Whonix Stable Release
|About this Whonix Stable Release Page|
- 1 Whonix ™ 15 Changelog
- 1.1 All Platforms
- 1.2 Non-Qubes-Whonix
- 1.3 Qubes-Whonix ™
- 2 Whonix ™ 15 Updates
- 3 Footnotes
Whonix ™ 15 Changelog
Whonix ™ 15 was released on July 1, 2019.  Significantly, Whonix ™ 15 is based on the Debian buster (Debian 10) distribution which was officially released on July 6, 2019 instead of Debian stretch (Debian 9). The buster release has nearly 60,000 packages and over 62 per cent of them were updated   -- see the official Debian 10 release notes [archive] to learn more.
- Fixed file saving issues in scurl wrappers.   
- Fixed the partial truncation of text in Whonix Connection Wizard. 
- Installed cryptsetup by default so errors do not appear when using a GUI and interacting with encrypted containers.   
- Ported the build script to cowbuilder; build packages in chroot and use mmdebstrap for better security. 
- Modified whonixcheck so it suggests to start networking / onion-grater if it is not running. 
- Improved the /usr/share/sdwdate/unit_test  
- Improved the sdwdate message Tor consensus message. 
- Confirmed the sanity of systemd DNS after porting to Debian buster. 
- Established sane built-in defaults even if configuration files are non-existing.  
- Updated the onion list time sources for sdwdate so that offline and unwanted onions were removed. 
Improved Functionality and Usability
- Ported Whonix ™ from Debian stretch to Debian buster. 
- Added the qTox instant messaging application [archive] by default. 
- Install Firejail [archive] and Firetools [archive] by default inside Whonix ™.  
- Added the Metadata anonymisation toolkit v2 (MAT2) [archive] by default.   
- Added a LUKS container GUI (zulucrypt-gui [archive])  by default to make management and creation of containers easy.  
- OnionShare is now installed by default for easier, anonymous sharing of files.  
- Added KeePassXC [archive] as the default Password Manager in Whonix-Workstation. 
- Removed the Richochet instant messaging application [archive] since it is no longer working in Whonix ™ 15.  
- Nyx [archive] has replaced tor-arm as the Tor controller, providing (slightly) better functionality and usability.  
- Set VLC X11 video decoding by default so it works more reliably and avoids known problems. 
- The Jitter RNG Daemon (jitterentropy) [archive] is now installed by default to improve randomness if entropy on the system runs low.  
- Significantly reduced the size of Non-Qubes-Whonix images using zerofree. 
Improved Functionality and Usability
- Added grub-live Whonix ™ Live-mode as a default package.     
- Added a description to whonix-vbox images.   
- Implemented Whonix KVM serial console support. 
- Disabled boot devices and modified audio settings in VirtualBox Workstation and Gateway to improve security.  
- Forked [archive] the kloak - Keystroke Anonymization Tool [archive] and installed it by default in Non-Qubes-Whonix.  
- Improved the default kernel hardening options for better security.   
- Correctly configured Qubes-Whonix ™ XFCE default start menu entries (whitelisted appmenus). 
- Created Qubes-Whonix 15 template configuration files.  
- Confirmed the Whonix-15-gateway template builds. 
Improved Functionality and Usability
- Simplified instructions for VM kernel [archive] in Qubes-Whonix ™ by installing the same recommended Qubes packages as Qubes Debian packages.  
- In DisposableVMs, tb-updater / tb-starter was modified to no longer copy Tor Browser to the user home directory at first boot -- /var/cache/tb-binary is now directly used to improve startup performance.  
Whonix ™ 15 Updates
As Whonix ™ is now a rolling distribution, users will benefit from regular small security and usability improvements, features and bug fixes as they enter the Whonix ™ stable repository. Those will be announced here.
In 2019, point releases were announced on 10 September, 22 and 23 November.     In 2020, point releases were announced on 16 February, 27 February, 19 and 21 March, 29 May, 10 and 18 June, and 27 August.         
Notable changes are listed below. Note that an in-place upgrade is not recommended for KVM -- significant changes have been made to the host settings that require the current machines and virtual networks to be replaced with updated ones. Refer to the KVM wiki for detailed installation instructions.
- Implemented apparmor-profile-torbrowser improvements, see: Why does the Tor Browser AppArmor profile have sys_admin, sys_chroot and ptrace capabilities? [archive]
- Implemented AppArmor Live Mode fixes and various enhancements.  
- Further development of apparmor-profile-everything [archive] -- AppArmor for everything. APT, systemd, init, all systemd units, all applications.   
- Numerous apparmor profile enhancements were added.
- Fixed anon-connection-wizard truncated text.
- Fixed whonixcheck msgcollector permission errors.
- Corrected authentication failures related to Anon Connection Wizard and Whonix repository. 
- Fixed a tb-starter bug.
- Resolved the apt-get error relating to Debian's suite value changing from 'testing' to 'stable'. 
- Fixed starting pkexec-based applications from start menu, such as gdebi, synaptic and gparted. 
- Added an encrypted swap file to the system to avoid Whonix-Gateway freezing (for systems with low RAM) during the
apt-get dist-upgradeprocedure.   
- Prevented the keyboard-configuration debconf popup during
apt-get dist-upgrade.  
