Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes Intel / AMD64 ARM64 PPC64 USB ISO Raspberry Pi More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

How to Reinstall Qubes-Whonix Templates

On occasion, it is necessary to reinstall a Whonix template from the Qubes repository. ^[1]

This chapter usually applies when the Template is:

• Outdated: To upgrade to a newer Point Release or a testers-only version of Whonix.
• Broken: Templates can become broken and/or unbootable for a number of reasons, such as when removing meta-packages that Whonix "depends" on to function properly, or after mixing packages from a later Debian release.
• Misconfigured: Not all Template modifications are easily reversible. In some cases, it may be necessary to reinstall the Template.
• Compromised: Users may suspect their Template has been compromised. For further information on this topic, see Indicators of Compromise.
• Testing: To ensure high quality of future Whonix releases by becoming a Whonix tester.

The reason is that any App Qubes based on the affected Template will inherit the same issues. Disregarding this advice could lead to serious consequences. For example, a core component of the Whonix security model depends on sys-whonix to force all traffic through Tor or block it. If sys-whonix is based on a Template with a misconfigured or broken firewall, the Whonix security model would be broken. ^[3]

Qubes has its own template reinstallation guide; however, this Whonix wiki entry should be preferred when reinstalling Qubes-Whonix Templates. The reason is that this guide is Whonix-specific and contains instructions on how to properly configure all settings. ^[4]

Use one of the following methods:

• A) Uninstall Qubes-Whonix and then Install Qubes-Whonix; OR
• B) Follow the Reinstall the Whonix template instructions below.

Since only Fedora-based UpdateVMs support the --action=upgrade option for reinstalling the Template, it is recommended that you create a dedicated Qubes dom0 UpdateVM based on Qubes' Fedora template. Forcing dom0 updates over Tor is still possible by setting sys-whonix as the NetVM for the UpdateVM. ^[5]

1 Launch a dom0 terminal.
Click the Qubes App Launcher (blue/grey "Q") → Open the Terminal Emulator (Xfce Terminal)

2 Upgrade Qubes dom0. This step is mandatory. ^[9]

sudo qubes-dom0-update

3 Done.

The dom0 upgrade has been completed.

[qubes-templates-community-testing]
name = Qubes Community Templates repository
#baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing
metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink
enabled = 0
fastestmirror = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-templates-community

In the instructions below, a check is first made for a newer version of the Template.

• Upgrade if available: If a newer Template version exists, install it (upgrade).
• Reinstall if not: If no newer Template version is available, reinstall the existing version (reinstall).

Unfortunately, there is no combined upgrade and reinstall command. ^[13]

qvm-template --enablerepo=qubes-templates-community upgrade <qubes-template-package>

qvm-template --enablerepo=qubes-templates-community reinstall <qubes-template-package>

Use salt to configure dom0 settings. ^[15]

sudo qubesctl state.sls qvm.anon-whonix

Qubes-Whonix Disposable Template can optionally be set up as a base for Disposables. ^[16]

In dom0, run.

sudo qubesctl state.sls qvm.whonix-workstation-dvm

To force all Template updates over Tor, use qubesctl in dom0. ^[17]

sudo qubesctl state.sls qvm.updates-via-whonix

To undo this setting, modify,

• Qubes R4.2: /etc/qubes-rpc/policy/qubes.UpdatesProxy
• Qubes R4.3: /etc/qubes/policy.d/50-config-updates.policy

in dom0. ^[18] See also How-to: Fix dom0 Qubes-Whonix^™ UpdatesProxy Settings.

To force dom0 updates over Tor, set Qubes' dom0 UpdateVM to sys-whonix. ^[19]

• Qube Manager → System → Global Settings → Dom0 UpdateVM: sys-whonix → OK

To revert this change, set Qubes' dom0 UpdateVM to sys-firewall or another preferred VM. ^[20]

• Qubes Manager → System → Global Settings → Dom0 UpdateVM: sys-firewall → OK

AppArmor is enabled by default. No extra steps required.

Any VMs based on the reinstalled Template must be restarted to reflect the updated file system.

Before starting applications in the Whonix-Workstation^™ App Qube, update both Whonix-Gateway^™ and Whonix-Workstation^™ Templates.

To launch an application like Tor Browser:

• Qubes App Launcher (blue/grey "Q") → Domain: anon-whonix → Tor Browser (AnonDist)

The process of reinstalling Qubes-Whonix Templates is now complete.

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!