Security Hardening Checklist
|About this System Hardening Checklist Page|
Whonix ™ comes with many security features [archive]. Whonix ™ is Kicksecure ™ Security Hardened by default and also provides extensive Documentation including this Security Hardening Checklist. The more you know, the safer you can be.
This page is targeted at users who wish to improve the security of their systems for even greater protection.
- 1 Introduction
- 2 Easy
- 2.1 Anonymous Blogging, Posting, Chat, Email and File Sharing
- 2.2 Command Line Operations
- 2.3 Disabling and Minimizing Hardware Risks
- 2.4 Entropy
- 2.5 File Handling
- 2.6 File Storage Location
- 2.7 Mandatory Access Control
- 2.8 Passwords and Logins
- 2.9 Screensavers
- 2.10 Secure Downloads
- 2.11 Secure Qubes Operation
- 2.12 Secure Software Installation
- 2.13 Tor Browser Series and Settings
- 2.14 VirtualBox
- 3 Moderate
- 3.1 Create a USB Qube
- 3.2 Host Operating System Distribution
- 3.3 Host Operating System Hardening
- 3.4 Kernels / Kernel Modules
- 3.5 Live-mode
- 3.6 Memory Allocator
- 3.7 Networking
- 3.8 Sandboxing
- 3.9 Spoof MAC Addresses
- 3.10 Time Stamps and NTP Clients
- 3.11 Tor Settings
- 3.12 Whonix ™ VM Security
- 4 Difficult
- 5 Expert
- 6 Footnotes
It is possible to significantly harden the Whonix ™ and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.
Anonymous Blogging, Posting, Chat, Email and File Sharing
- To remain anonymous, follow all the Whonix ™ recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
- Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
- Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
- Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
- Utilize OnionShare to share or receive files securely and anonymously over the Tor network, or to host anonymous websites.
- High-risk users should manually install OnionShare 2.0 or higher to enforce v3 onion connections.
Command Line Operations
- Do not run commands unless they are completely understood -- first refer to a suitable Whonix ™ wiki resource if available.
- If root privileges are required, run the command with
sudorather than logging in as root or using
sudo su. 
- Consider disabling the root account permanently. 
- To prevent malware sniffing the root password, before performing administrative tasks that require root access, create an
adminuser account with sudo permissions.
sudoeditfor better security when editing files. 
- Consider enabling SysRq "Security Keys" functionality as insurance against system malfunctions -- this assists in system recovery efforts and limits the potential harm of a malware compromise.
Disabling and Minimizing Hardware Risks
- In Qubes-Whonix ™, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise [archive] of dom0 (PS/2 adapters and available controllers are required).
- Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices.
- Preferably detach or cover webcams unless they are in use. In Qubes-Whonix ™, assign it to an untrusted VM (if needed).
- If possible, physically remove speakers on the host and remove/disable the beeper. 
- Avoid using wireless devices, since they are insecure.
- Preferably disable or remove Bluetooth hardware modules [archive].
- Disable or remove problematic devices like ExpressCard, PCMCIA, FireWire or Thunderbolt which may allow attackers with physical access to read RAM.
- Apply CPU microcode updates on the host operating system  or baremetal configurations like Physical Isolation. 
- Consider restricting hardware information to the root user in Whonix-Workstation ™ and Whonix-Gateway ™. 
- To mitigate against inadequate entropy seeding by the Linux Random Number Generator (RNG), it is recommended to install daemons that inject more randomness into the pool.
- In File Manager, disable previews of files from untrusted sources. Change file preferences in the TemplateVM's File Manager so future AppVMs inherit this feature.
- Files received or downloaded from untrusted sources (the internet, via email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM:
Open In DisposableVM
- Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF [archive] to prevent exploitation of the PDF reader and potential infection of the VM.
File Storage Location
- Avoid storing files directly in the root home folder and create appropriate sub-folders instead.
- Move files downloaded by Tor Browser from the
~/Downloadsfolder to another specially created one. 
Mandatory Access Control
- Enable all available apparmor profiles in the Whonix-Workstation ™ and Whonix-Gateway ™ TemplateVMs.
- Enable seccomp on Whonix-Gateway ™ (
Passwords and Logins
- Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to prevent the feasibility of brute-forcing attacks.
