Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Alternative Operating Systems

Why isn't OpenBSD Used?

This FAQ entry addresses the suggestion that Whonix should be based on OpenBSD rather than Debian. The opinion provided below is based on the perspective of Whonix developers. ^[1]

The OpenBSD FAQ states: source (w)

OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.

The landing page for OpenBSD also claims: ^[2]

Only two remote holes in the default install, in a heck of a long time!

These contentions are debatable and beg the question, "Who are those many security professionals and how thoroughly is the code reviewed?".

According to bststats.org (w), OpenBSD has very few users. Although bdstats is not representative of the total population of OpenBSD users due to the opt-in data collection program, 17 users at the time of writing is a very small figure. By comparison, TrueOS has 9,172 users in early 2018.

If OpenBSD cannot attract a critical mass of users, then ordinary crackers, hackers and the security research community are unlikely to gravitate to the distribution in contrast to more popular operating systems. At the same time targeted attacks become easier, because people who are paid to find exploits can find them more easily. Limited human resources inevitably means the code will remain more vulnerable to security flaws, since they are less likely to be identified.

As an example, see security vulnerability - NTP not authenticated. This six year old bug affects everyone using the distribution, but it does not appear anyone is stepping forward to fix it. The suggested solution was to authenticate the connection to the NTP server, but this would not be possible in Whonix for several reasons. The Whonix design focuses on distributing trust, and not using only one NTP server. Further, Whonix depends on free services which are available to anyone, ruling out a solution that requires a personal server. Even if Whonix used authenticated NTP, it has been pointed out ^[3] that the clock could not be moved more than 600 seconds. This is better than nothing, but still inadequate for adversaries who are capable of moving the clock more than 600 seconds, harming anonymity/privacy in the process (see Dev/TimeSync for further details).

In addition, previously the OpenBSD website was not reachable over SSL. ^[4] Therefore, at that time users were unable to securely view the OpenBSD site, since a man-in-the-middle attack would have been trivial to perform.

OpenBSD simply lacks innovative security improvements which are available in modern platforms like Qubes OS, despite their grandiose claims.

Why isn't FreeBSD Used?

This FAQ entry addresses the suggestion that Whonix should be based on FreeBSD rather than Debian. The opinion provided below is based on the perspective of Whonix developers. ^[5]

It is difficult and time consuming to try and list all the disadvantages of using FreeBSD, such as highlighting non-existent security features. The onus is on FreeBSD proponents to manually search for relevant features (or lack thereof) and present an objective case for its adoption.

To avoid presenting information that will quickly become out-of-date or that may insult FreeBSD adherents, it is better to avoid definitive security statements and instead ask appropriate questions which might affect the usability, security, anonymity and wide-scale adoption of Whonix. For instance:

• Does FreeBSD have a secure-by-default update mechanism?
• By default, will every (new) user download come from an existing signed repository?
  • If not, what special settings are required?
  • Are users expected to run their own repository?
• Does FreeBSD defend against outdated metadata; for example, can a man-in-the-middle use a roll back or freeze attack against the repository?
• Does FreeBSD defend against various attacks on package managers? (w)
• Does FreeBSD defend against attacks on the software update process by using the TUF threat model (w)?

Research which might provide a strong case for FreeBSD does not exclude the possibility of weaknesses or missing security features. The best way to determine the strength of the platform and its relative resilience is to directly ask the developers of that project. Honest replies can reasonably be expected from vibrant, open source communities.The only problem is, the Linux/BSD ecosystems have hundreds of distributions and it is a daunting prospect to rank their merits in this way.

Ultimately, the burden of proof falls on FreeBSD advocates to prove that it is the most secure distribution available, and not Whonix developers. Properly researched contributions that answer the questions above would be a good start, and possibly approaching FreeBSD developers directly. Alternatively, research into why various aforementioned protections are not necessary to improve security would also be welcomed. Until claims about FreeBSD are substantiated, one should not take offense that it has not already been adopted.

Why isn't OpenWRT Used?

OpenWRT is not used for the same reasons outlined above. Further, in early 2018 OpenWRT does not have signed packages.

Why isn't SubgraphOS Used?

Whonix has taken the decision not to use the Subgraph project for several reasons:

• Basing Whonix on Subgraph would tie our future with the viability of the Subgraph project. It is not ideal to rely on an OS in alpha status, particularly when the Debian alternative is rock solid and has decades of development behind it.

• The plentiful Subgraph bugs would become Whonix bugs, and developers would depend on Subgraph for fixes.

• Subgraph chose different programming languages (like Golang) that are unfamiliar to lead Whonix developers, making customization or modification very difficult.

• No full source code release to date (early 2018). ^[6]

• The publicly available software exists in a form that is not easily packaged. This would pose a significant maintenance burden for the Whonix team.

• Arbitrary limitations are in place, such as repository choices. This can of course be changed, but it is an example of wasted effort in patching the base OS to adapt to our vision.

• Subgraph has some undesirable feature additions that add no value. Whonix cannot benefit from Subgraph's manpower if the goals for the development roadmap are fundamentally different.

• There is no Subgraph meta package that can be installed using "sudo apt-get install subgraph-os" / "debootstrap Subgraph OS" in order to convert vanilla Debian into Subgraph OS. ^[7]

• To date, there has been no cooperation from the Subgraph project developers to correct any of the issues outlined above.

• Whonix Developer HulaHoop has also noted that Subgraph features totally rely on the GNOME desktop environment. This is undesirable because it is visually unappealing, has an over-simplified interface, and would require any "cloud integration" elements to be removed. Configuring GNOME to approach the specifications already achieved with KDE in Whonix would require a lot of effort. Further, Wayland and Flatpak will inevitably reach KDE in the future.

Clock Skew / Time Synchronization

How Do I Fix an Incorrect Host Clock?

As noted in the wiki:

When the user powers on Whonix-Gateway and the host time is grossly inaccurate, it will not be able to connect to the Tor network. After booting Whonix-Gateway, it is recommended to check that the host time is no more than 1 hour in the past or more than 3 hours in the future, otherwise Tor cannot establish circuits.

In Whonix, a correct host time is also critical to prevent or partially mitigate TimeSync Attacks such as: ^[8]

• Presenting outdated or vulnerable updates and https certificates.
• Potential denanonymization when connected to more than one adversary controlled website.
• Linking of all sessions to the same pseudonym.

