This page is targeted at users who wish to improve the security of their Whonix-Workstation to become even more secure.
Whonix comes with many security features . Whonix is Kicksecure™ hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
This page is targeted at users who wish to improve the security of their Whonix-Workstation for even greater protection.
If the Whonix-Workstation (
anon-whonix) VM is ever compromised, the attacker has access to the data it contains, including all credentials, browser data and passwords. The IP address is never leaked since this requires a compromise of the Whonix-Gateway™ (
sys-whonix) VM, but this information may still result in identity disclosure.
Best practice is to:
- Keep a clean master copy of the Whonix-Workstation VM.
- Make snapshots / clones of the master copy.
- Only use the snapshots / clones for Internet activity.
- Periodically delete old snapshots / clones.
This way it is possible to 'rollback' -- use a new clean clone / snapshot VM -- after risky activity or if a system compromise is suspected. See the multiple VM Snapshots recommendation below.
Best practice is to:
- Use Disposables for all Internet activity; or
- Periodically delete the Whonix-Workstation AppVM(s) and create fresh instances from the Whonix-Workstation Template.
It is recommended to enable the Whonix AppArmor profiles which are available for various applications that are run in either the Whonix-Gateway or Whonix-Workstation, such as Tor, Tor Browser, Thunderbird and others. The profiles are easy to apply and provide a considerable security benefit.
File Storage Location
According to the Firejail project page: 
Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.
Firejail has built-in profiles for a large number of popular Linux programs, including many which are used in Whonix. A small sample of the 100+ profiles includes: Chromium, CryptoCat, Thunar, Evince, Firefox, HexChat, LibreOffice, Okular, Thunderbird, Transmission, VirtualBox, VLC and wget. 
Launch Firejailed Applications
To run sandboxed applications, simply prefix the program command with "firejail" in a terminal. For example:
firejail evince firejail vlc
To confirm an application is sandboxed, open a terminal and run.
Additional Firejail Options
The full list of Firejail command line options can be found in the official documentation. Alternatively, run the following terminal command in Whonix-Workstation (
Firejail has a host of additional security features. For instance, VLC could be run while blocking access to the Internet as follows.
firejail --net=none vlc
Similarly, the following commands would run VLC with seccomp restrictions and debug output. 
firejail --debug vlc
Firejail Firefox-ESR in Qubes Debian AppVM
It is recommended to clone the Debian Template before proceeding, as a number of dependencies are installed:
- In a Debian AppVM, launch a firejailed Firefox-ESR application.
- Confirm Firefox-ESR is sandboxed:
- firejail --tree
The output should confirm Firefox-ESR is now running in a firejail container.
Hardened malloc ('hardened_malloc') is a hardened memory allocator created by security researcher, Daniel Micay.
According to the author's GitHub description: 
This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independent arenas, with the internal locking within arenas further divided up per size class.
It is possible to use this as the memory allocator for many applications to increase security.
Refer to the dedicated Hardened Malloc wiki page for further details.
Add a Host-Only Networking Adapter / SSH into Whonix-Workstation
If accessing the Whonix-Workstation via SSH, some users may consider something dangerous - adding a second network adapter with host-only networking.
The VMware host-only warning regarding routing and connection sharing may equally apply to Whonix: 
If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network. On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing.
If it is necessary to SSH or VNC into Whonix-Workstation, then use one of these recommended methods:
- It is safest to do this from another Whonix-Workstation. When using VMs, they can see each other if they are within the same virtual LAN. When using Physical Isolation, VMs can see each other if they are within the same LAN.
- Alternatively, run the services using Onion Services and access them through another Whonix-Workstation.
The following methods are not recommended, since they risk weakening isolation between the host and Whonix-Workstation:
- Another alternative is to run the services using Onion Services and access them from the host using ordinary torification methods.
- A final method is to SSH from the host into Whonix-Gateway (see File Transfer for instructions) and then SSH from there into Whonix-Workstation.
Add a NAT Adapter / Updates without Tor
If this advice is disregarded, then a user's identity is leaked if/when infection occurs. Therefore, it is strongly recommended to always update over the Tor network. Although Tor updating is slow by comparison, it prevents inadvertent leaks.
Regular clean snapshots or clones of the master VM should be made for activities that require anonymity. Particular care must be taken that clean and unclean states are never mixed up!
- Preliminary tests of other security features reveals they are not yet functional in Whonix, for instance , , and . If the user does not specify a path to a specific profile when running Firejail, it will search for any relevant profile automatically. If a specific profile is not located, a default profile will be used.