Post-installation Security Advice

On Whonix-Gateway and Whonix-Workstation

Change Passwords

After Whonix has finished installing, immediately change the passwords for both the user account (user) and the root account.

Open a terminal (such as Konsole).

Start menu -> Applications -> System -> Terminal

Log in as root.

sudo su


Change the root and user passwords.

passwd
passwd user

Follow the instructions.

Security Updates

Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.

Network Time Syncing

Warnings

Follow the platform-specific recommendations below to avoid Tor connectivity problems and to limit possible adverse anonymity impacts.

All Platforms

  • To protect against time zone leaks, the system clock inside Whonix is set to UTC. This means it may be a few hours behind or ahead of your host system clock. Do not change this setting!
  • If the host clock (in UTC! [1] [2]) is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect. In this case, manually fix the host clock by right-clicking on it, and also check for an empty battery. Then, power off and power on the Whonix-Gateway (sys-whonix) and Tor should be able to reconnect. If the host clock is grossly inaccurate, the user might experience problems when updating the host operating system, so periodically check it is (roughly) correct.
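
The connection window described above can be checked on the host before powering on Whonix-Gateway. The following is an added example, not part of the Whonix documentation or code: the function names are hypothetical, the reference time is assumed to be read by the user from a trusted clock and typed in as UTC, and check_host_clock assumes GNU date.

```shell
#!/bin/sh
# Added example (not Whonix code). Run on the host, not inside Whonix.
# Thresholds are the ones stated on this page.
MAX_PAST=3600      # host clock may be at most 1 hour behind the real time
MAX_FUTURE=10800   # host clock may be at most 3 hours ahead of the real time

# classify_host_clock HOST_EPOCH REF_EPOCH
# Both arguments are seconds since 1970-01-01 00:00:00 UTC.
# Prints: ok | too_far_in_past | too_far_in_future | invalid_input
# Returns: 0 inside the window, 1 outside it, 2 on invalid input.
classify_host_clock() {
    chc_host=$1
    chc_ref=$2
    for chc_v in "$chc_host" "$chc_ref"; do
        case $chc_v in
            ''|*[!0-9]*|0?*) echo invalid_input; return 2 ;;
        esac
    done
    chc_skew=$(( $chc_host - $chc_ref ))   # negative: host is behind
    if [ "$chc_skew" -lt "-$MAX_PAST" ]; then
        echo too_far_in_past; return 1
    elif [ "$chc_skew" -gt "$MAX_FUTURE" ]; then
        echo too_far_in_future; return 1
    fi
    echo ok
}

# check_host_clock "YYYY-MM-DD HH:MM:SS"
# The argument is the current time in UTC, read from a trusted clock.
# Comparing epoch values avoids mixing local time with UTC.
check_host_clock() {
    chk_ref=$(date --utc -d "$1" +%s) || { echo invalid_input; return 2; }
    chk_host=$(date --utc +%s)
    classify_host_clock "$chk_host" "$chk_ref"
}

# Usage (constructed reference time):
#   check_host_clock "2024-05-01 12:00:00"
```

A result other than ok means the host clock should be corrected before Whonix-Gateway is powered off and on again.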

Easy instructions

  • Non-Qubes-Whonix: It is strongly discouraged to use pause / suspend / save / hibernate.
  • Qubes-Whonix: It is strongly discouraged to use the pause feature of Qube Manager, but it is safe to use the suspend or hibernate feature of dom0.

Advanced instructions

If you are interested in using pause / suspend / save / hibernate, follow these instructions.

  • Non-Qubes-Whonix:
    • It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Gateway, because it is difficult to restore the clock after resume. [3]
    • It is strongly discouraged to pause / suspend / save / hibernate the Whonix-Workstation; however, if the user chooses to do so, restart sdwdate after resume.
  • Qubes-Whonix:
    • It is strongly discouraged to pause Whonix-Gateway (sys-whonix) using the pause feature of Qube Manager, because it is difficult to restore the clock after resume. [3]
    • It is strongly discouraged to pause Whonix-Workstation (anon-whonix) using the pause feature of Qube Manager; however, if the user chooses to do so, restart sdwdate after resume. [4]
    • It is safe to use the suspend or hibernate feature of dom0 and a manual restart of sdwdate is unnecessary. [5]

Restart sdwdate

To restart sdwdate:

Start Menu -> Applications -> System -> Time Synchronization Monitor (sdwdate-gui) -> restart sdwdate

Or, in a terminal:

sudo /usr/lib/sdwdate/restart_fresh

sudo systemctl restart sdwdate

Better Security

This chapter is intended to be a short and simple overview to provide basic protection for newcomers. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Network Time Synchronization page.

Footnotes

  1. In Linux, the user can view the system time in UTC by running:
    date --utc
  2. TODO: Show desktop clock in local time; keep system in UTC
  3. This is because the clock will be incorrect after system resume. A correct clock is important for anonymity (see Dev/TimeSync to learn more).
  4. Qubes does not dispatch the /etc/qubes/suspend-post.d / /etc/qubes/suspend-pre.d hooks upon pause / resume using Qube Manager.
  5. https://github.com/QubesOS/qubes-issues/issues/1764

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.