Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes Intel / AMD64 ARM64 PPC64 USB ISO Raspberry Pi More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Tor Entry Guards, Alternate Configurations, Fingerprinting Risks

Many well-known, enhanced anonymity designs like Tor, Whonix and the Tor Browser (TB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user. ^[3]

In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days. ^{[4] [5] [6]}

While natural guard rotation is recommended, in some situations it is safer to not use the usual guard relay! There are some corner cases in which an adversary could fingerprint the entry guard(s) ^[7] and de-anonymize a user. For instance:

• The same entry guards are used across various physical locations and access points.
• The same entry guards are used after permanently moving to a different physical location.

There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home: ^[9]

1. Clone Whonix-Gateway (sys-whonix) with New Entry Guards.
2. Regenerate the Tor State File after Saving the Current Tor State.
3. Configure Tor to use Alternating Bridges.

If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.

Forum discussion:
https://forums.whonix.org/t/persistent-tor-entry-guard-relays-can-make-you-trackable-across-different-physical-locations/2090

Creating a new Whonix-Gateway (sys-whonix) will likely lead to a new set of Tor entry guards, which is proven to degrade anonymity.

Users may be tempted to create a new Whonix-Gateway (sys-whonix) in the following circumstances:

• Bootstrapping is slow or regularly fails.
• Tor logs show warnings suggestive of route manipulation attacks or other oddities.
• System logs reveal attempted attacks on Whonix or Tor processes, for example in AppArmor logs.
• Current Tor performance is very slow or unreliable due to collapsing circuits or other factors.
• The user is concerned about the amount of Tor data that could be revealed if Whonix-Gateway is infected, particularly after a long period of use.

Forcing the rotation of guards more often than Tor’s default is dangerous for several reasons:

• It increases the likelihood of a compromised or malicious Tor guard being selected. This raises the chance of a successful correlation attack if the adversary runs Tor exit relays in the network.
• The user is more likely to traverse a given set of Internet infrastructure links that are under the adversary's control, such as Autonomous Systems (ASes) or Internet Exchange Points (IXPs).
• Every Tor guard change acts like a fingerprinting mechanism, since other users are less likely to pick the same set. If the adversary is able to enumerate a user's Tor guards and later observes someone with the same set, the chance is high the two observations stem from the same person.

For these reasons the Tor design changed in 2014 to establish a solitary primary guard node, while also increasing the set period for guard rotation. Also, do not discount the possibility that an adversary might purposefully cause poor Tor throughput, in the hope Tor guards are manually changed: ^[10]

We should also consider whether an adversary can *induce* congestion or resource exhaustion to cause a target user to switch away from her guard. Such an attack could work very nicely coupled with the guard enumeration attacks discussed above.

In one sense, slow Tor entry guards should be welcomed -- “honeypot” operators on the Tor network are unlikely to have constrained bandwidth which might chase away intended targets.

If users feel compelled in their circumstances to proceed despite the anonymity risks, then it may be safer to first try:

• One of the fallback primary entry guards.
• A configured bridge.
• Chaining other tunnels with Tor.
• Creating a fresh Whonix-Gateway (sys-whonix) and copying across the Tor state file.

The safest decision is to persist with poor performance and wait for normal guard rotation.

Note: Weigh the fingerprinting risks outlined earlier before proceeding. In most cases the decision to not rotate guards (even temporarily) is the correct one.

If guard fingerprinting across different locations is a legitimate concern, there are several ways to mitigate the threat. Viable options include: bridges, temporarily rotating guards or cloning Whonix-Gateway (sys-whonix) with new guards.

It is possible to clone the current Whonix-Gateway (sys-whonix) and regenerate the Tor state file. Once the VM is cloned, it is important that the original is not unintentionally used for any anonymous activities. To negate this threat, disable networking in the original Whonix-Gateway until returning home.

Create a Whonix-Gateway (sys-whonix) clone and name it Whonix-Gateway-temp (sys-whonix-temp):

1. VirtualBox: follow these instructions to create a VM snapshot.
   Qubes-Whonix^™: In Qube Manager, Right-click on sys-whonix → Clone qube
2. Regenerate the Tor State File.

Before arriving at the remote location, the Whonix-Gateway Tor state folder is moved to the $HOME directory and the Tor state file is regenerated. Perform all the following steps in Whonix-Gateway konsole.

