Qubes/Install
Installation
Use Qubes R3.2 or above.
1. Launch dom0 Terminal
Qubes App Launcher (blue/grey "Q")
Then go to:
System Tools -> Konsole
2. Install Qubes-Whonix
3. Enable AppArmor (optional, testers-only security enhancement)
Proceed at your own risk!
If considering the use of Tor bridges, be aware that AppArmor has caused problems with obfsproxy in the past. [1]
The following steps should be completed in dom0 for both whonix-gw and whonix-ws TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings. It is unnecessary for users to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from these new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
For Qubes R3.2 and later releases, this will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the sys-whonix ProxyVM and confirm AppArmor is now active.
The output should show.
0
Whonix-Workstation
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
For Qubes R3.2 and later releases, this will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the anon-whonix AppVM and confirm AppArmor is now active.
The output should show.
0
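The dom0 part of step 3 for both templates, as an added example that is not taken from the Whonix wiki. It assumes the Qubes R3.2 `qvm-prefs -l` / `qvm-prefs -s` syntax, and it goes slightly beyond the text by replacing any stale `apparmor=` or `security=` value so that repeated runs never produce duplicates. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Run in dom0.
# Assumption: Qubes R3.2 qvm-prefs syntax (-l lists a property, -s sets it).

# merge_kernelopts CURRENT: print CURRENT with the AppArmor options appended.
# Existing parameters such as nopat are kept; an earlier apparmor= or
# security= value is dropped first, so the merge is idempotent.
merge_kernelopts() {
    out=""
    for opt in $1; do
        case "$opt" in
            apparmor=*|security=*) ;;            # drop stale values
            *) out="${out:+$out }$opt" ;;        # keep everything else
        esac
    done
    printf '%s\n' "${out:+$out }apparmor=1 security=apparmor"
}

# has_apparmor OPTS: succeed only if both parameters are present.
has_apparmor() {
    case " $1 " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# apply_to_template TEMPLATE: read, merge, write back, then re-read to verify.
apply_to_template() {
    current=$(qvm-prefs -l "$1" kernelopts) || return 1
    new=$(merge_kernelopts "$current")
    qvm-prefs -s "$1" kernelopts "$new" || return 1
    has_apparmor "$(qvm-prefs -l "$1" kernelopts)"
}

# Only touch anything when qvm-prefs exists, i.e. when really run in dom0.
if command -v qvm-prefs >/dev/null 2>&1; then
    for tpl in whonix-gw whonix-ws; do
        apply_to_template "$tpl" && echo "$tpl: AppArmor kernel options set"
    done
fi
```

The check inside sys-whonix and anon-whonix described above still has to be done after the VMs are started; this script only covers the kernel parameters set from dom0.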
4. Update your Whonix-Gateway and Whonix-Workstation TemplateVMs
5. Start the Whonix-Workstation AppVM
For example, start the browser.
Qubes App Launcher (blue/grey "Q") -> Domain: anon-whonix -> Privacy Browser
6. Advanced information (Optional [security] information.)
- Read and apply the Post Installation Security Advice.
- Stay tuned!
DisposableVM
Stay tuned
Introduction
It is important to read the latest Whonix news to stay in touch with ongoing developments. This way, users also benefit from notifications about important security vulnerabilities and improved releases which address identified issues, like those found affecting the updater or other core elements.
Whonix News Forums
For user convenience, there are multiple avenues for receiving news. Choose the most suitable option from this list:
- Whonix Important News Forum Tag
  - Only critical information is reported. This includes security vulnerabilities and new stable Whonix versions. It is best suited for people with very limited time and interest in Whonix development and news.
- Whonix News Forums
  - This includes everything including important news and has a relaxed posting policy. Testers-only and developers Whonix versions are announced here, along with the publishing of news about updated articles, new features, future features, development, calls for testing, general project ideas and so on.
- Other choices. [3]
If time-constrained, users should at least read the Whonix Important News Forum Tag. Follow the Whonix News Forums if interested in learning about anonymity / privacy / security-related issues in detail, or to follow recent Whonix developments.
Operating System Updates
As strongly recommended in the Security Guide, it is necessary to regularly check for operating system updates on the host operating system, and both the Whonix-Workstation and Whonix-Gateway.
Tor Browser
Tor Browser's built-in update check mechanism also works in Whonix, so use it whenever updates become available. [4]
For additional information about Tor Browser updates see Tor Browser. Additionally, consider subscribing to https://blog.torproject.org for developments from The Tor Project.
Whonix Version Check and Whonix News
Whonixcheck will also automatically provide notifications about new Whonix versions and critical Whonix News updates. [5]
Running Whonixcheck
By default, Whonixcheck runs automatically from time to time whenever the user starts up a Whonix-Workstation (commonly called whonix-ws). Whonixcheck verifies that the Whonix system is up-to-date and that everything is in proper working order.
Even though Whonixcheck should run automatically and periodically, [6] users can also manually run Whonixcheck to check the system status by following the directions below.
How to Manually Run Whonixcheck
If you are using Qubes-Whonix, complete the following steps. [7]
Qubes App Launcher (blue/grey "Q") -> click on the Whonix VM you want to check -> whonixcheck / System Check
If you are using a graphical Whonix, complete the following steps.
Start Menu -> System -> whonixcheck
If you are using a terminal-only Whonix, complete the following steps.
Depending on the system specifications, Whonixcheck may take up to a few minutes to run. Assuming everything is working as intended, the output should highlight each "INFO" heading in green (not red). A successful Whonixcheck process results in output similar to the sample below.
Sample Whonixcheck Output
INFO: SocksPort Test Result: Connected to Tor. IP: 146.10.104.240
INFO: TransPort Test Result: Connected to Tor. IP: 91.89.96.88
INFO: Stream Isolation Test Result: Functional.
INFO: Whonix News Result: √ Up to date: whonix-workstation-packages-dependencies 3.4.2-1
INFO: Debian Package Update Check Result: No updates found via apt-get.
INFO: Whonix APT Repository: Enabled. When the Whonix team releases JESSIE updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.whonix.org/wiki/Trust to understand the risk. If you want to change this, use: dom0 -> Start Menu -> Template: whonix-ws -> Whonix Repository
Tor Bootstrap
Tor bootstrap refers to the process of attempting to connect to the Tor network (successfully or unsuccessfully). Familiar output related to this process includes: "Tor connecting xx percent...", "Tor not connected", "Tor connected" and so on. Bootstrapping does not refer to related concepts, such as whether connections are "secure", "not secure", "anonymous" or "not anonymous".
Social Media Profiles
There are some Whonix Social Media Profiles online, but please do not rely on them for the latest Whonix News or to contact Whonix developers (see Contact for contact information).
As some users will disregard this advice, messages from the Whonix Feature Blog are automatically mirrored to the Whonix Twitter Profile and the Whonix Facebook Profile. However, they are not mirrored to the Whonix Google+ Profile.
Soon:
If it is safe to inform others about Whonix, feel free to Contribute via an anonymous account that follows or likes these profiles. This page can be shared on: Twitter | Facebook.
Source Code
If Whonix source code updates are of interest, subscribe to code changes.
Known bugs
All Platforms
"apt-get source package" will show "dpkg-source: warning: failed to verify signature"
This is not a security issue, but only a warning. Read the entire thread here for more information.
This warning message can be removed with the workaround below.
1. Modify /etc/dpkg/origins/default
2. Download the source package
3. Undo afterwards to prevent unexpected issues
Proxychains Tor Browser Issue
Using Tor Browser in conjunction with proxychains for the connection scheme User -> Tor -> Proxy -> Internet doesn't currently work. For more information, see here.
Non-Qubes-Whonix
Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.
Suspend / Hibernate Issues
Short: Avoid suspending or hibernating the computer or Whonix VMs while Whonix is running.
Long: Network Time Syncing, Troubleshooting#Clock Fix. [8]
Mounting (CD / DVD) Devices
If the device auto mounter is broken, see if Start menu -> System Settings -> Removable Media helps.
The following workaround can be used.
Using the ro flag will mount the CD / DVD in read-only mode. If a CD / DVD is not being mounted, then drop the "-o ro" parameter.
Forum discussion:
https://forums.whonix.org/t/workstation11-doesnt-mount-hdds/1313
Help fixing this bug is welcome! (ticket)
VLC / Video Player Crash
The following workaround can be used.
VLC -> Tools -> Preferences -> Video -> Output -> X11 -> Save
Network Manager Systray Unmanaged Devices
Short answer: Unmanaged devices are unrelated to Whonix functioning and shouldn't concern the user.
Long answer: [9]
Qubes-Whonix
Unexpected timedatectl NTP Result
When sys-whonix launches in Qubes-Whonix 13, a false positive warning appears stating:
ERROR: Systemd Clock Check Result: Unexpected results by timedatectl.
timedatectl_output_pretty:
Local time: Fri 2018-01-12 14:04:59 UTC
Universal time: Fri 2018-01-12 14:04:59 UTC
RTC time: Fri 2018-01-12 14:04:06
Time zone: Etc/UTC (UTC, +0000)
NTP enabled: yes
NTP synchronized: no
RTC in local TZ: no
DST active: n/a
It is generally recommended to keep the default as per Whonix Design. [1]
If you did not change timezone related settings, please report this Whonix bug.
If you know what you are doing and changed this on purpose, feel free to disable this check. [2]
[1] https://www.whonix.org/wiki/Dev/Design-Shared#timezone
[2] Create a file /etc/whonix.d/50_whonixcheck_user and add:
whonixcheck_skip_functions+=" check_systemd_clock "
Although NTP is enabled, it is inactive (dead) and does not pose any threat to anonymity. This problem has been rectified in the Whonix 14 release.
In Qubes R3.2, anon-whonix in Whonix 14 does not have Qubes appmenus (start menu) entries by default. These must be manually added:
Qubes appmenu -> anon-whonix -> Add more shortcuts
This issue has been fixed in Qubes R4. [10]
Footnotes
- ↑ https://github.com/Whonix/Whonix/issues/67
- ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
- ↑ Other choices:
  - Whonix Important News Forum Tag RSS
  - Whonix News Forums RSS
  - Subscribe to the Whonix News Forums by e-mail. When registered at the Whonix Forums, specific categories of interest such as the Whonix News Forums can be selected. Whonix News Forums posts are mirrored to the Whonix Development Mailing List (broken)
  - Whonix Social Media Profiles
- ↑ The only exception is Tor Browser running in a DisposableVM in Qubes-Whonix, since the update will not persist.
- ↑ For example: When a version becomes unsupported, if manual user action is required, if major features break, or if security vulnerabilities are found. The policy is to use Whonix News sparingly.
- ↑ This does not happen every time the user starts a Whonix-Workstation.
- ↑ Qubes VM Manager -> right-click on the Whonix VM you want to check -> select "Run command in VM"
Type the following. Then press <ENTER>.
- ↑ https://github.com/QubesOS/qubes-issues/issues/1764
- ↑
Whonix doesn't use network manager to manage either eth0 or eth1.
- In Non-Qubes-Whonix, networking is managed by ifupdown.
- Qubes-Whonix uses a custom /lib/systemd/system/qubes-whonix-network.service and is unaffected by this issue.
All attempts to fix this long-standing issue have failed. Help is welcome to fix it.
Fix Unmanaged Devices Network Manager
- ↑ To fix this in Qubes R3.2, developers would need to backport Qubes-Whonix salt:
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)
