Whonix-Workstation Security Hardening

From Whonix

Doors-1767563 640.jpg

Whonix ™ comes with many security features [archive]. Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their Whonix-Workstation ™ to become even more secure.


Whonix ™ is by no means a perfectly hardened system. Additional hardening measures are most welcome, but at the same time hardening by default is very difficult. Until the Whonix ™ project realizes a significant increase in resources or community assistance, extra measures will remain out of scope and hardening will be left to the upstream operating system. See Virtualization Platform for further details.


Learn more about AppArmor [archive], which helps to protect against vulnerabilities by confining a program's file access based upon strict rule-sets. It is recommended to apply the available Whonix ™ AppArmor profiles to contain various applications which are run in Whonix-Gateway ™ (sys-whonix) and/or Whonix-Workstation ™ (anon-whonix), like Tor, Tor Browser, Thunderbird and others.

Disable TCP SACK[edit]

TCP Selective Acknowledgement (SACK) [archive] is a commonly exploited option in the TCP protocol and not needed for many people. [1] For this reason, it is recommended to disable it unless required.

Open file /etc/sysctl.d/30_security-misc.conf in an editor with root rights.

(Qubes-Whonix ™: In Template)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/sysctl.d/30_security-misc.conf

Uncomment all lines starting with net.ipv4.

This procedure can also be repeated on the Whonix-Gateway ™.

TCP SACK is not disabled by default because on some systems it can greatly decrease network performance. [2]

Multiple Tor Browser Instances and Workstations[edit]

Appropriate compartmentalization of user activities is important when different identities and/or additional software are in use. Multiple Tor Browser instances provide some separation of distinct identities, however this issue has not yet been fully solved by Tor Browser or Torbutton. A more secure method of compartmentalization is using Multiple Whonix-Workstation ™, which are easily created.

Multiple Tor Browser Instances[edit]

To better separate different contextual identities, consider starting multiple Tor Browser instances. Follow the steps in the Manually Downloading Tor Browser entry, except for minor changes that are necessary; for example Tor Browser must be extracted into a different folder.

This method is less secure than using multiple Whonix-Workstation ™, which is outlined below.

Multiple Whonix-Workstation ™[edit]

For tasks requiring different identities and/or additional software, it is recommended to utilize two or more Whonix-Workstation ™ VMs since different torified clients are isolated from each other. In this configuration, a Tor Browser exploit in one Whonix-Workstation ™ cannot simultaneously read the user's identity in another VM (for example, an IRC account). [3]

This method is less secure than using Tor Browser in a Qubes Whonix-Workstation ™ DisposableVM.

Restrict Hardware Information to Root[edit]

See Restrict Hardware Information to Root.


  1. For example, it has been used for remote denial of service attacks [archive] and can even lead to a Linux kernel panic.
  2. [archive]
  3. This does not protect against the sudden loss of networking, which could reveal to the attacker that two activities / accounts suddenly going off-line are probably related.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Whonix-Workstation Security Hardening&body= link= Security Hardening link= Security Hardening link= Security Hardening%20 Security Hardening

Please contribute by helping to answer Whonix ™ questions.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.