Actions

HowTo: Install the Stable Version of Qubes-Whonix ™ 15

From Whonix

< Qubes



Introduction[edit]

FREE

First time user?[edit]

Whonix first time users warning Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix works.

Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix is the right tool for you based on its limitations.

Installation[edit]

Remove Old Versions[edit]

This is section Remove Old Versions as above headline indicates.

Info Note: If you have Qubes-Whonix ™ 14 installed and want to get Qubes-Whonix ™ 15 there is no need to uninstall Qubes-Whonix ™ before proceeding. [1] In other words, in that case, the remaining text below in this very section (Remove Old Versions) can be ignored.

If you are already running any version of Qubes-Whonix ™, it must be uninstalled before a complete (re-)installation is performed. This applies to those who:

Before re-installation, back up any existing data stored in Whonix VMs.

In summary, three options are available (listed in order of preference):

  1. Uninstall Qubes-Whonix ™ and then Install Qubes-Whonix ™; OR
  2. Reinstall the Whonix TemplateVM; OR
  3. Upgrade Whonix 14 to 15

Update dom0[edit]

To launch a dom0 terminal, click the Qubes App Launcher (blue/grey "Q") and then open the Terminal Emulator (Xfce Terminal).

Qubes-whonix1.png

Upgrade Qubes dom0. This step is mandatory. [2]

sudo qubes-dom0-update

Adjust Whonix Version Number[edit]

In dom0.

Open file whonix.jinja with root rights. [3]

sudo nano /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja

Change 14 to 15.

Save.

Please report if this step was necessary or unnecessary for you!

Download Whonix ™ Templates and Configure sys-whonix and anon-whonix[edit]

Ambox warning pn.svg.png Before you execute the call in this section, keep in mind it can take a long time to execute. It is dependent on your internet connection. The time it will take can range from a few minutes, to twenty or more. It will take longer over Tor. No progress indicator is shown. Do not interrupt the salt process once it has started or this can lead to an unstable system [archive]. [4]

The following qubesctl command [5] will:

  • Download both Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.
  • Configure sys-whonix and anon-whonix safely. [6]

In dom0, run.

sudo qubesctl state.sls qvm.anon-whonix

For troubleshooting please see the footnotes. [7] [8] [9]

Optional Whonix ™ DVM Template VM[edit]

In Qubes R4 and above, a whonix-ws-15-dvm DVM Template can optionally be set up as a base for Disposable VMs. [10]

In dom0, run.

sudo qubesctl state.sls qvm.whonix-ws-dvm

Optional Updates over Tor[edit]

TemplateVMs[edit]

To force all TemplateVM updates over Tor, [11] use salt in dom0.

sudo qubesctl state.sls qvm.updates-via-whonix

To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0. [12] See also Qubes/UpdatesProxy.

dom0[edit]

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. [13]

Qube ManagerSystemGlobal SettingsDom0 UpdateVM: sys-whonixOK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. [14]

Qubes ManagerSystemGlobal SettingsDom0 UpdateVM: sys-firewallOK

Optional: Enable AppArmor[edit]

If you are interested, click on Expand on the right.

The following steps should be completed in dom0 for both whonix-gw-15 and whonix-ws-15 TemplateVMs. [15] After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[16] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters.

qvm-prefs -g whonix-gw-15 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.

For example.

qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-gw-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the sys-whonix ProxyVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters.

qvm-prefs -g whonix-ws-15 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.

For example.

qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-ws-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the anon-whonix AppVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Update and Launch Applications[edit]

Before starting applications in the Whonix-Workstation ™ AppVM, update both Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.

To launch an application like Tor Browser:

Qubes App Launcher (blue/grey "Q")Domain: anon-whonixTor Browser (AnonDist)

To learn about known bugs affecting this release, see here.

Additional Information[edit]

It is recommended to refer to these additional references:

Footnotes[edit]

In Qubes R4.0, after uninstalling old Whonix ™ templates and attempting reinstallation via:

[user@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix

The result is.

'state.sls' is not available.
DOM0 configuration failed, not continuing

Solution: Restarting after uninstalling old Whonix ™ versions.

  1. This is because the name of the TemplateVMs changed from:
    • whonix-gw-14 to whonix-gw-15
    • whonix-ws-14 to whonix-ws-15
  2. add salt download progress indicator [archive]
  3. If an error message appears stating that qubesctl does not exist or the command is not recognized, then it is necessary to enable the testing repository and install salt.
    sudo qubes-dom0-update --best --allowerasing --enablerepo=qubes-dom0-current-testing qubes-mgmt-salt-dom0-virtual-machines
    Please report if this step was necessary for you!
  4. Sometimes the Qubes Community Templates repository must also be enabled by editing Qubes dom0 repository definition files.

    In dom0.

    1) Open file /etc/yum.repos.d/qubes-templates.repo with root rights.

    sudo nano /etc/yum.repos.d/qubes-templates.repo

    2) In section [qubes-templates-community] set

    enabled = 1

    3) Save.

    Please report if step this was necessary for you!

  5. If qubesctl still does not work, try shutting down Qubes OS and rebooting the machine. Please report if this step was necessary for you!
  6. https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-15-dvm.sls [archive]
  7. https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/_jI2uWPPMMA#!topic/qubes-users/_jI2uWPPMMA [archive]
  8. Or manually set the torified UpdateVM in dom0 terminal.
    qubes-prefs updatevm sys-whonix
  9. To revert this change in dom0 terminal, run.
    qubes-prefs updatevm sys-firewall
  10. While Debian enabled AppArmor by default since Debian buster, Fedora does not. This matters since Qubes, which is Fedora based, by default uses dom0, not VM kernel. Therefore this is still required even though Whonix 15 is Debian buster based.
  11. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM [archive].


Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

Join us in testing our new AppArmor profiles [archive] for improved security! (forum discussion [archive])

https [archive] | (forcing) onion [archive]

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.