Users experiencing Tor connection problems in Whonix should follow these instructions to set a correct host and/or Whonix-Gateway clock.

Compromise Indicators

Am I Compromised?

If the user notices trivial changes on their system - such as a duplicate deskop icon - it is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in Arm, then it is more likely a harmless bug and/or usability issue rather than a compromise.

Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario, and virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (malware building toolkits) are unlikely to be discovered by cursory inspections. ^[9] Rootkit technology is no doubt a standard feature of the various programs.

Strange files, messages or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddies ("skiddies") are unskilled attackers who uses scripts or programs to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive, and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen or BSD platforms. ^[10] Sophisticated attackers generally avoid detection, unless the user is perhaps unlucky enough to be a victim of Zersetzung (a psychological warfare technique).

Every forum post and support request requires time that could otherwise be directed to Whonix development. Unless the user believes there is a serious and credible problem, there is no need for a new post. Developers and the Whonix community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Whonix developers.

If you are reading this page, then it is safe to assume being anonymous (less unique), and remaining so is of great interest. Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result ^[11] is a false positive, regression, known or unknown issue.

To date, none of the various leak testing websites running inside Whonix-Workstation^™ were ever able to discover the real (external), clearnet IP address of a user during tests. This held true even when using JavaScript or plugins such as Flash Player and/or Java were activated, despite the known fingerprinting risks. Messages such as "Something Went Wrong! Tor is not working in this browser." ^[12] (from about:tor) or "Sorry. You are not using Tor." (from check.torproject.org) are in most cases non-issues. If the real, external IP address can be revealed from inside Whonix-Workstation, then this would constitute a serious and heretofore unknown issue (otherwise not).

It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Whonix development is hindered. Users valuing anonymity don't want this, otherwise this would violate the aforementioned assumption.

If something is identified that appears to be a Whonix-specific issue, please first read the Whonix Self Support First Policy before making a notification.

Related:

• Browser Tests
• Leak Tests

DNSCrypt

Can I Use DNSCrypt in Whonix?

DNSCrypt is possible in Whonix; see Secondary DNS Resolver. ^[13]

Why not Use DNSCrypt by Default in Whonix?

DNSCrypt may have good use cases for clearnet activities. However, it is not useful in Whonix and therefore should not be installed and activated by default for everyone. Although some users may have high expectations, DSNCrypt does not magically solve all DNS-related security issues, nor does it implement end-to-end DNS encryption to the destination server. ^[14] Most important of all, the server will still see all DNS requests in cleartext. ^[15]

There are several other reasons why DNSCrypt is not activated by default. Firstly, Tor distributes trust because the DNS server changes as circuits are rotated. For pre-installed applications, circuits are also stream-isolated and change every ten minutes by default. Notably, in early 2018 there are 78 open resolvers that support the protocol.

Public resolvers supporting DNSCrypt have not yet acted in a way to cause mistrust. However, even if the operators were absolutely trustworthy, complete confidence is also needed in their servers - it is unwise to let the DNS security for all Whonix users depend on a few servers. Another consideration is load balancing. If Whonix relied upon a DNSCrypt supporting server by default, DNS would break for all users if that server ever decided to forbid connections from the Tor network ^[16] or if the servers went down for maintenance.

For more detailed information about DNSCrypt, refer to these related forum posts.

Can I Use DNSCrypt on the Host or Router for Clearnet?

This configuration is possible; read the next section before proceeding.

Does DNSCrypt on the Host or Router Harm Anonymity when Using Tor/Whonix?

The short answer to this question is no. The longer answer is DNSCrypt on the host or in the router only affects clearnet activities. Tor assumes in advance that a user's local network and ISP are completely unsafe and untrustworthy. Tor and Whonix are unaffected by DNS settings that are made on the host or in the router.

It is debatable whether DNSCrypt is useful or not for clearnet activities since there are various pros and cons. It is useful when using foreign or untrusted Wi-Fi networks that are shared with others, since DNS requests could potentially be modified or read. That said, trust is just shifted from the ISP to a DNSCrypt supporting DNS server, such as OpenDNS. If the DNS server supporting DNSCrypt leaks a user's network address and/or logs queries as part of their business model, then it might actually be worse than using the ISP! It is hard to mount an argument for which party is more trustworthy, the ISP or a third party provider.

Live Operating System

Why not Use a Live CD/DVD as the Whonix-Workstation Operating System?

This option was previously discussed in depth and it was decided that Live CD/DVDs are not suitable for Whonix-Workstation.

Advantages:

• Often actively maintained.
• Stabilized.
• Hardened GNU/Linux distribution.
• Advanced features.

Disadvantages:

• No timely security updates.
• Limited persistence.
• Inflexible design.

Another serious disadvantage of Live CD/DVDs in the context of an anonymity-oriented OS is that they often have their own method of Tor enforcement included. In Whonix, this would result in a Tor over Tor scenario.

Will there be a Whonix Live CD or DVD?

Qubes-Whonix

The most promising mid term possibility may be running Qubes-Whonix on Qubes OS Live DVD/USB, which is currently in Alpha. ^[17] Unfortunately, at the time of writing Live-mode is no longer supported or maintained by Qubes. ^[18] Nevertheless, if this is further developed in the future, only limited changes are required on the Whonix side. The primary responsibility for hardware support and Live operating system development rests upon Qubes developers, with whom the Whonix team has a strong, collaborative, working relationship.

Non-Qubes-Whonix

This will not be available in the near future unless a developer steps forward, joins the Whonix team, and begins contributing code. Lead Whonix developer Patrick Schleizer has limited knowledge about Live CD/DVD creation and deployment, and completing this project would be difficult, particularly for hardware support. At the moment Whonix is a rather simple project, and many things are delegated upstream. For instance, there are various supported platforms, Debian provides a fine operating system, hardware support is delegated to the host operating system and supported platform, and Tor is providing a world class anonymizer. Another related problem is the large size of the Whonix images at present, making it very difficult to fit neatly on a Live CD/DVD. ^[19]

A workable alternative for testers is outlined in the next section below.

Is there Something like Whonix Live?