- Implemented a
command-not-foundpermission fix to avoid the WARNING:root:could not open file '/etc/apt/sources.list' message.  
- Fixed the bug parsing
- Fixed a bug in Whonix 184.108.40.206.9 where anon-connection-wizard added %include /etc/torrc.d/95_whonix.conf to
/etc/tor/torrcconfiguration file even though Whonix was already ported to %include /etc/torrc.d/
kicksecure-desktop-environment-essential-guito fix XFCE logout button. 
vm.unprivileged_userfaultfd=0because it is currently broken.   
- pkexec wrapper: fixed gdebi / synaptic but at the cost of checking for passwordless sudo /etc/suders /etc/sudoers.d exceptions. 
- SecBrowser / i2pbrowser: no longer use firejail by default even if installed since currently not maintained by anyone in Whonix / Kicksecure.
- Fixed the i2pbrowser local browser homepage.
- Fixed an onioncircuits error report related to user permissions.  
- Added an ENOUGH_RAM setting to swap-file-creator (1950 MB RAM default), so if there is enough RAM a swap file is not created (improving boot time). 
- Miscellenous whonix-firewall improvements. 
- Various fixes for i2p inside Whonix-Workstation:  
- Preparation for installation of i2p by default.
- Do not autostart
- Do not autostart
- Do not autostart
i2p.servicein Qubes TemplateVM.
- Do not autostart
privoxy.servicein Qubes TemplateVM.
- first-boot-skel: fixed
/home/user/.bashrchandling if the home folder is completely empty.
- Disabled the Tor Browser security slider question at first start because it is broken [archive]. 
- Fixed some anon-connection-wizard “unknown connection tag” messages in Whonix-Gateway.
proc-hidepiddue to pkexec issues.
command-not-foundfrom the default package installation, since it is not working out of the box which leads to confusing error messages.  
- Ensured consistent parsing of
/usr/local/etc/name.dfor applications by Whonix that also parse
/rw/config/name.dis still possible for compatibility but will be deprecated.
- Fixed adduser -- no longer writing to
- Set the environment variable
QMLSCENE_DEVICE=softwarecontext(in VirtualBox, and also after upgrades in KVM) to workaround a VM-specific Monero bug [archive].
security-miscto allow group sudo and console to use consoles.
sdwdate, implemented a python 3.7 fix if the host timezone is set to something other than UTC.
- Fixed a false positive live mode detection in live mode indicator.
- Bumped base Debian packages to 10.1
- Work on hardened Linux kernel for VMs and hosts [archive].  
- Work on fixing arm64 / RPi builds -- incomplete [archive]. 
- Fixed packaging issues preventing experimental
- Fix building without using cowbuilder to allow for build support in more environments; that is, building with
- Fixed errors causing Whonix-Gateway build failures on a physical host. 
- Tor Browser Updater (by Whonix developers): reduced old versions being kept to
- Removed unneeded dependency
- Do not create a home folder during postinst.
- Leave user
usercreation to Qubes.
- Fixed and actually use
- No longer depend on logrotate.
- Whonix Development News [archive]
- Significant progress regarding Whonix-Host development.
- Whonix is slowing migrating from GitHub to GitLab.  
- Documented how to use recovery mode.
- Created detailed Whonix Networking Implementation Documentation which documents the differences with Debian networking. 
- Wrote research notes on how to write good VirtualBox bug reports that actually have a chance of getting fixed.
- Wrote VirtualBox developer documentation on VirtualBox Licensing Issues, unavailable in Debian main and Debian backports, missing features, VirtualBox security and arguments for keeping VirtualBox Support.
- Documented Onion Services Authentication for v3 onions.
- Researched and documented entropy / randomness generation.
- Rebranded Whonix as a research project.  
- Added vanguards documentation. 
- Added security-misc documentation of stable security features [archive], testing security features and experimental security features.
- Documented VM Fingerprinting threats and defenses.
Improved Functionality and Usability
- Disabled whonixcheck “Connecting to Tor…” and “Connected to Tor.” messages. 
- Added support for OnionShare “bundled Tor”.
- Packaged str_replace for literal search and replace functions.
- Display the pulseaudio plugin by default.
- Added arc-theme, gnome-themes-extra, gnome-themes-extra-data and gtk2-engines-murrine for better visual presentation and a more modern look.
- Set SUDO_EDITOR="mousepad" if: mousepad is installed and the environment variable SUDO_EDITOR has not already been set.
- Upgraded Tor Browser to version 9 and later versions of this series.
- Upgraded Tor to version 0.4.2.6-1 and then again to version 0.4.3.5 in a later release.   
/etc/torrc.d/*.confconfiguration snippet drop-in folder support. 
- The Whonix build script now optionally supports installing packages from the Whonix remote repository, rather than building packages locally. 
- Simplified the default sudo lecture (presenting text upon first run) so it only shows the default password for Whonix.   
- Removed the deprecated obfs3 bridges option from Anon Connection Wizard.
- Enabled serial console functionality in VirtualBox, see: Serial Console.  
- From the VirtualBox host, simplify the sending of SysRq commands to VirtualBox VMs using the
- Work towards Whonix Host operating system [archive].
- Install gvfs by default:     
- Fixed access to LUKS encrypted USB drive with Thunar.
