Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes Intel / AMD64 ARM64 PPC64 USB ISO Raspberry Pi More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

How to Reinstall Qubes-Whonix Templates

Introduction[edit]

On occasion, it is necessary to reinstall a Whonix template from the Qubes repository. ^[1]

This chapter usually applies when the template is:

• Outdated: To upgrade to a newer Point Release or testers-only version of Whonix.
• Broken: Templates can become broken and/or unbootable for a number of reasons, such as when removing meta-packages that Whonix "depends" on to function properly, or after mixing packages from a later Debian release.
• Misconfigured: Not all Template modifications are easily reversible. In some cases, it may be necessary to reinstall the Template.
• Compromised: Users may suspect their Template has been compromised. For further information on this topic, see: Indicators of Compromise.
• Testing: To ensure a high quality of future Whonix releases by becoming a Whonix tester.

Warning[edit]

The reason is that any App Qubes based on the affected Template will inherit the same issues. Disregarding this advice could lead to serious consequences. For example, a core component of the Whonix security model depends on sys-whonix forcing all traffic through Tor or blocking it. If sys-whonix is based on a Template with a misconfigured or broken firewall, the Whonix security model would be broken. ^[3]

Reinstallation Methods[edit]

Qubes has its own template reinstallation guide, however, this Whonix wiki entry should be preferred for reinstallation of Qubes-Whonix. The reason is that this guide is Whonix-specific and contains instructions on how to properly configure all settings. ^[4]

Use one of the following methods:

• A) Uninstall Qubes-Whonix and then Install Qubes-Whonix; OR
• B) Follow the Reinstall the Whonix template instructions below.

Reinstall the Whonix template[edit]

UpdateVM Setting[edit]

Since only Fedora-based UpdateVMs support the --action=upgrade option for reinstalling the Template, it is recommended to create a dedicated Qubes dom0 UpdateVM based on Qubes' Fedora template. Forcing dom0 updates over Tor is still possible by setting sys-whonix as the NetVM for the UpdateVM. ^[5]

Update dom0[edit]

1. Launch a dom0 terminal.
Click the Qubes App Launcher (blue/grey "Q") → Open the Terminal Emulator (Xfce Terminal)

2. Upgrade Qubes dom0.

This step is mandatory. ^{[9] [10]}

sudo qubes-dom0-update --show-output --console

3. Done.

The dom0 upgrade has been completed.

Configure salt using Qubes dom0 Community Testing Repository[edit]

[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-templates-community

Adjust Whonix Version Number[edit]

1. Introduction.

If the previous sudo qubes-dom0-update was completed, it should not be necessary to verify the version number. However, this is mentioned because many users fail to update dom0 packages beforehand.

2. View local salt Whonix version number.

In dom0.

View contents of file /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja.

sudo cat /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja

3. Example output.

{% set whonix_version = salt['pillar.get']('qvm:whonix:version', '17') %}
{% set whonix_repo = salt['pillar.get']('qvm:whonix:repo', '[omitted for brevity]') %}

4. Interpretation.

Verify whonix_version is 17.

If it shows something else, then Qubes dom0 is outdated. In that case, it is not possible to continue. ^{[14] [15] [16]}

5. Done.

Version number verification has been completed.

Reinstall[edit]

In the instructions below, a check is first made for a newer version of the Template.

• If a newer Template version exists, install it (upgrade).
• If no newer Template version is available, reinstall the existing version (reinstall).

Unfortunately there is no combined upgrade and reinstall command. ^[17]

qvm-template --enablerepo=qubes-templates-community upgrade <qubes-template-package>

qvm-template --enablerepo=qubes-templates-community reinstall <qubes-template-package>

Settings[edit]

Use salt to configure dom0 settings. ^[19]

sudo qubesctl state.sls qvm.anon-whonix

Optional Steps[edit]

Whonix Disposable Template[edit]

In Qubes R4 and above a whonix-workstation-17-dvm Disposable Template can optionally be set up as a base for Disposables. ^[20]

In dom0, run. ^[21]

sudo qubesctl state.sls qvm.whonix-workstation-dvm

Updates over Tor[edit]

Templates[edit]

To force all Template updates over Tor, use qubesctl in dom0. ^[22]

sudo qubesctl state.sls qvm.updates-via-whonix

To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy in dom0. ^[23] See also How-to: Fix dom0 Qubes-Whonix^™ UpdatesProxy Settings.

dom0[edit]

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. ^[24]

• Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. ^[25]

• Qubes Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

Enable AppArmor[edit]

AppArmor is enabled by default. No extra steps required.

Final Steps[edit]

Restart App Qubes[edit]

Any VMs based on the reinstalled Template must be restarted to reflect the updated file system.

Update and Launch Applications[edit]

Before starting applications in the Whonix-Workstation^™ App Qube, update both Whonix-Gateway^™ and Whonix-Workstation^™ Templates.

To launch an application like Tor Browser:

• Qubes App Launcher (blue/grey "Q") → Domain: anon-whonix → Tor Browser (AnonDist)

Done[edit]

The process of reinstalling Qubes-Whonix Templates is now complete.

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!