Starting with Whonix 14, Non-Qubes-Whonix users can optionally run Whonix as a live system. Booting into live mode will make all writes go to RAM instead of the hard disk. Everything that is created / changed / downloaded in the VM during that session will not persist after shutdown. This also holds true for malicious changes made by malware, so long as it did not break out of the virtual machine.

Alternatively, users can follow the recommendations to run Whonix with the dedicated host operating system installed on external media.

Tor

How do I Configure a Bridge?

Instructions for configuring a bridge in Whonix can be found here.

Whonix has Slowed Tor Connections Dramatically!

This is likely an incorrect assumption. Since Whonix does not modify the Tor package directly, nor attempt to improve the Tor routing algorithm, any sudden drop in network speed is almost certainly related to:

• User (mis)configurations relating to a VPN, proxy or other relevant settings.
• Tor network anomalies.
• Tor guards which are:
  • Malicious.
  • Overloaded.
  • Under attack.
  • Misconfigured.
• A change in the Tor guard selection which has resulted in poor throughput due to capacity issues.

Before posting about the issue in forums, first use one of the following two methods to create a test Whonix-Gateway with a different set of guards.

a) Easy: Whonix-Gateway Clone ^[20]

• Create a clone of the slow Whonix-Gateway (sys-whonix) and name it Whonix-Gateway-test VM (sys-whonix-test-vm). ^[21]
  • Virtualbox: follow these instructions to create a VM snapshot.
  • Qubes-Whonix: Right-click on sys-whonix -> Clone VM
• Regenerate the Tor State File.
• Retest the speed of Tor connections.

b) Moderate Difficulty: Manual Regeneration of the Tor State File ^[22]

Copy the Whonix-Gateway Tor state folder to a temporary folder by running the following commands in Konsole.

sudo systemctl stop tor@default sudo mv /var/lib/tor /tmp sudo systemctl restart tor@default

Retest the speed of Tor connections. Afterwards, to restore the Tor state folder to its original settings, run the following commands in Konsole.

sudo systemctl stop tor@default sudo rm -r /var/lib/tor sudo mv /tmp/tor /var/lib sudo systemctl restart tor@default

Interpreting the Test Results

There is no guarantee the test VM / new Tor state will be faster. However, if there is a significant difference in speed between the test and normal Whonix-Gateway VMs / Tor state, then this can be attributed to the Tor guards that are normally in use. This also means there is no bug in Whonix.

If the test VM / new Tor state does not speed up, the user may have selected Tor guards with poor throughput, or it could be a bug in Whonix. Before reporting the problem in the forums, regenerate the Tor state file and test the Tor throughput again. If it is still slow, then this may indicate a Whonix bug or other issue.

It is strongly discouraged to use the Whonix-Gateway-test VM / new Tor state (with a new Tor guard set) for activities other than testing, even if it is faster. It is feasible that adversaries might try to induce the user to switch their guards. By switching, the probability that a new chosen guard set is adversary-controlled increases, aiding end-to-end correlation attacks that deanoymize connections.

Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?

The short answer is this option was discussed with The Tor Project and Whonix was granted permission to do so.

Interested readers who want to learn more should review the following:

• Tor Project thread about this issue; see updates over Tor, should not waste Tor bandwidth.
• The Tor Project was asked directly, after this issue and possible solutions were discussed thoroughly by the Whonix team; see tor-talk Operating system updates / software installation behind Tor Transparent Proxy. ^[23]
• Andrew Lewman, a former Executive Director, Director, and press contact for Tor downloads a lot of updates over Tor and did not complain.

Can I Speed Up Tor or the Whonix-Gateway?

Is there a way to configure the number of nodes in a circuit and to allow selection according to their speeds?

Users who already know how to configure Tor in this fashion using the command line in vanilla Debian can follow the same procedure in Whonix-Gateway. This is not an endorsement for making these manual Tor changes because it is not recommended by Tor developers and thus the Whonix team. ^[24] This is also the reason there are no instructions in the Whonix documentation to manipulate Tor nodes in this way.

That said, if general instructions were found describing how to achieve this on the host, then the same procedure could simply be repeated in Whonix-Gateway.

Does Whonix Modify Tor?

Although Whonix does not modify Tor, the configuration file has been adapted for Whonix. To inspect the relevant files, check both /etc/tor/torrc and /usr/share/tor/tor-service-defaults-torrc on Whonix-Gateway. ^[25] Tor is not patched and the normal Tor deb package is used in Whonix. This is installed from either deb.torproject.org, or sdscoq7snqtznauu.onion if the user has "onionized" Tor Project updates.

Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. ^[26] If proposed changes are not adopted by The Tor Project, then the option to create a Tor fork ^[27] is available. Tor has already been forked at least once.

A general Whonix design principle is to keep the Tor process as uniform as possible, in order to simplify any security audits. Diverging from this practice would introduce unnecessary complexity, possibly worsen fingerprinting or degrade anonymity, and limit Whonix discussions to the security impacts of the modified routing algorithm. For these reasons, the Whonix team is strongly disinclined to make any direct changes to the Tor package.

Can Whonix Improve Tor?

As outlined in the previous section, Whonix will not implement any changes to Tor directly and any suggested improvements or bug fixes are proposed upstream on torproject.org. This already happens on occasion. Creating Whonix is a difficult and time consuming endeavor, so Tor improvements are better left to dedicated, skilled developers who are more knowledgeable in this area.

Skilled coders can always provide upstream patches to Tor, or as a last resort, fork ^[27] it. Hypothetically, if a fork ^[27] developed a greater following than the original project due to proven security / anonymity benefits, then Whonix would seriously consider making a switch.

What is Clearnet?

This term has two meanings:

1. Connecting to the regular Internet without the use of Tor or other anonymity networks; and/or
2. Connecting to regular servers which are not onion services, irrespective of whether Tor is used or not.

check.torproject.org says "Sorry. You are not using Tor."

See Browser Tests.

New Identity and Tor Circuits

The behavior of "New Identity" in the context of TorButton and Arm is often misunderstood. First of all, there are various ways to issue a issue a "New Identity":

• Tor Browser - TorButton.
• Arm.
• tor-ctrl.
• netcat.
• And probably other methods.

