Post-installation Security Advice
This page provides security advice, steps that can be applied after installation of Whonix for better security.
Whonix comes with many security features . Whonix is Kicksecure™ hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
This page provides security advice, including steps that can be applied after installation of Whonix for better security.
On Whonix-Gateway and Whonix-Workstation
Increase Virtual Machine RAM
- Whonix-Workstation: No changes are necessary for most users.
- Whonix-Gateway: If enough host RAM is available, ideally the virtual RAM setting of Whonix-Gateway should be increased to
2048MB RAM.  If it is infeasible to increase the virtual RAM setting, Whonix-Gateway will still function properly. 
- Windows 10:
Task Manager in More details view→
Click/tap on the Performance tab→
Click/tap on Memory; or
Open a command prompt→
wmic MemoryChip get /format:list
About This Mac
Open a terminal→
- To add RAM in VirtualBox the VM must first be powered down.
1. Shut down the virtual machine(s).
virsh -c qemu:///system shutdown <vm_name>
2. Increase the maximum memory.
virsh setmaxmem <vm_name> <memsize> --config
3. Set the actual memory.
virsh setmem <vm_name> <memsize> --config
4. Restart the virtual machine(s).
virsh -c qemu:///system start <vm_name>
Change Keyboard Layout
If you are using a keyboard layout other than
qwerty (US), consider changing the keyboard layout. Refer to the dedicated Keyboard Layout entry for further details.
Test Keyboard Layout
- Open file
~/testfilein a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad ~/testfile
If you are using a terminal, run. nano ~/testfile
Try typing the words
qwerty. Try typing further words to ensure the desired keyboard layout is functional.
After Whonix has finished installing, immediately change the password for the user
user account in both, Whonix-Gateway and Whonix-Workstation. 
2. Open a terminal (such as Xfce Terminal Emulator).
Start menu →
3. Run a test command as
root by using
4. Read the note below regarding the username and password.
5. Read the note below regarding the password change procedure.
When typing the password it will not appear on the screen, nor will the asterisk sign (
*) be visible. It is necessary to type blindly and trust the procedure.
6. Change the user (and
- To change the
user(Whonix default user account) password, run the following command. 
- This will also be the password when running
sudofrom Linux user account
sudo passwd user
7. Root password.
No changes required. Optional, for details, see root account in Whonix.
The procedure of changing passwords is complete.
If issues appear when gaining root, consider using dsudo.
Another option is to boot into recovery mode and change passwords there.
Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.
Network Time Syncing
This is a short summary of the Network Time Synchronization wiki page which is recommended reading.
1. Timezone information.
2. Check the host clock is reasonably accurate.
A reasonably accurate host clock is required for many general security properties because an inaccurate clock can lead to:
- Broken internet connectivity; and
- Time Attacks.
Therefore, at all times ensure the host clock has an accuracy of up to ± 30 minutes.
3. Avoid pause / suspend / save / hibernate functions.
In simple terms, most users should avoid the pause / suspend / save / hibernate features. Although discouraged, see Network Time Synchronization for further details on when this is possible.
This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Time Attacks and Network Time Synchronization page.
How do I Check the Current Whonix Version?
Open a terminal.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") →
Whonix-Gateway ProxyVM (commonly named sys-whonix) →
If you are using a graphical Whonix with Xfce, run.
Start Menu →
The first line shows the version of the major and minor version of Debian. The second line shows the version of the derivative (Whonix).
- Qubes has dynamic RAM assignment.
- This provides higher performance during upgrades and lowers the likelihood of issues.
- Although non-ideal, swap-file-creator will create an encrypted swap file and the system is configured to swap as little as possible.
- This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include:
cat /proc/meminfo |grep MemTotal,
By default, Qubes VMs use the same keyboard layout as Qubes
- By default, Qubes does not require a password for superuser access.
Type the command in the terminal and press
- Usual Debian / sudo default. Unspecific to Whonix,