Upgrading Whonix 13 to Whonix 14
High Level Overview
1. Backup your data - ideally have a copy of the VM so it is possible to try again (if necessary).
2. Consider running the optional #Sanity Tests.
3. Upgrade Whonix-Workstation.
4. Power off Whonix-Workstation.
5. Upgrade Whonix-Gatway.
6. Restart Whonix-Gateway.
7. Restart Whonix-Workstation.
These are optional, but recommended. To complete sanity tests, please press on expand on the right.
sudo dpkg --audit ; echo $?
sudo dpkg --configure -a ; echo $?
sudo apt-get update
sudo apt-get dist-upgrade
For testing purposes, install python-qt4.
sudo apt-get install python-qt4 ; echo $?
## ... successful installation of python-qt4 ... 0
|Downloading a new Whonix-Gateway / Whonix-Workstation is easier than applying the following upgrade instructions, but this process should be relatively smooth.|
First consider completing the #Sanity Tests described above; the system is checked for obvious and grave issues that must be fixed before attempting an upgrade. For example, if the package manager is broken due to the mixing of packages from both Debian stable and Debian testing, then the upgrade may fail part way through, leaving the system in an unstable state that is difficult to resolve.
Consider retaining the full terminal (Konsole) log. Even if the upgrade appears successful, there might be issues following reboot. To properly report a bug in the Whonix forums it is necessary to share the upgrade log so the issue can be investigated.
|If you are using Qubes-Whonix: If Qubes R3.0 or R3.1 is used as the host operating system, it is strongly advised to upgrade the VMs and dom0 to R3.2 before proceeding. Only Qubes R3.2 and R4 are currently supported.  Follow the Qubes R3.1 > R3.2 upgrade instructions on the Qubes website.|
First, upgrade the system's packages from Debian.
|If you are using Qubes-Whonix: When upgrading the TemplateVM, |
Update Whonix apt sources list.
sudo whonix_repository --enable --codename stretch
Update Debian apt sources list.
sudo sed -i "s/jessie/stretch/g" /etc/apt/sources.list.d/debian.list
Qubes-Whonix only. Update Qubes apt sources list.
sudo sed -i "s/jessie/stretch/g" /etc/apt/sources.list.d/qubes*.list
Enable extensive debugging so the reporting of any eventual bugs is easier.
Update the package lists.
apt-get install torsocks usability-misc
Purge packages which are not required or deprecated in Whonix and have been replaced by new functionality.  anon-shared-kde-accessibility and kaccessible can be excluded from the following command if accessibility tools are in use.
apt-get purge anon-shared-kde-accessibility kaccessible iceweasel firefox-esr exim* unattended-upgrades cups control-port-filter-python packagekit at wpasupplicant apparmor-profile-sdwdate apparmor-profile-whonixcheck
Restart whonix-legacy service. 
service whonix-legacy restart
Non-Qubes-Whonix users please click on expand on the right.
Qubes-Whonix users please click on expand on the right.
|Qubes-Whonix only! Whonix-Gateway only!|
apt-get install qubes-whonix-gateway
|Qubes-Whonix only! Whonix-Workstation only!|
apt-get install qubes-whonix-workstation
|Qubes-Whonix Whonix-Workstation only! Only when you upgrade from Qubes R3.2 to Qubes R4!|
apt-get install pulseaudio-qubes
Remove packages which are no longer required.
Reinstall whonix-firewall. 
apt-get install --reinstall whonix-firewall
Systemctl unmask whonix-firewall.
systemctl unmask whonix-firewall
Systemctl enable whonix-firewall.
systemctl enable whonix-firewall
sudo apt-get install --reinstall virtualbox-guest-*
Remember to store the terminal (Konsole) log:
Save Output As
Open a new terminal (Konsole) tab. 
A poweroff is required.
- Non-Qubes-Whonix users: All necessary steps are now complete.
- Qubes-Whonix users: In Dom0
sudo qubesctl state.sls qvm.anon-whonix
Only complete the next step if all upgrades should be routed through
sudo qubesctl state.sls qvm.updates-via-whonix
The upgrade procedure is now complete.
Update Settings in Qubes R4
After successfully cloning
whonix-ws-14, some users will want to configure a new
sys-whonix-14 ProxyVM and have TemplateVMs use it for future updates. Follow these steps below.
1. Create a new Proxy-VM using the
whonix-gw-14 template. Label the new VM "sys-whonix-14".
2. Edit the /etc/qubes-rpc/policy/qubes.UpdatesProxy file to set
sys-whonix-14 as the target VM for the recently upgraded Whonix-Workstation and Whonix-Gateway. Copy and paste the text below.
whonix-ws $default allow,target=sys-whonix whonix-ws $anyvm deny whonix-gw $default allow,target=sys-whonix whonix-gw $anyvm deny whonix-ws-14 $default allow,target=sys-whonix-14 whonix-ws-14 $anyvm deny whonix-gw-14 $default allow,target=sys-whonix-14 whonix-gw-14 $anyvm deny ## Note that policy parsing stops at the first match, ## so adding anything below "$anyvm $anyvm action" line will have no effect ## Please use a single # to start your custom comments # Default rule for all TemplateVMs - direct the connection to sys-net $type:TemplateVM $default allow,target=sys-net $anyvm $anyvm deny
Save and exit.
3. After upgrading to Qubes-Whonix 14 in Qubes R4, the network setting for any Whonix TemplateVM should be set to
none because a qrexec-based updates proxy is in use. 
- This avoids some torsocks warnings due to the torsocks upgrade.
- Provides apt-get-noninteractive.
- sysfsutils - https://github.com/Whonix/Whonix/commit/d7cb15aa96bd571368b54f8a980922d9e1982250
- A manual restart is required because apt-get-noninteractive is being used. This step is not crucial since it would also run after reboot.
- This is required because the Whonix repository URI has been upgraded to a new location by the whonix-legacy package.
- This is because of the whonix-gw-firewall / whonix-ws-firewall to whonix-firewall package migration.
- Not always required. Depends on host VirtualBox version. No harm if not needed.
exitto sign out as root to get back to user
- Qubes-Whonix 13 supports this feature as well after running apt-get dist-upgrade.
https | (forcing) onion
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.