System Hardening Checklist
|About this System Hardening Checklist Page|
- 1 Introduction
- 2 Easy
- 2.1 Anonymous Blogging, Posting, Chat, Email and File Sharing
- 2.2 Disabling and Minimizing Hardware Risks
- 2.3 File Handling
- 2.4 Mandatory Access Control
- 2.5 Passwords and Logins
- 2.6 Secure Downloads
- 2.7 Secure Qubes Operation
- 2.8 Secure Software Installation
- 2.9 Tor Browser Series and Settings
- 2.10 VirtualBox
- 3 Moderate
- 3.1 Create a USB Qube
- 3.2 Host Operating System Distribution
- 3.3 Host Operating System Hardening
- 3.4 Networking
- 3.5 Newer Kernels
- 3.6 Sandboxing
- 3.7 Spoof MAC Addresses
- 3.8 Time Stamps and NTP Clients
- 3.9 Tor Settings
- 3.10 Whonix VM Security
- 4 Difficult
- 5 Expert
- 6 Footnotes
It is possible for users to significantly harden their Whonix and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.
Anonymous Blogging, Posting, Chat, Email and File Sharing
- To remain anonymous, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
- Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
- Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
- Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
- Utilize OnionShare to share or receive files securely and anonymously over the Tor network.
Disabling and Minimizing Hardware Risks
- In Qubes-Whonix, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required).
- Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices.
- Preferably detach or cover webcams unless they are in use. In Qubes-Whonix, assign it to an untrusted VM (if needed).
- Avoid using wireless devices, since they are insecure.
- Preferably disable or remove Bluetooth hardware modules.
- Disable or remove problematic devices like ExpressCard, PCMCIA, FireWire or Thunderbolt which may allow attackers with physical access to read RAM.
- Apply CPU microcode updates on the host operating system  or baremetal configurations like Physical Isolation. 
- In File Manager, disable previews of files from untrusted sources. Change file preferences in the TemplateVM's File Manager so future AppVMs inherit this feature.
- Files received or downloaded from untrusted sources (the internet, via email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM:
Open In DisposableVM
- Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.
Mandatory Access Control
- Enable all available apparmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs.
- Enable seccomp on Whonix-Gateway (
Passwords and Logins
- Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to prevent the feasibility of brute-forcing attacks.
- Use a trusted password manager, so hundreds of different passwords can be kept stored in an encrypted password database, protected by one strong master password. 
- For high-entropy passwords, consider using Diceware passphrases. 
- In Qubes-Whonix, store all login credentials and passwords in an offline vault VM (preferably with KeyPassX) and securely cut and paste them into the Tor Browser. 
- Read and follow all the principles for stronger passwords.
- Download Internet files securely using scurl instead of wget from the command line.
- When downloading with Tor Browser, prevent SSLstrip attacks by typing
https://links directly into the URL / address bar.
- Prefer onion services file downloads, which provide greater security and anonymity than https.
Secure Qubes Operation
- Refer to the Qubes-Whonix security recommendations and always follow the latest security news and advice from the Qubes team.
Secure Software Installation
- Default to Debian's official package manager APT for installing software, and avoid third party package managers.
- When possible, use mechanisms which simplify and automate software upgrades and installations, like apt-get functions.
- Prefer installation of software from signed (Debian) GNU/Linux repositories and avoid manually installing software, particularly if it is unsigned.
- Set the Qubes package updates to Tor onion service repositories. 
- For safer installations or updates, first stop all activity/applications and rotate the Tor circuits.
- Always verify key fingerprints and digital signatures of signed software before importing keys or installing software.
Tor Browser Series and Settings
- Consider using the Tor Browser alpha series. It provides additional Selfrando (load-time memory randomization) protection.   
- Run the Tor Browser Security Slider in the highest position. 
- Do not configure custom NoScript (per-site) settings which persist across successive Tor Browser sessions because this aids fingerprinting.
- Use .onion services where possible to stay within the Tor network, such as defaulting searches to the DuckDuckGo onion service.
- Use multiple Tor Browser instances or Whonix-Workstations to better compartmentalize contextual identities.
- Follow all other Whonix recommendations for safe and anonymous use of Tor Browser.
- Install Tor Browser outside of Whonix so a second, working instance is always available for anonymous activities. 
- Remove a host of VirtualBox features to reduce the attack surface.
- Take regular, clean VM snapshots that are not used for any activities.
- Spoof the initial virtual hardware clock offset.
Create a USB Qube
Host Operating System Distribution
- For a truly private operating system, install GNU/Linux on the host. 
- The Debian distribution is recommended by Whonix as providing a reasonable balance of security and usability.
Host Operating System Hardening
- Use Full Disk Encryption (FDE) on the host.
- Apply a BIOS password for BIOS setup and boot.
- Torrify apt-get traffic on the host to prevent fingerprinting and leakage of sensitive security information.
- Follow all other Whonix recommendations to further harden the host OS against physical attacks.
- Harden the host Debian Linux OS.
- If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
- If using a shared network via a common cable modem/router or ADSL router, configure a de-militarized zone (perimeter network). 
- Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
- Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
- WiFi users should default to the WPA2-AES standard which provides the safest protocol and strongest encryption. 
- Follow all other Whonix recommendations to lock down the router.
- Prefer the Debian Template for networking (
sys-firewall) since it is minimal in nature and does not "ping home", unlike the Fedora Template. 
- Consider using customized minimal templates for NetVMs to reduce the attack surface.
- For greater security, higher performance and a lower resource footprint, consider using an experimental MirageOS-based unikernel firewall that can run as a QubesOS ProxyVM.
