
Security Guide

About this Security Guide Page
support status stable
difficulty medium
maintainer Whonix team
support Support




You may skip this Motivation chapter.

If you need motivation to secure your computer, refer to these articles.

And if that's too much to read, just have a glance at the graphics.

Operating System


Important! Everything must stay current.

Make sure you know about CVE-2016-1252 secure apt-get upgrading.

1. Update your package lists.

Check at least daily. Keep your host operating system updated. Update the package lists of Whonix-Gateway and Whonix-Workstation.

sudo apt-get update

Should look similar to this.

Hit http://security.debian.org jessie/updates Release.gpg                                                                                                    
Hit http://security.debian.org jessie/updates Release                                                                                                        
Hit http://deb.torproject.org jessie Release.gpg                           
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release                                             
Hit http://security.debian.org jessie/updates/contrib i386 Packages    
Hit http://ftp.us.debian.org jessie Release                           
Hit http://security.debian.org jessie/updates/non-free i386 Packages  
Hit http://deb.torproject.org jessie/main i386 Packages               
Hit http://security.debian.org jessie/updates/contrib Translation-en  
Hit http://ftp.us.debian.org jessie/main i386 Packages                
Hit http://security.debian.org jessie/updates/main Translation-en                        
Hit http://ftp.us.debian.org jessie/contrib i386 Packages                                
Hit http://security.debian.org jessie/updates/non-free Translation-en                    
Hit http://ftp.us.debian.org jessie/non-free i386 Packages                               
Ign http://ftp.us.debian.org jessie/contrib Translation-en              
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists... Done

If you see something like this.

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org jessie Release.gpg
  Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg
  Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg  Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg  Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg  Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

500  Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should fix itself. Check if your network connection is functional, change your Tor circuit, then try again. Running whonixcheck might also help to diagnose the problem.

Sometimes if you see a message such as.

Could not resolve 'security.debian.org'

It helps to run.

nslookup security.debian.org

And then trying again.

2. Upgrade

sudo apt-get dist-upgrade

Please note that if you disabled the Whonix APT Repository (see Disable_Whonix_APT_Repository) you'll have to manually check for new Whonix releases and manually install them from source code.

3. Never install unsigned packages!

If you see something like this.

WARNING: The following packages cannot be authenticated!
Install these packages without verification [y/N]?

Don't proceed! Press N and <enter>. Running apt-get update again should fix it. If not, something is broken or it's a man-in-the-middle attack, which isn't that unlikely, since we are updating over Tor exit relays and some of them are malicious. Try to change your Tor circuit.

4. Signature Verification Warnings

There should be none at the moment. If there was such a warning, it would look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

In that case, you should be careful. Even though apt-get will automatically ignore repositories with expired keys or signatures, you will not receive upgrades from that repository. Unless the issue is already known/documented, it should be reported so it can be further investigated.

There are two possible reasons why this could happen. Either there is an issue with the repository that its maintainers have to fix, or you are the victim of a man-in-the-middle attack. [1] The latter would not be a big issue [2] and might go away automatically after a while [3]; otherwise, try to change your Tor circuit.

In the past, various apt repositories were signed with an expired key. This is how the documentation looked at that point.

The Tor Project's apt repository key was expired. You saw the following warning.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

It had already been reported. There was no immediate danger. You could have just ignored it. Just make sure you never install unsigned packages, as explained above.

See also the more recent Whonix apt repository keyexpired error.

If you were to see other signature verification errors, those should be reported, but it shouldn't happen at this time.

5. Changed Configuration Files

If you see something like the following.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful. If the updated file isn't coming from a Whonix-specific package (some are called whonix-...), then press n. Otherwise, anonymity/privacy/security settings deployed with Whonix might get lost. If you are an advanced user and know better, you can of course manually check the differences and merge them.

How could you find out if the file is coming from a Whonix specific package or not?

  • Whonix-specific packages are sometimes called whonix-.... In the example above it says "Setting up ifupdown ...", so the file isn't coming from a Whonix-specific package. In this case, you should press n as advised in the paragraph above.
  • If the package name does include whonix-..., it's a Whonix-specific package. In that case, your safest bet should be pressing y, but then you would lose your customized settings. You can re-add them afterwards. Such conflicts will hopefully happen rarely if you use Whonix's modular, flexible .d style configuration folders.

6. Restart Services after Upgrading

After upgrading, either reboot (easy).

sudo reboot

Or, if you want to avoid rebooting (harder), use needrestart.

Do once. Install needrestart.

sudo apt-get update
sudo apt-get install needrestart

Run needrestart.

sudo needrestart

It will provide some advice.

Run it again after applying advice.

sudo needrestart

If nothing else has to be restarted, it should show.

No services need to be restarted.

This might become more usable and automated in future. (T324)

7. Restart after Kernel Upgrades

When linux-image-... was upgraded, a reboot is required to benefit from the security updates.
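The checks from steps 1 to 7 can be applied to a saved transcript, for example one written with `sudo apt-get dist-upgrade 2>&1 | tee upgrade.log`. The script below is an added example, not part of the Whonix documentation; the function names, the `whonix-example-package` name and the `linux-image-EXAMPLE` line are hypothetical, and the sample transcripts are constructed from the messages quoted above.

```shell
#!/bin/sh
# Added example, not part of the Whonix documentation: triage a saved apt-get
# transcript using the messages quoted in steps 1 to 7 above.

# Steps 1, 3 and 4: print one verdict for the transcript in file $1.
# Order matters: a signature warning is accompanied by "Failed to fetch" lines.
classify_apt_log() {
    if grep -q 'packages cannot be authenticated' "$1"; then
        echo unauthenticated    # step 3: answer N, do not install
    elif grep -Eq 'during the signature verification|signatures were invalid' "$1"; then
        echo signature          # step 4: report unless already documented
    elif grep -Eq 'Failed to fetch|Could not resolve|Unable to connect' "$1"; then
        echo fetch-failed       # step 1: check network, change circuit, retry
    else
        echo ok
    fi
}

# Step 5: for each changed-configuration-file prompt, print the package that
# was being set up and the answer the guide recommends (Y only for whonix-*).
conffile_answers() {
    awk '
        /^Setting up /         { pkg = $3; sub(/:.*/, "", pkg) }
        /^Configuration file / { print pkg, (pkg ~ /^whonix-/ ? "Y" : "N") }
    ' "$1"
}

# Step 7: succeed if a kernel package was configured, so a reboot is required.
kernel_upgraded() {
    grep -q '^Setting up linux-image-' "$1"
}

# Constructed sample transcripts, written into directory $1.
write_samples() {
    cat > "$1/expired.log" <<'EOF'
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
    cat > "$1/unauth.log" <<'EOF'
WARNING: The following packages cannot be authenticated!
Install these packages without verification [y/N]?
EOF
    cat > "$1/dns.log" <<'EOF'
Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
    # Package names below other than ifupdown are hypothetical placeholders.
    cat > "$1/upgrade.log" <<'EOF'
Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
Setting up whonix-example-package ...
Configuration file `/etc/example.d/30_default.conf'
Setting up linux-image-EXAMPLE ...
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.log; do
    echo "$(basename "$f"): $(classify_apt_log "$f")"
done
conffile_answers "$tmp/upgrade.log"
if kernel_upgraded "$tmp/upgrade.log"; then
    echo "kernel package configured: reboot required"
fi
rm -rf "$tmp"
```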

Whonix-Gateway Security


You should never use Whonix-Gateway for anything other than running Tor on it!

In case the Whonix-Gateway is compromised, the identity (public IP), all destinations and all clear-text (and hidden service) communication over Tor are available to the attacker.

If you feel you need to install any extra packages on the Gateway please consult the developers first to ask if that is really necessary/wise.

Warning: Bridged Networking

You shouldn't change the Whonix-Gateway's first or second network interface to bridged network. This is untested. It should not be necessary. If you feel it is necessary, please get in contact.

If you are interested, here is a discussion thread, and another one, with arguments whether NAT or bridged network is more secure.

Host Security


Please read the Computer Security Education about Host Security.

Power Saving Considerations

Upon system suspend/standby, Full Disk Encryption keys are still in RAM. Avoid leaving the machine in this state if you are in a high-risk situation or on the go. Hibernating the system locks all system partitions to a safe state and is the recommended power mode to use, even if there is a small trade-off in startup time.

On GNU/Linux hosts, it's not a given that standby means having LUKS keys in memory. Some experimental projects[4] and custom setups with systemd+scripting are able to erase the keys before system suspend to avoid mistakes.

The network fingerprint for a Tor on Whonix-Gateway is no different than a standard Tor instance on the host that's gone through standby. There are some old connections that go stale and need renewal - but nothing seen by a network adversary because time leak identifiers have been stripped out of Tor's protocol/OpenSSL and TCP Timestamps are gone. Manual time adjustment has to be done however to be able to reconnect. Alternatively, an easy method would be to power off and power on the VM. This will no longer be necessary once hypervisor specific post resume hooks will be used because guest clocks will be seamlessly updated upon power state changes from the host.

Risks through hardware components

Assumption: an adversary managed to break out of Whonix-Workstation's Virtual Machine using an exploit.

Hardware components, either built in or extra components, such as CPU or hdd temperature sensors, microphones and cameras introduce risks.

Whonix with Physical Isolation is affected:

  • User's IP address is still safe, but the temperature sensors can be used for anonymity set reduction. Different CPU or hdd models will report different sensor information, depending on climate and weather. If you can, you are advised to remove the sensors or to obfuscate the sensor results.
  • Camera and microphones can be covertly activated by the adversary. At least remove them (external ones) or disable them in BIOS if possible. Better cover them or ideally remove them.

Whonix Default version is affected, although it does not matter:

  • Same as above applies. If the assumption is true, the adversary can already find out the user's real IP address.

Thanks to Robert Ransom for pointing out this issue.

Anonymous 3G modem

Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or Whonix is compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • Non-physical isolation users: Either 1) Plugged or integrated into the host as host internet connection replacement (easier) or 2) plugged into Whonix-Gateway and only routing Whonix-Gateway's traffic through it, not the host's one (undocumented, therefore harder).
  • Physical Isolation: Same as 2) above. (While there is no host in that sense.)
  • Buy the 3G modem anonymously (in a store, second hand, on street, no personal data).
  • Be sure to have never used it for non-anonymous use before.
    • Because in many countries the telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Also be sure to buy the SIM-card anonymously.
  • Prepaid is better.
  • Buy cash codes in different stores anonymously.
  • Be sure to never have used this anonymous SIM-card with a non-anonymous phone or 3G modem.
    • Because in many countries the telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
    • Optionally, always get a fresh, distant, random, non-circle spot. (security vs. comfort)
    • Check for cameras and witnesses.
  • 3G users often get only a shared IP. Due to the scarcity of IPv4 addresses, thousands of users share the same external IP (IPv4). Some providers do not yet log users' (NAT) ports. Consequently, they cannot identify users when given an IP and timestamp. Nice to have, but don't rely on it! (Some providers assign additional IPv6 addresses to their users, which are unique. Tor does not use IPv6 yet.)

Anonymous WiFi adapter

Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or Whonix is compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • Plugged or integrated into Whonix-Gateway.
  • Buy the wifi adapter anonymously (In a store, second hand, on street, no personal data).
  • Be sure to have never used it for non-anonymous use before.
    • Because a few providers or hotspot providers log the MAC address and the username (for paid hotspots) for each dial up.
  • Use only free hotspots or pay them anonymously (if that's possible, otherwise abstain from paid hotspots).
    • Optionally, always get a fresh, distant, random, non-circle spot. (security vs. comfort)
    • Check for cameras and witnesses.


Whonix does not yet improve host security. You are advised to use a secure host operating system.

Mandatory Access Control


Check out Whonix's AppArmor profiles. It is not that difficult and is a considerable security enhancement.


Consider enabling seccomp.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc


Add the following line.

Sandbox 1




According to the Firejail project page:[5]

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Firejail has built-in profiles for a large number of popular Linux programs - many of which are used in Whonix. A small sample of the 100+ profiles includes: Chromium, CryptoCat, Dolphin, Evince, Firefox, HexChat, Icedove, LibreOffice, Okular, Thunderbird, Transmission, VirtualBox, VLC and wget.[6]

Installing Firejail

Works in both Qubes-Whonix as well as Non-Qubes-Whonix.

1. Boot your Whonix-Workstation (commonly called whonix-ws) TemplateVM.

2. Add jessie-backports to your sources.list.

   sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Or alternatively use the .onion mirror:

   sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

3. Use apt-pinning before installing dependencies.

Apt-Pinning provides a safe mechanism to mix and match packages from different Debian repo branches without breaking your base distro.

Giving stable the highest pin priority ensures that the stable version of a package is preferred over any other when installing with apt. Note that these files have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref


Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500


4. Update your package lists.

   sudo apt-get update

5. Install firejail.

   sudo apt-get -t jessie-backports install firejail

6. Use firejail.

To run sand-boxed applications, simply prefix your program command with "firejail" in a terminal, for example:

   firejail evince
   firejail vlc

There is no secure and reliable way to create start menu entries / desktop shortcuts using firejail. In the meantime, you are better off starting firejailed applications from the command line.

For a further technical discussion of Firejail, see: https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment
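The pinning file from step 3 only does its job if stable stays on top, so it is worth checking after any later edit. The script below is an added example, not part of the Whonix documentation: the function names are hypothetical, good.pref is the file from step 3 and bad.pref is a constructed counter-example. The 1000 threshold comes from apt_preferences(5), where a priority of 1000 or more allows apt to downgrade installed packages.

```shell
#!/bin/sh
# Added example, not part of the Whonix documentation: sanity-check an apt
# preferences file such as /etc/apt/preferences.d/debian-pinning.pref.

# Print "PRIORITY ARCHIVE" for each "Pin: release a=..." stanza in file $1,
# highest priority first.
pin_ranking() {
    awk '
        /^Package:/              { archive = "?" }
        /^Pin:[ \t]*release.*a=/ { archive = $0
                                   sub(/.*a=/, "", archive)
                                   sub(/[ \t,].*/, "", archive) }
        /^Pin-Priority:/         { print $2, archive }
    ' "$1" | sort -k1,1nr
}

# Print one finding per problem and return 1; print nothing and return 0 when
# stable outranks every other archive and no pin reaches 1000.
lint_pins() {
    findings=$(pin_ranking "$1" | awk '
        { prio[$2] = $1 + 0 }
        END {
            if (!("stable" in prio)) { print "no pin for stable"; exit }
            for (a in prio) {
                if (a != "stable" && prio[a] >= prio["stable"])
                    print a " (" prio[a] ") is not below stable (" prio["stable"] ")"
                if (prio[a] >= 1000)
                    print a " (" prio[a] ") allows downgrades"
            }
        }' | sort)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Sample files written into directory $1.
write_pin_samples() {
    # good.pref: the priorities from step 3 above.
    for pin in stable:700 jessie-backports:650 testing:600 unstable:550 experimental:500; do
        printf 'Package: *\nPin: release a=%s\nPin-Priority: %s\n\n' "${pin%%:*}" "${pin##*:}"
    done > "$1/good.pref"
    # bad.pref: constructed counter-example with two mistakes.
    cat > "$1/bad.pref" <<'EOF'
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 1001
EOF
}

tmp=$(mktemp -d)
write_pin_samples "$tmp"
pin_ranking "$tmp/good.pref"
if lint_pins "$tmp/good.pref"; then echo "good.pref: stable is preferred"; fi
if ! lint_pins "$tmp/bad.pref"; then echo "bad.pref: fix the pins listed above"; fi
rm -rf "$tmp"
```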

Sandboxing Tor Browser

Do not use Firejail for this purpose. Instead, follow the instructions to use the recently released alpha Tor sandbox which has already been successfully tested in Whonix 13, see Tor_Browser#Tor_Browser_Sandboxed.

Due to a bug[7] bubblewrap cannot be used in Qubes-Whonix. Until that issue is solved, users should consider restricting the Tor Browser process with Firejail. It makes sense to mitigate the risk of security breaches because Tor Browser is an untrusted application with a huge attack surface; it is frequently and successfully attacked in the wild.

Important notes:

  • Consider cloning your Whonix-Workstation-TemplateVM prior to installing Firejail. It requires a number of dependencies that you may not want in your default template;
  • Once you have installed Firejail in the TemplateVM and created a new Whonix-Workstation AppVM, Tor Browser can be launched sand-boxed from the terminal with the command "firejail torbrowser".

1. Boot your Whonix-Workstation TemplateVM.

2. Follow the steps to install Firejail from jessie-backports.

  • Advanced users can create a custom profile for Tor Browser by following these steps;

3. Create a new Whonix-Workstation-AppVM based on your modified template.

Qubes VM Manager -> VM -> Create AppVM


4. Test Tor Browser is sand-boxed.

Start Tor Browser in anon-whonix AppVM. Then open a terminal and run:

   firejail --tree

The output should show Tor Browser is running in a Firejail container:

   XXXX:user:firejail torbrowser
   XXXX:user:/bin/bash /usr/bin/torbrowser
   XXXX:user:bash /home/user/.tb/tor-browser/Browser/start-tor-browser --all
   XXXX:user:./firefox --class Tor Browser -profile TorBrowser/Data/Browse

Running Firefox-ESR in a Firejail Sandbox (Qubes Debian-8 Template only)

Note: preferably clone your Debian-8 TemplateVM prior to taking these steps below, as some dependencies are required. Do NOT use Firefox-ESR in a Whonix template - it is easily fingerprinted and less secure than Tor Browser.

1. Boot your Debian-8 TemplateVM.

2. Follow the steps to install Firejail from jessie-backports.

Once you have installed Firejail in the TemplateVM and created a new Debian-8 AppVM, Firefox-ESR can be launched sand-boxed from the terminal with the command "firejail firefox".

3. Create a new Debian-8-AppVM based on your modified template.

4. Test Firefox-ESR is sand-boxed.

Start Firefox-ESR in your Debian-8-AppVM. Then open a terminal and run:

   firejail --tree

The output should show Firefox-ESR is now running in a firejail container:

   XXXX:user:firejail /usr/lib/firefox-esr/firefox-esr

Virtualization Platform

VirtualBox Hardening

For an overview on security risks of VMs in general: How secure are Virtual Machines really?

The fewer features, the smaller the attack surface. Here are some suggestions for features which you can remove without impacting core functionality:

  • Disable Audio
  • Do not enable Shared Folders
  • Do not enable video acceleration
  • Do not enable 3d acceleration [9] [10]
  • Do not enable Serial Port
  • Remove Floppy drive
  • Remove CD/DVD drive
  • Do not attach USB devices
    • Disable USB controller (enabled by default). Requires setting Pointing Device to "PS/2 Mouse" or changes will revert
  • Do not enable Remote Display server
  • Do not enable IO APIC, EFI? (questionable)
  • Enable PAE/NX? (NX is a security feature)

Whonix-Workstation Security


If this VM is compromised, all data it has access to, all credentials, browser data, passwords... the user has entered can be compromised. The IP is never leaked, but this information can still result in identity disclosure.

The best practice is to back up the VM and "roll back" after risky activity and whenever the user suspects the integrity of the system could have been compromised, see the Recommendation to use multiple VM Snapshots below.

Whonix Example Implementation is currently based on Debian.

For Technical Design notes, see Dev/Operating System. For information on how to use other operating systems, see Other Operating Systems.

VM Snapshots

Apart from offering protection against hardware serial leaks, VMs have another great advantage: the ability to quickly discard and restore a system.

It is recommended that you keep a master copy of Whonix-Workstation, keep it updated, make regular "clean" snapshots but do not edit any settings or install additional software or use it directly for any activity. Instead make a clone or use snapshotting (but never mix up clean and unclean states!) for activities that require anonymity.

After importing the VMs, do a first run of the Whonix-Gateway and Whonix-Workstation virtual machines. Securely update it. After that stop and do not browse anywhere or open any unauthenticated communication channel to the internet. Shutdown the virtual machines and create snapshots of their clean state before browsing or initiating any connections with the outside world. Note: The only exception to this is running apt which has a guaranteed way to securely download and verify packages.

Warning to VirtualBox users: VirtualBox's VM Snapshot feature is recommended against, because we experienced data loss with it. You're better off using clones or see "Reliable Alternative To Virtualbox VM Snapshots" below.

Warning: VirtualBox's snapshot feature is not (highly) recommended as a reliable method for backing up virtual machines because of possible data loss, primarily in the form of corrupted virtual hard drives [VHD]. Alternative methods are copy/paste, cloning, exporting/importing. While all these methods provide virtual machine [VM] backups, they nevertheless make inefficient use of disk resources and inherently require manual versioning. VirtualBox's 'snapshot' feature is very useful when it works properly, particularly when making interim snapshots of live running systems prior to installing new application(s). However, reverting can be very painful, and sometimes impossible, if/when virtual hard drive file(s) are corrupted.

As an alternative to the methods mentioned above, Subversion [SVN] in particular is a very reliable tool with which to make backups of VM operating environments. It is akin to VirtualBox's snapshot feature in many respects but much more reliable and efficient. For those that have never used SVN, it is recommended they familiarize themselves with the tool's documentation - what it is/isn't and how it works - prior to making use of it. Numerous implementations of SVN clients are available to choose from for various platforms.

What is SVN? In a nutshell, SVN is a tool typically used by software developers to conduct collaborative configuration management, version control and backup/restore of file sets under development by many people over extended period of time.

Why SVN as opposed to CVS, GIT, etc.? While most configuration management tools, including SVN, offer the same basic functionality of versioning, backing up and restoring changes to sets of files, by design SVN has no file size limitations - the operative words are "by design". This means that when used to back up virtual hard drives, for example, SVN can handle the files reliably and efficiently regardless of how big or small they are. See section "Be patient with large files". When versioning file sets, SVN employs "atomic commits". By way of comparison, Concurrent Versions System (CVS) does not employ atomic commits. Manual backup procedures are inherently not atomic functions. Additionally, SVN also handles sparse (dynamic) virtual hard disk files (an option VirtualBox offers when instantiating new virtual disk drives).

From version to version, like Virtualbox's snapshot capability, SVN also takes into consideration differences in files - both textual and binary. This means, for example, if a 50GB virtual hard drive was saved last week and has grown to 60GB this week, SVN's repository will not [necessarily] grow by an additional 60GB when a new back up is performed this week - it depends how much of the original file changed since the previous backup. It will analyse differences between newer files against older files in its repository and only save differences. Therefore the repository may only grow as little as 10GB+ making more efficient use of system resources.

Virtualbox's snapshot feature provides 'branching' capability. This means, one can revert to an earlier version of your VM and start a new branch/version of your VM from where you left off earlier. By comparison, SVN also provides similar branching capability.

NOTE: When using configuration management tools like SVN for back ups and restores, a 50GB file for example typically requires approximately 150GB of disk space to manage that instance of the VM because you require 50GB for the original source file, 50GB in SVN's database repository, and another 50GB for SVN's local workspace working folder ['./.svn']. How is this more efficient? In that sense, it is not. However, when you consider SVN's functionality and reliability compared to manual backup methods mentioned above, this overhead might be considered an investment.

In addition to backing up Whonix gateway and workstation(s) virtual hard drive files, it is also possible to back up the whole of the VirtualBox application in conjunction with Whonix for a complete restorable environment. Cloning is also possible, although that requires more advanced technical skills.

Typically, VirtualBox is an installable application as provided by Virtualbox.org. A portable application version of VirtualBox is possible via a tool provided by VBox.me. This application converts the VirtualBox 'install application' into a 'portable application', thereby providing the option to port VMs to other computers via external USB hard drives and/or sticks. By instantiating virtual machines under portable VirtualBox's '~/data/.VirtualBox/Machines' folder, it is possible to back up and restore the complete operating environment, not only that of Whonix but also the specific instance of VirtualBox, via SVN for complete portability. This encapsulates the entire Whonix operating environment under one parent folder rather than distributing it across various user and system folders.

Adding NAT adapter to Whonix-Workstation / Updates without Tor

Obviously the anonymity will get compromised if you add another NAT network adapter to the Whonix-Workstation. It is quite clear not to do that. If you were infected, it could leak then. Therefore it's recommended to do updates over Tor. It's slow but there are no leaks.

Adding Host-Only Networking adapter to Whonix-Workstation / SSH into Whonix-Workstation

One might wish to access the Whonix-Workstation through SSH. Therefore one could consider something dangerous - to add a second network adapter with Host-Only Networking. Dangerous! Don't add another network adapter! Also potentially dangerous if any other VMs are running besides Whonix-Workstation! This would expose the MAC address of your host to Whonix-Workstation.

The warning of VMware Host Only networking may also apply to Whonix:

"If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network.

On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing."

  1. If you want to SSH or VNC your Whonix-Workstation your safest bet would be to do it from another Whonix-Workstation. When using Virtual Machines, if they are within the same virtual LAN, they can see each other. When using Physical Isolation, if they are within the same LAN, they can see each other.
  2. Or you could run those services using Hidden Services and access them through another Whonix-Workstation...
  3. ...or from the host using the ordinary torification methods.
  4. Alternatively you could SSH from the host into Whonix-Gateway (see File Transfer for instructions) and SSH from there into Whonix-Workstation.

In case 3 and 4, you would weaken isolation between the host and Whonix-Workstation.

Installing additional software

See Install Software.

Updating with extra care

See How to install or update with most caution?.

Onionizing Repositories

When Whonix, Debian and Qubes packages are installed or updated, default settings point to repositories with a http:// URI.[11] However, experimental .onion support is already available for the Whonix, Debian and Qubes packages.

There are several security and privacy benefits of using .onions:[12]

  • The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update);
  • The package repository, or observers watching it, can't track what programs you've installed;
  • The ISP cannot easily learn what packages you fetch; and
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks e.g. version downgrade attacks.

Whonix and Debian Packages

Whonix 14 will prefer .onion repositories by default, even when adding third-party resources. Until then, in order to install or update with the utmost caution, users may consider manually editing their sources.list to point to the Whonix and Debian .onion mirrors.

To use the .onion mirrors, it is necessary to change the whonix.list and debian.list files in the /etc/apt/sources.list.d directory in both the Whonix-Workstation and Whonix-Gateway TemplateVMs. tor:// or tor:// + http:// entries are not required in Whonix because apt is uwt-wrapped.

1. Open the Debian sources file in an editor with root rights.

Qubes-Whonix users note: You should do this in the whonix-gw and whonix-ws TemplateVMs.

If you are using a graphical Whonix or Qubes-Whonix, run:

       kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run:

       sudo nano /etc/apt/sources.list.d/debian.list

2. Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.

       #deb http://ftp.debian.org/debian jessie main contrib non-free
       deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free
       #deb http://security.debian.org jessie/updates main contrib non-free
       deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free
       #Optional Backports
       #deb http://ftp.debian.org/debian jessie-backports main contrib non-free
       deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

Save and exit.

3. Point to the Whonix APT Repository .onion mirror.

       sudo whonix_repository --baseuri http://deb.kkkkkkkkkk63ava6.onion --enable --repository stable

Note: Whonix users have four preferences available for packages: stable, stable-proposed-updates, testers and developers. Change the entry above to reflect this preference.[13]

4. Check the .onions are correct and functional in your Whonix system.

       sudo apt-get update && sudo apt-get dist-upgrade

5. Repeat steps 1-4 for Whonix-Workstation.

Note: Qubes users can repeat the steps above in their Debian-8 TemplateVM to onionize future installations and updates.

6. Optional - create an onionized torproject.list.

If you are using a graphical Whonix or Qubes-Whonix, run:

       kdesudo kwrite /etc/apt/sources.list.d/torproject.list

If you are using a terminal-only Whonix, run:

       sudo nano /etc/apt/sources.list.d/torproject.list

Cut and paste the following text and comment out (#) the corresponding http repository:

       #Tor Project Mirror
       #deb http://deb.torproject.org/torproject.org jessie main
       deb http://sdscoq7snqtznauu.onion/torproject.org jessie main

Save and exit.
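
A check to run after the steps above, as an added example (not part of the Whonix documentation or tooling): it lists every active deb or deb-src entry in a sources directory whose host is not a .onion address, so a forgotten clearnet line is caught before the next update. The function name list_clearnet_sources and the sample file are constructed for illustration; on a real system, pass /etc/apt/sources.list.d as the directory.

```shell
#!/bin/sh
# Added example, not Whonix project code. The function name is hypothetical.
#
# list_clearnet_sources DIR
#   Prints "file: entry" for every active deb / deb-src line in DIR/*.list
#   whose repository host is not a .onion address.
#   Returns 0 when every active entry is onionized, 1 otherwise.
list_clearnet_sources() {
    set -- "$1"/*.list
    [ -e "$1" ] || return 0    # glob did not match: no .list files to audit
    awk '
        # Commented-out entries ("#deb ...") and blank lines are skipped
        # because their first field is not exactly deb or deb-src.
        $1 != "deb" && $1 != "deb-src" { next }
        {
            uri = $2
            # Step over an optional [arch=...] options block before the URI.
            if (uri ~ /^\[/) {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /\]$/) { uri = $(i + 1); break }
            }
            host = uri
            sub("^[a-z+]+://", "", host)    # drop the scheme
            sub("[/:].*$", "", host)        # drop path and port
            if (host !~ /\.onion$/) {
                printf "%s: %s\n", FILENAME, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the security repository was left on its clearnet URI.
demo=$(mktemp -d)
cat > "$demo/debian.list" <<'EOF'
#deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free
EOF
list_clearnet_sources "$demo" || echo "clearnet entries remain"
rm -rf "$demo"
```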

Qubes Packages

All the following commands must be run in dom0 in order to use Qubes’ Tor hidden service repositories for each type of VM.[14]

Note: The cat commands are optional, for confirmation only. Also, the downside of this approach is that repository definitions are managed by a Qubes package, meaning you'll need to apply further manual updates in the future when it changes. If you would prefer to use the Qubes .onion instead of the Whonix .onion for these instructions, simply substitute in the relevant locations:

  • deb.qubesos4rrrrz6n4.onion
  • yum.qubesos4rrrrz6n4.onion


In dom0, run:

   sudo sed -i 's/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo
   sudo sed -i 's/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/' /etc/yum.repos.d/qubes-templates.repo && cat /etc/yum.repos.d/qubes-templates.repo

Fedora Template

In dom0, run:

   qvm-run -a --nogui -p -u root $FedoraTemplateVM 'sed -i "s/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/" /etc/yum.repos.d/qubes-r3.repo && cat /etc/yum.repos.d/qubes-r3.repo'

Debian and Whonix Templates

In dom0, run:

   qvm-run -a --nogui -p -u root $DebianTemplateVM 'sed -i "s/deb.qubes-os.org/qubes-deb.kkkkkkkkkk63ava6.onion/" /etc/apt/sources.list.d/qubes-r3.list && cat /etc/apt/sources.list.d/qubes-r3.list'

Other Anonymizing Networks over Tor UDP Tunnel

If you are Tunneling UDP over Tor to connect to Other Anonymizing Networks you must read this chapter, otherwise you can skip this one.

Read first: Tor Plus VPN or Proxy and Whonix VPN disclaimer.

Be aware that this requires installing additional tunnel software (OpenVPN, etc.); once exploits are found for that software, an attacker could target it.

However, when you use secure tunnel software (for example, OpenVPN, not PPTP), the Tor exit relay cannot read your communication with the VPN provider. It can only see an encrypted VPN connection to the VPN provider.

Depending on the design of the other anonymizing network, the VPN provider can find out that you are connecting to that network. The VPN provider won't know who you are, but can find out that someone is connecting over Tor.

The encryption of the tunnel software is not relevant, because the other anonymizing network will most likely use encryption itself. Consequently, neither the Tor exit relay nor the VPN provider will know the content of your connection to the other anonymizing network. The information that the Tor exit relay and the VPN provider can gather is of minimal use.

As mentioned, the following applies: "Normally Tor switches frequently its path through the network. When you choose a permanent destination X, you give away this advantage, which may have serious repercussions for your anonymity."

It's recommended to use a dedicated virtual machine for this activity, see Multiple Whonix-Workstations.

Time Attacks

See Time Attacks.

General Hardening Checklist

It is possible to significantly harden your platform and improve the chances of successful anonymous activity. This depends upon a user's skill level, motivation and available hardware. This checklist is intended to provide a quick overview of some of the most important issues, categorized by difficulty level (easy, moderate, difficult and expert).

Note: Recommendations specific to Qubes-Whonix or non-Qubes-Whonix have been marked accordingly.


Anonymous Blogging, Posting, Chat, Email and File Sending

  • To remain anonymous, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometry analysis and other covert channels.[15]

Disabling/Minimizing Hardware Risks

  • In Qubes-Whonix, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required);
  • Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices;[16]
  • Preferably detach or cover webcams unless they are in use; and[17]
  • Avoid using wireless devices, since they are insecure.[18]

Mandatory Access Control

  • Enable all available AppArmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs; and[19]
  • Enable seccomp on the Whonix-Gateway AppVM.[20]

Passwords and Logins

Qubes-Whonix Only

  • Store all login credentials and passwords in an offline vault VM (preferably with KeePassX) and securely cut and paste into the Tor Browser; and
  • Copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.

Tor Browser Series and Settings

  • Consider using the 'hardened' Tor Browser series for additional ASLR memory protections;
  • Default search settings to the DuckDuckGo .onion hidden service;
  • Select 'ClearClick' protections in NoScript;
  • Run the Tor Browser Security Slider in the highest position;
  • Disable JavaScript by default and only allow it sparingly for trusted sites;
  • Use .onion hidden services where possible to stay within the Tor network; and
  • Follow all other Whonix recommendations for safe use of the Tor Browser.[21]


Non-Qubes-Whonix Only

  • Remove a host of VirtualBox features to reduce the attack surface;[22]
  • Take regular 'clean' VM snapshots that are not used for any activities; and[23]
  • Spoof the Initial Virtual Hardware Clock Offset.[24]

Whonix Updates

  • Install newer Tor versions via jessie-proposed-updates.[25]


Create a USB Qube

Qubes-Whonix Only

  • Prepare and utilize a USB qube to protect dom0 from malicious USB devices.[26]


Qubes-Whonix Only

  • Use the Debian-8 Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not 'ping home', unlike the Fedora Template.[27] [28]

Newer Kernels

Qubes-Whonix Only

  • Install newer kernels to benefit from additional protections (including grsec elements) being mainlined by the kernel hardening project.[29]

Onionizing Repositories

  • Default the Debian, Whonix and Qubes package updates to Tor hidden service repositories.[30]


  • Use the alpha sandbox to restrict the Tor Browser; and[31]
  • Use Firejail to restrict Firefox-ESR, VLC and other applications.[32]

Secure Back-ups

Qubes-Whonix Only

  • Store encrypted back-ups on a separate back-up disk that is already encrypted with LUKS.[33]

Spoof MAC Addresses

Qubes-Whonix Only

  • Spoof the MAC address on the Debian-9 or Fedora-24 TemplateVM used for network connections if you expect to travel with your laptop or PC (unnecessary for home PCs not changing locations).[34]

Time Stamps

Non-Qubes-Whonix Only

  • Disable ICMP and TCP timestamps on your host operating system.[35] [36]


Anti-Evil Maid

Qubes-Whonix Only

  • If you have a Trusted Platform Module, use AEM protection to attest that only desired (trusted) components have been loaded and executed during the system boot.[37][38]

Chaining Anonymizing Tunnels

  • Avoid this course of action; the anonymity benefits are unproven and it may actually hurt your anonymity and security.[39]

Disposable VMs

Qubes-Whonix Only

  • Run all instances of the Tor Browser in a DispVM - preferably uncustomized to resist fingerprinting.[40]


Qubes-Whonix Only

  • Use split-GPG for email to reduce the risk of theft of the keys used for encryption/decryption and signing.[41]

Grsec Templates

  • In Qubes-Whonix, use dom0, Debian, Fedora and Whonix grsec templates to provide significant kernel exploit protections; and[42]
  • In non-Qubes-Whonix, install the latest Grsecurity kernel on your host or KVM Whonix guest.[43]

Host Security

Non-Qubes-Whonix Only

  • Follow all Whonix recommendations to harden your host OS e.g. minimize the attack surface, utilize full-disk encryption, torify apt-get traffic, scan your firewall, and other measures.[44] [45]


Disable Intel ME Blobs

  • It is possible to partially deblob Intel's (despicable) ME firmware image by removing unnecessary partitions from it (warning: high risk of bricking your computer!).[46][47]

Flash the Router with Opensource Firmware

  • Flash the insecure, limited-utility, proprietary firmware on your router with a powerful open-source Linux alternative (warning: risk of bricking your router!).[48][49]

Install Libreboot

  • Libreboot is a free, opensource BIOS or UEFI replacement (firmware) that initializes the hardware and starts the bootloader for your OS (warning: incompatible with newer architectures - you risk bricking your computer!).[50]

Stay Tuned

Stay Tuned

Advanced Security Guide

For even more security, see Advanced Security Guide.


  1. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md - http://www.webcitation.org/6F7Io2ncN.
  2. No malicious packages get installed.
  3. Because you got a different, non-malicious Tor exit relay.
  4. https://github.com/jonasmalacofilho/ubuntu-luks-suspend
  5. https://firejail.wordpress.com/
  6. https://github.com/netblue30/firejail/tree/master/etc
  7. bubblewrap Sandboxed Tor Browser fails to start in Qubes Debian based AppVM - firefox: Can't mount proc on /newroot/proc
  8. Create Qubes-Whonix-Workstation AppVM
    • Name and label: Name your AppVM. Don't include any personal information. (This is because in case an AppVM gets compromised, one could run qubesdb-read /name to read the VMs name from within the VM.) Name your AppVM something generic, for example: anon-whonix.
    • Color: Choose a color label for your Whonix-Workstation AppVM.
    • Use this template: Choose your Whonix-Workstation TemplateVM. For example: whonix-ws.
    • Standalone: Leave the Standalone field unchecked, unless you want a persistent root filesystem.
    • Type: Choose the "AppVM" type.
    • Allow networking: Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.
    • Press: OK
  9. Quote http://www.virtualbox.org/manual/ch04.html#guestadd-3d

    Untrusted guest systems should not be allowed to use VirtualBox's 3D acceleration features, just as untrusted host software should not be allowed to use 3D acceleration. Drivers for 3D hardware are generally too complex to be made properly secure and any software which is allowed to access them may be able to compromise the operating system running them. In addition, enabling 3D acceleration gives the guest direct access to a large body of additional program code in the VirtualBox host process which it might conceivably be able to use to crash the virtual machine.

  10. Quote https://hsmr.cc/palinopsia/

    If the "3D-Acceleration" feature of VirtualBox is activated, running the proof-of-concept code from inside the VM provides the ability to read framebuffers from the host system.

  11. https://www.whonix.org/wiki/Whonix-APT-Repository#Repository_Location_URI
  12. https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions
  13. https://www.whonix.org/wiki/Whonix-APT-Repository#Whonix_APT_Repository_Overview
  14. https://www.qubes-os.org/doc/hidden-service-repos/
  15. https://www.whonix.org/wiki/Surfing_Posting_Blogging
  16. https://www.whonix.org/wiki/Computer_Security_Education#Microphone
  17. https://www.whonix.org/wiki/Computer_Security_Education#Webcam
  18. https://www.whonix.org/wiki/Computer_Security_Education#Wireless_Input_Devices
  19. https://www.whonix.org/wiki/Security_Guide#AppArmor
  20. https://www.whonix.org/wiki/Security_Guide#Seccomp
  21. https://www.whonix.org/wiki/Tor_Browser
  22. https://www.whonix.org/wiki/Security_Guide#VirtualBox_Hardening
  23. https://www.whonix.org/wiki/Security_Guide#VM_Snapshots
  24. https://www.whonix.org/wiki/Advanced_Security_Guide#Spoof_the_Initial_Virtual_Hardware_Clock_Offset
  25. https://www.whonix.org/wiki/Whonix-APT-Repository#Change_Whonix_APT_Repository
  26. https://www.qubes-os.org/doc/usb/
  27. https://github.com/QubesOS/qubes-issues/issues/1781
  28. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
  29. https://www.qubes-os.org/doc/software-update-dom0/
  30. https://www.whonix.org/wiki/Security_Guide#Onionizing_Repositories
  31. https://www.whonix.org/wiki/Tor_Browser#Sandboxing_Tor_Browser_in_Qubes-Whonix
  32. https://www.whonix.org/wiki/Security_Guide#Firejail
  33. https://github.com/QubesOS/qubes-issues/issues/971
  34. https://www.qubes-os.org/doc/anonymizing-your-mac-address/
  35. https://www.whonix.org/wiki/Computer_Security_Education#Disable_TCP_Timestamps
  36. https://www.whonix.org/wiki/Computer_Security_Education#Disable_ICMP_Timestamps
  37. https://www.qubes-os.org/doc/anti-evil-maid/
  38. https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
  39. https://www.whonix.org/wiki/Tunnels/Introduction
  40. https://www.whonix.org/wiki/Qubes/Disposable_VM
  41. https://www.qubes-os.org/doc/split-gpg/
  42. https://www.whonix.org/wiki/Grsecurity#How-To:_Qubes-Whonix
  43. https://www.whonix.org/wiki/Grsecurity#How-To:_Non-Qubes-Whonix
  44. https://www.whonix.org/wiki/Advanced_Security_Guide#Host_Security
  45. https://www.whonix.org/wiki/Advanced_Security_Guide#Physical_Attacks
  46. https://github.com/corna/me_cleaner/blob/master/me_cleaner.py
  47. http://hardenedlinux.org/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html
  48. https://www.flashrouters.com/ddwrt-router-information
  49. https://www.flashrouters.com/ddwrt-router-information
  50. https://libreboot.org/