- Added gvfs to
- Renamed package
- Onion services authentication: 
- No longer install serial-console-enable [archive] by default due to issues [archive]. 
- corridor -- Tor traffic whitelisting gateway and leak tester -- merged upstream changes and improved Debian host support.  
- Added usability and output enhancements to grub-live, and improved the live mode indicator systray.   
- Added packaging and other improvements to Hardened Malloc 
- Removed Whonix specificity from onion-grater. 
- Added a sudo askpass wrapper for automated testing.  
- Added packaging and other enhancements for kloak. 
- Refactored Qubes-Whonix network proxy setup. 
- Created debug-misc [archive]: opt-in package which enables miscellaneous debug settings for easier debugging. 
- Install Monero GUI by default in Whonix-Workstation.
- Added links to search engines to the Whonix landing page in Tor Browser.
- Added new command line tools
onion-grater-removewhich will allow to simplify instructions that require
- Split most of
/etc/torrc.ddrop-in configuration snippets.
- Hide verbose output messages during boot to improve startup speed (logs are still available in the journal).
- Changed the desktop background images to better distinguish Whonix-Gateway from Whonix-Workstation and vice versa.
- Upgraded packages by packages.debian.org [archive]
- Set hostname to
localhostfor VM builds. 
- Disable DNSCrypt by default for now due to issues. 
- The Debian
stable-updatesrepository is now enabled by default. 
- Upgraded the
monero-guipackage to version
- Updated the default bridges in
anon-connection-wizardfrom The Tor Project  and removed ‘-max 3’ from the snowflake command.
- Permit Tor Browser to show improved error pages for onion service errors.
tb-updater, updated the OpenPGP verification keys and updated the Tor Browser version from
Kernel and Related Hardening
- Enabled kernel panic on kernel oops after boot, see: set oops=panic kernel parameter or kernel.panic_on_oops=1 sysctl for better security [archive].
- Enabled pam_umask.so usergroups, so group permissions are the same as user permissions. 
- Removed read, write and execute access for others for all users who have home folders under folder /home.  
- Group sudo membership is required to use
- Passwordless, recovery / emergency mode has been implemented.
- Lock user accounts with pam_tally2 after five failed authentication attempts are detected. 
- Fix pam_tally2 check when read-only disk boots without ro-mode-init or grub-live.
- The thunderbolt and firewire modules were blacklisted, since they can be used for Direct Memory Access (DMA) attacks.
- Every module must now be signed before being loaded; any module that is unsigned or signed with an invalid key cannot be loaded. 
- Uncommon network protocols were blacklisted: these are rarely used and may have unknown vulnerabilities. 
- Enabled IOMMU [archive].
- The SysRq key is restricted to only allow shutdowns/reboots.
- Restrict [archive] the SysRq key so it can only be used for shutdowns and the Secure Attention Key.
- A systemd service mounts /proc with
hidepid=2at boot, thereby preventing users from seeing each other’s processes.
- A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. 
- Remove System.map after a kernel upgrade.
- remove-system-map: use shred instead of rm.
- The kernel logs are restricted to root only.
- The BPF JIT compiler is restricted to the root user and is hardened.
- The ptrace system call is restricted to the root user only.
- Added user
rootto group sudo. This is necessary so it is still possible to login as a user in a virtual console. 
- Kernel symbols in /proc/kallsyms are hidden. This prevents malware from reading and using them to learn more about system vulnerabilities that can be attacked.
- Kexec is disabled because it can be used for live patching of the running kernel.
- Bluetooth is blacklisted to reduce the attack surface.
- Added experimental SUID Disabling and Permission Hardening:  
- A systemd service removes SUID / GUID from non-essential binaries as these are often used in privilege escalation attacks. 
- Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. 
- Unconditionally enable all kernel patches for CPU bugs (spectre, meltdown, L1TF and so on) -- this might reduce performance:  
- The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory.
- Vsyscalls are disabled as they are obsolete, are at fixed addresses and are a target for ROP.
- Page allocator freelist randomization is enabled.
- The vivid kernel module is blacklisted as it is only required for testing and has been the cause of multiple vulnerabilities.
- An initramfs hook sets the sysctl values in
/etc/sysctl.dbefore init is executed so sysctl hardening is enabled as early as possible.
- The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing.
- Improve entropy collection:  
- Load jitterentropy_rng kernel module.
- Distrust the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
- Disable trusting RDRAND.
- Experimental: remount
/runwith nosuid,nodev (default) and noexec (opt-in). To disable this, see footnote.   
- Fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup [archive].
- Do show lxqt-sudo password prompt if there is a sudoers exception.
- Improved pkexec wrapper logging.
- Installation fix in the case when user
userdoes not exist.
- Better output if trying to login with a non-existing user.
- Add user
consolein Whonix and Kicksecure.
- Lock user accounts after 50 rather than 100 failed login attempts [archive].
- Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.   
- Only allow symlinks to be followed when outside of a world-writable sticky directory, or when the owner of the symlink and follower match, or when the directory owner matches the symlink’s owner. Prevent hardlinks from being created by users that do not have read/write access to the source file. These prevent many TOCTOU races:
- Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl which has been used in exploits before.   
- For a full list of changes, see: https://github.com/Whonix/security-misc [archive]
- Command line control of KVM VMs is now supported. 