In all cases, the "New Identity" function sends the protocol command "signal newnym" to Tor's ControlPort. This clears the browser state, closes tabs, and obtains a fresh Tor circuit for future requests. ^[28]

The impact of "signal newnym" on Tor circuit lifetimes is often misunderstood. "signal newnym" uses a fresh circuit for new connections. Sometimes Tor only replaces the middle relay while using the same Tor exit relay. This is by design and the Tor default. Further, "signal newnym" does not interfere with long-lived connections like an IRC connection.

Interested readers can verify the effect of "signal newnym" as follows:

1. Open https://check.torproject.org in Tor Browser.
2. Issue "signal newnym" using Arm.
3. Reload https://check.torproject.org.
4. In some cases it will still show the same IP address, probably because the browser did not close the connection to https://check.torproject.org in the first place.

Now repeat this experiment with a small modification which should result in a new Tor exit IP address:

1. Open https://check.torproject.org in Tor Browser.
2. Issue "signal newnym" using Arm.
3. Close Tor Browser, then restart it.
4. Open https://check.torproject.org again, and a new Tor exit relay IP address is (likely) visible.

New Identity is not yet perfect and there are open bugs; this is not a Whonix-specific issue. "signal newnym" is not a guaranteed method of unlinking various protocol states (like the browser) so the user absolutely appears to be a different identity. ^[29] Tor Browser's TorButton New Identity feature attempts this, but it is not yet perfect.

In general for greater security, it is better to completely close Tor Browser and restart it. In Qubes-Whonix, the safest option is using a Whonix-Workstation Qubes/DisposableVM and closing it and recreating a new one after critical activities.

Trust

Why Should I (not) Trust Whonix?

See Trust for a long answer.

User Support and Input

Feedback and Suggestions

The Whonix project is highly receptive to genuine feedback and suggested improvements from users. Software projects flourish from community input, and every suggestion is noted and considered.

The Whonix community is asked to remain patient. The development cycle involves a number of competing priorities and challenges which must be overcome to achieve ambitious roadmap goals. Further, there is also an existing backlog of unresolved bugs and feature requests to address.

As Whonix resources grow over time, development activity and responsiveness to user input will increase in kind.

What does Unsupported Mean?

Virtualizers

Is VirtualBox an Insecure Choice?

Update:

Although VirtualBox is not an ideal choice, fortunately other platforms are supported:

• Qubes-Whonix.
• Whonix for KVM / Virt-Manager.

For greater security, users with suitable hardware and sufficient skill are already recommended to prefer Qubes-Whonix (a bare-metal hypervisor) over Type 2 hypervisors like VirtualBox and KVM.

The primary reason Whonix supports VirtualBox is because it is a familiar, cross-platform virtualizer which can attract more users to open source (free/Libre) software, Tor, and Linux in general. By remaining highly accessible, Whonix:

• Increases the scope of potential growth in the userbase.
• Attracts greater attention as a suitable anonymity-focused operation system.
• Increases the likelihood of additional human resources and monetary contributions.
• Allows novice users to easily test Whonix and learn more about security and anonymity practices.
• Improves the relative security and anonymity of Tor / Tor Browser users by offering a virtualized solution.

Old statement:

Virtual Private Networks

Should I Install a VPN on the Host or Whonix-Gateway?

This entry presumes the user has already decided to utilize a VPN. If not, this FAQ entry may be skipped.

Template:VPN on the host vs on Whonix-Gateway

Linux Distributions

Can I Expect a Unified Experience Similar to Windows/Mac/...?

When users interact with an operating system such as a Linux distribution such as Whonix they have certain expectations in regards to their overall experience. For many users these expectations are based on using operating systems such as Windows that provides an easy to use and intuitive graphical user interface (GUI) in concert with applications that have all of the latest features. For these users, seamless integration of new software packages on their system is the rule and not the exception. In short, Windows users are accustomed to have a fully unified experience where "everything just works". Yet, providing Linux users with the same unified experience is very difficult and in most cases impossible. They may find the GUI is difficult to use and non-intuitive. There are software packages that are similar in design to those found in Windows. However, they lack many of the same features and in many instances do not fully integrate with other packages. For users that start using a Linux distribution it may be difficult to understand how applications with similar design goals can have vastly different functionality between operating systems. However, one needs only to compare the structure of a corporate hierarchy to that of a Linux distributions collaborative effort to understand these differences.

The following table provides a simplified comparison of each organizations structural differences.

Table: Linux distribution vs. Windows

Software

As shown in the table, Linux distributions are based on many third party projects which develop software according to their own design goals. This might be for example because the application is initially developed by a volunteer for the Windows platform and optimized for that. Later another volunteer joins the project or forks it and ports it to the Linux platform.

When these projects develop software they don't necessarily prioritize design goals to that of the Linux distribution.

Since the distribution can only pick software packages that are already available it is not always possible to select packages that meets all of the design goals of the distribution. Moreover distributions are not structured like a traditional company with a large number of paid employees. The distribution does not have the authority to issue a directive to a third party project to make changes to the their software. If a distribution requires changes to a package from an independent project, there are options available but they all require time and patience. ^[35]

• Try to understand the perspective of the third party project
• Polity ask the project if they would be willing to make the changes
• Submit code that makes sense from their point of view.
• Patch and/or fork their software
• Use an alternative package from a different project

In contrast to this is Windows which is based on software developed according to design goals which focus on providing users with a fully unified experience. While Linux distributions are based on third party packages, Windows is developed in a large company with a corporate hierarchy. In these companies the CEO can issue a directive to developers to make any change needed to move Windows closer to a fully unified operating system. If a developer refused to make those changes or did not posses the necessary skills, the CEO could terminate their employment for non-compliance since any delay in software development could cost large sums of money.

Funding

Linux distributions are based on Libre Software which can be used freely by anyone. Since there is no licensing fees to use the software, the ability to generate funding for development is severely limited. Without the necessary funding to hire a large contingent of full-time employees, it is all but impossible to provide users with a unified experience. Instead, distributions rely primarily on developers that volunteer their time to integrate and maintain the software packages. However, the time they can devote is limited since they do not receive a salary. This is attributed to the limited means a distributions has to generate funding which can vary depending on its size and popularity.

• Donation or volunteer payment based funding
• Selling professional services such as technical support, training and consulting
• Developmental Grants
• Corporate sponsorship

Windows is a proprietary operating system which is funded through the sale of software licenses. While Linux distributions are limited in there ability to generate funding. Windows licensing generates billions of dollars in revenue which is used to employ a large number of full-time developers. This in turn allows these employees to focus on developing the software packages from the ground up while remaining focused on the design goal that will move Windows closer to a unified operating system that users have come to expect.

