
Security Guide



About this Security Guide Page
support status: stable
difficulty: medium
maintainer: Whonix team
support: Support


Basics

Motivation

You may skip this Motivation chapter.

If you need motivation to secure your computer, refer to these articles:


If that's too much to read, then just take a glimpse at the graphics:

Operating System

Updates

Important! All packages must stay up-to-date for security purposes.

Make sure you are aware of CVE-2016-1252 and of how to run apt-get upgrades securely.

1. Update Your Package Lists

Check package lists on at least a daily basis and keep your host operating system updated. To update Whonix-Gateway and Whonix-Workstation packages lists, run:

sudo apt-get update

The output should look similar to this:

Hit http://security.debian.org jessie/updates Release.gpg                                                                                                    
Hit http://security.debian.org jessie/updates Release                                                                                                        
Hit http://deb.torproject.org jessie Release.gpg                           
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release                                             
Hit http://security.debian.org jessie/updates/contrib i386 Packages    
Hit http://ftp.us.debian.org jessie Release                           
Hit http://security.debian.org jessie/updates/non-free i386 Packages  
Hit http://deb.torproject.org jessie/main i386 Packages               
Hit http://security.debian.org jessie/updates/contrib Translation-en  
Hit http://ftp.us.debian.org jessie/main i386 Packages                
Hit http://security.debian.org jessie/updates/main Translation-en                        
Hit http://ftp.us.debian.org jessie/contrib i386 Packages                                
Hit http://security.debian.org jessie/updates/non-free Translation-en                    
Hit http://ftp.us.debian.org jessie/non-free i386 Packages                               
Ign http://ftp.us.debian.org jessie/contrib Translation-en              
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists... Done

If you see something like this:

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org jessie Release.gpg
  Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg
  Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg  Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg  Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg  Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this:

500  Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should resolve itself. Check if your network connection is functional by changing your Tor circuit, then try again. Running whonixcheck might also help to diagnose the problem.

Sometimes you might see a message like this:

Could not resolve 'security.debian.org'

In that case, it helps to run:

nslookup security.debian.org

And then try again.

2. Upgrade

sudo apt-get dist-upgrade

Please note that if you disabled the Whonix APT Repository (see Disable_Whonix_APT_Repository), then you'll have to manually check for new Whonix releases and manually install them from source code.

3. Never Install Unsigned Packages!

If you see something like this:

WARNING: The following packages cannot be authenticated!
  icedove
Install these packages without verification [y/N]?

Then don't proceed! Press N and <enter>. Running apt-get update again should fix it. If not, something is broken or it's a man-in-the-middle attack, which isn't that unlikely since we are updating over Tor exit relays and some of them are malicious. Changing your Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at the moment. If such a warning appears, it will look like this:

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

In this case you should be careful, even though apt-get will automatically ignore repositories with expired keys or signatures, and you will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.

There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers have yet to fix, or you are the victim of a man-in-the-middle attack. [1] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when you get a different, non-malicious Tor exit relay or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. The documentation from that time read as follows.

For instance, the Tor Project's apt repository key had expired and the following warning appeared:

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue had already been reported. There was no immediate danger and you could have just ignored it. Just make sure to never install unsigned packages as explained above.

For another example, see the more recent Whonix apt repository keyexpired error.

Please report any other signature verification errors you encounter. This outcome is considered unlikely at this time.

5. Changed Configuration Files

If you see something like the following:

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful. If the updated file isn't coming from a Whonix specific package (some are called whonix-...), then press n. Otherwise, Whonix settings affecting anonymity, privacy, and security might be lost. If you are an advanced user and know better, you can of course manually check the differences and merge them.

This is how to determine if the file is coming from a Whonix-specific package or not:

  • Whonix-specific packages are sometimes called whonix-.... In the example above it's saying "Setting up ifupdown ...", so the file isn't coming from a Whonix-specific package. In this case, you should press n as previously advised.
  • If the package name does include whonix-..., it's a Whonix-specific package. In that case, your safest bet is pressing y, but then you will lose any customized settings. These can be re-added afterwards. Such conflicts will hopefully rarely happen if you use Whonix's modular flexible .d style configuration folders.


6. Restart Services After Upgrading

To restart services after upgrading, either simply reboot:

sudo reboot

Or, if you want to avoid rebooting, use the needrestart method (harder), described below.

Do this once. Install needrestart:

sudo apt-get update
sudo apt-get install needrestart

Run needrestart:

sudo needrestart

The program will provide some advice. Run it again after applying the advice:

sudo needrestart

If nothing else has to be restarted, it should show:

No services need to be restarted.

This feature might become more usable and automated in future. (T324)

7. Restart After Kernel Upgrades

When linux-image-... is upgraded, a reboot is required to benefit from any security updates.
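As an added example (not part of the Whonix documentation or of apt itself), the following Python script applies the checks from steps 1, 3, 4 and 5 to the text that apt-get prints: it flags fetch failures, unauthenticated packages and expired signing keys, and for each conffile prompt it derives the answer the guide recommends from the "Setting up <package> ..." line that precedes it. The two sample transcripts are constructed from the messages quoted above; the function and class names are this example's own.

```python
"""Triage an apt-get transcript against the update checklist above.

Added example, not part of the Whonix documentation or of apt itself. It scans
the text that apt-get prints for the conditions steps 1, 3, 4 and 5 tell you
to react to: fetch failures, unauthenticated packages, expired signing keys and
conffile prompts. The sample transcripts are constructed from the messages
quoted in the guide.
"""
import re
from dataclasses import dataclass, field

# Line prefixes that mean the index download or upgrade did not complete cleanly.
FETCH_ERROR_PREFIXES = ("Err ", "E: ", "W: Failed to fetch",
                        "W: Some index files failed", "500 ")
# "Setting up <package> ..." precedes a conffile prompt for that package.
SETTING_UP = re.compile(r"^Setting up (\S+)")
# "Configuration file `/etc/network/interfaces'" names the file in question.
CONFFILE = re.compile(r"^Configuration file [`'](.+?)'")
KEYEXPIRED = re.compile(r"KEYEXPIRED (\d+)")


@dataclass
class Verdict:
    fetch_errors: list = field(default_factory=list)
    unauthenticated: list = field(default_factory=list)   # package names
    key_expired: list = field(default_factory=list)       # expiry timestamps
    conffile_advice: dict = field(default_factory=dict)   # path -> "Y" or "N"

    @property
    def safe_to_proceed(self) -> bool:
        """True only if nothing in the transcript calls for stopping."""
        return not (self.fetch_errors or self.unauthenticated or self.key_expired)


def conffile_answer(package: str) -> str:
    """Step 5: keep your file (N) unless the prompt comes from a whonix-* package (Y)."""
    return "Y" if package.startswith("whonix-") else "N"


def triage(transcript: str) -> Verdict:
    verdict = Verdict()
    lines = transcript.splitlines()
    current_package = None
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith(FETCH_ERROR_PREFIXES):
            verdict.fetch_errors.append(line)
        for stamp in KEYEXPIRED.findall(line):
            if stamp not in verdict.key_expired:
                verdict.key_expired.append(stamp)
        if line.startswith("WARNING: The following packages cannot be authenticated!"):
            # The offending packages follow on indented lines (step 3: answer N).
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                verdict.unauthenticated.append(lines[i].strip())
                i += 1
            continue
        if m := SETTING_UP.match(line):
            current_package = m.group(1)
        elif (m := CONFFILE.match(line)) and current_package:
            verdict.conffile_advice[m.group(1)] = conffile_answer(current_package)
        i += 1
    return verdict


# Constructed sample: a clean run of "sudo apt-get update".
CLEAN_RUN = """\
Hit http://security.debian.org jessie/updates Release.gpg
Hit http://deb.torproject.org jessie Release
Ign http://ftp.us.debian.org jessie/main Translation-en
Reading package lists... Done
"""

# Constructed sample combining the warning messages quoted in steps 1, 3, 4 and 5.
BAD_RUN = """\
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release
W: Some index files failed to download. They have been ignored, or old ones used instead.
WARNING: The following packages cannot be authenticated!
  icedove
Install these packages without verification [y/N]?
Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
*** interfaces (Y/I/N/O/D/Z) [default=N] ?
"""

if __name__ == "__main__":
    for name, run in (("clean", CLEAN_RUN), ("bad", BAD_RUN)):
        v = triage(run)
        print(name, "run, safe to proceed:", v.safe_to_proceed)
        print("  unauthenticated:", v.unauthenticated, "key expired:", v.key_expired,
              "conffile advice:", v.conffile_advice)
```

Run it as-is to see the clean transcript pass and the bad one stop on all three conditions; to triage a real session, pipe the saved output of apt-get into triage(). The "Ign ... Translation-en" lines are deliberately not treated as errors, since the guide shows them in a healthy run.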

Whonix-Gateway Security

General

You should never use Whonix-Gateway for anything other than running Tor on it!

If the Whonix-Gateway is ever compromised, the identity (public IP address), all destinations visited, and the entirety of clear-text (and hidden service) communication over Tor becomes available to the attacker.

Before installing any extra packages on the Whonix-Gateway, please first consult the developers to ask whether that is really necessary and wise.

Warning: Bridged Networking

You shouldn't change the Whonix-Gateway's first or second network interface to a bridged network. This is untested and should not be necessary. If you feel it is necessary in your circumstances, please get in contact.

If you are interested, here is a discussion thread, and another one, debating whether NAT or a bridged network is more secure.

Host Security

Basics

Please read the Computer Security Education about Host Security.

Power Saving Considerations

Upon system suspend/standby, Full Disk Encryption keys are still kept in RAM. Avoid leaving a system in this state if you are at high risk or traveling. Instead, the recommended power mode to use is hibernation. This will lock all system partitions to a safe state, though there is a small trade-off in startup time.

On GNU/Linux hosts, standby will not always result in having LUKS keys retained in memory. Some experimental projects[2] and custom setups with systemd+scripting are able to erase the keys before system suspend to avoid mistakes.

Following a system standby period, the network fingerprint for Tor on the Whonix-Gateway is identical to a standard Tor instance on the host that has gone through the same procedure. There are some old connections that go stale and need renewal, but nothing is seen by a network adversary because time leak identifiers have been stripped out of Tor's protocol/OpenSSL and TCP Timestamps are gone.

Non-Qubes-Whonix only:
In order to reconnect, manual time adjustment is required, or the VM can simply be powered off and then powered on again. This step will not be necessary once hypervisor-specific post-resume hooks are used, because guest clocks will be seamlessly updated upon power state changes from the host.

Qubes-Whonix only:
Has automatic seamless time adjustment after resume. [3]

Hardware Component Risks

In the default configuration, Whonix provides significant protection against circumvention of the proxy obedience design. This includes:

  • Applications not honoring proxy settings (proxy bypass IP leaks);
  • Applications disclosing the user's real IP (protocol IP leaks);
  • Remote code execution exploits with user-only rights (exploit + unsafe browser); and
  • Remote code execution exploits with root rights (exploit + root exploit + unsafe browser).


However, if a second exploit is used to break out of the VM, the default Whonix installation is broken and the user's real IP address will be identified. Only Whonix run with physical isolation will defeat this attack. This is because the Whonix-Workstation host does not know the real IP address, only the Whonix-Gateway which is running on another machine. Consequently, to successfully deanonymize the user, the attacker must also: exploit the physically isolated Whonix-Gateway; subvert the Tor process; or attack the Tor network at large.

Nevertheless, physically-isolated users should be aware that if an adversary manages to break out of the Whonix-Workstation VM using an exploit, then additional risks are posed by the hardware components that are built-in or have been additionally installed. This includes CPU and hdd/ssd temperature sensors, microphones and cameras.

In the case of Whonix with physical isolation:

  • The user's IP address is still safe, but the temperature sensors can be used for anonymity set reduction;
  • Different CPU, ssd and hdd models will report different sensor information, depending on climate and weather. If you can, you are advised to remove or to obfuscate the sensor results; and
  • Cameras and microphones can be covertly activated by the adversary. Remove external hardware and/or disable them in BIOS if possible. At a minimum, cover them or ideally remove them.


In the case of a default Whonix installation, the same general recommendations apply, although it does not really matter since the user will have been deanonymized successfully.

Anonymous 3G modem

Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or Whonix is compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • Non-physical isolation users: either 1) plug the modem into or integrate it with the host as a replacement for the host's internet connection (easier), or 2) plug it into Whonix-Gateway and route only Whonix-Gateway's traffic through it, not the host's (undocumented, therefore harder).
  • Physical isolation: same as 2) above (although there is no host in that sense).
  • Buy the 3G modem anonymously (in a store, second hand, on the street, no personal data).
  • Be sure to have never used it for non-anonymous use before.
    • Because in many countries the telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Also be sure to buy the SIM card anonymously.
  • Prepaid is better.
  • Buy cash codes in different stores anonymously.
  • Be sure to never have used this anonymous SIM card with a non-anonymous phone or 3G modem.
    • Because in many countries the telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
    • Optionally, always get a fresh, distant, random, non-circle spot. (security vs. comfort)
    • Check for cameras and witnesses.
  • 3G users often get only a shared IP. Due to the scarcity of IPv4 addresses, thousands of users share the same external IPv4 address. Some providers do not yet log users' (NAT) ports, so they cannot identify a user when given only an IP address and a timestamp. Nice to have, but don't rely on it! (Some providers assign additional IPv6 addresses to their users, which are unique. Tor does not use IPv6 yet.)

Anonymous WiFi adapter

Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or Whonix is compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • Plugged or integrated into Whonix-Gateway.
  • Buy the WiFi adapter anonymously (in a store, second hand, on the street, no personal data).
  • Be sure to have never used it for non-anonymous use before.
    • Because a few providers or hotspot providers log the MAC address and the username (for paid hotspots) for each dial-up.
  • Use only free hotspots or pay them anonymously (if that's possible, otherwise abstain from paid hotspots).
    • Optionally, always get a fresh, distant, random, non-circle spot. (security vs. comfort)
    • Check cameras and witnesses.

Hardening

Whonix does not yet improve host security. You are advised to use a secure host operating system.

Mandatory Access Control

AppArmor

Check out Whonix's AppArmor profiles. They are not that difficult to use and provide a considerable security enhancement.

Seccomp

Consider enabling seccomp.

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add:

Sandbox 1

Save.

Firejail

Introduction

According to the Firejail project page:[4]

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight; the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in the Linux kernel and available on any Linux computer. The program is released under the GPL v2 license.

Firejail has built-in profiles for a large number of popular Linux programs - many of which are used in Whonix. A small sample of the 100+ profiles includes: Chromium, CryptoCat, Dolphin, Evince, Firefox, HexChat, Icedove, LibreOffice, Okular, Thunderbird, Transmission, VirtualBox, VLC and wget.[5]

Installing Firejail

This works in both Qubes-Whonix and Non-Qubes-Whonix.

1. Boot your Whonix-Workstation (commonly called whonix-ws) TemplateVM.

2. Add jessie-backports to your sources.list.

   sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Or alternatively use the .onion mirror:

   sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

3. Use apt-pinning before installing dependencies.

Apt-Pinning provides a safe mechanism to mix and match packages from different Debian repo branches without breaking your base distro.

A higher pin priority ensures that the stable package version is preferred over any other when installing with apt. Note that these files have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

4. Update your package lists.

   sudo apt-get update

5. Install firejail.

   sudo apt-get -t jessie-backports install firejail
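To make the pinning file from step 3 and the -t flag from step 5 concrete, here is an added Python example (not Whonix or Debian code) that parses the five stanzas above and simulates, in a simplified model of apt_preferences(5), which version apt would choose: the highest pin priority wins, ties go to the higher version, a release named with apt-get -t is given priority 990, and a priority below 1000 never downgrades an installed package. The version ordering is a numeric approximation rather than dpkg's algorithm, and every package version in the sample data is constructed for the example.

```python
"""Simulate which version apt would pick under the pinning file above.

Added example, not Whonix or Debian code. It parses the preferences stanzas
from the guide and applies a simplified model of apt_preferences(5): the
version with the highest pin priority wins, ties go to the higher version,
a release named with "apt-get -t" is pinned to 990, and a priority below
1000 never downgrades an installed package. Version ordering is a numeric
approximation of dpkg's, and every package version below is constructed.
"""
import fnmatch
import re

# The five stanzas from /etc/apt/preferences.d/debian-pinning.pref above.
PREFERENCES = """\
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500
"""

DEFAULT_PRIORITY = 500      # apt's default for a release with no matching pin
TARGET_PRIORITY = 990       # what "apt-get -t <release>" gives the target release


def parse_preferences(text):
    """Return (package_glob, archive, priority) triples, one per stanza."""
    pins = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        archive = re.match(r"release a=(\S+)", fields["Pin"]).group(1)
        pins.append((fields["Package"], archive, int(fields["Pin-Priority"])))
    return pins


def version_key(version):
    """Numeric approximation of Debian version ordering (not dpkg --compare-versions)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def priority(pins, package, archive, target=None):
    """Pin priority of <package> as offered by <archive>."""
    if archive == target:
        return TARGET_PRIORITY
    matching = [prio for glob, pinned, prio in pins
                if pinned == archive and fnmatch.fnmatch(package, glob)]
    return max(matching) if matching else DEFAULT_PRIORITY


def candidate(pins, package, available, installed=None, target=None):
    """Pick the (archive, version) apt would install; <available> maps archive -> version."""
    ranked = sorted(
        ((priority(pins, package, archive, target), version_key(version), archive, version)
         for archive, version in available.items()),
        reverse=True)
    prio, vkey, archive, version = ranked[0]
    # Below 1000 apt never replaces a newer installed version with an older one.
    if installed is not None and prio < 1000 and vkey < version_key(installed):
        return ("installed", installed)
    return (archive, version)


PINS = parse_preferences(PREFERENCES)

# Constructed version data: stable does not ship firejail, the other releases do.
FIREJAIL = {"jessie-backports": "0.9.44-1", "testing": "0.9.50-3", "unstable": "0.9.52-1"}
# Constructed version data for a package present in both stable and testing.
BASH = {"stable": "4.3-11", "testing": "4.4-5"}

if __name__ == "__main__":
    print("firejail, no -t:       ", candidate(PINS, "firejail", FIREJAIL))
    print("firejail, -t testing:  ", candidate(PINS, "firejail", FIREJAIL, target="testing"))
    print("bash, stable preferred:", candidate(PINS, "bash", BASH))
    print("bash, newer installed: ", candidate(PINS, "bash", BASH, installed="4.4-5"))
```

The first two cases show why the guide can install firejail from jessie-backports: with the pins above, backports (650) outranks testing and unstable even without -t, and -t only matters when you want a release pinned lower to win. The last case shows the safety property the pinning relies on: since every priority here is below 1000, apt will not silently downgrade a package that is already installed at a newer version.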

6. Use firejail.

To run sand-boxed applications, simply prefix your program command with "firejail" in a terminal, for example:

   firejail evince
   firejail vlc

There is no secure and reliable way to create start menu entries / desktop shortcuts using firejail. In the meantime, you are better off starting firejailed applications from the command line.

For a further technical discussion of Firejail, see: https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment

Sandboxing Tor Browser

Non-Qubes-Whonix:
Note: The instructions linked below are now blocked until the release of Whonix 14 due to current problems with the Whonix developers repository. Stay tuned.

Firejail can be used as an interim measure. The instructions for using the recently released alpha Tor sandbox, which was previously tested successfully in Whonix 13 prior to the developer repository changes, are here.

Qubes-Whonix:
Due to a bug,[6] bubblewrap cannot be used in Qubes-Whonix. Until that issue is solved, users can consider restricting the Tor Browser process with Firejail. It makes sense to mitigate the risk of security breaches because Tor Browser is an untrusted application with a huge attack surface; it is frequently and successfully attacked in the wild.

Note: consider cloning your Whonix-Workstation-TemplateVM prior to installing Firejail. It requires a number of dependencies that you may not want in your default template.

1. Boot your Whonix-Workstation TemplateVM.

2. Follow the steps to install Firejail from jessie-backports.

3. Optional step - create a customized Firejail profile for Tor Browser.

Follow these steps.

4. Create a new Whonix-Workstation-AppVM based on your modified template.

Qubes VM Manager -> VM -> Create AppVM

[Image: Create Qubes-Whonix-Workstation AppVM] [7]

5. Run the sand-boxed Tor Browser.

Open a terminal and run:

   firejail torbrowser

6. Test Tor Browser is sand-boxed.

Start Tor Browser in anon-whonix AppVM. Then open a terminal and run:

   firejail --tree

The output should show Tor Browser is now running in a Firejail container:

   XXXX:user:firejail torbrowser
   XXXX:user:/bin/bash /usr/bin/torbrowser
   XXXX:user:bash /home/user/.tb/tor-browser/Browser/start-tor-browser --all
   XXXX:user:./firefox --class Tor Browser -profile TorBrowser/Data/Browse

Running Firefox-ESR in a Firejail Sandbox (Qubes Debian-8 Template only)

Note: preferably clone your Debian-8 TemplateVM prior to taking these steps below, as some dependencies are required.

Warning: Do not use Firefox-ESR in a Whonix template! It is easily fingerprinted and less secure than the Tor Browser.

1. Boot your Debian-8 TemplateVM.

2. Follow the steps to install Firejail from jessie-backports.

3. Create a new Debian-8 AppVM based on your modified template.

4. Launch the sand-boxed Firefox-ESR.

In a terminal, run:

   firejail firefox

5. Confirm Firefox-ESR is sand-boxed.

Open another terminal and run:

   firejail --tree

The output should confirm Firefox-ESR is now running in a firejail container:

   XXXX:user:firejail /usr/lib/firefox-esr/firefox-esr

Virtualization Platform

VirtualBox Hardening

For an overview on security risks of VMs in general: How secure are Virtual Machines really?

The fewer features, the smaller the attack surface. Here are some suggestions for features which you can remove without impacting core functionality:

  • Disable Audio
  • Do not enable Shared Folders
  • Do not enable video acceleration
  • Do not enable 3d acceleration [8] [9]
  • Do not enable Serial Port
  • Remove Floppy drive
  • Remove CD/DVD drive
  • Do not attach USB devices
    • Disable USB controller (enabled by default). Requires setting Pointing Device to "PS/2 Mouse" or changes will revert
  • Do not enable Remote Display server
  • Do not enable IO APIC, EFI? (questionable)
  • Enable PAE/NX? (NX is a security feature)

Whonix-Workstation Security

Introduction

If this VM is compromised, all data it has access to (credentials, browser data, passwords the user has entered, and so on) can be compromised. The IP is never leaked, but this information can still result in identity disclosure.

The best practice is to back up the VM and "roll back" after risky activity and whenever the user suspects the integrity of the system could have been compromised; see the recommendation to use multiple VM snapshots below.

Whonix Example Implementation is currently based on Debian.

For Technical Design notes, see Dev/Operating System. For information on how to use other operating systems, see Other Operating Systems.

VM Snapshots

Apart from offering protection against hardware serial leaks, VMs have another great advantage: the ability to quickly discard and restore a system.

It is recommended that you keep a master copy of Whonix-Workstation, keep it updated, make regular "clean" snapshots but do not edit any settings or install additional software or use it directly for any activity. Instead make a clone or use snapshotting (but never mix up clean and unclean states!) for activities that require anonymity.

After importing the VMs, do a first run of the Whonix-Gateway and Whonix-Workstation virtual machines. Securely update them. After that, stop and do not browse anywhere or open any unauthenticated communication channel to the internet. Shut down the virtual machines and create snapshots of their clean state before browsing or initiating any connections with the outside world. Note: The only exception to this is running apt, which has a guaranteed way to securely download and verify packages.

Important information for VirtualBox users follows.

Warning to VirtualBox users: VirtualBox's VM Snapshot feature is recommended against, because we experienced data loss with it. You're better off using clones or see "Reliable Alternative To Virtualbox VM Snapshots" below.

Warning: VirtualBox's snapshot feature is not (highly) recommended as a reliable method for backing up virtual machines because of possible data loss, primarily in the form of corrupted virtual hard drives [VHD]. Alternative methods are copy/paste, cloning, and exporting/importing. While all these methods provide virtual machine [VM] backups, they nevertheless make inefficient use of disk resources and inherently require manual versioning. VirtualBox's snapshot feature is very useful when it works properly, particularly for interim snapshots of live running systems prior to installing new applications; however, reverting can be very painful, and sometimes impossible, if the virtual hard drive file(s) are corrupted.

As an alternative to the methods mentioned above, Subversion [SVN] in particular is a very reliable tool with which to make backups of VM operating environments. It is akin to VirtualBox's snapshot feature in many respects but much more reliable and efficient. For those that have never used SVN, it is recommended they familiarize themselves with the tool's documentation, what it is and isn't and how it works, prior to making use of it. Numerous implementations of SVN clients are available to choose from for various platforms.

What is SVN? In a nutshell, SVN is a tool typically used by software developers to conduct collaborative configuration management, version control and backup/restore of file sets under development by many people over an extended period of time.

Why SVN as opposed to CVS, GIT, etc.? While most configuration management tools, including SVN, offer the same basic functionality of versioning, backing up and restoring changes to sets of files, by design SVN has no file size limitations - the operative words are "by design". This means when used to back up virtual hard drives for example, regardless of how big or small the files are SVN can handle them reliably and efficiently. See section "Be patient with large files" (link). When versioning file sets, SVN employs "atomic commits". By way of comparison, Concurrent Versions System (CVS) does not employ atomic commits. Manual backup procedures are inherently not atomic functions. Additionally, SVN also handles sparse (dynamic) virtual hard disk files (an option Virtualbox offers when instantiating new virtual disk drives).

From version to version, like Virtualbox's snapshot capability, SVN also takes into consideration differences in files - both textual and binary. This means, for example, if a 50GB virtual hard drive was saved last week and has grown to 60GB this week, SVN's repository will not [necessarily] grow by an additional 60GB when a new back up is performed this week - it depends how much of the original file changed since the previous backup. It will analyse differences between newer files against older files in its repository and only save differences. Therefore the repository may only grow as little as 10GB+ making more efficient use of system resources.

Virtualbox's snapshot feature provides 'branching' capability. This means, one can revert to an earlier version of your VM and start a new branch/version of your VM from where you left off earlier. By comparison, SVN also provides similar branching capability.

NOTE: When using configuration management tools like SVN for back ups and restores, a 50GB file for example typically requires approximately 150GB of disk space to manage that instance of the VM because you require 50GB for the original source file, 50GB in SVN's database repository, and another 50GB for SVN's local workspace working folder ['./.svn']. How is this more efficient? In that sense, it is not. However, when you consider SVN's functionality and reliability compared to manual backup methods mentioned above, this overhead might be considered an investment.

In addition to backing up Whonix gateway and workstation(s) virtual hard drive files, it is also possible to back up the whole of the VirtualBox application in conjunction with Whonix for a complete restorable environment. Cloning is also possible, although that requires more advanced technical skills.

Typically, VirtualBox is an installable application as provided by Virtualbox.org. A portable version of VirtualBox is possible via a tool provided by VBox.me. This tool converts the VirtualBox 'install application' into a 'portable application', thereby providing the option to port VMs to other computers via external USB hard drives and/or sticks. By instantiating virtual machines under portable VirtualBox's '~/data/.VirtualBox/Machines' folder, it is possible to back up and restore the complete operating environment, not only that of Whonix but also the specific instance of VirtualBox, via SVN for complete portability. This encapsulates the entire Whonix operating environment under one parent folder rather than distributing it across various user and system folders.

Adding NAT adapter to Whonix-Workstation / Updates without Tor

Obviously, anonymity will be compromised if you add another NAT network adapter to the Whonix-Workstation, so do not do that. If the Workstation were infected, it could leak through that adapter. Therefore it is recommended to do updates over Tor. It's slow, but there are no leaks.

Adding Host-Only Networking adapter to Whonix-Workstation / SSH into Whonix-Workstation

One might wish to access the Whonix-Workstation through SSH. Therefore one could consider something dangerous - to add a second network adapter with Host-Only Networking. Dangerous! Don't add another network adapter! Also potentially dangerous if any other VMs are running besides Whonix-Workstation! This would expose the MAC address of your host to Whonix-Workstation.

The warning in VMware's documentation on host-only networking may also apply to Whonix:

"If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network.

On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing."

  1. If you want to SSH or VNC into your Whonix-Workstation, your safest bet is to do it from another Whonix-Workstation. When using virtual machines, if they are within the same virtual LAN, they can see each other. When using Physical Isolation, if they are within the same LAN, they can see each other.
  2. Or you could run those services as Hidden Services and access them through another Whonix-Workstation...
  3. ...or from the host using the ordinary torification methods.
  4. Alternatively, you could SSH from the host into Whonix-Gateway (see File Transfer for instructions) and SSH from there into Whonix-Workstation.

In cases 3 and 4, you would weaken the isolation between the host and Whonix-Workstation.

Installing additional software[edit]

See Install Software.

Updating with extra care[edit]

See How to install or update with most caution?.

Onionizing Repositories[edit]

When Whonix, Debian and Qubes packages are installed or updated, the default settings point to repositories with an http:// URI.[10] However, experimental .onion support is already available for the Whonix, Debian and Qubes packages.

There are several security and privacy benefits of using .onions:[11]

  • The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update);
  • The package repository, or observers watching it, can't track what programs you've installed;
  • The ISP cannot easily learn what packages you fetch; and
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks, such as version downgrade attacks.

Whonix and Debian Packages[edit]

Whonix 14 will prefer .onion repositories by default, even when adding third-party resources. Until then, in order to install or update with the utmost caution, users may consider manually editing their sources.list to point to the Whonix and Debian .onion mirrors.

To use the .onion mirrors, it is necessary to change the whonix.list and debian.list files in the /etc/apt/sources.list.d directory in both the Whonix-Workstation and Whonix-Gateway TemplateVMs.

1. Open the Debian sources file in an editor with root rights.

Qubes-Whonix users note: You should do this in the whonix-gw and whonix-ws TemplateVMs.

If you are using a graphical Whonix or Qubes-Whonix, run:

       kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run:

       sudo nano /etc/apt/sources.list.d/debian.list

2. Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.

       #deb http://ftp.debian.org/debian jessie main contrib non-free
       deb tor+http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free
       #deb http://security.debian.org jessie/updates main contrib non-free
       deb tor+http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free
       #Optional Backports
       #deb http://ftp.debian.org/debian jessie-backports main contrib non-free
       deb tor+http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

Save and exit.

3. Point to the Whonix APT Repository .onion mirror.

       sudo whonix_repository --baseuri tor+http://deb.kkkkkkkkkk63ava6.onion --enable --repository stable

Note: Whonix users have four preferences available for packages: stable, stable-proposed-updates, testers and developers. Change the entry above to reflect this preference.[12]

4. Check that the .onion mirrors are correct and functional on your Whonix system.

       sudo apt-get update && sudo apt-get dist-upgrade

5. Repeat steps 1-4 for Whonix-Workstation.

Note: Qubes users can repeat the steps above in their Debian-8 TemplateVM to onionize future installations and updates.

6. Optional - create an onionized torproject.list.

If you are using a graphical Whonix or Qubes-Whonix, run:

       kdesudo kwrite /etc/apt/sources.list.d/torproject.list

If you are using a terminal-only Whonix, run:

       sudo nano /etc/apt/sources.list.d/torproject.list

Cut and paste the following text and comment out (#) the corresponding http repository:

       #Tor Project Mirror
       #deb http://deb.torproject.org/torproject.org jessie main
       deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main

Save and exit.
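The manual edits in steps 1 to 6 can also be scripted. The following is an added example and not code from the Whonix project: a POSIX shell script that rewrites a sources file the way step 2 describes (comment out each active http line and add the tor+http .onion line, using the .onion addresses given above) and a check, in the spirit of step 4, that no uncommented line still references a clearnet mirror host. The helper names, the constructed sample file and the temporary-file handling are this example's own assumptions. APT needs the apt-transport-tor package installed to understand the tor+http scheme.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki page: rewrite an APT sources file
# so that every active "deb http://..." line for a mirror listed on this page is
# commented out and followed by its tor+http .onion equivalent, then verify that
# no active line still references a clearnet repository host.
# APT needs the apt-transport-tor package for the tor+http scheme to work.

# Clearnet host -> .onion host. The addresses are the ones given on this page.
onion_for_host() {
    case "$1" in
        ftp.debian.org)      echo "vwakviie2ienjx6t.onion" ;;
        security.debian.org) echo "sgvtcaew4bxjd7ln.onion" ;;
        deb.torproject.org)  echo "sdscoq7snqtznauu.onion" ;;
        *) return 1 ;;
    esac
}

# onionize_sources FILE: print FILE to stdout with each active "deb http://HOST..."
# line commented out and followed by the same line using tor+http://ONION.
# Lines for hosts without a known .onion, comments and blank lines pass through.
onionize_sources() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "deb http://"*|"deb-src http://"*)
                url=$(printf '%s\n' "$line" | awk '{print $2}')
                host=${url#http://}
                host=${host%%/*}
                if onion=$(onion_for_host "$host"); then
                    printf '#%s\n' "$line"
                    printf '%s\n' "$line" | sed "s|http://$host|tor+http://$onion|"
                else
                    printf '%s\n' "$line"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$1"
}

# check_no_clearnet FILE HOST...: succeed (exit 0) only if no uncommented line of
# FILE mentions any of the given clearnet hosts. Because it only looks at
# hostnames it works for apt .list files and for yum .repo files alike.
check_no_clearnet() {
    file=$1
    shift
    for host in "$@"; do
        if grep -v '^[[:space:]]*#' "$file" | grep -Fq "$host"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample input, modelled on a default Debian jessie debian.list.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free
#Optional Backports
deb http://ftp.debian.org/debian jessie-backports main contrib non-free
EOF

ONIONIZED=$(mktemp)
onionize_sources "$SAMPLE" > "$ONIONIZED"
cat "$ONIONIZED"

check_no_clearnet "$ONIONIZED" ftp.debian.org security.debian.org \
    && echo "OK: no active clearnet mirrors left in $ONIONIZED"
```

Run it against a copy of /etc/apt/sources.list.d/debian.list first and inspect the output; only then write the result over the original file (as root) and run sudo apt-get update as in step 4. The same check_no_clearnet function can confirm any other repository definition file after editing it.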

Qubes Packages[edit]

All the following commands must be run in dom0 in order to use Qubes’ Tor hidden service repositories for each type of VM.[13]

Note: The cat commands are optional, for confirmation only. Also, the downside of this approach is that repository definitions are managed by a Qubes package, meaning you'll need to apply further manual updates in the future when it changes.

Dom0

In dom0, run:

   sudo sed -i 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo
   sudo sed -i 's/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/' /etc/yum.repos.d/qubes-templates.repo && cat /etc/yum.repos.d/qubes-templates.repo

Fedora Template

In dom0, run:

   qvm-run -a --nogui -p -u root $FedoraTemplateVM 'sed -i "s/yum.qubes-os.org/yum.qubesos4rrrrz6n4.onion/" /etc/yum.repos.d/qubes-r3.repo && cat /etc/yum.repos.d/qubes-r3.repo'

Debian and Whonix Templates

In dom0, run:

   qvm-run -a --nogui -p -u root $DebianTemplateVM 'sed -i "s/deb.qubes-os.org/deb.qubesos4rrrrz6n4.onion/" /etc/apt/sources.list.d/qubes-r3.list && cat /etc/apt/sources.list.d/qubes-r3.list'

Other Anonymizing Networks over Tor UDP Tunnel[edit]

If you are tunneling UDP over Tor to connect to other anonymizing networks, you must read this chapter; otherwise you can skip it.

Read first: Tor Plus VPN or Proxy and Whonix VPN disclaimer.

Be aware that the additional tunnel software you need to install (OpenVPN, etc.) adds attack surface: once exploits for it are found, an attacker could target it.

However, when you are using secure tunnel software (for example OpenVPN, not PPTP), the Tor exit relay cannot read your communication with the VPN provider. It can only recognize an encrypted VPN connection to the VPN provider.

The VPN provider can find out, depending on the design of the other anonymizing network, that you are connecting to that network. The VPN provider won't know who you are, but can find out that someone is connecting over Tor.

The encryption of the tunnel software is not relevant, because the other anonymizing network will most likely make use of encryption itself. Consequently, neither the Tor exit relay nor the VPN provider will learn the content of your connection to the other anonymizing network. The usefulness of the information the Tor exit relay and the VPN provider can gather is minimal.

The warning "Normally Tor switches frequently its path through the network. When you choose a permanent destination X, you give away this advantage, which may have serious repercussions for your anonymity." mentioned in the pages linked above applies here as well.

It's recommended to use a dedicated virtual machine for this activity, see Multiple Whonix-Workstations.

Time Attacks[edit]

See Time Attacks.

General Hardening Checklist[edit]

It is possible to significantly harden your platform and improve the chances of successful anonymous activity. This depends upon a user's skill level, motivation and available hardware. This checklist is intended to provide a quick overview of some of the most important issues, categorized by difficulty level (easy, moderate, difficult and expert).

Note: Recommendations specific to Qubes-Whonix or non-Qubes-Whonix have been marked accordingly.

Easy[edit]

Anonymous Blogging, Posting, Chat, Email and File Sending[edit]

  • To remain anonymous, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometry analysis and other covert channels.

Disabling and Minimizing Hardware Risks[edit]

  • In Qubes-Whonix, only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent malicious compromise of dom0 (PS/2 adapters and available controllers are required);
  • Do not enable audio input to any VM unless strictly required and consider disabling microphones where possible (muting on the host) or unplugging external devices;
  • Preferably detach or cover webcams unless they are in use; and
  • Avoid using wireless devices, since they are insecure.

Document Handling[edit]

Qubes-Whonix-Only

  • Potentially malicious PDFs downloaded from the internet should be converted into a trusted PDF before being opened (or otherwise opened in a DispVM). This prevents a hypothetical exploitation of the PDF reader and infection of the VM.

Mandatory Access Control[edit]

  • Enable all available apparmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs; and
  • Enable seccomp on the Whonix-Gateway AppVM.

Passwords and Logins[edit]

  • In Qubes-Whonix, store all login credentials and passwords in an offline vault VM (preferably with KeePassX) and securely copy and paste them into the Tor Browser. Copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere; and
  • Use unique and random Diceware passphrases of 6-7 words in length for all on-line accounts, system logins and encryption/decryption purposes to make brute-force attacks infeasible.

Tor Browser Series and Settings[edit]

VirtualBox[edit]

Non-Qubes-Whonix Only

Whonix Updates[edit]

Moderate[edit]

Create a USB Qube[edit]

Qubes-Whonix Only

  • Prepare and utilize a USB qube to protect dom0 from malicious USB devices.

Host Operating System Distribution[edit]

Non-Qubes-Whonix Only

  • Install GNU/Linux as the only serious option for a private host operating system. Windows and Mac OS X are surveillance platforms that do not respect user freedom or privacy; and
  • The Debian distribution is recommended by Whonix as providing a reasonable balance of security and usability.

Host Operating System Hardening[edit]

Non-Qubes-Whonix Only

  • Follow all Whonix recommendations to harden your host OS against physical attacks, for example, minimizing the attack surface, utilizing full-disk encryption, torifying apt-get traffic, scanning your firewall, and other measures; and
  • Harden your host Debian Linux OS.

Networking[edit]

Qubes-Whonix Only

  • Use the Debian-8 Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not 'ping home', unlike the Fedora Template.[14]

Newer Kernels[edit]

Qubes-Whonix Only

  • Install newer kernels to benefit from additional protections (including grsec elements) being mainlined by the kernel hardening project.

Onionizing Repositories[edit]

Sandboxing[edit]

  • Use the alpha sandbox to restrict the Tor Browser; and
  • Use Firejail to restrict Firefox-ESR, VLC and other regularly used applications.

Secure Back-ups[edit]

Qubes-Whonix Only

Spoof MAC Addresses[edit]

  • This is only necessary if you expect to travel with your laptop or PC; it is not required for home PCs that do not change location;
  • In Qubes-Whonix, follow these steps to spoof the MAC address on the Debian or Fedora TemplateVM used for network connections; and
  • In non-Qubes-Whonix, follow these steps to spoof the MAC address of your network card on a Linux host.

Time Stamps[edit]

Non-Qubes-Whonix Only

Difficult[edit]

Anti-Evil Maid[edit]

Qubes-Whonix Only

  • If you have a Trusted Platform Module, use AEM protection to attest that only desired (trusted) components have been loaded and executed during the system boot.

Chaining Anonymizing Tunnels[edit]

Disposable VMs[edit]

Qubes-Whonix Only

  • Run all instances of the Tor Browser in a Disposable VM which is preferably uncustomized to resist fingerprinting.

Email[edit]

In Qubes-Whonix:

  • Use split-GPG for email to reduce the risk of theft of the keys used for encryption/decryption and signing;
  • Create an AppVM that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ('Deny network access except...'); and
  • Only open untrusted email attachments in a DispVM to prevent possible infection.

On both platforms:

  • Follow the Whonix recommendations to select an email provider compatible with privacy and anonymity;
  • Refuse to use Yahoo and Gmail, which use automated software to scan emails for keywords to tailor advertising and sell products. Do not rely on Hotmail, which has a history of reading private emails and messages; and
  • Prefer email providers that are: free, support GPG encryption and key management, have encrypted inboxes by default, are outside US jurisdictions, and have desktop email compatibility with Icedove (Mozilla Thunderbird).

Grsec Templates[edit]

  • In Qubes-Whonix, use dom0, Debian, Fedora and Whonix grsec templates to provide significant kernel exploit protections; and
  • In non-Qubes-Whonix, install the latest Grsecurity kernel on your host or KVM Whonix guest.

Whitelisting Tor Traffic[edit]

Qubes-Whonix Only

  • Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through. This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix bugs, but does not address potential Qubes ProxyVM leaks.[15]

Expert[edit]

Disable Intel ME Blobs[edit]

Flash the Router with Opensource Firmware[edit]

Install Libreboot[edit]

  • Libreboot is a free, open-source BIOS or UEFI replacement (firmware) that initializes the hardware and starts the bootloader for your OS. Warning: incompatible with newer architectures - risk of bricking your computer!

Physical Isolation[edit]

Non-Qubes-Whonix Only

  • If you have the available hardware, consider physical isolation in non-Qubes-Whonix. Using two different computers plus virtualization is the most secure configuration available there, but it may still be less secure than Qubes' approach (software compartmentalization).

Stay Tuned[edit]

Stay Tuned

Advanced Security Guide[edit]

For even more security, see Advanced Security Guide.

Footnotes[edit]

  1. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md - http://www.webcitation.org/6F7Io2ncN.
  2. https://github.com/jonasmalacofilho/ubuntu-luks-suspend
  3. https://github.com/Whonix/sdwdate/blob/master/etc/qubes/suspend-pre.d/30_sdwdate.sh and https://github.com/Whonix/sdwdate/blob/master/etc/qubes/suspend-post.d/30_sdwdate.sh
  4. https://firejail.wordpress.com/
  5. https://github.com/netblue30/firejail/tree/master/etc
  6. bubblewrap Sandboxed Tor Browser fails to start in Qubes Debian based AppVM - firefox: Can't mount proc on /newroot/proc
  7. Create Qubes-Whonix-Workstation AppVM:
      • Name and label: Name your AppVM. Don't include any personal information. (This is because in case an AppVM gets compromised, one could run qubesdb-read /name to read the VM's name from within the VM.) Name your AppVM something generic, for example: anon-whonix.
      • Color: Choose a color label for your Whonix-Workstation AppVM.
      • Use this template: Choose your Whonix-Workstation TemplateVM. For example: whonix-ws.
      • Standalone: Leave the Standalone field unchecked, unless you want a persistent root filesystem.
      • Type: Choose the "AppVM" type.
      • Allow networking: Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.
      • Press: OK
  8. Quote http://www.virtualbox.org/manual/ch04.html#guestadd-3d

    Untrusted guest systems should not be allowed to use VirtualBox's 3D acceleration features, just as untrusted host software should not be allowed to use 3D acceleration. Drivers for 3D hardware are generally too complex to be made properly secure and any software which is allowed to access them may be able to compromise the operating system running them. In addition, enabling 3D acceleration gives the guest direct access to a large body of additional program code in the VirtualBox host process which it might conceivably be able to use to crash the virtual machine.

  9. Quote https://hsmr.cc/palinopsia/

    If the "3D-Acceleration" feature of VirtualBox is activated, running the proof-of-concept code from inside the VM provides the ability to read framebuffers from the host system.

  10. https://www.whonix.org/wiki/Whonix-APT-Repository#Repository_Location_URI
  11. https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions
  12. https://www.whonix.org/wiki/Whonix-APT-Repository#Whonix_APT_Repository_Overview
  13. https://www.qubes-os.org/doc/hidden-service-repos/
  14. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
  15. https://github.com/rustybird/corridor