- The microphone is disabled by default.
- Switched RNG to /dev/urandom
- pvspinlock is enabled.
- Fixed Whonix-Gateway firewall desktop shortcuts.
- No longer install
pulseaudioby default on Whonix-Gateway.
- Various apparmor fixes.
- Created new apparmor profiles for bootclockrandomization, permission lockdown, and pam tally2 information.
- Ensured future compatibility for apparmor-profile-everything.
- Improved the output of remove
- Fixed the KVM prepare_release script.
- Fixed the GPU tag in libvirt XML.
- Updated Tor Browser to version 9.0.1, then later versions (9.5).
- Fixed Kicksecure KVM’s broken networking.
- Moved to
- Other platforms build fix.
monero-guican be uninstalled.
export QMLSCENE_DEVICE=softwarecontextfor KVM.
- Upgraded to the 2020 Whonix logo version.
Much stronger Linux user account isolation has been enforced in Non-Qubes-Whonix ™: 
- Locked and expired the root account in new Whonix builds. Existing users who upgraded are advised to lock their root account. 
- Disabled root login in virtual consoles by default. 
- Added a Tor Browser first startup popup [archive] to ask whether the security slider should be set to safest -- this was disabled in a later release due to broken functionality.
- Anonymized /etc/machine-id [archive].
- anon-gpg-tweaks: disabled keyservers for improved security. 
- Enabled APT seccomp sandboxing [archive].
- Added more seccomp hardening.
- Enforced msgcollector security (mount option) hardening [archive].
- Implemented systemd unit file hardening of services maintained by Whonix.
- Tor Browser Starter (tb-starter Whonix package) hardening: implemented optional
--hardening / tb_hardening="true"which utilizes Firejail and/or Hardened Malloc, see: Tor Browser Hardening documentation.
- Installed Hardened Malloc [archive] by default to ease usage (although it is not enabled by default to avoid breakage).
- Upgraded Hardened Malloc to version 2 and switched to compile with clang rather than gcc as per upstream preference.
sudoeditis now used in Whonix software and documentation (rather than the
lxqtsudoeditor) for better security.  
- Created an opt-in feature to restrict hardware information to root, see: Restrict Hardware Information to Root. 
- The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information -- vanguards fixes this [archive].
- Use vanguards from packages.debian.org [archive]
- Improves overall system security and is compatible with tirdad.
- Hardens kernel security by killing whole classes of exploits, detecting exploits and performing Linux kernel runtime integrity checking.
- Worked with LKRG upstream to fix LKRG VirtualBox host support.
- Packaging enhancements were incorporated, so any standard Debian build tool can be used. 
- Disabled the “System is clean!” message to avoid spamming dmesg and tty1.
- Fixed [archive] compilation using DKMS on kernel upgrade by adding support for make variable KERNELRELEASE (DKMS sets it).
- Auto-load LKRG after installation. 
- Upgraded LKRG to the latest upstream version (version
0.8.1; although not yet installed by default).
Other security enhancements:
- Implemented TCP ISN CPU Information Leak Protection [archive] to prevent de-anonymization of Tor onion services [archive] and installed Tirdad kernel module for random ISN generation [archive] by default.      
- Fixed compilation [archive] using DKMS on kernel upgrade by adding support for make variable KERNELRELEASE (DKMS sets it).
- Console lockdown [archive]: allow members of group
consoleto use console. Everyone else except members of group
console-unrestrictedare restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. 
- Protect Linux user accounts against brute force attacks -- lock user accounts after 50 failed login attempts using pam_tally2.
- No longer install firejail by default because of fingerprinting reasons [archive].
- Prevented verbose output during boot to prevent kernel info leaks.
- Extensive security hardening and updated packages.
- Improved Thunderbird protocol level leak prevention by enforcing functionality previously provided by TorBirdy.  
- Upgraded VirtualBox to
- Reverted to
vmsvgagrapics controller settings due to issues [archive].
- Increased [archive] Whonix-Gateway default RAM to 1280 MB. Otherwise, VirtualBox guest additions kernel modules fail to compile.
- Current VirtualBox screen resolution situation:
- Functional VirtualBox VM Window → View → Virtual Screen 1 → resize to resolution
- Functional VirtualBox VM Window → View → Adjust Window Size
- A workaround to improve this situation is still required.
kicksecure-desktop-environment-essential-guibecause it is required by VirtualBox Graphics Controller VMSVGA for auto resize and resize through VirtualBox settings menu.
- Again set the VirtualBox Graphics Controller to VMSVGA (equivalent to “VirtualBox → click a VM → Settings → Display → Graphics Controller → VMSVGA → OK”).  
- Increased Whonix VirtualBox Whonix-Gateway video RAM to 128 MB since the previous assignment of only 16 MB RAM can cause resize issues.
- Updated VirtualBox and VirtualBox guest addition to
6.1.4. The VirtualBox guest addition has been further upgraded to
6.1.6in a later Whonix release.
- Added a workaround for the bug causing the VirtualBox screen resolution to be too small; the screen resolution is now 1920x1080 by default for all VMs [archive].
- Configured three (instead of four) virtual CPU cores by default as this can improve stability. 
- Enabled the Debian stable-updates repository by default. 
- Consolidated Whonix packages. 