Unified Linux Experience

Users might expect their Linux distribution to provide a unified experience similar to Windows. While some of the larger and more popular distributions provide a more consistent experience. It impossible for most (if any) distribution to provide the quality users have come to expect while using a Windows machine. Smaller distributions such as Whonix that have very limited human resources. It is infeasible since developers must focus a large portion of their time on core functionality development.

Whonix-specific

Design and Development

Why Use a 32-bit Operating System Instead of 64-bit?

Whonix 13

Whonix does not uniformly use a 32-bit operating system; it is dependent on the supported platform in use. In the current stable release:

• Qubes-Whonix is 64-bit by default, since Qubes is aimed at users with modern, compatible hardware.
• Non-Qubes-Whonix is 32-bit by default.

Until now, the decision to support a 32-bit build for Non-Qubes-Whonix has primarily related to compatibility. 32-bit software runs on both 32-bit and 64-bit hosts, while 64-bit builds cannot be created or used if running a 32 bit kernel. ^[36] Further, 64-bit software is more memory (RAM) intensive, which could be problematic for running 3 operating systems on older systems (Whonix-Gateway, Whonix-Workstation, and the host OS). ^[37] However, this does not prevent advanced users from building Whonix from source code and using --arch amd64 as per the build documentation to create 64-bit builds.

Whonix 14

In Whonix 14, slated for release in early 2018, only 64-bit builds will be available for download across all platforms. ^[38] This decision is based on several factors:

• Distributions are increasingly dropping support for 32-bit systems (including Debian). ^[39]
• Only a small minority of users are stuck with older hardware that will not support 64-bit builds. ^[40]
• It is a significant maintenance burden for Whonix to maintain both 32-bit and 64-bit builds for Non-Qubes-Whonix. That is, Whonix would need to maintain 10 images, instead of the current 6 images.
• Non-Qubes-Whonix users who rely on 32-bit (i686) hardware will still be able to use Whonix 14, by using the upgrade instructions instead of downloading new images. ^{[41] [42] [43]}

If a maintainer steps up to contribute, it may be possible to have both 32 and 64-bit downloads for Non-Qubes-Whonix in the future.

How is Whonix Different from Tails?

See Comparison with Others.

Why not Merge with Tails and Collaborate?

The following is a subjective opinion by lead Whonix developer Patrick Schleizer. ^[44] Feedback, corrections, and suggested improvements are welcome.

Tails is a respected project with similar goals to Whonix - improved anonymity, privacy and security. Tails has existed for many years and has multiple developers, significant experience and a complete working infrastructure. Whonix and Tails developers already cooperate to some degree and discuss things of mutual interest to both projects on various developers mailing lists like whonix-devel, tails-devel and secure-os.

Whonix and Tails Collaboration

Several parts of Whonix are based on Tails. For example, the development of sdwdate in Whonix was reliant upon Tail's invention of tails_htp. Whonix also profits from Tails' previous efforts to upstream packaging and other changes in Debian, current and historical discussions in various forums, Tails research, design documents, experience, feedback and so on.

Other examples of Tails and Whonix cooperation include:

• onion-grater - a whitelisting filter for dangerous Tor control protocol commands - was developed by Tails developer anonym with Whonix in mind. Whonix then forked the Python code to add a few necessary improvements. ^[45]
• Tails has expressed interest in using Anon Connection Wizard in the future.

Why Whonix is a Separate Project

Even though Tails is highly valued by Whonix developers, it may not be clear to the reader why Whonix remains a separate project and not just a contributor to Tails. There are several reasons for this decision: Whonix cannot be merged into Tails by the Whonix team on technical, skill and political grounds; implementing features or changes in Tails is an unfamiliar process; and it is unknown when/if Whonix priorities will be implemented in Tails - but it is known how to solve these in a separate project (at least with appropriate user documentation).

Further examples are outlined in the table below. Note that some of these items may already be partially or fully solved in Tails, but it is has been kept to justify the decision at that time not to merge with Tails.

TODO Broken since migration to whonix.org. Ignore for now.

(Previous) Tails TODO	Whonix Instructions
Remember installed packages	By design, everything persists. [46]
Applications Audit	By design, protocol leaks can not lead to deanonymization.
Two-layered, virtualized system	By design, this is achieved by using either VMs or Physical Isolation
VPN support	Features#VPN / Tunnel support
JonDo over Tor	JonDonym
Freenet over Tor	Freenet
obfsproxy	Bridges
Hide Tor from your ISP	Hide Tor and Whonix from your ISP
I2P over Tor	I2P
Transparent Proxy as a fallback mechanism	By design, everything not configured to use a SocksPort will automatically use Tor's TransPort.
Use Tor Browser	Tor Browser
Stream Isolation	Stream Isolation
Evaluate web fingerprint	Same as Tor Browser.
Unsafe browser fingerprint	Logging in to captive portals
Location Hidden/IP Hidden Servers	Location/IP Hidden Servers
VoIP	VoIP
...	...

Political and Design Considerations

There are also significant differences in political and design decisions which prohibit a merger:

• As a code contributor to Tails, Patrick Schleizer would need to accept decisions made via internal Tails decision-making processes. Whonix would lose the autonomy to simply modify anything in line with personal preferences or favored solutions. ^[47] At the time Whonix was created, Patrick Schleizer did not favor a Live DVD/USB approach and personally found improving Tails to be far more difficult than starting a fresh project.
• Source Code Merge Policy:
  • Whonix: A comprehensive merge policy has not yet been developed. This would be ideal, but it is not compulsory to formulate such a design or associated documentation.
  • Tails: In Patrick Schleizer's opinion, the Tails merge policy is too strict. This is not a complaint or critique. No doubt there are good reasons for that decision, and it should be noted that Tails is still a popular and effective solution for many users. Anyone who does not agree has the freedom to contribute to another project or to start a new project, leading Patrick Schleizer to make use of that freedom.
• Another major design difference is Tails' reliance on a Live DVD/USB which inherits some restrictions and limitations. Tails must fit on a DVD/USB, while Whonix does not have this requirement. Whonix also has higher hardware requirements, but therefore more space to implement features. As a consequence, initially fewer people are able to use Whonix, but this situation will improve in the future as available hardware improves. The Whonix design is fluid and new designs (both theoretical and practical) are being discovered over time. Depending on user feedback and general interest, eventually a Live DVD or Blu-ray might be created in Whonix.
• Patrick Schleizer has found it easier to cooperate with the security by isolation focused operating system Qubes OS, which resulted in Qubes-Whonix.