- Use a trusted password manager [archive], so hundreds of different passwords can be kept stored in an encrypted password database, protected by one strong master password. 
- For high-entropy passwords, consider using Diceware passphrases. 
- In Qubes-Whonix ™, store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and securely cut and paste them into the Tor Browser. 
- Read and follow all the principles for stronger passwords.
- At a minimum, lock the screen of the host when it is unattended.
- For better security, shut down the computer entirely -- screensavers are notoriously insecure. 
- Download Internet files securely using scurl instead of wget from the command line.
- When downloading with Tor Browser, prevent SSLstrip attacks by typing
https://links directly into the URL / address bar.
- Prefer onion services file downloads, which provide greater security and anonymity than https.
Secure Qubes Operation
- Refer to the Qubes-Whonix ™ security recommendations and always follow the latest security news [archive] and advice [archive] from the Qubes team.
Secure Software Installation
- Default to Debian's official package manager APT for installing software, and avoid third party package managers.
- When possible, use mechanisms which simplify and automate software upgrades and installations, like apt-get functions.
- Prefer installation of software from signed (Debian) GNU/Linux repositories and avoid manually installing software, particularly if it is unsigned.
- Set the Qubes, Debian and Whonix ™ package updates to Tor onion service repositories. 
- For safer installations or updates, first stop all activity/applications and rotate the Tor circuits.
- Always verify key fingerprints and digital signatures of signed software before importing keys or installing software.
Tor Browser Series and Settings
- Prefer the stable Tor Browser release over the alpha series in line with Tor developer recommendations; see footnotes.    
- Run the Tor Browser Security Slider in the highest position. 
- Do not configure custom NoScript (per-site) settings which persist across successive Tor Browser sessions because this aids fingerprinting.
- Use .onion services [archive] where possible to stay within the Tor network, such as defaulting searches to the DuckDuckGo onion service [archive]. 
- Consider setting HTTPS Everywhere user rules to consistently utilize .onion resources instead of clearnet domains for the Whonix ™ main page, homepage, forums, download page, phabricator site, and Debian repository.
- Use multiple Tor Browser instances or Whonix-Workstation ™s to better compartmentalize contextual identities.
- Follow all other Whonix ™ recommendations for safe and anonymous use of Tor Browser.
- Install Tor Browser outside of Whonix ™ so a second, working instance is always available for anonymous activities. 
- Remove a host of VirtualBox features to reduce the attack surface.
- Take regular, clean VM snapshots that are not used for any activities.
- Spoof the initial virtual hardware clock offset.
- Consider disabling clipboard sharing to reduce the risk of identity correlation. 
- Shared folders are discouraged because they weaken isolation between the guest and the host. 
Create a USB Qube
Host Operating System Distribution
- For a truly private operating system, install GNU/Linux on the host. 
- The Debian distribution is recommended by Whonix ™ as providing a reasonable balance of security and usability.
Host Operating System Hardening
- Use Full Disk Encryption (FDE) on the host.
- Apply a BIOS password for BIOS setup and boot.
- Torrify apt-get traffic on the host to prevent fingerprinting and leakage of sensitive security information.
- Follow all other Whonix ™ recommendations to further harden the host OS against physical attacks.
- Harden the host Debian Linux OS.
Kernels / Kernel Modules
- To benefit from additional protections,  consider installing newer kernels.
- Consider installing the Linux Kernel Runtime Guard (LKRG) kernel module for improved detection and protection against common kernel exploits. 
- In Qubes-Whonix ™, consider installing the tirdad [archive] kernel module to protect against TCP ISN-based CPU information leaks [archive].  
- Consider running Whonix ™ as a live system, so all writes go to RAM instead of the hard disk.
- Disable swap and program crash dumps as an anti-forensics precaution.
- Consider enabling read-only hard drive mode to make it harder for malware to gain persistence. 
- Consider installing a hardened memory allocator ('Hardened Malloc') to launch regularly used applications. 
- If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
- If using a shared network via a common cable modem/router or ADSL router, configure a de-militarized zone (perimeter network). 
- Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
- Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
- WiFi users should default to the WPA2-AES [archive] or WPA3 [archive] standard; the protocols are safer and have stronger encryption.  
- Follow all other Whonix ™ recommendations to lock down the router.
