Apple menu → About This Mac
  • Linux: Open a terminal → Run free -h [7]

Related: Low RAM Issues

VirtualBox

  1. To add RAM in VirtualBox the VM must first be powered down.
  2. Virtual machine → Menu → Settings → Adjust Memory slider → Hit: OK

KVM

1. Shut down the virtual machine(s).

virsh -c qemu:///system shutdown <vm_name>

2. Increase the maximum memory.

virsh -c qemu:///system setmaxmem <vm_name> <memsize> --config

3. Set the actual memory.

virsh -c qemu:///system setmem <vm_name> <memsize> --config

4. Restart the virtual machine(s).

virsh -c qemu:///system start <vm_name>
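
The four KVM steps combined into one script, as an added example that is not part of the Whonix documentation. virsh shutdown only requests a guest shutdown and returns immediately, so the script polls domstate until the domain reports "shut off" before it changes memory and starts the VM again. The function names and the SHUTDOWN_TRIES and POLL_INTERVAL variables are assumptions of this example; memory is given in MiB and converted to KiB, the unit virsh uses by default.

```bash
#!/bin/bash
# Added example: resize a libvirt guest's RAM only after a confirmed shutdown.
# Usage: ./resize-vm-ram.sh <vm_name> <memory_in_MiB>   (script name is hypothetical)
URI="qemu:///system"   # same connection URI as in the steps above

# virsh setmaxmem/setmem take KiB by default; accept whole MiB only.
mib_to_kib() {
    case "$1" in
        ''|*[!0-9]*) echo "memory must be a whole number of MiB" >&2; return 1 ;;
    esac
    echo $(( $1 * 1024 ))
}

# Poll the domain state until it is "shut off"; fail after SHUTDOWN_TRIES polls.
wait_shut_off() {
    local vm=$1 tries=${SHUTDOWN_TRIES:-60}
    while [ "$(virsh -c "$URI" domstate "$vm")" != "shut off" ]; do
        tries=$(( tries - 1 ))
        [ "$tries" -le 0 ] && return 1
        sleep "${POLL_INTERVAL:-2}"
    done
}

resize_vm() {
    local vm=$1 kib
    kib=$(mib_to_kib "$2") || return 1
    # Step 1: request shutdown unless the VM is already off, then wait for it.
    if [ "$(virsh -c "$URI" domstate "$vm")" != "shut off" ]; then
        virsh -c "$URI" shutdown "$vm" || return 1
    fi
    wait_shut_off "$vm" || { echo "timeout: $vm is still running" >&2; return 1; }
    # Steps 2 and 3: raise the maximum first, then the actual allocation.
    virsh -c "$URI" setmaxmem "$vm" "$kib" --config || return 1
    virsh -c "$URI" setmem "$vm" "$kib" --config || return 1
    # Step 4: boot with the new persistent configuration.
    virsh -c "$URI" start "$vm"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then resize_vm "$1" "$2"; fi
```

If the guest ignores the shutdown request, the script stops at the timeout and leaves the memory settings untouched.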

Change Passwords

Qubes-Whonix ™ users can skip this section. [8] [9]

After Whonix ™ has finished installing, immediately change the passwords for both the user and root accounts.

1. Open a terminal (such as Konsole).

Start menu → Applications → System → Terminal

2. Log in as root.

Run. [10]

sudo su

3. Read the note below regarding the username and password.

Whonix / Kicksecure default admin password is: changeme
default username: user
default password: changeme

When typing the password it will not appear on the screen, nor will the asterisk sign (*) be visible. It is necessary to type blindly and trust the procedure.

4. Change the root password.

To change the root (superuser / administrator) password, run. [10]

passwd

5. Change the user password.

To change the user (Whonix ™ default user) password, run. [10]

passwd user

And follow the instructions.

Security Updates

Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.

Network Time Syncing

Warnings

Follow the platform-specific recommendations below to avoid Tor connectivity problems and to limit possible adverse anonymity impacts.

All Platforms

To protect against time zone leaks, the system clock inside Whonix ™ is set to UTC. This means it may be a few hours behind or ahead of your host system clock. Do not change this setting!

If the host clock (in UTC! [11] [12]) is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect. In this case, manually fix the host clock by right-clicking on it, and also check for an empty battery. Then, power off and power on the Whonix-Gateway ™ (sys-whonix) and Tor should be able to reconnect. If the host clock is grossly inaccurate, the user might experience problems when updating the host operating system, so periodically check it is (roughly) correct.

Easy instructions

Non-Qubes-Whonix: It is strongly discouraged to use the pause / suspend / save / hibernate features.

Qubes-Whonix ™: It is strongly discouraged to use the pause feature of Qube Manager, but it is safe to use the suspend or hibernate feature of dom0.

Advanced instructions

If you are interested in using the pause / suspend / save / hibernate features, see the further instructions below.

Non-Qubes-Whonix:

  • It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Gateway ™, because it is difficult to restore the clock after resume. [13]
  • It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Workstation ™. If this advice is ignored, restart sdwdate after resume.

Qubes-Whonix ™:

  • It is strongly discouraged to pause Whonix-Gateway ™ (sys-whonix) using the pause feature of Qube Manager, because it is difficult to restore the clock after resume. [13]
  • It is strongly discouraged to pause Whonix-Workstation ™ (anon-whonix) using the pause feature of Qube Manager. If this advice is ignored, restart sdwdate after resume. [14]
  • It is safe to use the suspend or hibernate feature of dom0 and a manual restart of sdwdate is unnecessary. [15]

Restart sdwdate

To restart sdwdate:

Start Menu → Applications → System → Time Synchronization Monitor (sdwdate-gui) → restart sdwdate

Or in a terminal. [16]

sudo /usr/lib/sdwdate/restart_fresh

Better Security

This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Network Time Synchronization page.

Appendix

How do I Check the Current Whonix ™ Version?

See /etc/whonix_version.

Whonix-Gateway ™

Open a terminal.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Xfce Terminal

If you are using a graphical Whonix with XFCE, run.

Start Menu → Xfce Terminal

cat /etc/whonix_version

Should show.

15

Whonix-Workstation ™

Open a terminal.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Xfce Terminal

If you are using a graphical Whonix with XFCE, run.

Start Menu → Xfce Terminal

cat /etc/whonix_version

Should show.

15

Footnotes

  1. Qubes has dynamic RAM assignment.
  2. Higher performance during upgrades, lower likelihood of issues.
  3. Non-ideal but swap-file-creator will create an encrypted swap file and the system is configured to swap as little as possible.
  4. https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html
  5. https://vitux.com/how-to-check-installed-ram-on-debian/
  6. https://support.apple.com/en-us/HT201191
  7. This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: cat /proc/meminfo | grep MemTotal, top, and vmstat -s.
  8. By default, Qubes does not require a password for superuser access.
  9. https://www.qubes-os.org/doc/vm-sudo/
  10. Type the command in the terminal and press <Enter>.
  11. To view the system time in UTC on Linux platforms, run.
    date --utc

  12. TODO: Show desktop clock in local time; keep system in UTC
  13. This is because the clock will be incorrect after system resume. A correct clock is important for anonymity (see Dev/TimeSync to learn more).
  14. Qubes does not dispatch the /etc/qubes/suspend-post.d / /etc/qubes/suspend-pre.d hooks upon pause / resume using Qube Manager.
  15. https://github.com/QubesOS/qubes-issues/issues/1764
  16. This process was simplified in Whonix ™ 15 and only requires one command, instead of two, see: https://github.com/Whonix/sdwdate/blob/master/usr/lib/sdwdate/restart_fresh



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