- Installed fewer unneeded packages such as rsyslog (see footnote). 
- Unbreak VirtualBox clearnet DNS settings when not using DNSCrypt.
- Some fixes/changes were implemented in both Whonix ™ 14 and 15.
- https://www.debian.org/News/2019/20190706 [archive]
- More than 91 per cent of the source packages included in Debian 10 are reproducible (will build bit-for-bit identical binary packages).
- https://phabricator.whonix.org/T899 [archive]
- https://github.com/Whonix/scurl/pull/1 [archive]
- A few fixes were needed, such as:
--remote-nameand replace it with
- Improve download wrappers and add
- https://phabricator.whonix.org/T923 [archive]
- https://phabricator.whonix.org/T890 [archive]
- For instance, an error would otherwise appear when using XFCE file manager with encrypted USBs.
- https://forums.whonix.org/t/have-cryptsetup-installed-by-default-in-whonix/6684/5 [archive]
- https://forums.whonix.org/t/fixed-apt-rce-announced-new-whonix-images-needed-whonix-build-not-safe-at-the-moment/6715 [archive]
- https://phabricator.whonix.org/T853 [archive]
- https://phabricator.whonix.org/T712 [archive]
- Make it simpler (to split urls into chunks of 3).
- Generate average, total etc. for each pool.
- Add curl command for the failures (timeouts).
- https://phabricator.whonix.org/T850 [archive]
- https://phabricator.whonix.org/T866 [archive]
- https://phabricator.whonix.org/T503 [archive]
- This was completed for whonix-gw-firewall, whonix-ws-firewall, whonixcheck, sdwdate, uwt, onion-grater (Control Port Filter Proxy), rads, open-link-confirmation, tb-starter, tb-updater and anon-ws-disable-stacked-tor.
- https://github.com/TNTBOMBOM/sdwdate/commit/2985fc70625ae13aed45225b8c83592575c21a78 [archive]
- https://forums.whonix.org/t/port-whonix-from-debian-stretch-to-debian-buster/7101 [archive]
- https://phabricator.whonix.org/T889 [archive]
- https://phabricator.whonix.org/T869 [archive]
- https://forums.whonix.org/t/install-firejail-firetools-by-default/5363/3 [archive]
MAT2 only removes metadata from your files, it does not anonymise their content, nor can it handle watermarking, steganography, or any too custom metadata field/system.
- https://phabricator.whonix.org/T885 [archive]
- https://forums.whonix.org/t/add-mat2-to-whonix-15/6489 [archive]
- zulumount-gui [archive] is also installed.
- https://phabricator.whonix.org/T769 [archive]
- https://forums.whonix.org/t/zulucrypt-in-whonix-14/4876 [archive]
- https://phabricator.whonix.org/T595 [archive]
- https://forums.whonix.org/t/feature-request-onionshare-support/300/7?u=patrick [archive]
- https://github.com/Whonix/anon-meta-packages/commit/8d5e892d3b603bb1390d3c152f70f8b8e8bfefef [archive]
- Primarily due to incompatibility with v3 onions.
- https://forums.whonix.org/t/remove-ricochet-from-whonix/5009 [archive]
- https://forums.whonix.org/t/what-about-nyx/6380 [archive]
- nyx is actually the same project; just the name has changed and the presentation is very similar.
- http://phabricator.whonix.org/T798 [archive]
- https://phabricator.whonix.org/T817 [archive]
Using the Jitter RNG core, the rngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. ... Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy.
- https://phabricator.whonix.org/T848 [archive]
- https://forums.whonix.org/t/failed-failed-to-start-virtualbox-guest-utils/5975/4 [archive]
- https://forums.whonix.org/t/reducing-size-of-ova-images/5095 [archive]
- https://phabricator.whonix.org/T886 [archive]
- https://github.com/Whonix/grub-default-live [archive]
- https://github.com/Whonix/anon-meta-packages/pull/18 [archive]
- https://forums.whonix.org/t/installing-whonix-live-mode-in-all-distributed-images/6467 [archive]
- This means Non-Qubes-Whonix users can boot into live-mode out of the box, without needing to install it.
- https://phabricator.whonix.org/T825 [archive]
- Such as the root password, Whonix ™ home page and so on.
- https://forums.whonix.org/t/add-description-to-whonix-vbox-images/5828/1 [archive]
- https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271 [archive]
- https://phabricator.whonix.org/T782 [archive]
- The floppy and optical settings were disabled in both the Gateway and Workstation, while the Gateway audio was also disabled.
kloak is a privacy tool that makes keystroke biometrics less effective. This is accomplished by obfuscating the time intervals between key press and release events, which are typically used for identification. This project is experimental.
- https://forums.whonix.org/t/kloak-keystroke-anonymization-tool/7089 [archive]
- See recent pull requests here [archive].
- https://forums.whonix.org/t/kernel-hardening/7296/9 [archive]
- The specific changes include:
Kernel symbols in /proc/kallsyms are hidden to prevent malware from reading them and using them to learn more about what to attack on your system.
Kexec is disabled as it can be used for live patching of the running kernel.
The BPF JIT compiler is restricted to the root user and is hardened.
ASLR effectiveness for mmap is increased.
The ptrace system call is restricted to the root user only.
The TCP/IP stack is hardened.