- Disable TCP SACK to limit the risk of remote DoS and other attacks.
Qubes-Whonix ™ Only
- Prefer the Debian Template for networking (
sys-firewall) since it is minimal in nature [archive] and does not "ping home", unlike the Fedora Template. 
- Consider using customized minimal templates [archive] for NetVMs to reduce the attack surface. Three options are currently available:
- For greater security, higher performance and a lower resource footprint, consider using an experimental MirageOS-based unikernel firewall [archive] that can run as a QubesOS ProxyVM.
- Consider using Firejail to restrict Tor Browser, Firefox-ESR, VLC and other regularly used applications -- note this comes with an increased fingerprinting risk [archive]. 
Spoof MAC Addresses
- In Qubes-Whonix ™, follow these steps [archive] to spoof the MAC address on the Debian or Fedora TemplateVM used for network connections.
- In Non-Qubes-Whonix ™, follow these steps to spoof the MAC address of the network card on a Linux, Windows or macOS host.
Time Stamps and NTP Clients
- Disable ICMP timestamps and TCP timestamps on the host operating system to prevent leakage of information. 
- Uninstall the NTP client on the host operating system and disable systemd's timdatectl NTP synchronization feature. 
- Consider enabling Tor connection padding for potentially better anonymity; note it is unclear whether this provides any additional benefit (see footnote). 
- Consider installing newer Tor versions via the Whonix ™ stable-proposed-updates repository or directly from The Tor Project repository.
- Avoid regenerating the Tor state file or manually rotating Tor guards  because it degrades anonymity.
- Avoid configuring non-persistent entry guards, as this severely degrades anonymity.
- Consider using Bridges if Tor is censored, dangerous or deemed suspicious in your location.
- If using a bridge, configure alternating bridges for different physical locations.
- Heavily censored users should configure a meek-azure bridge with Anon Connection Wizard. 
- To help preserve anonymity, copy Tor configuration files and settings to any new
sys-whonixinstance which is created. 
Whonix ™ VM Security
- Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway ™ and Whonix-Workstation ™.
- On Whonix-Workstation ™, consider hardening whonixcheck.
- If a Trusted Platform Module is available, use AEM protection [archive] to attest that only desired (trusted) components are loaded and executed during the system boot. 
- Consider the Android Haven application [archive] for sensitive devices -- motion, sound, vibration and light sensors can monitor and protect physical areas. 
Chaining Anonymizing Tunnels
- Avoid this course of action. The anonymity benefits are unproven and it may actually hurt a user's anonymity and security goals.
- Virtual Private Network (VPN) tunnel-links are strongly recommended against due to multiple security and anonymity risks.
- Run all instances of Tor Browser in a DisposableVM which is preferably uncustomized to resist fingerprinting. 
- Configure each ServiceVM as a Static DisposableVM [archive] to mitigate the threat from persistent malware accross VM reboots. 
- Follow the Whonix ™ recommendations to select an email provider compatible with privacy and anonymity.
- For anonymous PGP-encrypted email over Tor, use Mozilla Thunderbird and Enigmail.  
- For greater email or message security, consider using the OneTime application or a Physical One-time Pad for military-grade encryption.
- Follow all other email principles for greater safety.
Qubes-Whonix ™ Only
- Use split-GPG [archive] for email to reduce the risk of key theft used for encryption / decryption and signing.
- Create an AppVM that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
- Only open untrusted email attachments [archive] in a DisposableVM to prevent possible infection.
Ethernet/FDDI Station Activity Monitor
- Consider running ArpON [archive] as a daemon to defend against ARP attacks like ARP spoofing [archive], ARP cache poisoning [archive] and ARP poison routing [archive]. 
- Consider utilizing Arpwatch [archive] to be alerted about any changes to the database of Ethernet MAC addresses seen on the network. 
Flash the Router with Opensource Firmware
- Flash the insecure, limited-utility, proprietary firmware on the router with a powerful, open-source GNU/Linux alternative.
Multi-Factor User Authentication
- Configure PAM USB [archive] as a module that only allows user authentication by inserting a token (a USB stick), in which a one-time password is stored.
- For secure account logins, utilize a Yubikey [archive] hardware authentication device which supports one-time passwords, public-key encryption, and the Universal 2nd Factor (U2F) and FIDO2 protcols.