Before returning home, the Tor state folder is restored to its original settings.

If Bridges are already configured, alternate bridges are recommended for different locations. If bridges are not being used, consider using entry guards in your primary location and relying on alternate bridges in different locations.

Wording clarification: There is no such thing as "Alternating-Bridges". It's not it's own word. It means "a bridge to alternate". As in "use different bridges".

Complete the following steps in Whonix-Gateway (sys-whonix).

In some circumstances Qubes-Whonix users might want to copy the Tor state and custom configuration options from an existing sys-whonix ProxyVM to another sys-whonix instance. For example, this is useful for testing later Whonix releases without aiding deanonymization attempts by advanced adversaries ^[13] or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.

The following instructions copy the Tor state from sys-whonix-old to sys-whonix-new.

qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)

  cached-certs cached-microdescs lock
  cached-microdesc-consensus cached-microdescs.new state

These instructions copy custom Tor configuration options (torrc) from sys-whonix-old to sys-whonix-new.

 qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)

The following instructions manually change a user's Tor entry guards. One use case for this action is before permanently relocating to a new area.

^[17]

Some users might consider configuring non-persistent entry guards so they constantly change. In almost all cases this is inadvisable, because persistent entry guards are a critical anonymity feature. A far more secure alternative is Alternating Bridges, although this requires a considerable time investment.

To proceed in spite of the warning, press on Expand on the right.

Complete these steps in Whonix-Gateway (sys-whonix).

1. Disable Tor using Anon Connection Wizard (safest option).

Start Anon Connection Wizard.

If you are using Qubes-Whonix^™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Anon Connection Wizard

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu → Applications → System → Anon Connection Wizard

If you are using a terminal emulator (such as for example xfce4-terminal) on Whonix-Gateway, type.

lxsudo anon-connection-wizard

If you are using a CLI Whonix-Gateway, see footnote. ^[11]

Choose the Disable Tor option. Press next.

2. Modify Tor settings.

Open file /usr/local/etc/torrc.d/50_user.conf in a text editor of your choice, with administrative rights.

Platform specific. Select your platform.

Whonix

If you are using a graphical Whonix-Gateway, take the following step.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

Qubes-Whonix

If you are using Qubes-Whonix^™, take the following step.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

CLI

If you are using Whonix-Gateway with command line interface (CLI), take the following step. sudoedit /usr/local/etc/torrc.d/50_user.conf

Add.

DataDirectory /var/run/tor

Save.

3. Enable Tor at the new location.

Enable Tor using Anon Connection Wizard (easiest option).

Start Anon Connection Wizard.

If you are using Qubes-Whonix^™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Anon Connection Wizard

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu → Applications → System → Anon Connection Wizard

If you are using a terminal emulator (such as for example xfce4-terminal) on Whonix-Gateway, type.

lxsudo anon-connection-wizard

If you are using a CLI Whonix-Gateway, see footnote. ^[11]

Choose the Enable Tor option. Press next.

4. Before leaving this location, disable Tor and repeat the above steps if traveling to a different area. To revert to the usual guard nodes at home, remove the torrc setting before enabling the network or rollback to a VM snapshot that was created there.

The proposed Tails solutions towards AdvGoalTracking have disadvantages ^{[18] [19]} and are not suitable options for Whonix. The reason is Whonix does not connect directly to a user's internet LAN, so trying to remember a network based on its SSID will not work. Unlike wireless access points, physical or virtual wired networks lack SSIDs and cannot be "remembered" that way.

Even if it were possible, it is best to avoid letting adversaries influence guard changes in any way. Spoofing MAC addresses or SSIDs would trigger the use of the alternative entry guard recorded for another "location profile". Global networks also have generic characteristics that cannot be differentiated from the point of view of a connecting device, resulting in the same guards being used on different networks.

Developers/Auditors-only: The development discussion related to this documentation chapter can be found here.

Whonix Tor Entry Guards wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Tor Entry Guards wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos(at)whonix.org (Replace (at) with @.)Please DO NOT use e-mail for one of the following reasons: Private Contact: Please avoid e-mail whenever possible. (Private Communications Policy) User Support Questions: No. (See Support.) Leaks Submissions: No. (No Leaks Policy) Sponsored posts: No. Paid links: No. SEO reviews: No. Advertisement deals: No. Default application installation: No. (Default Application Policy) >

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!