Verify the Whonix ™ Windows Installer

From Whonix

Ambox warning pn.svg.png Whonix ™ Windows Installer currently unavailable. Stay Tuned for news.

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

Download Whonix ™ Windows Installer and Digital Signature[edit]

The Whonix ™ Windows Installer was developed with design goals focused on provide users with an fast and easy method to install Whonix ™ in Microsoft Windows. When whonix-installer.exe is executed the Recommended VirtualBox version and both Whonix ™ VMs are seamlessly installed on the Windows machine. Once Whonix ™ is installed, users only need to click the start button in the Whonix ™ GUI for both Whonix-Gateway ™ and Whonix-Workstation ™ VMs to start.

Download the Whonix ™ Installer for Microsoft Windows.

Ambox warning pn.svg.png By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.


Whonix Windows Installer
Anonymous Download
Possible [1]
Download Security
- - Without Verification With Verification
Https long.png Whonix Installer Yes [1] Medium High [2]
Signature.png OpenGPG Signature Yes [1] - -
Crypto key.png Signing Key Yes [1] - -

Before continuing, download both Whonix ™ Windows Installer and corresponding OpenPGP signature in the above download table. Then continue with the steps needed to install of the software digital signature verification tools. Then verify the Whonix ™ digital software signatures.

Users that are familiar with OpenPGP verification can go straight to download the signing key and verify the Whonix ™ Windows installer.

Software Digital Signature Verification Tools Installation[edit]


Due to Conceptual Challenges in Digital Signatures Verification and impracticality, unpopularity of digital software signature verification on the Windows platform, this is a cumbersome process. None of these issues are specific to Whonix ™ to caused by Whonix ™. [3]

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.

Most other vendors of software on the Windows platform are either unaware or ignore this issue. The Whonix ™ project makes an effort to document and cope up with the mess on the Windows platform.

This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the Whonix ™ project and other software.

Option A) The following guide provides steps to:

  1. Download and installation of SignTool.
  2. Download Gpg4win.
  3. Verify Gpg4win using SignTool.
  4. Import the developer's GPG signing key into Gpg4win.
  5. Verify the Whonix ™ Windows Installer using Gpg4win.

SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures.

GnuPG is a complete and free implementation OpenPGP that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. Gpg4win is a graphical front end for GnuPG that is used to for file and email encryption in Windows. The verification process for the Whonix ™ Windows Installer includes securely downloading an verifying the gpg4win package. Once completed GPG can be used from the command-line to verify the Whonix ™ Windows Installer.

Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over TLS, a very basic form of authentication. The argument for that is debatable. "It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server." [4]

Option B) Therefore optionally the user might decide to skip the SignTool step and simplify as follows.

  1. Download and install Gpg4win.
  2. Import the developer's GPG signing key into Gpg4win.
  3. Verify the Whonix ™ Windows Installer using Gpg4win.

The Gpg4win documentation also covers subject.

Install SignTools[edit]

The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archives for the Windows 10 SDK installer in the below instructions.

SignTools is a Windows command-line tool that uses Authenticode to digitally sign files and verify both signatures in files and time stamp files. SignTool is available as part of Mirosoft Windows SDK, which can be can be installed in just a few easy steps. Once installed it can be used to verify the gpg4win package before installation.

1. Browse to

  • Right-click Downloading The InstallerRight-click SaveRight-click Run.

2. Set the correct path.

After the the installer finishes loading:

  • Right-click Continuechoose PATHC:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDKRight-click Next.

Figure: Choose SDK Installation Path

Sdk installer specify download path.png

3. Install the necessary SDK package.

The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Developmental Kit. This differs from the corresponding package in Windows 10.

Figure: Select SignTools Package

Select sdk features for download.png

Once the box to the corresponding package is "checked", right-click Download. Once installation is complete, close the installer.

Figure: Finalized SDK Download

Sdk installer download complete.png

Download and Verify Gpg4win[edit]

SignTool can be used to verify the authenticity of the gpg4win package itself.

Note: To simplify the SignTool verification process be sure to download the gpg4win package to the Downloads directory.

1. Download the gpg4win package.

  • Navigate to
  • Scroll down and download the latest version of gpg4win and the corresponding signature. At the time of writing (August 2020) gpg4win-3.1.12.exe was the latest version.

2. Verify the gpg4win package by running SignTool from the command prompt.

To open a command prompt, in the Windows Start Menu, run.


From the command prompt, change to the Downloads directory.

cd C:\Users\<your_user_name>\Downloads

Verify the gpg4win package using SignTool.

signtool verify /pa gpg4win-3-1.12.exe

The following output shows a successful gpg4win verification.