Whitelisting Tor Traffic
- Qubes-Whonix ™: Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through.  
- Non-Qubes-Whonix ™ or Qubes-Whonix: Use a standalone corridor [archive] as a filtering gateway.
Disable Intel ME Blobs
- It is possible to partially deblob [archive] Intel's despicable ME firmware image by removing unnecessary partitions [archive] from it.
- Libreboot [archive] is no longer recommended as a proprietary firmware alternative; see footnote. 
- Coreboot [archive] is a possible BIOS/UEFI firmware alternative -- consider purchasing hardware that has it pre-installed (like Chromebooks), or research flashing procedures for the handful of refurbished motherboards that support it.
- Note: The open Qubes ticket on Research support for libreboot/coreboot-based systems [archive] makes the opensource firmware recommendation generally unsuitable for Qubes-Whonix ™ at present.
- Exception: The fairly priced Insurgo PrivacyBeast X230 [archive] is the first custom, refurbished laptop to exceed all Qubes hardware certification requirements.  For detailed specifications and pricing, see: Insurgo PrivacyBeast X230 Laptop - QubesOS Certified & preinstalled - Single Order [archive].
- This reduces the likelihood of a successful root or non-root user compromise.
- Whonix ™ 16 and later versions will disable the root account by default.
- https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation/7599 [archive]
- This addresses deanonymization techniques relying on watermarked, (in)audible sounds that can link multiple devices, as well as headphones/speakers being covertly used as a microphone [archive].
- This applies to both Intel and AMD architecture.
- While this may introduce new vulnerabilities, this is objectively better than running a system that is vulnerable to known attacks.
- This hides hardware identifiers from unprivileged users.
sudo apt-get install jitterentropy-rngd
sudo apt-get install haveged
- The reason is AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.
- For greater security, store the password manager off-line.
- To estimate strength, an 8-word Diceware passphrase provides ~90 bits of entropy, while a 10-word passphrase provides ~128 bits of entropy.
- For greater safety, copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
- For example, sensitive notifications [archive] (pop up dialog boxes) can appear over the screensaver while locked [archive], and screensaver bypass [archive] bugs [archive] are common. Screen Locker (In)Security - Can we disable these at least 4 backdoors? [archive]
- The Whonix ™ and Debian repositories are no longer set to onion mirrors by default due to stability issues. This decision will be reviewed in the future once v3 onions have further matured.
- Tor Blog [archive]:
Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
- Selfrando [archive] (load-time memory randomization) protection has been removed from alpha Tor Browser Linux builds [archive]. Although Selfrando provides a security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort.
- The "hardened" Tor Browser series has been deprecated, see: https://trac.torproject.org/projects/tor/ticket/21912 [archive]
- Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a native sandbox [archive].
- This may affect usability and proper functioning on some websites.
- Take care to observe you stay within the Tor network -- 'downgrade' attacks have been observed that result in clearnet URLs being loaded in place of onion services across successive page loads on some sites.
- Thereby circumventing any possible future problems, like the breakage of Whonix ™.
- Bidirectional clipboard sharing is currently enabled by default in Whonix ™ VirtualBox VMs. There are security reasons to disable clipboard sharing, for example to prevent the accidental copying of something (non-)anonymous and pasting it in its (non-)anonymous counterpart such as a browser, which would lead to identity correlation.
- Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host.
- A USB qube is automatically created as of Qubes R4.0.
- USB keyboards and mice expose dom0 to attacks, and all USB devices are potential side channel attack vectors [archive].
- Windows [archive] and macOS [archive] are surveillance platforms that do not respect user freedom or privacy.
- The Truth about Linux 4.6 [archive]:
The real "hard truth" about Linux kernel security is that there's no such thing as a free lunch. Keeping up to date on the latest upstream kernel will generally net all the bug fixes that have been created thus far, but with it of course brings completely new features, new code, new bugs, and new attack surface. The majority of vulnerabilities in the Linux kernel are ones that have been released just recently, something any honest person active in kernel development can attest to.
- Whonix developer madaidan has noted [archive]:
LTS kernels have less hardening features and not all bug fixes are backported but it has less attack surface and potentially less chance of having bugs. Stable kernels have more hardening features and all bug fixes but more attack surface and more bugs.
