Tox Introduction

Tox [1] [2] looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VOIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous. [3] Desktop and mobile client versions have been developed for every major OS platform. [4]

In the Tox design, users are assigned a public and private key, with direct connections being established in a peer-to-peer network. Users can message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl crypto library, via libsodium. [5] [6] Tox helps to protect your privacy by: [7]

  • Removing the need to rely on central authorities to provide messenger services
  • Concealing your identity (in the form of meta-data, e.g. your IP address) from people who are not your authorized friends
  • Enforcing end-to-end encryption with perfect forward secrecy as the default and only mode of operation for all messages
  • Making your identity impossible to forge without the possession of your personal private key, which never leaves your computer

As at April 2017, the following secure (encrypted) features had been implemented: [8]

  • Voice and video calls.
  • Instant messaging.
  • Desktop screen sharing / streaming.
  • File sharing.
  • Typing indicators.
  • Message read-receipts.
  • Profile encryption.
  • Group messaging, voice and video conferencing.

Additional features can be implemented by any client, so long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. [9]

Tox Installation

Note: The following instructions will install the "qTox" graphical user client to your system. [10] To install the lightweight version with minimal dependencies ("uTox") or another Linux client like Ricin, Toxic or Toxygen, see here and here.

In the Whonix-Workstation (Qubes-Whonix: whonix-ws-14 TemplateVM), open a terminal (Konsole).

Download the Tox repository release key.

TODO: the following command is broken

curl-download TODO

Check the fingerprint before importing anything.

gpg --keyid-format long --with-fingerprint Release.key

Always check the fingerprint for yourself. [11]

At the time of writing, the fingerprint was:

pub   rsa2048/F2AA0B1E5EF8303B 2014-09-04 [SC] [expires: 2019-01-21]
      Key fingerprint = 3EB5 027B 3CD8 D7CA AC30  EB6B F2AA 0B1E 5EF8 303B
uid home:antonbatenev OBS Project <>

Add the Tox signing key.

TODO: the following command needs testing

sudo apt-key --keyring /etc/apt/trusted.gpg.d/tox-pubkey.gpg add Release.key

Add the Tox apt repository.

TODO: the following command is broken

sudo sh -c 'echo deb / > /etc/apt/sources.list.d/qtox.list'

Update the package lists.

sudo apt-get update

Install qTox.

sudo apt-get install qtox

The Tox repository and qTox have now been installed.
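
The fingerprint check in the steps above can be scripted so that the key file is only handed to apt-key when it matches a pinned value. This is an added example, not part of the original instructions or the Tox project: the function names and the sample listing are constructed for illustration, and the pinned value is the fingerprint shown on this page, which should still be confirmed independently.

```shell
#!/bin/sh
# Added example: pin the repository key fingerprint and fail closed.
# Fingerprint as listed on this page (spaces are stripped before comparing).
EXPECTED_FPR="3EB5 027B 3CD8 D7CA AC30  EB6B F2AA 0B1E 5EF8 303B"

# Print the fingerprint of every primary key in `gpg --with-colons` output
# read from stdin. An fpr record that follows a sub record is a subkey.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Succeed only if stdin lists exactly one primary key whose fingerprint
# equals $1. Empty input (gpg missing, unreadable file) is a failure.
check_listing() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected 1 primary key, found $count" >&2
        return 1
    fi
    if [ "$found" != "$expected" ]; then
        echo "refusing: $found does not match the pinned fingerprint" >&2
        return 1
    fi
    echo "fingerprint OK: $found"
}

# List the keys in a file without importing them, then check the listing.
verify_key_file() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        check_listing "$EXPECTED_FPR"
}

# Constructed sample listing (not real gpg output) so the check can be
# tried offline: one primary key, one subkey with a made-up fingerprint.
SAMPLE_LISTING='pub:-:2048:1:F2AA0B1E5EF8303B:1409788800:1548028800::-:::scSC:
fpr:::::::::3EB5027B3CD8D7CAAC30EB6BF2AA0B1E5EF8303B:
sub:-:2048:1:0000000000000001:1409788800::::::e:
fpr:::::::::0000000000000000000000000000000000000001:'
printf '%s\n' "$SAMPLE_LISTING" | check_listing "$EXPECTED_FPR"
```

To gate the import on the check, run `verify_key_file Release.key` and only continue with the apt-key step if it succeeds. A key file that bundles a second primary key is rejected even when one of its keys matches.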

TODO: Add instructions on how to use Tox with Stream Isolation without Tor over Tor.

  6. Tox employs curve25519 for its key exchanges, xsalsa20 for symmetric encryption, and poly1305 for MACs.
  8. Depending on the mobile / desktop client in use.
  10. This repository is directly referenced on the Tox Download webpage, see: Anton Batenev is a Tox developer.
  11. The list of GPG fingerprints currently in use by qTox developers can be referenced at