- Consider installing newer kernels in Qubes-Whonix or the host Linux platform to benefit from additional protections (including grsecurity elements) being mainlined by the Kernel Self Protection Project. 
Spoof MAC Addresses
This is only necessary if you expect to travel with your laptop or PC. It is not required for home PCs that do not change locations.
- In Qubes-Whonix, follow these steps to spoof the MAC address on the Debian or Fedora TemplateVM used for network connections.
- In Non-Qubes-Whonix, follow these steps to spoof the MAC address of the network card on a Linux, Windows or macOS host.
Time Stamps and NTP Clients
- Disable ICMP timestamps and TCP timestamps on the host operating system to prevent leakage of information. 
- Uninstall the NTP client on the host operating system and disable systemd's timdatectl NTP synchronization feature. 
- Consider enabling Tor connection padding for greater anonymity.
- Consider installing newer Tor versions via the Whonix stable-proposed-updates repository or directly from The Tor Project repository.
- Avoid regenerating the Tor state file or manually rotating Tor guards  because it degrades anonymity.
- Avoid configuring non-persistent entry guards, as this severely degrades anonymity.
- Consider using Bridges if Tor is censored, dangerous or deemed suspicious in your location.
- If using a bridge, configure alternating bridges for different physical locations.
- Heavily censored users should configure a meek-azure bridge with Anon Connection Wizard. 
- To help preserve anonymity, copy Tor configuration files and settings to any new
sys-whonixinstance which is created. 
Whonix VM Security
- Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway and Whonix-Workstation.
- On Whonix-Workstation, consider hardening whonixcheck.
- Consider enabling the optional (extra) Whonix-Workstation firewall.
- If a Trusted Platform Module is available, use AEM protection to attest that only desired (trusted) components are loaded and executed during the system boot. 
Chaining Anonymizing Tunnels
- Avoid this course of action. The anonymity benefits are unproven and it may actually hurt a user's anonymity and security goals.
- Run all instances of Tor Browser in a DisposableVM which is preferably uncustomized to resist fingerprinting. 
- Configure each ServiceVM as a Static DisposableVM to mitigate the threat from persistent malware accross VM reboots. 
- Follow the Whonix recommendations to select an email provider compatible with privacy and anonymity.
- For anonymous PGP-encrypted email over Tor, use Mozilla Thunderbird, Enigmail and TorBirdy. 
- Follow all other email principles for greater safety.
- Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
- Create an AppVM that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
- Only open untrusted email attachments in a DisposableVM to prevent possible infection.
Flash the Router with Opensource Firmware
Warning: risk of bricking your router!
- Flash the insecure, limited-utility, proprietary firmware on the router with a powerful, open-source GNU/Linux alternative.
Multi-Factor User Authentication
- Utilize a Yubikey to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and to improve USB keyboard security.
Whitelisting Tor Traffic
- Qubes-Whonix: Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through.  
- Non-Qubes-Whonix or Qubes-Whonix: Use a standalone corridor as a filtering gateway.
Disable Intel ME Blobs
Warning: high risk of bricking your computer!
- It is possible to partially deblob Intel's despicable ME firmware image by removing unnecessary partitions from it.
Warning: incompatible with newer architectures - risk of bricking your computer!
- Libreboot is a free, opensource BIOS or UEFI replacement (firmware) that initializes the hardware and starts the bootloader for your OS.
- This applies to both Intel and AMD architecture.
- While this may introduce new vulnerabilities, this is objectively better than running a system that is vulnerable to known attacks.
- For greater security, store the password manager off-line.
- To estimate strength, an 8-word Diceware passphrase provides ~90 bits of entropy, while a 10-word passphrase provides ~128 bits of entropy.
- For greater safety, copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
- From Whonix 14, the Whonix and Debian repositories are set to onion mirrors by default.
- Selfrando provides a significant security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers. Selfrando is incompatible with grsecurity kernels. Due to this resolved bug, Selfrando has been integrated into the alpha series from 7.0a4 onward.
- The "hardened" Tor Browser series has been deprecated, see: https://trac.torproject.org/projects/tor/ticket/21912
- Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a native sandbox.
- This may affect usability and proper functioning on some websites.
- Thereby circumventing any possible future problems, like the breakage of Whonix.
- A USB qube is automatically created as of Qubes R4.0
- USB keyboards and mice expose dom0 to attacks, and all USB devices are potential side channel attack vectors.
- Windows and macOS are surveillance platforms that do not respect user freedom or privacy.
- This restricts Whonix-Gateway accessibility to/from other nodes on the network e.g. printers, phones and laptops.
- Do not rely on WiFi Protected Set-up (WPS), which has major security flaws.
- This recommendation comes with a warning: cutting-edge kernels may destabilize the system or cause boot failures.
- Previously The Tor Project's alpha sandbox was recommended to restrict Tor Browser, but the project has unfortunately been abandoned.
- Such as system information, host time, system uptime, and fingerprinting of devices behind a router.
- This prevents time-related attack vectors which rely on leakage of the host time.
- Via creation of a new Whonix-Gateway (
- For example, Whonix users residing in China.
- This is useful when testing later Whonix releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
- Unauthorized modifications to BIOS or the boot partition will be notified.
- This is safe in Qubes R4, but privacy issues are unresolved in Qubes R3.2
- Users may configure
sys-usbas static DisposableVMs. This option is only available for Qubes R4 users.
- Reminder: The Subject: line and other header fields are not encrypted in the current configuration.
- This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix bugs, but does not address potential Qubes ProxyVM leaks.
- Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than Qubes' approach (software compartmentalization).
No user support in comments. See Support.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)