- Including grsecurity elements [archive] being mainlined by the Kernel Self Protection Project [archive].
- This will likely become the default in future, see: Simplify and promote using in-vm kernel [archive].
- Do not raise Qubes VM Kernel issues at Whonix ™. Instead, contact Qubes support [archive].
- https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not/2275 [archive]
- Openwall [archive]:
... LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant the process access (such as open a file) based on the unauthorized credentials.
- The TCP Initial Sequence Numbers (ISNs) are randomized.
- tirdad [archive] is installed in Non-Qubes-Whonix ™ by default.
- https://github.com/Whonix/grub-live [archive]
- Boots into persistent mode by default. The grub boot menu has an option to boot into live mode.
- https://github.com/Whonix/grub-default-live [archive]
- Boots into live mode by default. The grub boot menu has an option to boot into persistent mode.
- This prevents remounting of the hard drive as read-write.
- This provides hardening against heap corruption vulnerabilities [archive] and improves overall memory performance and usage. Note that using Hardened Malloc with Tor Browser, Firefox or SecBrowser ™ is difficult and unsupported.
- This restricts Whonix-Gateway ™ accessibility to/from other nodes on the network such as printers, phones and laptops.
- WPA3 protocol improvements [archive] include:
- Protection against brute force “dictionary” attacks -- adversaries cannot make multiple login attempts with commonly used passwords.
- Stronger encryption: WPA2 relies on a 64-bit or 128-bit encryption key, but WPA3 uses 192-bit encryption.
- Use of individualized data encryption in open networks to strengthen user privacy.
- Forward secrecy [archive]: if an adversary captures encrypted Wi-Fi transmissions and cracks the password, they cannot use it to read older data.
- Do not rely on WiFi Protected Set-up (WPS), which has major security flaws [archive].
- https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952 [archive]
sudo qubes-dom0-update qubes-template-centos-8-minimal
sudo qubes-dom0-update qubes-template-debian-10-minimal
sudo qubes-dom0-update qubes-template-fedora-32-minimal
- Previously The Tor Project's alpha sandbox was recommended to restrict Tor Browser, but the project has unfortunately been abandoned [archive].
- Such as system information, host time, system uptime, and fingerprinting of devices behind a router.
- This prevents time-related attack vectors which rely on leakage of the host time.
- https://forums.whonix.org/t/tor-connectionpadding/7477 [archive]
- Via creation of a new Whonix-Gateway ™ (
- For example, Whonix ™ users residing in China.
- This is useful when testing later Whonix ™ releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
- Unauthorized modifications to BIOS or the boot partition will be notified.
- Notifications are made in real time for any potentially suspicious activity.
- This is safe in the stable Qubes R4 release, but privacy issues [archive] were unresolved in Qubes R3.2 (now unsupported).
- Users can configure
sys-usbas static DisposableVMs. This option has been available from Qubes R4 onward.
- Reminder: The Subject: line and other header fields are not encrypted in the current configuration.
- Although TorBirdy has been deprecated, a number of necessary TAILS patches have been upstreamed and independent preference settings are now incorporated in Whonix ™ packages for secure functionality.
- Attackers use these methods to redirect local network traffic and execute Man-in-the-middle Attacks.
- Administrators are advised of any changes via email, such as new station/activity, flip-flops and re-used/changed old addresses.
- This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix ™ bugs, but does not address potential Qubes ProxyVM leaks.
- https://github.com/rustybird/corridor [archive]
- Although Libreboot is a free, opensource BIOS or UEFI replacement that initializes the hardware and starts the bootloader for the OS, the absence of proprietary firmware means important microcode security updates are unavailable. Also, even experts risk bricking their hardware during the process and it is incompatible with newer architectures, making it impractical for the majority of the Whonix population.
- This includes:
- Binary-blob-free Coreboot initialization, including native graphic initialization.
- Heads provides an Anti-evil Maid (AEM) firmware solution and protects against malicious interdiction.
- Intel ME is neutered and unnecessary modules involved in main CPU initialization have been deleted.
- Ships with Qubes OS pre-installed (with full-disk encryption), with the final disk encryption key being regenerated when first powered on by the buyer.
- Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than Qubes' approach [archive] (software compartmentalization).
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)