How is Whonix Different from Tor Browser?

See Comparison with Others.

How Difficult is Whonix Development?

The following information is an opinion expressed by lead developer Patrick Schleizer, which is based on several years of Whonix development and related activities.

Consider the following comparison table. Whonix source code is relatively simple when compared with activities like the development of cryptographic algorithms and hand written binary code.

Legend: One star (*) = very easy; 10 stars (**********) = very difficult.

* Using a computer.
** Writing Whonix bash scripts.
** Writing Whonix documentation.
*** Whonix-related anonymity and privacy research.
**** Scripting language.
***** Using Hardened Gentoo.
****** Programming languages such as C/C++.
******* Core Tor development.
******** Reverse engineering software.
******** Kernel development.
******** Assembly language.
********* Compiler development.
********* Aeronautical science.
********* Cryptographic algorithms development.
********** Hand written binary code.

Images

Why are Whonix Images so Large?

Currently the size of the Whonix-Gateway and Whonix-Workstation is 1.7 GB and 2.0 GB, respectively. This is much larger than other "Tor-VM" or "Tor-LiveCD/DVD" projects, which sometimes depend on specially "stripped-down" or minimal distributions like TinyCore, DSL, and Puppy Linux. From Whonix 14, zerofree has been used to reduce the size of the binary images by approximately 35 per cent.

Minimal Distribution Disadvantages

The primary reason for the large size of the images is that small/er distributions do not meet Whonix requirements; namely the upstream distribution must have a proactive security policy. In addition:

• Most minimal distributions are small projects. Consequently, there is no dedicated security team that audits packages and quickly releases security patches.
• Whonix requires a distribution that cryptographically signs all updates. ^[48]
• The security of minimal distributions is premised on reducing the potential attack surface, and not much else. Whonix also has a small attack surface, due to only installing a few selected applications and not having any network listening services by default. However, on the upside a full distribution supports MAC, kernel patches, IDS and much more.
• Large, established projects have many users and developers, and the many eyeballs on the code implies greater trustworthiness.
• Debian has a significant number of security features that are unavailable in smaller distributions.
• For further reading on this topic, see Operating System.

Maintenance and Usability Concerns

Since Whonix is based on Debian, it is a complete, anonymity-oriented, general purpose operating system. This greatly improves usability in comparison to minimal systems which lack a host of features.

There are several other benefits of relying on Debian, rather than a minimal distribution:

• A wider range of use cases is supported, such as hosting onion services. In contrast, small distributions usually have limited repositories.
• Debian has comprehensive documentation about topics like security and hardening, unlike many small distributions.
• Creating a slim system increases the maintenance burden, because it is difficult and requires significant development time. This is not, and should not be the primary focus of the Whonix team.
• Minimal projects do not usually focus on anonymity, privacy and security-related matters; the core competence of the Whonix project.
• Attempts to slim down systems inevitably results in numerous "strange bugs". Users who are familiar with Debian or Ubuntu would then question why Whonix is broken or lacks full functionality.

It should be noted that by increasing usability, Whonix actually improves security over time. This stems from a larger user pool, a more prominent profile in the press, increased development activity, and additional security audits and research. On the contrary, a slimmed down system would only attract specialists or experts. ^[49]

An interesting analogy is Mixminion, which was once touted as an alternative to Tor. ^[50] Due to Mixminion being a high latency remailer, with cover traffic and protection against traffic confirmation (end-to-end correlation attacks), it should theoretically have been more secure than Tor. The only problem was that Mixminion did not attract a critical mass of users. Without a sizable population to help disguise traffic, the putative anonymity benefits were seriously degraded - making it no more or less (in)secure than Tor. ^[51]

Absence of a Live Whonix CD/DVD

The final reason Whonix images are large, is that the project is not (yet) focused on the anonymity-oriented Live CD/DVD market. Without the restriction of needing to fit on a CD/DVD, there is no necessity to balance functionality with available space and security. Being a general purpose anonymous operating system has its benefits - default or optional functionality can be increased at whim. For example, integrating Bitcoin into Whonix would be quite simple, apart from the documentation burden.

Patches

Patches are Welcome

Volunteer contributions to Whonix are most welcome. All proposed patches are carefully reviewed and merged if appropriate. Volunteers with the requisite coding ability should refer to the current backlog of open Whonix issues and consult with developers before undertaking any significant body of work.

Often, proposed improvements or fixes to the Whonix platform have not yet implemented due to differing developer priorities, limited human resources, and/or the inordinate amount of time required to develop a particular feature or solution. In a minority of cases, the Whonix team is unsure how to resolve a bug, or how to implement a specific change / feature. ^[52]

It is generally unhelpful to debate the priorities laid out in the future Whonix roadmap, as this diverts energy from core development. Some major suggestions like the availability of a Live Whonix CD/DVD might become available in the long-term, or might never eventuate.

Security

Does Whonix Guarantee my IP Address and Location are Safe when Using Skype?

This answer has been moved to the VoIP page.

Full Disk Encryption Should be Added to Whonix!

This assumption is incorrect. In short, it is more effective to add Full Disk Encryption to the host to protect against theft or robbery of personal information or data.

The interested reader can refer to Encrypted Guest Images for further details.

You Should Disable JavaScript by Default!

Whonix has not changed default JavaScript settings in Tor Browser for several reasons:

• Whonix is not a "secure browser" project - the focus is on creating a stable, reliable anonymity distribution which aligns with best practice security and privacy principles, informed by educated researchers in the field.
• Possible fingerprinting or security issues with default settings in Tor Browser are the domain of core Tor developers.
• Whonix has limited manpower, meaning the resources do not exist to create a more secure browser, even if it was desirable. ^[53]
• Tor Browser is not significantly modified for the same reasons Whonix does not modify or attempt to improve Tor. ^[54]
• Having Whonix share the fingerprint of other Tor Browser users is good for anonymity.