This package makes some data spoofing attacks harder.
SACK is disabled as it is commonly exploited and is rarely used.
This package disables the merging of slabs of similar sizes to prevent an attacker from exploiting them.
Sanity checks, redzoning, and memory poisoning are enabled.
The kernel now panics on uncorrectable errors in ECC memory which could be exploited.
Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness.
SMT is disabled as it can be used to exploit the MDS vulnerability.
All mitigations for the MDS vulnerability are enabled.
DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have unknown vulnerabilities.
- https://phabricator.whonix.org/T883 [archive]
- https://github.com/QubesOS/qubes-template-configs/pull/6/commits/d4f429669b849fc73973e2e557a24cceab47c45e [archive]
- https://github.com/QubesOS/qubes-builder/pull/82/commits/64a661241430c6a22ca98bb11370b2a3e3cf0e12 [archive]
- https://github.com/QubesOS/qubes-issues/issues/4957 [archive]
- https://github.com/Whonix/qubes-whonix/commit/8d8ab41bbf9c7fa63f3e79b8511d439efe33caeb [archive]
- https://github.com/Whonix/qubes-whonix/commit/c08dfed97cfba369ff753b4d96755b47240fffb2 [archive]
- https://github.com/QubesOS/qubes-issues/issues/4918 [archive]
- Neither are backups of Tor Browser maintained anymore; previously three backups were stored.
- https://phabricator.whonix.org/T858 [archive]
- timesync-fail-closed means sdwdate did not succeed yet. Networking for all but Tor and sdwdate should still be locked in this scenario.
- https://github.com/Whonix/apparmor-profile-everything [archive]
- https://github.com/QubesOS/qubes-issues/issues/5212 [archive]
- https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581 [archive]
- https://forums.whonix.org/t/whonix-virtualbox-15-0-0-4-9-point-release/8076 [archive]
- https://forums.whonix.org/t/whonix-kvm-15-0-0-4-9-point-release/8096 [archive]
- https://forums.whonix.org/t/whonix-virtualbox-15-0-0-6-6-point-release/8524 [archive]
- https://forums.whonix.org/t/whonix-kvm-15-0-0-7-1-point-release/8540 [archive]
- https://forums.whonix.org/t/whonix-kvm-kicksecure-15-0-0-8-7-released-a-qunatum-leap-forward/8921 [archive]
- https://forums.whonix.org/t/whonix-virtualbox-15-0-0-8-9-point-release-vanguards-tcp-isn-leak-protection-extensive-hardening/8994 [archive]
- https://forums.whonix.org/t/whonix-virtualbox-15-0-0-9-4-point-release/9157 [archive]
- https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-point-release/9159 [archive]
- https://forums.whonix.org/t/whonix-virtualbox-15-0-1-3-4-point-release/9616 [archive]
- https://github.com/Whonix/Whonix/compare/220.127.116.11.4-developers-only...18.104.22.168.4-developers-only [archive]
- https://forums.whonix.org/t/whonix-kicksecure-kvm-15-0-1-3-4-released/9729 [archive]
- https://forums.whonix.org/t/whonix-kicksecure-kvm-15-0-1-3-9-released/9785 [archive]
- https://forums.whonix.org/t/whonix-kicksecure-kvm-15-0-1-4-9-released/10167 [archive]
- https://forums.whonix.org/t/whonix-apparmor-profiles-development-discussion/108 [archive]
- https://forums.whonix.org/t/live-mode-etc-apparmor-d-tunables-home-d-live-mode-breaks-aa-enforce/5868 [archive]
- https://github.com/Whonix/apparmor-profile-everything/compare/f3140ea2153fcee68a901ef0c86d552d6fa0ec3e...ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be [archive]
- https://github.com/Whonix/apparmor-profile-everything/compare/ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be...63fdd0312a81f878d266ae9197803ccbd6bc18df [archive]
- More work is required such as multiple boot modes for better security: persistent user | live user | persistent admin | persistent superadmin | persistent recovery mode [archive] before it is installed by default.
- https://github.com/Whonix/Whonix/commit/5067d7eca6cfb36b71fe62ff7f3461f87bcdb3f6 [archive]
- https://forums.whonix.org/t/apt-get-error-e-repository-tor-https-cdn-aws-deb-debian-org-debian-security-buster-updates-inrelease-changed-its-suite-value-from-testing-to-stable/7704 [archive]
- https://forums.whonix.org/t/cannot-use-pkexec/8129 [archive]
- This also creates a new encrypted swapfile with a random password on every boot.
- https://github.com/Whonix/swap-file-creator [archive]
- https://forums.whonix.org/t/swap-swap-file-whonix-gateway-freezing-during-apt-get-dist-upgrade-encrypted-swap-file-creator/8317 [archive]
- https://forums.whonix.org/t/noscript-with-security-slider-at-safest-permits-around-30-sites/8160 [archive]
- https://github.com/Whonix/Whonix/commit/9fa062aafe9d3d8ad94aa6850225664f914174f0 [archive]
- https://forums.whonix.org/t/keyboard-configuration-debconf-popup-during-apt-get-dist-upgrade/8318 [archive]
- https://github.com/Whonix/whonix-legacy/commit/4bb3f9a93cef7a2076a70b986aa2c34d28ae1acf [archive]
- https://github.com/Whonix/whonix-legacy/commit/4202681132b1f0307cc95ceb3a1ca231fe6d9b3d [archive]
- https://forums.whonix.org/t/command-not-found-warningcould-not-open-file-etc-apt-sources-list/7903 [archive]
- Whonix host operating system [archive]
- Kernel Hardening [archive]
- Reverts “Restrict the userfaultfd() syscall to root as it can make heap sprays easier.”
