Whonix-Workstation Security Hardening
Donate
Whonix comes with many security features
. Whonix is Kicksecure™ hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
This page is targeted at users who wish to improve the security of their Whonix-Workstation to become even more secure.
Introduction
[edit]Whonix is by no means a perfectly hardened system. Additional hardening measures are most welcome, but at the same time hardening by default is very difficult. Until the Whonix project realizes a significant increase in resources or community assistance, extra measures will remain out of scope and hardening will be left to the upstream operating system. See Virtualization Platform for further details.
AppArmor
[edit]Learn more about AppArmor
, which helps to protect against vulnerabilities by confining a program's file access based upon strict rule-sets. It is recommended to apply the available Whonix AppArmor profiles to contain various applications which are run in Whonix-Gateway™ (sys-whonix) and/or Whonix-Workstation (anon-whonix), like Tor, Tor Browser, Thunderbird and others.
Disable TCP SACK
[edit]TCP Selective Acknowledgement (SACK) is a commonly exploited option in the TCP protocol and not needed for many people. [1] For this reason, it is recommended to disable it unless required.
Open file /etc/sysctl.d/30_security-misc.conf in an editor with administrative ("root") rights.
1 Select your platform.
2 Notes.
- Sudoedit guidance: See
Open File with Root Rights for details on why using sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand.
3 Open the file with root rights.
sudoedit /etc/sysctl.d/30_security-misc.conf
2 Notes.
- Sudoedit guidance: See Open File with Root Rights for details on why using
sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand. - Template requirement: When using Qubes-Whonix, this must be done inside the Template.
3 Open the file with root rights.
sudoedit /etc/sysctl.d/30_security-misc.conf
4 Notes.
- Shut down Template: After applying this change, shut down the Template.
- Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
- Qubes persistence: See also Qubes Persistence
- General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.
2 Notes.
- Example only: This is just an example. Other tools could achieve the same goal.
- Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.
3 Open the file with root rights.
sudoedit /etc/sysctl.d/30_security-misc.conf
Uncomment all lines starting with net.ipv4.
This procedure can also be repeated on the Whonix-Gateway.
TCP SACK is not disabled by default because on some systems it can greatly decrease network performance. [2]
Restrict Hardware Information to Root
[edit]See Restrict Hardware Information to Root.
Footnotes
[edit]- ↑ For example, it has been used for remote denial of service attacks and can even lead to a Linux kernel panic.
- ↑
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2026 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!