As noted in the Tor Browser chapter, disabling JavaScript by default may worsen fingerprinting:

The take-home message is disabling all JavaScript with white-list based, pre-emptive script-blocking may better protect against vulnerabilities (many attacks are based on scripting), but it reduces usability on many sites and acts as a fingerprinting mechanism based on the select sites where it is enabled. On the other hand, allowing JavaScript by default increases usability and the risk of exploitation, but the user also has a fingerprint more in common with the larger pool of users.

Experienced Tor developer Mike Perry has provided justification for enabling JavaScript by default in a tor-talk mailing list topic; see "Tor Browser disabling Javascript anonymity set reduction". In summary, Tor Button and Tor Browser patches handle the most serious JavaScript concerns, such as IP address / location bypass problems. ^[55]

Due to the loss in functionality, disabling JavaScript by default might place Whonix users in a small subset of the Tor Browser population. The JavaScript behavior of the broader Tor Browser population is an open research question, so it safest to avoid a possible reduction in the anonymity set of Whonix users. Users should remember that the degree of fingerprinting that is possible will also rely on Tor Browser's security slider settings. Ultimately the user is free to turn JavaScript on or off, depending on their security, anonymity and usability preferences.

Does Whonix / Tor Provide Protection from Advanced Adversaries?

Targeted Surveillance

Whonix cannot provide protection against advanced attack tools which have the capability to penetrate all types of OSes, firewalls, routers, VPN traffic, computers, smartphones and other digital devices. Implants are capable of surviving across reboots, software / firmware upgrades, and following the re-installation of operating systems. ^[56]

Once infected in this way, it is virtually undetectable and no solution can be readily found, except throwing away the hardware and moving on from the targeted physical / network location. Encryption, Tor / Tor Browser, other anonymity tools, "secure" hardware configurations and so on are helpless against these attacks, which are increasingly automated and being scaled up in size. For example, the American IC prefers using the TURBINE system for this purpose.

The following is just a small sample of the hundreds of advanced implants and tools currently in use. Needless to say, advanced adversaries can achieve almost any outcome they like: ^{[57] [58] [59]}

• Exfiltrate or modify information / data including removable flash drives (SALVAGERABBIT).
• Log keystrokes or browser history (GROK, FOGGYBOTTOM).
• Surreptitiously turn on cameras or microphones (CAPTIVATEAUDIENCE, GUMFISH).
• Exploit VPN and VOIP data (HAMMERCHANT, HAMMERSTEIN).
• Block certain websites (QUANTUMSKY).
• Corrupt downloads (QUANTUMCOPPER).
• Present fake or malware-ridden servers (FOXACID, QUANTUMHAND). ^[60]
• Launch malware attacks (SECONDDATE).
• Upload and download data from an infected machine (VALIDATOR).
• Detect certain targets for attack (TURMOIL). ^[61]
• Collect images of computer screens (VAGRANT).
• Collect from LAN implants (MINERALIZE).
• Image the hard drive (LIFESAFER).
• Jump air-gaps (GENIE).
• Inject ethernet packets onto targets (RADON).
• And much, much more.

The take-home message is that current hardware and software solutions provide multiple attack vectors which are impossible to completely close. Air-gapped solutions which have never been connected to the Internet may provide security for targeted individuals, but Internet-connected devices should be considered completely unsafe.

Passive Surveillance

Users should be aware that passive surveillance systems will attempt to intercept, record, categorize and attribute all data that can be feasibly collected, including straight off the Internet backbone. These systems are designed to hoover up everything, irrespective of whether it is browsing history, emails, chat / video, voice data, photographs, attachments, VoIP, file transfers, video conferencing, social networking, logins, or user activity meta-data.

Consistent use of anonymous handles, strong encryption, Tor / Tor Browser, and world class open source anonymity tools and platforms may provide partial protection against passive surveillance programs, such as:

• PRISM.
• FAIRVIEW.
• BLARNEY.
• STORMBREW and OAKSTAR.
• XKEYSCORE.
• MARINA, TRAFFICTHIEF, PINWHALE.
• MAINWAY.
• MYSTIC.
• And many more similar programs run by governments all around the world.

Be aware that this claim comes with an important caveat - it depends on whether Tor (and other software / hardware solutions) provide adequate protection or not. The answer to that question is not clear. Whonix has adopted a skeptical mindset and only makes conservative claims, because it is impossible to prove a negative. For a related statement about advanced adversaries, refer to the following technical introduction.

Can Certain Activities Leak DNS and/or the Real External IP Address / Location?

No activity conducted inside Whonix-Workstation can cause IP/DNS leaks so long as Whonix-Gateway is left unchanged or only documented changes are made like configuring bridges, establishing onion services, and running updates.

However, certain behaviors can degrade anonymity or inadvertently expose a user's real identity or location. For instance:

• Do not confuse pseudonymity with anonymity.
• Avoid activities that risk de-anonymization.
• Avoid major networking changes like using non-Tor, secondary DNS resolvers or establishing permanent Tor exit relays. ^[62]

Is there a Whonix Amnesic Feature / Live CD / Live DVD? What about Forensics?

As noted in the Whonix Live entry, Whonix 14 allows non-Qubes-Whonix users to optionally run Whonix as a live system. Writes go to RAM instead of the HDD/SSD, and everything that is created, changed or downloaded in the VM during that session does not persist after shutdown. However, neither non-Qubes-Whonix or Qubes-Whonix is an amnesic system by default.

For reasons why a Whonix Live CD/DVD is currently unavailable, refer to these earlier entries.

Forensic Considerations

In the past, a number of ideas have been put forward to try and make Whonix an amnesic system:

• Shredding the Whonix hard disk images.
• Having a zip archive of Whonix hard disk images and restoring them every time Whonix is used.
• Restoring a fresh snapshot every time Whonix is used.
• Running Whonix completely in ramdisks.
• Using full disk encryption.
• And so on.

Unfortunately, none of these methods are a substitute for a true amnesic system. Amnesic live systems have a superior design insofar as sensitive (or unencrypted) data is never stored on storage media in the first place. It is manifestly unsafe to try and deal with data by wiping it after it has already been stored, and this is a poor design principle to implement.

Using full disk encryption is still useful to protect against forensic analysis, but in some parts of the world this is illegal or draws unwanted attention. Therefore, full disk encryption is not an applicable stopgap for some Whonix users and this cohort requires an amnesic version of Whonix in all instances.