- https://duasynt.com/blog/linux-kernel-heap-spray [archive]
- cannot use pkexec [archive]
disksd: failed to load module crypto: libbd_crypto.so.2: cannot open shared object file: No such file or directory
- onioncircuits started from tor-control-panel by running it under user debian-tor rather than root [archive].
- Fix Non-Qubes-Whonix Whonix-Gateway slow boot [archive].
- fix, don’t lock down network if IPv6 isn’t available and thereby no need to firewall, apparmor profile added in complain mode [archive].
- https://forums.whonix.org/t/i2p-inside-whonix-workstation-broken/8610/83 [archive]
- i2p is not yet installed by default because of this reason [archive].
- Also: check for noexec, remount exec and work on Qubes DispVM exec / noexec [archive].
- It is also not compatible with apt speedup, see: Speeding up "apt update" with Acquire::Languages=none and Contents-deb::DefaultEnabled=false - It's so much faster! [archive]
- For instructions on how to use
command-not-found, see here.
- Build CI builds on Travis CI [archive]
- Integration with APT and packaging [archive] is not yet complete. Help welcome!
- Help is welcome to finish this work.
- See: Error. Failed bilding Whonix gateway on physical host. [archive]
- See: Whonix moving from GitHub to GitLab [archive].
- The current
developers-onlyversion and next stable version of Whonix can be built completely from GitLab.
- https://forums.whonix.org/t/whonix-networking-implementation-developer-documentation-feedback-wanted/8274 [archive]
- https://forums.whonix.org/t/whonix-experimental-for-how-long/5206/6 [archive]
- Old: “Whonix is experimental software. Do not rely on it for strong anonymity.” New: “Whonix is a research project.”
- vanguards - Additional protections for Tor Onion Services [archive]
- In favor of sdwdate-gui. whonixcheck connectivity check code checks Tor as well as sdwdate. Due to slow Tor/onion speed it often times out. Improving that code is difficult, so sdwdate-gui is used instead as a solution that provides better visual feedback to users.
- tor_0.4.2.6-1~d10.buster+1_amd64.deb from deb.torproject.org
- Tor 0.4.25 release how can we upgrade [archive]
- Onion Services DDOS Defense Tor 0.4.2.5 [archive]
- torrc.d cleaner [archive]
- Quote Tor manual: ‘Files starting with a dot are ignored.’
- Quote Tor manual: ‘Files on subfolders are ignored.’
- https://forums.whonix.org/t/whonix-build-script-now-optionally-supports-installing-packages-from-whonix-remote-repository-rather-than-building-packages-locally/8107 [archive]
- https://forums.whonix.org/t/disable-or-change-sudo-lecture-at-frist-run-we-trust-you-have-received-the-usual-lecture-from-the-local-system-administrator-it-usually-boils-down-to-these-three-things/8323 [archive]
- https://github.com/Whonix/anon-base-files/commit/a929f1c438a9ac2a7cc01926e30b8d210debe442 [archive]
- https://github.com/Whonix/anon-base-files/blob/master/usr/share/derivative-base-files/sudo-default-password-lecture [archive]
- https://forums.whonix.org/t/serial-console-in-virtualbox/8021 [archive]
- This helps for recovery efforts and simplifies setting up the kernel boot parameters inside the VM.
- https://forums.whonix.org/t/send-sysrq-commands-to-virtualbox-usability-helper-virtualbox-send-sysrq/8369 [archive]
- https://phabricator.whonix.org/T965 [archive]
- Cannot access encrypted USB drive with Thunar in Whonix 15 [archive]
- Whonix host operating system [archive]
- Whonix XFCE Development [archive]
- Use sudoedit in Whonix documentation and Whonix software [archive]
- Onion Services Authentication [archive]
- See also: Serial Console.
- Merge upstream changes [archive].
- Improved Debian host support [archive].
- Usability, output enhancements [archive].
- Added compatibility [archive] with restrict hardware information to root for Live Mode Indicator Systray.
- Fixed Live Mode Indicator Systray [archive] to detect ro-mode-init.
- Packaging enhancements, no longer depend on genmkfile, fix, use same version number as upstream (2.0) [archive].
- Remove Whonix specificity [archive] (default config file) from onion-grater (Whitelisting filter for dangerous Tor control protocol commands).
- dsudo - add sudo askpass wrapper for automated testing [archive].
- This means as long as the password is set to
changeme, it is possible to use dsudo and not be asked to enter the default password.
- Packaging enhancements, no longer depend on genmkfile, can be build using standard Debian packaging tools, apparmor enhancements [archive].
- Refactoring /usr/lib/qubes-whonix/init/network-proxy-setup [archive].
- This replaces
- Speeding up "apt update" with Acquire::Languages=none and Contents-deb::DefaultEnabled=false - It's so much faster! [archive].