Figure: Successful Verification

Signtool verify gpg4win success.png

Ambox warning pn.svg.png Warning: if verification fails, delete the gpg4win package and repeat the download and verification process again.

Verify the Whonix ™ Windows Installer[edit]

It is important to check the integrity of the downloaded Whonix ™ Windows Installer to ensure that neither a man-in-the-middle attack or file corruption occurred; (see Download Security).

Ambox warning pn.svg.png Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This page is strongly related to the pages Placing Trust in Whonix ™ and Verifying Software Signatures.

1. If not already completed, have GnuPG initialize your user data folder.

gpg --fingerprint

2. Download 0brand's OpenPGP key.


3. Store the key as C:\Users\<user_name>\Downloads\0brand.asc

4. Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint 0brand.asc

5. Verify the output. The output should be identical to the following.

pub   rsa4096/CFDBC23923C0433B 2019-08-08 [SC] [expires: 2021-08-07]
      Key fingerprint = B67C 6FE6 4BAE 05CD 05ED  775D CFDB C239 23C0 433B
uid                           "0brand" <>
sub   rsa4096/530523783446A24A 2019-08-08 [E] [expires: 2021-08-07]
sub   rsa4096/397090C34BED0A12 2019-08-08 [S] [expires: 2021-08-07]

If the key was successfully imported, the following message will appear.

gpg: key 0xCFDBC23923C0433B: public key ""0brand" <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

6. Import the key.

gpg --import 0brand.asc

The output should confirm the key was imported.

gpg: key 0xCFDBC23923C0433B: public key ""0brand" <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Output already imported.

If the signing key was already imported in the past, the output should confirm the key is unchanged.

gpg: key 0xCFDBC23923C0433B: ""0brand" <>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

4. Start the cryptographic verification, which can take several minutes.

In Windows command prompt, change to the directory with the whonix-installer.exe package and corresponding signature file.

cd C:\Users\<user_name>\<directory_name>

Next, verify the Whonix ™ Windows Installer.

gpg --verify-options show-notations --verify whonix-installer.exe.asc whonix-installer.exe

If the Whonix Installer image is correct the output will tell you that the signature is good.

gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT
gpg:                using RSA key 307274F1AF46F1599B3F40A1397090C34BED0A12
gpg: Good signature from ""0brand" <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B67C 6FE6 4BAE 05CD 05ED  775D CFDB C239 23C0 433B
     Subkey fingerprint: 3072 74F1 AF46 F159 9B3F  40A1 3970 90C3 4BED 0A12

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix ™ signing key and the web of trust. To remove this warning, the Whonix ™ signing key must be personally signed with your own key.

warning Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2020 and now see a signature from 2019, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [5]

The first line includes the signature creation timestamp. Example.

gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT

warning Note: OpenPGP signatures sign files, but not file names. [6]

Install Whonix[edit]

Note: When the Whonix ™ Windows Installer is executed, the currently installed VirtualBox package -- if there is one installed on the system -- is removed and the latest VirtualBox package is installed. [7]

Whonix ™ can be installed by simply running whonix-installer.exe. When installation is complete, users will be greeted with the Whonix ™ GUI which can then be used to start the VMs. Keep in mind that installation could take can up to 15 minutes to complete depending on your hardware configuration.

In the folder you downloaded the Whonix ™ Windows Installer:

  • Double "click" whonix-installer.exeLicense agreement "click" Install → Finish

Figure: Whonix Windows Installer

Whonix windows installer.png

Figure: Install Whonix

Whonix installer wizard.png

Figure: License agreement

Whonix windows installer license agreement.png

Figure: Extracting files

Installing whonix.png

Figure: Whonix installation complete

Whonix setup wizard complete.png

Start Whonix[edit]

Whonix Desktop Starter

  • Double "click" Whonix desktop starter"click" Start Whonix.

VirtualBox interface

  • Double "click" Whonix desktop starter "click" Advanced in Whonix GUI.

When the Advanced button is pressed, the VirtualBox user interface will open and the VMs can be started.

The VirtualBox interface will provide a more granular control of the VMs. From there users can manage the Whonix ™ VMs or modify VirtualBox settings.

Figure: Whonix desktop starter

Whonix desktop starter.png

Figure: Whonix user interface

Whonix User Interface start.png

Figure: Start Whonix VM

Virtualbox user interface.png

Shutdown Whonix[edit]

From the Whonix GUI

  • Both Whonix VMs can be shutdown simultaneously by clicking the Stop Whonix button.

Figure: Stop Whonix VMs

Whonix User Interface stop.png

First Time Users[edit]

First time users and more[edit]

First time users information

Whonix ™ default admin password is: changeme default username: user
default password: changeme

Whonix first time users warning Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix ™ works.

Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix ™ is the right tool for you based on its limitations.

