Post-installation Security Advice
Whonix ™ comes with many security features [archive]. Whonix ™ is Kicksecure ™ Security Hardened by default and also provides extensive Documentation including a Security Hardening Checklist. The more you know, the safer you can be.
This page provides security advice, including steps that can be applied after installation of Whonix ™ for better security.
On Whonix-Gateway ™ and Whonix-Workstation ™
Increase Virtual Machine RAM
- Whonix-Workstation ™: No changes are required for most users.
- Whonix-Gateway ™: If you have enough RAM on the host, ideally the virtual RAM setting of Whonix-Gateway ™ should be increased to
2048MB RAM. 
- If it is infeasible to increase the virtual RAM setting, this is okay too. 
- Windows 10:
Task Manager in More details view→
Click/tap on the Performance tab→
Click/tap on Memory; or
Open a command prompt→
wmic MemoryChip get /format:list
About This Mac
Open a terminal→
- To add RAM in VirtualBox the VM must first be powered down.
Change Keyboard Layout
If you are using a keyboard layout other than
qwerty (US), you might want to change your keyboard layout. Refer to the dedicated Keyboard Layout article on how to do that.
Test Keyboard Layout
Start menu →
Open ~/testfile in an editor as a regular, non-root user.
Try typing the words
qwerty. Trying typing some more to make sure you are using the desired keyboard layout.
After Whonix ™ has finished installing, immediately change the passwords for both the user
user and user
When having issues gaining root consider using dsudo.
Another option is to boot into recovery mode and change passwords there.
Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.
Network Time Syncing
A reasonably accurate host clock required for many general security properties. An inaccurate clock can open up for many Time Attacks. Therefore it is recommended to have a reasonable accurate host clock at all times. An accuracy of up to ± 30 minutes should be sufficient. Days, weeks, months or even years slow or fast clocks can lead to many issues such as connectivity problems with Tor, inability to download operating system upgrades and inaccessible websites. 
Follow the platform-specific recommendations below to avoid Tor connectivity problems and to limit possible adverse anonymity impacts.
To protect against time zone leaks, the system clock inside Whonix ™ is set to UTC. This means it may be a few hours before or ahead of your host system clock. Do not change this setting!
If the host clock (in UTC!  ) is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect. In this case, manually fix the host clock by right-clicking on it, and also check for an empty battery. Then, power off and power on the Whonix-Gateway ™ (
sys-whonix) and Tor should be able to reconnect.
Non-Qubes-Whonix: It is strongly discouraged to use the pause / suspend / save / hibernate features.
Qubes-Whonix ™: It is strongly discouraged to use the pause feature of Qube Manager, but it is is safe to use the suspend or hibernate feature of dom0.
If you are interested in using the pause / suspend / save / hibernate features, please click the expand button for further instructions.
- It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Gateway ™, because it is difficult to restore the clock after resume. 
- It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Workstation ™. If this advice is ignored, restart sdwdate after resume.
- It is strongly discouraged to pause Whonix-Gateway ™ (
sys-whonix) using the pause feature of Qube Manager, because it is difficult to restore the clock after resume. 
- It is strongly discouraged to pause Whonix-Workstation ™ (
anon-whonix) using the pause feature of Qube Manager. If this advice is ignored, restart sdwdate after resume. 
- It is safe to use the suspend or hibernate feature of dom0 and a manual restart of sdwdate is unnecessary. 
Start Menu →
Time Synchronization Monitor (sdwdate-gui) →
Or in a terminal. 
Manually Set Clock Time and Date
Usually not required. See Troubleshooting, Clock Fix.
This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Time Attacks and Network Time Synchronization page.
How do I Check the Current Whonix ™ Version?
Open a terminal.
Open a terminal.
- Qubes has dynamic RAM assignment.
- This provides higher performance during upgrades and lowers the likelihood of issues [archive].
- Although non-ideal, swap-file-creator [archive] will create an encrypted swap file and the system is configured to swap as little as possible [archive].
- https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html [archive]
- https://vitux.com/how-to-check-installed-ram-on-debian/ [archive]
- https://support.apple.com/en-us/HT201191 [archive]
- This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include:
cat /proc/meminfo |grep MemTotal,
- By default, Qubes VMs use the same keyboard layout as Qubes dom0.
- By default, Qubes does not require a password for superuser access.
- https://www.qubes-os.org/doc/vm-sudo/ [archive]
- Type the command in the terminal and press
- Due to invalid (not yet or no longer valid) TLS certificates.
To view the system time in UTC on Linux platforms, run.
- TODO: Show desktop clock in local time; keep system in UTC [archive]
- This is because the clock will be incorrect after system resume. A correct clock is important for anonymity (see Dev/TimeSync to learn more).
Qubes does not dispatch the
/etc/qubes/suspend-pre.dhooks upon pause / resume using Qube Manager.
- https://github.com/QubesOS/qubes-issues/issues/1764 [archive]
- This process was simplified in Whonix ™ 15 and only requires one command, instead of two, see: https://github.com/Whonix/sdwdate/blob/master/usr/lib/sdwdate/restart_fresh [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)