- This is a sane default that works with default
/etc/hostswithout generating warnings about a wrong hostname when using sudo.
/etc/hostnameis not managed by any configuration package and can be changed.
- This might be re-introduced later as an opt-in package, see: Use DNSCrypt by default in Kicksecure? (not Whonix!) [archive]
- See: enable Debian stable-updates repository by default [archive].
- https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/tor-browser/Bundle-Data/PTConfigs/bridge_prefs.js [archive]
- https://github.com/Whonix/security-misc/compare/a99dfd067ac8a43bdcd779cf57b3533bdaa404fb...163e20b886f298cb9d3aca54c14f66991001b396 [archive]
- By default, Debian utilizes User Private Groups (UPG) [archive]. Also see: /usr/share/pam-configs/usergroups-security-misc
- For example, this affects those running “chmod o-rwx /home/user” during package installation or an upgrade.
- This is only performed once for each folder in the parent /home folder, so users who wish to relax file permissions can do so. This action protects files in the user's home folder which were previously created with lax file permissions prior to the installation of this package.
- See: unlock instructions. This means it is possible to have short, easy-to-remember, "weak" passwords for the user
useraccount, while still preventing compromised non-root users from bruteforcing it.
- This makes it harder to load a malicious module.
- See: /etc/modprobe.d/uncommon-network-protocols.conf
- Forum discussion [archive].
- See: debian/security-misc.postinst
- Disable SUID Binaries [archive]
- https://github.com/Whonix/anon-apps-config/compare/a6a6c2ed3c58ef5b023866a8aed4ae1996d93420...9cbfad0aa30ce2014b65d997007baa3bf26005ca#diff-44b21d78d2546f10b7f1ba806e28e1f1 [archive]
- It is disabled by default for now during testing and can optionally be enabled by running
systemctl enable permission-hardening.serviceas root.
- This is interesting when using security-misc or Kicksecure.
- This is interesting when using security-misc on the host or using Kicksecure as the host operating system.
- Should all kernel patches for CPU bugs be unconditionally enabled? Vs Performance vs Applicability [archive]
- RDRAND reception [archive]
- https://twitter.com/pid_eins/status/1149649806056280069 [archive]
- Run “sudo touch /etc/remount-disable”. To opt-in noexec, run “sudo touch /etc/noexec” and reboot (easiest). Alternatively file
/usr/local/etc/noexeccould be used.
- (re-)mount home (and other?) with noexec (and nosuid among other useful mount options) for better security? [archive]
- More work needed [archive]. Help welcome!
- GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
- https://mjg59.dreamwidth.org/54433.html [archive]
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 [archive]
- Such as CVE-2017-2636 [archive].
- https://lkml.org/lkml/2019/4/15/890 [archive]
- See: KVM Command Line Interface (CLI)
- http://forums.whonix.org/t/whonix-moving-from-github-to-gitlab/9676 [archive]
- This does not yet apply to Qubes-Whonix.
- Qubes issue [archive].
- This is a purposeful security feature and there are no user freedom restrictions; read more here.
- See: gpg --recv-keys fails / no longer use keyservers for anything [archive].
- https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation-and-whonix-software/7599 [archive]
- Running any editor as root is insecure.
sudoeditcopies the file to a temporary location, edits it as a normal user and then overwrites the original using
- https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/2 [archive]
- CVE-2020-8516 Hidden Service deanonymization [archive]
- enable vanguards by default [archive]
- install by default [archive]
- Also available in Qubes OS Debian templates and Qubes-Whonix with use of an in-VM kernel.
- LKRG will likely be installed by default in Whonix and Kicksecure in one of the next stable releases.
- This is quick and easy. For example: “dpkg-buildpackage -b”
- Since LKRG now supports module parameters and VirtualBox host support [archive], it can be automatically started after installation since it would no longer kill VirtualBox VMs running on a host.
- TCP ISN CPU Information Leaks can be used de-anonymize Tor onion services. tirdad fixes that.
- An analysis of TCP secure SN generation in Linux and its privacy issues [archive]
- Tirdad kernel module for random ISN generation [archive]
- Tor Project bug report: Add research idea for Linux TCP Initial Sequence Numbers may aid correlation [archive]
- Research paper: Hot or not: revealing hidden services by their clock skew [archive]
- Whonix ticket [archive]
- See CVE-2001-0797, using pam_access.
- See torbirdy deprecated - replacement required [archive].
- This was ported from Tails to
anon-apps-configby Whonix developer HulaHoop. Sincere appreciation is expressed to Tails for the torbirdy replacement!
- Get VirtualBox from Debian sid and recompile for Debian buster [archive]
- Quote VirtualBox manual [archive]:
VMSVGA: Use this graphics controller to emulate a VMware SVGA graphics device. This is the default graphics controller for Linux guests.
- This has better desktop resolution in CLI (virtual terminal) mode. When it was previously disabled, this led to a black screen [archive] on
- https://www.virtualbox.org/ticket/19500 [archive]
- https://forums.whonix.org/t/enable-debian-stable-updates-repository-by-default/9382 [archive]
- https://forums.whonix.org/t/consolidating-whonix-packages/1945 [archive]
- https://forums.whonix.org/t/whonix-default-packages-review-mmdebstrap-varriant-related-risk-of-regressions/9254 [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)