
System Hardening Checklist



Hardening the Whonix and Host Operating System Platforms

System Hardening Checklist

It is possible for users to significantly harden their platform and improve the chances of successful, anonymous activity. This depends upon a user's skill level, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level (easy, moderate, difficult and expert).

Note: Recommendations specific to Qubes-Whonix or Non-Qubes-Whonix are marked accordingly.

Easy

Anonymous Blogging, Posting, Chat, Email and File Sharing

  • To remain anonymous, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
  • Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
  • Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
  • Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
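The metadata-removal advice above is easiest to see on a concrete container. The following is an added example, not code from the Whonix wiki: a small JPEG marker walker that drops the APP1 to APP15 application segments (where EXIF, XMP, ICC and Photoshop data live) and COM comment segments, keeping the JFIF header and the image-coding segments. The sample JPEG bytes are constructed inline and are not a decodable picture. Other formats (PDF, office documents, video) use entirely different containers, which is why general tools such as mat2 or exiftool exist; and, as the checklist notes, stripping metadata does nothing about the sensor noise pattern embedded in the pixels themselves.

```python
"""Strip metadata segments from a JPEG before sharing it.

Added example, not code from the Whonix page. It walks the JPEG marker
structure and drops APP1..APP15 (EXIF, XMP, ICC, Photoshop IRB) and COM
segments; APP0 (JFIF header) and all image-coding segments are kept.
"""
import struct
from typing import Iterator, List, Tuple

SOI, EOI, SOS, APP0, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}


def _is_metadata(marker: int) -> bool:
    """APP1..APP15 and COM are where identifying metadata is stored."""
    return APP0 < marker <= 0xFFEF or marker == COM


def _walk(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each segment up to and including the SOS header."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker >> 8 != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("segment runs past end of file")
        yield marker, pos, end
        if marker == SOS:
            return  # entropy-coded scan data follows; it is not marker-structured
        pos = end


def list_segments(data: bytes) -> List[Tuple[int, int]]:
    """(marker, length) pairs before the scan data, useful to audit a file."""
    return [(marker, end - start) for marker, start, end in _walk(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of `data` with metadata segments removed."""
    out = bytearray(data[:2])
    for marker, start, end in _walk(data):
        if marker == SOS:
            out += data[start:]  # SOS header, scan data and EOI copied verbatim
            return bytes(out)
        if not _is_metadata(marker):
            out += data[start:end]
    raise ValueError("truncated JPEG: no SOS marker found")


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample (not a decodable image): JFIF header, an EXIF blob with a
# fake location string, a comment naming the author, a dummy DQT, then a
# minimal SOS header, three bytes standing in for scan data, and EOI.
SAMPLE_JPEG = (
    struct.pack(">H", SOI)
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFE1, b"Exif\x00\x00MM\x00\x2a" + b"\x00" * 8 + b"GPSLatitude=49.0")
    + _segment(COM, b"Created by Alice on workstation-7")
    + _segment(0xFFDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + struct.pack(">H", EOI)
)

if __name__ == "__main__":
    print("before:", [hex(m) for m, _ in list_segments(SAMPLE_JPEG)])
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m, _ in list_segments(cleaned)])
```

Run `list_segments` on a file before and after stripping to confirm that only APP0 and the coding segments remain; anything appended after the EOI marker (some cameras and editors do this) is copied through unchanged and would need a separate check.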

Disabling and Minimizing Hardware Risks

  • In Qubes-Whonix, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required).
  • Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices.
  • Preferably detach or cover webcams unless they are in use. In Qubes-Whonix, assign the webcam to an untrusted VM (if needed).
  • Avoid using wireless devices, since they are insecure.
  • Preferably disable or remove Bluetooth hardware modules.
  • Disable or remove problematic devices like ExpressCard, PCMCIA, FireWire or Thunderbolt which may allow attackers with physical access to read RAM.

File Handling

Qubes-Whonix Only

  • In File Manager, disable previews of files from untrusted sources. Change file preferences in the TemplateVM's File Manager so future AppVMs inherit this feature.
  • Files received or downloaded from untrusted sources (the internet, via email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM: Right-click -> Open In DisposableVM.
  • Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.

Mandatory Access Control

  • Enable all available apparmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs.
  • Enable seccomp on the Whonix-Gateway AppVM.

Passwords and Logins

  • Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to prevent the feasibility of brute-forcing attacks.
  • Use a trusted password manager, so hundreds of different passwords can be kept stored in an encrypted password database, protected by one strong master password. For greater security, store the password manager off-line.
  • For high-entropy passwords, consider using Diceware passphrases. [1]
  • In Qubes-Whonix, store all login credentials and passwords in an offline vault VM (preferably with KeePassX) and securely cut and paste them into the Tor Browser. Copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
  • Do not create user accounts with any identifiable information that might be linked to the user, or which is known by friends or acquaintances.
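To make the Diceware recommendation and the entropy figures in footnote 1 concrete, here is an added example (not code from the Whonix wiki) that computes passphrase entropy from the list size, converts a target entropy into a word count, maps a five-dice roll to a list index, and draws words with the operating system's CSPRNG via the `secrets` module. The 16-word list is a constructed stand-in; a real Diceware list has 6^5 = 7776 entries, which is what gives about 12.9 bits per word.

```python
"""Diceware passphrase generation and entropy arithmetic.

Added example, not part of the Whonix page. The word list below is a
constructed 16-word sample; a real Diceware list has 6**5 = 7776 words.
"""
import math
import secrets
from typing import Sequence

DICEWARE_LIST_SIZE = 6 ** 5  # five dice, rolls 11111..66666

# Constructed sample list: only 4 bits per word, for demonstration only.
SAMPLE_WORDLIST = [
    "apple", "basin", "cedar", "delta", "ember", "fjord", "gable", "harp",
    "inlet", "jumbo", "kayak", "lemon", "mango", "nylon", "otter", "plaza",
]


def bits_per_word(list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy contributed by one word chosen uniformly from the list."""
    return math.log2(list_size)


def passphrase_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `words` independent, uniform draws from a list of `list_size`."""
    return words * bits_per_word(list_size)


def words_for_entropy(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_word(list_size))


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '31245' to a 0-based index into the list."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("a Diceware roll is five digits in the range 1-6")
    return sum((int(c) - 1) * 6 ** (4 - i) for i, c in enumerate(roll))


def generate_passphrase(words: int, wordlist: Sequence[str] = SAMPLE_WORDLIST,
                        sep: str = " ") -> str:
    """Draw words with the OS CSPRNG; the `random` module is not suitable here."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for n in (7, 8, 10):
        print(f"{n} words from a full list: {passphrase_entropy_bits(n):.1f} bits")
    print("words needed for 128 bits:", words_for_entropy(128))
    print("sample passphrase:", generate_passphrase(6))
```

The entropy figures assume the words are drawn uniformly and independently; choosing words by hand, or reusing a passphrase across accounts, forfeits that guarantee regardless of length.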

Secure Downloads and Software Installation

  • Download Internet files securely using scurl instead of wget from the command line.
  • When downloading with Tor Browser, prevent SSLstrip attacks by typing https:// links directly into the URL / address bar. Prefer downloading files from hidden services, which provide greater security and anonymity than https.
  • Prefer installation of software from signed GNU/Linux repositories and avoid installing unsigned software.
  • When possible, use mechanisms which simplify and automate software upgrades and installations, like apt-get functions.
  • Always verify key fingerprints and digital signatures of signed software before importing keys or installing software.

Secure Qubes Operation

Qubes-Whonix Only

  • Verify the authenticity and integrity of the Qubes iso download.
  • Check gpg is enabled in config files (gpgcheck=1) if new Fedora repositories are installed.
  • Safely import new signing keys by checking that the same key is obtained from multiple independent sources.
  • Preferably only install packages from trusted sources e.g. pre-configured Fedora, Debian, Whonix and Qubes sources. Untrusted or unverifiable programs should be installed in standaloneVMs or less trusted, cloned templates.
  • For critical user data, protect against unintentional leaks by setting an empty NetVM field (set to "none") for the corresponding AppVM.
  • Observe the security context of colored windows borders in Qubes before running applications or manipulating data.
  • Enable VT-d/IOMMU via BIOS to have DMA protection, effective network isolation, and the ability to assign PCIe devices to a HVM. Check it is running via dom0 (qubes-hcl-report).
  • Ensure computer hardware meets all other Qubes-Whonix requirements for the best security, functionality and future compatibility with Qubes 4.X releases.
  • Always keep the system up to date in dom0, template VMs and standalone VMs.
  • Never run applications in TemplateVMs or dom0, except updating tools or editors for configuration purposes (running applications poses security risks).
  • Avoid dual / multi-boot configurations in Qubes. The other OS could modify the unprotected /boot partition or firmware to maliciously compromise Qubes and/or spy on user activities.
  • Follow all other security advice from the Qubes team.

Tor Browser Series and Settings

VirtualBox

Non-Qubes-Whonix Only

Whonix Updates

  • Consider installing newer Tor versions via the Whonix stable-proposed-updates repository or directly from The Tor Project repository.

Moderate

Create a USB Qube

Qubes-Whonix Only

Host Operating System Distribution

Non-Qubes-Whonix Only

  • Install GNU/Linux as the only serious option for a private host operating system. Windows and macOS are surveillance platforms that do not respect user freedom or privacy.
  • The Debian distribution is recommended by Whonix as providing a reasonable balance of security and usability.

Host Operating System Hardening

Non-Qubes-Whonix Only

Networking

On both platforms:

  • If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
  • If using a shared network via a common cable modem/router or ADSL router, configure a demilitarized zone (perimeter network) to restrict Whonix-Gateway accessibility to/from other nodes on the network e.g. printers, phones and laptops.
  • Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
  • Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
  • WiFi users should default to the WPA2-AES standard which provides the safest protocol and strongest encryption. Do not rely on WiFi Protected Set-up (WPS), which has major security flaws.
  • Follow all other Whonix recommendations to lock down the router.


In Qubes-Whonix:

  • Use the Debian Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not "ping home", unlike the Fedora Template. [6]
  • For greater security, higher performance and a lower resource footprint, consider using an experimental MirageOS-based unikernel firewall that can run as a QubesOS ProxyVM.

Newer Kernels

Qubes-Whonix Only

Onionizing Repositories

Sandboxing

  • Use the alpha sandbox to restrict Tor Browser. [7]
  • Use Firejail to restrict Firefox-ESR, VLC and other regularly used applications.

Secure Back-ups

Qubes-Whonix Only

Spoof MAC Addresses

Note: This is only necessary if you expect to travel with your laptop or PC. It is not required for home PCs that do not change locations.

  • In Qubes-Whonix, follow these steps to spoof the MAC address on the Debian or Fedora TemplateVM used for network connections.
  • In Non-Qubes-Whonix, follow these steps to spoof the MAC address of the network card on a Linux, Windows or macOS host.
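The per-platform steps linked above differ in tooling, but every spoofed address has to satisfy the same two bit rules in its first octet: the I/G bit (bit 0) must be clear so the address is unicast, and the U/L bit (bit 1) should be set so it is marked locally administered and cannot collide with a vendor-assigned OUI. The following is an added example, not code from the Whonix wiki, that generates such an address with the OS CSPRNG and validates addresses against those rules.

```python
"""Generate and validate a random locally administered MAC address.

Added example, not code from the Whonix page. Unicast means bit 0 of the
first octet is clear; locally administered means bit 1 is set.
"""
import re
import secrets

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}$")


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return the six octets."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", mac))


def format_mac(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def random_local_mac() -> str:
    """Six CSPRNG bytes with the I/G bit cleared and the U/L bit set."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFE) | 0x02
    return format_mac(octets)


def is_multicast(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """True only for unicast addresses carrying the U/L bit."""
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not (first & 0x01)


def oui(mac: str) -> str:
    """Vendor prefix (first three octets); meaningful only when U/L is clear."""
    return format_mac(parse_mac(mac)[:3])


if __name__ == "__main__":
    mac = random_local_mac()
    print(mac, "locally administered:", is_locally_administered(mac))
    # Apply on Linux (as root, interface down first), for example:
    #   ip link set dev <iface> down
    #   ip link set dev <iface> address <mac>
    #   ip link set dev <iface> up
```

Two caveats worth knowing: an address with the U/L bit set is itself recognisable as randomized, and some networks treat that as a signal; and changing the address while the link is up does not help, since the original is already recorded by the access point or switch, so do it before the interface is brought up.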

Time Stamps and NTP Clients

Non-Qubes-Whonix Only

  • Disable ICMP timestamps and TCP timestamps on the host operating system to prevent leakage of: system information, host time, system uptime, and fingerprinting of devices behind a router.
  • Uninstall the NTP client on the host operating system and disable systemd's timedatectl NTP synchronization feature. This prevents time-related attack vectors which rely on leakage of the host time.
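The TCP timestamp leak is carried in the Timestamps option (kind 8) of the TCP header, whose TSval field is a clock the peer can sample over time. The following is an added example, not code from the Whonix wiki, that parses the option list of a raw TCP header so a host's own captured packets can be checked for the option after hardening; the two SYN headers are constructed inline and are not real captures.

```python
"""Detect the TCP Timestamps option (kind 8) in a raw TCP header.

Added example, not code from the Whonix page. It parses the option list of a
TCP segment (IP header already removed) so a defender can check captured
packets from the host for the option the checklist says to disable.
"""
import struct
from typing import List, Optional, Tuple

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_TIMESTAMP = 0, 1, 2, 8


def tcp_options(segment: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, payload) pairs from the TCP options area."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (segment[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    opts = segment[20:data_offset]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return result


def timestamp_option(segment: bytes) -> Optional[Tuple[int, int]]:
    """(TSval, TSecr) if the segment carries a Timestamps option, else None."""
    for kind, payload in tcp_options(segment):
        if kind == TCPOPT_TIMESTAMP and len(payload) == 8:
            return struct.unpack(">II", payload)
    return None


def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (ports, seq and window are made up) with `options`."""
    options += b"\x00" * ((-len(options)) % 4)  # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4
    return struct.pack(">HHIIBBHHH", 40000, 443, 0x1000, 0,
                       data_offset << 4, 0x02, 65535, 0, 0) + options


# Constructed samples: both carry MSS 1460; only the first adds NOP NOP + Timestamps.
SYN_WITH_TS = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x01"
                        + b"\x08\x0a" + struct.pack(">II", 123456789, 0))
SYN_WITHOUT_TS = build_syn(b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for name, seg in (("with timestamps", SYN_WITH_TS), ("without", SYN_WITHOUT_TS)):
        print(name, [k for k, _ in tcp_options(seg)], timestamp_option(seg))
```

On Linux the option is controlled by the `net.ipv4.tcp_timestamps` sysctl; setting it to 0 removes the option from outgoing segments entirely. Kernels from 4.10 onward already randomize the TSval offset per connection when the setting is 1, which blunts uptime inference but still leaves the option visible, so a packet capture checked with the parser above is the reliable way to confirm the hardening took effect. ICMP timestamp requests are a separate matter and are dropped with a firewall rule on the host.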

Difficult

Anti-Evil Maid

Qubes-Whonix Only

  • If a Trusted Platform Module is available, use AEM protection to attest that only desired (trusted) components are loaded and executed during the system boot. Unauthorized modifications to the BIOS or the boot partition will be reported to the user.

Chaining Anonymizing Tunnels

DisposableVMs

Qubes-Whonix Only

  • Run all instances of Tor Browser in a DisposableVM which is preferably uncustomized to resist fingerprinting.

Email

In Qubes-Whonix:

  • Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
  • Create an AppVM that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
  • Only open untrusted email attachments in a DisposableVM to prevent possible infection.


On both platforms:

  • Follow the Whonix recommendations to select an email provider compatible with privacy and anonymity:
    • Do not use Yahoo and Gmail, which use automated software to scan emails for keywords to tailor advertising and sell products.
    • Do not rely on Hotmail, which has a history of reading private emails and messages.
  • Prefer email providers that:
    • Are free.
    • Support PGP encryption and key management.
    • Have encrypted inboxes by default.
    • Are outside Fourteen Eyes jurisdictions.
    • Have desktop email compatibility with Mozilla Thunderbird. [8]
  • Do not rely on SSL/TLS encryption to protect emails from prying eyes.
  • For anonymous email, use Mozilla Thunderbird, PGP encryption and TorBirdy to utilize the Tor network. [9]
  • Use POP3 and SMTP settings, as IMAP leaks more metadata.

Multi-Factor User Authentication

Qubes-Whonix Only

  • Use a Yubikey to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and to improve USB keyboard security.

Whitelisting Tor Traffic

  • Qubes-Whonix: Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through. This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix bugs, but does not address potential Qubes ProxyVM leaks. [10]
  • Non-Qubes-Whonix or Qubes-Whonix: Use a standalone corridor as a filtering gateway.

Expert

Disable Intel ME Blobs

Flash the Router with Open-Source Firmware

Install Libreboot

  • Libreboot is a free, open-source BIOS or UEFI replacement (firmware) that initializes the hardware and starts the bootloader for your OS. Warning: incompatible with newer architectures - risk of bricking your computer!

Physical Isolation

Non-Qubes-Whonix Only

  • If additional hardware is available, consider physical isolation in Non-Qubes-Whonix. Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than Qubes' approach (software compartmentalization).

Footnotes

  1. A Diceware passphrase of 7-8 words in length provides 80-96 bits of entropy, while a 10 word passphrase provides 128 bits of entropy.
  2. Selfrando provides a significant security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers. Selfrando is incompatible with grsecurity kernels. Due to a recently resolved bug, Selfrando has now been integrated into the alpha series (v7.0a4).
  3. The "hardened" Tor Browser series has been deprecated, see: https://trac.torproject.org/projects/tor/ticket/21912
  4. This may affect usability and proper functioning on some websites.
  5. This is more secure, but increases the user's fingerprinting risk due to selective use of Javascript.
  6. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
  7. This is not possible until Whonix 14 is released.
  8. Formerly "Icedove", but now re-branded in Debian following resolution of trademark issues.
  9. Reminder: The Subject: line and other header fields are not encrypted.
  10. https://github.com/rustybird/corridor