Footnotes and Experimental Spectre / Meltdown Defenses → press Expand

VirtualBox Stable Version | VirtualBox Testers Only Version

Testers only! For more information please press on expand on the right.

These experimental Spectre/Meltdown defenses are related to issues outlined in Firmware Security and Updates. Due to the huge performance penalty and unclear security benefits of applying these changes, it may not be worth the effort. The reason is VirtualBox is still likely vulnerable, even after:

  1. A host microcode upgrade.
  2. A host kernel upgrade.
  3. A VM kernel upgrade.
  4. A "not vulnerable" result from spectre-meltdown-checker run on the host.
  5. Installation of the latest VirtualBox version. [8]
  6. All Spectre/Meltdown-related VirtualBox settings are tuned for better security as documented below.

To learn more, see: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed and the associated VirtualBox forum discussion. [9] Users must patiently wait for VirtualBox developers to fix this bug.

On the host. [10] [11] [12] [13] [14] [15] [16]

VBoxManage modifyvm "Whonix-Gateway" --ibpb-on-vm-entry on VBoxManage modifyvm "Whonix-Gateway" --ibpb-on-vm-exit on VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-vm-entry on VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-sched on VBoxManage modifyvm "Whonix-Gateway" --spec-ctrl on VBoxManage modifyvm "Whonix-Gateway" --nestedpaging off VBoxManage modifyvm "Whonix-Gateway" --mds-clear-on-vm-entry on VBoxManage modifyvm "Whonix-Gateway" --mds-clear-on-sched on

VBoxManage modifyvm "Whonix-Workstation" --ibpb-on-vm-entry on VBoxManage modifyvm "Whonix-Workstation" --ibpb-on-vm-exit on VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-vm-entry on VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-sched on VBoxManage modifyvm "Whonix-Workstation" --spec-ctrl on VBoxManage modifyvm "Whonix-Workstation" --nestedpaging off VBoxManage modifyvm "Whonix-Workstation" --mds-clear-on-vm-entry on VBoxManage modifyvm "Whonix-Workstation" --mds-clear-on-sched on

Info These steps must be repeated for every VirtualBox VM, including multiple and custom VMs.

The above instructions only apply to the default VM names Whonix-Gateway ™ and Whonix-Workstation ™. Therefore, if Multiple Whonix-Workstation ™s and/or Multiple Whonix-Gateway ™s are configured, then repeat these instructions using the relevant name/s.


  1. 1.0 1.1 1.2 1.3 By using the Tor Browser Bundle (TBB). For an introduction, see Tor Browser. See also Hide Tor and Whonix ™ from your ISP.
  2. It does not matter if the bulk download is done over an insecure channel if OpenPGP verification is used at the end.
  3. This is being stated to avoid Whonix ™ of getting blamed for this mess. Previously users put it this way:

    I never had to verify any software. Why Whonix makes this more complicated than everyone else?

  5. As defined by TUF: Attacks and Weaknesses:
  7. At the time of writing (AUG 19 2019) VirtualBox 6.0.10 was the latest stable release version.
  8. VirtualBox version 5.2.18 or above is required since only that version comes with Spectre/Meltdown defenses. See
  9. Also see the following forum discussion: vulerable due to missing processor microcode packages? spectre / meltdown / retpoline / L1 Terminal Fault (L1TF)
  10. --ibpb-on-vm-[enter|exit] on|off: Enables flushing of the indirect branch prediction buffers on every VM enter or exit respectively. This could be enabled by users overly worried about possible spectre attacks by the VM. Please note that these options may have sever impact on performance.

    There is a mistake in the VirtualBox manual stating enter which does not work. It is actually entry.


    --l1d-flush-on-vm-enter on|off: Enables flushing of the level 1 data cache on VM enter. See Section 13.4.1, “CVE-2018-3646”.

  12. --l1d-flush-on-sched on|off: Enables flushing of the level 1 data cache on scheduling EMT for guest execution. See Section 13.4.1, “CVE-2018-3646”.


    For users not concerned by this security issue, the default mitigation can be disabled using

    VBoxManage modifyvm name --l1d-flush-on-sched off

    Since we want to enable the security feature we set --l1d-flush-on-sched on.

  14. --spec-ctrl on|off: This setting enables/disables exposing speculation control interfaces to the guest, provided they are available on the host. Depending on the host CPU and workload, enabling speculation control may significantly reduce performance.

  15. According to this VirtualBox ticket --spec-ctrl should be set to on.
  16. --nestedpaging on|off: If hardware virtualization is enabled, this additional setting enables or disables the use of the nested paging feature in the processor of your host system; see Section 10.7, “Nested paging and VPIDs” and Section 13.4.1, “CVE-2018-3646”.