Does Whonix keep logs?

Not being amnesic. But does Whonix keep logs of what was going on inside Gateway and Workstation?


Not intentionally, but as far as a normal Debian system would do.

Would you recommend clearing/rotating logs regularly? In case your workstation got compromised or someone needs to check your VM. Could regular logs by Debian system be a threat to anonymity in this case?

If yes, what do you think about using logrotate tools?

Good day,

letting anyone aside from yourself “check your VM” is always something to recommend against, as you can never tell what intentions such a person has and in what way he or she could change anything on it. Furthermore, there really isn’t any scenario where “someone needs to check your VM”. On that matter, it is always recommended to encrypt the host using full disk encryption (VeraCrypt, dm-crypt, etc.) with a long and secure passphrase.

Getting compromised is another question: The logs which are kept by Debian by default are so minimal that usually they can’t tell an attacker anything other than the date on which the machine was last used, though this information is also rather useless, as the system time on Whonix is always set to UTC, which makes it hard to impossible to find out from which time zone you operate. Though you may check this yourself by opening the terminal and typing “cd /var/log”, followed by “ls”. Now you can see any log files kept by Debian and read through them, to make an educated decision on whether clearing up these files after using Whonix makes sense to you.

Regarding logrotate, this tool doesn’t seem to be tailored for anonymity-focused objectives; it is, as far as I can tell, made for network administrators who want to receive and clear logs on an automated basis via mail. I believe there are more fitting solutions out there if you really think an attacker knowing what little can be found through the logs is an issue, though personally, in that case, removing the workstation on a regular basis manually (or through a script) might be more practical and safe.

Have a nice day,
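Added example, not part of the thread or of Whonix: a small shell function that summarises what the files under a log directory give away through metadata alone (how many there are, their total size, and the oldest and newest modification times in UTC), which is the "date on which the machine was last used" discussed above. The function name `log_window` is hypothetical, and the code assumes GNU find and date as shipped with Debian.

```shell
#!/bin/sh
# Added example: report the time window that log file metadata exposes.
# Usage after sourcing this file: log_window /var/log
# (run as root to include files only root may read)

# log_window DIR
# Prints: files=<n> bytes=<total> oldest=<UTC time> newest=<UTC time>
log_window() {
    dir=${1:-/var/log}
    # One line per regular file: "<mtime as epoch seconds> <size in bytes>"
    find "$dir" -type f -printf '%T@ %s\n' 2>/dev/null |
    awk '
        {
            t = int($1); n++; bytes += $2
            if (n == 1 || t < oldest) oldest = t
            if (n == 1 || t > newest) newest = t
        }
        END { printf "%d %.0f %.0f %.0f\n", n, bytes, oldest, newest }
    ' | {
        read -r n bytes oldest newest
        if [ "$n" -eq 0 ]; then
            # Nothing readable: no usage window can be derived.
            echo "files=0 bytes=0"
        else
            echo "files=$n bytes=$bytes" \
                 "oldest=$(date -u -d "@$oldest" +%Y-%m-%dT%H:%M:%SZ)" \
                 "newest=$(date -u -d "@$newest" +%Y-%m-%dT%H:%M:%SZ)"
        fi
    }
}
```

The `newest` value is the last time anything wrote to a log, and `oldest` shows how far back the retained logs reach, so running it before and after clearing or rotating logs shows what actually changed.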


See this:
Frequently Asked Questions - Whonix ™ FAQ

I used logrotate when I was on a Debian host. It’s nice to control some things about the logs: size, compression, permissions, rotation, etc.

@Patrick maybe you put the wrong link?

Fixed link. See: Frequently Asked Questions - Whonix ™ FAQ