The reader should always be cautious regarding claims made about the ability to defeat disk forensics. For example, the Whonix team are not experts in matters related to:

• HDD/SSD swap space.
• Computer forensics. ^[63]
• Data remaining on USBs and SSDs after "secure" erasing.
• Wear leveling.
• The possibility of ordinary hard disks sometimes marking sectors as bad and never releasing their data. ^[64]
• Data traces that may be left on disk by Tor Browser on the macOS, Linux and Windows platforms.
• Other related forensic capabilities.

Even carefully designed setups fail to approach the efficiency of an amnesic system. At a bare minimum, before any strong claims can be made about anti-forensics, the following steps should be undertaken:

1. Make an image of the HDD/SSD.
2. Run Whonix and perform a range of normal user activities.
3. Make another image of the HDD/SSD.
4. Compare the images.

Unless these basics steps are performed, the setup may seem ingenious but fail against contemporary forensic tools. Users concerned about local forensics should at least use full disk encryption. When established open source encryption solutions like Linux dmcrypt are used correctly, they live up to their promises. However, always remember this approach is inferior to an amnesic system, particularly if the user can be forced to surrender their password under certain circumstances. If that is a legitimate concern, then Whonix may not be the right tool and alternatives like Tails should instead be investigated.

Stability

Whonix Crashes because of PAE?

See PAE crash.

Versioning

What is the Difference Between the stable, stable-proposed-updates, testers and developers Repositories?

Whonix currently provides four repository choices:

• Whonix stable APT repository: recommended for most users. The production level packages focus on providing the most reliable Whonix experience.

• Whonix stable-proposed-updates APT repository: recommended for testers and only briefly tested by Whonix developers. It also contains stable upgrades, but it can break apt-get during an upgrade, requiring terminal commands to rectify the problem. After testing by a wider audience, these packages migrate to the stable repository. ^[65]

• Whonix testers APT repository: As above, except it does not have stable upgrades. ^[66]

• Whonix developers APT repository: As above, except it includes untested changes. These changes may eventually migrate to the testers repository if the Whonix team is confident these changes will not break the update system.

Users can easily change their repository in the Whonix-Gateway or Whonix-Workstation by following these instructions.

Due to the Whonix design, a user's security is unlikely to be materially affected by preferring the "beta" (stable-proposed-updates) or "alpha" (testers, developers) repositories over the default stable one. The terms alpha and beta are avoided because they have generally lost their meaning in the software field; many applications remain in alpha or beta status for years, even though they work perfectly well. ^[67]

Whonix Gateway

Why can't I Ping the Whonix-Gateway?

The Whonix-Gateway does not respond to ping or similar commands because it is firewalled for security reasons; see Template:WhonixFirewall or refer to the Whonix source code. In most cases it is unnecessary to ping the Whonix-Gateway anyhow.

If a user insists on pinging the Whonix-Gateway or has a unique setup that requires it, then this can be tested by clearing all firewall rules with the dev_clearnet script. Alternatively, a script can be run to try and unload / remove every iptables rule, or the Whonix firewall can be hacked to not load at all. The latter method is only for experts and it is necessary to comment out the exit 0 at the beginning.

Graphical Whonix-Gateway?

Qubes-Whonix:
Does not apply.

Non-Qubes-Whonix:

If a user believes the Whonix-Gateway is using too much RAM or generally prefers a terminal version of Whonix-Gateway, the allocated RAM can be reduced to 256 MB and RAM Adjusted Desktop Starter will automatically boot into a terminal version of Whonix-Gateway.

When Whonix is used in combination with KVM, dynamic memory management of the RAM overhead might be a non-issue. By manually enabling these features it is possible to immediately profit. Eventually when Whonix 10 or a later version is released and KVM is in use, Whonix will enable this by default.

Whonix aims to be as accessible and usable as possible. Linux experts who were content with the older non-graphical version of Whonix-Gateway ^[68] may not appreciate the change, but Whonix is aimed at a broad audience. Whonix is also an attempt to recruit more casual users^{[69] [70]} to Tor, because the more people who use Tor, the better the anonymity that is provided^[71].

In the older, non-graphical version of Whonix-Gateway ^[72] it was difficult for users who had never used Linux before to complete tasks like upgrading or configuring obfuscated bridges. Many activities are simpler and easily accessible in a graphical desktop environment, such as:

• Setting up bridges / flashproxies.
• Auditing logs.
• Auditing iptables.
• Auditing the system architecture in general.
• Running Tests.
• Running Leak Tests.
• Editing the Tor configuration file /etc/tor/torrc.
• Editing the firewall settings folder /etc/whonxi_firewall.d.
• Reading status messages (whonixcheck and timesync).
• Changing the Tor circuit.
• Copying and pasting (configuration) commands, (error) messages and logs.
• Running tshark / wireshark.
• Tunneling only Whonix-Gateway's traffic through a VPN.

A black, text-only window (terminal) is intimidating for normal users. A graphical desktop environment is also a prerequisite for further planed improvements, such as a Whonix Controller. The proposed graphical Whonix Controller will provide buttons such as:

• "Create hidden blog", which creates a pre-configured blog.
• "Backup onion service keys".
• A Better Circumvention User Interface.
• And more.

Also, terminal-only environments are often unusable for users with disabilities. This is another reason why recent Whonix versions ^[73] feature an optional graphical desktop environment.

Users do not have many options if they believe the graphical Whonix-Gateway uses too much disk space and/or they want to achieve activities that Whonix was not designed for, such as running Whonix completely in RAM. Whonix was never developed with low installation size, low RAM, or low system requirements in mind. See also: Why are Whonix Images so Large? and Will there be a Whonix Live CD or DVD?

Advanced users can build Whonix from source code and use a build configuration to create a terminal-only version of Whonix-Gateway; refer to Build Documentation if that is of interest.

Last but not least, a terminal-only version of Whonix-Gateway could be easily provided if the role of Release Manager was filled. This requires someone willing to build terminal-only versions of Whonix-Gateway, which is not strictly about development since it only requires running the build script and uploading it. Until more people are contributing to The Whonix Project, this won't be possible due to resource constraints.

See also Other Desktop Environments for workarounds and alternatives.

Footnotes

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!