Long Wiki Edits Thread

OK, I think the last bit of editing I was due to start was:

  • generating a strong encryption key pair for email purposes (the wiki guide is a bit weak there)
  • adding maybe something to Tor Browser entry about not ignoring “Allow this website to extract canvas image data?” question that sometimes appears here and there
  • finishing off edits on Advanced Security Guide (was about half way through) so all of that shit can be switched around between Security Guide, Advanced Security Guide and Comp Security Education as per phabricator entry

Won’t have nearly as much time to edit as before, but should be able to do a few hours here and there.

PS You should do a search and delete apt-pinning instructions across the entire documentation? If it is screwing up some configs, then it is dangerous advice.

PPS Safe to run Tor Browser 7.5a5? It works, and has content sandboxing set to level 2, which 7.06 doesn’t, so if that is okay, we can recommend it in the hardening checklist. (off topic: have you tried debian 9 for sys-net and sys-firewall?)

1 Like

Sounds all good!

That apt pinning template is empty so shouldn’t mess up any instructions anywhere.

That was me but I forgot to login…

2 Likes

I think we need to flesh out the Firejail stuff a bit, so people use better options e.g.

Firejail – A Security Sandbox for Mozilla Firefox, Part 1 | l3net – a layer 3 networking blog

Is it possible to run a video player like VLC or SMplayer by allowing it access to videos in filesystem, while blocking its access to the internet?

$ firejail --net=none vlc

If any problem is encountered, a solution is to replace “--net=none” with “--protocol=unix”; the effect will be the same as “--net=none”.

Is it possible to combine Firejail with TorBrowser, with the profiles you made for Firefox? (TorBrowser has full access to the .gnupg folder contents of the same user.) It will be useful if you write a separate blog article about this if it is difficult to do.

You can reuse an existing profile for another application. Actually, this is how I start tor:

$ firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser

Now, we can’t do the above in Whonix for Tor Browser (the firefox-esr.profile doesn’t work), but I’ve gone through the man firejail entry, and tried to run Tor Browser with various security options.

Most of them don’t work in Whonix e.g. --apparmor --caps.drop=all --private --overlay-tmpfs etc probably due to the unique environment running.

But --seccomp works nicely, as does --debug so you can see what the program is doing.

FYI

--seccomp
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, migrate_pages, move_pages, vmsplice, chroot, tuxcall, reboot, nfsservctl and get_kernel_syms.

System architecture is not strictly imposed. The filter is applied at run time only if the correct architecture was detected. For the case of I386 and AMD64 both 32-bit and 64-bit filters are installed.

So, using a layered security approach, surely we should recommend from the terminal for Firejail users:

firejail --debug --seccomp torbrowser

(it ends up using a default profile which isn’t too bad. Advanced users can build their own config)

This blacklists a lot of directories and processes - see man firejail for more information.

I thought the developer had released a tor browser .profile but I couldn’t find it, or at least it’s not part of the Debian 8 package that is installed.

PS Apparmor profile for Tor Browser in Whonix still unusable? Blank pages would only appear in recent times. Pity not to use it.

2 Likes

You just have to manually edit it per your thread. :slight_smile: (for 7.0.6)

1 Like

OK, forgot about that! :blush:

We should add a section to the Apparmor part explicitly outlining what users should do to maintain a functional browser, instead of saying something about it being an advanced user problem.

No easy instructions = lower user base = people are less secure.

How about the following? (I’ve tried this; it doesn’t work yet, probably because the apparmor profile has to be renamed to etc/apparmor.d/home.tor-browser.firefox? The error is around apparmor trying to access (denied read, r) the actual profile itself.)

== Maintain a Functional Tor Browser ==

Tor Browser upgrades frequently break the Whonix Apparmor profile used to contain it. Even when Apparmor related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix stable or even the developer version. This means manual profile fixes are required until [[http://kkkkkkkkkk63ava6.onion/wiki/About#Whonix_Version|the next Whonix version is released]].

At the time of writing, Tor Browser is non-functional with the available profile in the repositories. Advanced users can follow these steps to rectify the problem.

  1. Open a terminal in the Whonix-Workstation TemplateVM.

Whonix-WS TemplateVM → Konsole

  2. List the available Apparmor profiles.

{{CodeSelect|code=
ls /etc/apparmor.d/
}}

  3. Edit the Tor Browser apparmor profile.

Note: change the name of the file to match whatever version is installed on the system.

{{CodeSelect|code=
sudo nano /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
}}

  4. Navigate to the Whonix Github resource for Apparmor.

The latest git commits can be found here: GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).

Select Code → etc/apparmor.d → home.tor-browser.firefox

Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.

  5. Enforce the new profile if it was previously disabled.

Note: change the name of the file below to match the one installed on the system.

In the Whonix-Workstation TemplateVM, run:

{{CodeSelect|code=
sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
}}

  6. Shutdown any running instances of the Whonix-Workstation AppVM and the Whonix-Workstation TemplateVM.

  7. Restart the Whonix-Workstation AppVM and run Tor Browser.

If everything has been applied correctly, Tor Browser will have full functionality.

To check Apparmor is really running and enforced, in a terminal run:

{{CodeSelect|code=
sudo aa-status
}}

The output should show the Tor Browser profile is loaded and in enforce mode.

2 Likes
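The last step of the draft above says the aa-status output should show the Tor Browser profile loaded and in enforce mode. As an added example, not part of the wiki draft or of this thread, the following POSIX shell script parses aa-status output so that check can be scripted rather than eyeballed: it reports the mode of a profile by name and counts the running processes actually confined by it. The embedded aa-status output is constructed sample text, and the profile path /home/*/tor-browser_*/Browser/firefox in it is an assumption about how the Whonix profile appears in the listing.

```shell
#!/bin/sh
# Added example, not taken from the Whonix wiki or this thread.
# Parses `sudo aa-status` output to confirm that a profile is loaded in
# enforce mode and that a running process is confined by it.

# Constructed sample of aa-status output (not captured from a real system).
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /home/*/tor-browser_*/Browser/firefox
   /usr/bin/evince
   /usr/bin/tor
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/bin/man
2 processes have profiles defined.
2 processes are in enforce mode.
   /home/user/tor-browser_en-US/Browser/firefox (2345)
   /usr/bin/tor (1234)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode OUTPUT PATTERN
# Prints "enforce", "complain" or "absent" for the first loaded profile whose
# name contains PATTERN. Only the "profiles are in ... mode" sections are
# searched; the process sections further down are ignored.
profile_mode() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    /profiles are in enforce mode/    { mode = "enforce";  next }
    /profiles are in complain mode/   { mode = "complain"; next }
    /processes have profiles defined/ { mode = "" }
    mode != "" && index($0, pat)      { print mode; found = 1; exit }
    END { if (!found) print "absent" }'
}

# confined_processes OUTPUT PATTERN
# Prints how many running processes whose path contains PATTERN are listed
# under "processes are in enforce mode" (a loaded profile that confines no
# process is not protecting anything yet).
confined_processes() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    /processes are in enforce mode/ { in_sec = 1; next }
    /^[0-9]+ processes/             { in_sec = 0 }
    in_sec && index($0, pat)        { n++ }
    END { print n + 0 }'
}

# check_tor_browser OUTPUT
# Exit status 0 when a profile containing "tor-browser" is in enforce mode.
check_tor_browser() {
  [ "$(profile_mode "$1" tor-browser)" = enforce ]
}

# Usage on a live system (requires root for aa-status):
#   check_tor_browser "$(sudo aa-status)" && echo "Tor Browser profile enforced"
#   confined_processes "$(sudo aa-status)" tor-browser
```

Run it against the real output with `check_tor_browser "$(sudo aa-status)"` after starting Tor Browser; a result of enforce together with a non-zero confined process count is what the draft's final sentence describes.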

→ Fixed

→ Fixed

→ Fixed

TODO:

1 Like

Re: creating a strong key pair for email purposes.

I gather the following refs are pretty good, although some of the settings in the first one (Thunderbird) don’t marry up with Whonix recs, so could be tightened based on our wiki recommended settings:

https://securityinabox.org/en/guide/thunderbird/linux/

Also, I don’t believe the GUI stuff in that guide is sufficient for creating a strong key pair (GPG auto creation defaults to 2048 bit key strength; we want 4096 bit).

Plus we can strengthen the hash preferences, create a safe master key pair (remove the original signing subkey) etc if it is manually created.

These guides below show how to create a 4096 bit key pair, with stronger settings. So, we’d probably outline the most relevant command line operations to create a strong key pair.

OpenPGP Best Practices - riseup.net

Creating a new GPG key | Ana Guerrero Lopez

Creating the perfect GPG keypair - Alex Cabal

Creating GPG Keys - Fedora Project Wiki

keyring.debian.org

Then we need some clear instruction on how the manually generated key is used in Thunderbird i.e. importing step or other.

Also, the pre-reqs before the user does any of this are, I suppose:

  • already have created an anonymous email account with a non-backdoored, non-heavily attacked provider, which is based in a country not in the extensive ‘Eyes’ network, and supports desktop email and encryption add-ons. Easier said than done.
  • separate Whonix-WS AppVM created just for email purposes.
  • user already has enigmail installed (should be by default in Whonix)

The guide also needs to be clear on:

  • removing private key off the template and storing in secure place so the user is not pwned.
  • revocation certificate stuff.
  • making a backup of the private key.
  • keys that expire and not indefinite ones.
  • all the keyserver crap (exporting public key) and doing it safely.
  • using long form IDs for everything.
  • making sure stuff is also signed appropriately for verification.
  • a thousand other security things mentioned in those guides further above.

Basically, the finished product should look like what Patrick or HulaHoop would be happy with, if they were using it for email purposes - keys, key management, relevant Thunderbird settings & relevant VM settings.

I’ll test all relevant steps, because if there’s a config error to be found, I’m sure to run into it.

1 Like

Did you know…?

You’re suggesting this? Not sure that is overkill / too difficult for most. Even for me it’s a PITA.

Renaming profile is not necessary. Wildcards are in place to support all Tor Browser versions. Just need directory to start with tor-browser, which it should if downloaded from torproject.org.

Steps 5,6,7 are valid.
Alternatively, one just needs to close Browser and then reload the apparmor profile with:
sudo apparmor_parser --replace /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

2 Likes

You may also want to look at relevant section in @tempest’s guide: Chapter 4f. Encrypted email with Icedove and Enigmail.

2 Likes

Ah, missed that one. But no, that is Jason Bourne level having thought about it some more.

What the documentation is missing is easy-medium difficulty steps where they can actually fulfil the Whonix mantra repeated everywhere - “use encrypted email with your own set of encryption keys”.

It would build on this stuff here →

http://kkkkkkkkkk63ava6.onion/wiki/E-Mail#Icedove_.28Mozilla_Thunderbird.29_with_Enigmail_.2B_TorBirdy

But, I think the basic structure would be:

  1. Creation of separate VM purely for email

  2. Pre-existing account created with reasonable provider (via Tor)

  3. Manually create the key on the command line. To not overwhelm the user, maybe just focus on four changes:

  • 4096 bit strength
  • 2 years before expires
  • strengthen hash preferences
  • creating a revocation certificate

(skip all the subkey and other stuff, too involved for general privacy advocates). It can link to the Jason Bourne page for advanced users at this step.

  4. Publishing public key to keyservers

  5. Run Thunderbird

  6. Configure Thunderbird settings as per that Linux guide & email provider & change anything that doesn’t match with different recs in Whonix docs here and there

  7. Configure Thunderbird so it can use the manually generated key

  8. Advise re: how/where/what to do with keys - noting danger of private key theft. For low risk users, the Qubes vault might be good enough. For medium risk users, maybe USB/external media. For high risk users, maybe locked in a remote safe somewhere.

  9. Show email example with successful decryption/encryption and signing pages

I think that covers it off. A one stop encrypted email shop, so easy your grandma could do it. That’s the plan. It’s a bit fragmented now, and not complete for ordinary users.

1 Like
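The four command-line changes proposed in step 3 of the post above (4096 bit strength, two-year expiry, stronger hash preferences, a revocation certificate) map directly onto GnuPG's unattended key generation. As an added example, not from the thread or the Whonix wiki, here is a POSIX shell script that writes the gpg batch parameter file with those settings, runs the generation, and exports a revocation certificate. The name, e-mail address and file names are placeholders; the preference string follows the riseup best-practices ordering linked earlier in the thread.

```shell
#!/bin/sh
# Added example, not taken from the Whonix wiki or this thread.
# Unattended GnuPG key generation covering the four choices in step 3:
# RSA 4096, two-year expiry, stronger hash/cipher preferences and a
# revocation certificate. Name, e-mail and file names are placeholders.

# write_gpg_params OUTFILE NAME EMAIL
# Writes a parameter file in the format `gpg --batch --gen-key` expects.
# With RSA the primary key defaults to sign+cert and the subkey to encrypt,
# so no Key-Usage lines are needed. Expire-Date applies to both keys.
write_gpg_params() {
  cat > "$1" <<EOF
%echo Generating a 4096-bit RSA key pair that expires in two years
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
%ask-passphrase
%commit
%echo done
EOF
}

# param_value PARAMFILE KEY
# Prints the value recorded for KEY, so the file can be checked before it is
# handed to gpg.
param_value() {
  sed -n "s/^$2: //p" "$1"
}

# generate_key PARAMFILE
# Runs the unattended generation. Needs gpg and a pinentry for the
# passphrase prompt; this is the only step that touches the keyring.
generate_key() {
  gpg --batch --gen-key "$1"
}

# export_revocation KEYID OUTFILE
# Writes an ASCII-armoured revocation certificate for KEYID (gpg prompts
# for the reason and the passphrase). GnuPG 2.1 and later also create one
# under ~/.gnupg/openpgp-revocs.d/ at generation time; either way it
# belongs offline, next to the private key backup, not on the e-mail VM.
export_revocation() {
  gpg --output "$2" --armor --gen-revoke "$1"
}

# Usage (placeholders, run by hand in the e-mail VM):
#   params=$(mktemp)
#   write_gpg_params "$params" "Alice Example" "alice@example.invalid"
#   generate_key "$params" && rm -f "$params"
#   export_revocation alice@example.invalid revoke-alice.asc
```

The parameter file can be inspected with param_value before anything is generated, which is also where the tests below look; generate_key and export_revocation are the only functions that need gpg installed.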

Thanks entropy, I’ll have a look.

I’ll test that apparmor thing again, since I’m not sure why it blocked Tor Browser before if most of that above is correct.

Once it works, I’ll put that edit in, with your recommended apparmor_parser line.

2 Likes

Great!

(Feel free to mention briefly Air Gapped OpenPGP Key - Kicksecure. We can let users know that there are options when we mention how difficult these get.)

→ Fixed.

Working on this next.

I was trying to add some information on configuring Tor Bridges. Unfortunately, all the changes just disappeared and I did not back it up.

I was also trying to create templates called Template: Anon Connection Wizard Use Bridges and Template: Anon Connection Wizard Use Proxy, but I was not able to find the place to create an article page. Do I still have the privilege to create new page? If not, could someone help me to create the templates please? :slight_smile:

Thank you very much!

1 Like

Done.

These empty template pages can be found through the search bar.

Just search for template:Anon Connection Wizard Use Bridges and template:Anon Connection Wizard Use Proxy and edit away.

To insert the templates on an existing documentation page, just reference {{Anon_Connection_Wizard_Use_Proxy}} and {{Anon_Connection_Wizard_Use_Bridges}}

Safest method for edits is to have a separate Work VM (not connected to the Net) where you put all your proposed changes in a gedit program or similar. Then cut and paste into the wiki page, so that when you get some server error or bad Tor circuit when trying to save edits, you don’t lose your work.

Plus, you shouldn’t type directly into the web browser for security/privacy reasons :wink:

Love your work Iry! :slight_smile:

2 Likes

AppArmor: Difference between revisions - Whonix - apparmor-profile-tor - there is no such thing.

There is GitHub - Kicksecure/apparmor-profile-dist: AppArmor profile for Anonymity Linux Distributions - https://www.kicksecure.com/wiki/AppArmor - for better security (hardening). (installed by default) and Tor’s profile (installed by tor package by default).

torjunkie:

> Done.
>
> These empty template pages can be found through the search bar.
>
> Just search for template:Anon Connection Wizard Use Bridges and template:Anon Connection Wizard Use Proxy and edit away.
>
> To insert the templates on an existing documentation page, just reference {{Anon_Connection_Wizard_Use_Proxy}} and {{Anon_Connection_Wizard_Use_Bridges}}

Thank you very much for your immediate help and detailed instructions, torjunkie!

> Safest method for edits is to have a separate Work VM (not connected to the Net) where you put all your proposed changes in a gedit program or similar. Then cut and paste into the wiki page, so that when you get some server error or bad Tor circuit when trying to save edits, you don’t lose your work.
>
> Plus, you shouldn’t type directly into the web browser for security/privacy reasons :wink:

Thank you for sharing the instructions with me! I agree with you that it is strongly preferred to edit locally in a separate Work VM without Internet connection :slight_smile:

> Love your work Iry! :slight_smile:

Thank you for your encouragement, @torjunkie !

1 Like