Testers wanted! Whonix 9 early first test version


The version number for this testers-only release is, which will become Whonix 9 the moment it’s blessed stable.

Download link for Virtual Box images (.ova), experimental kvm/qemu images and OpenPGP signatures (.asc):


Thanks to everyone who made this test release possible! Next step is working on that.

Upgrading from Whonix 8, 8.1, 8.2, 8.3 to is not yet possible!

Testers wanted!

If you want to build from source code, see:


Build instructions for Physical Isolation are not yet tested. Help needed!


Changelog between Whonix 8.2 and Whonix

– Modding Whonix, extending Whonix, such as installing a different desktop environment is now much simpler, because Whonix has been split into smaller packages https://github.com/Whonix/Whonix/issues/40. Therefore also understanding Whonix internals got simpler.

– added experimental libvirt (kvm, qemu) support

– Breaking change: Changed Whonix-Gateway internal IP address to and netmask to to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.

– Breaking change: Changed Whonix-Workstation internal IP address to, netmask to and gateway to to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.

– use logrotate for bootclockrandomization, sdwdate, control-port-filter, timesanitycheck

– sdwdate now uses the median instead of average

– fixed timezone question during upgrade for Whonix build version 9 and above

– added apt-transport-https to anon-shared-packages-dependencies

– encrypt swapfile on boot with random password, create swap file on boot using init script instead of postinst script

– added openvpn to anon-shared-packages-recommended

– sdwdate implemented options –no-move-forward and –no-move-backwards (disabled by default)

– sdwdate implemented option to update hardware clock –systohc (disabled by default)

– Whonix-Gateway firewall: reject invalid outgoing packages

– added spice-vdagent to anon-shared-packages-recommended for better kvm support

– providing xz archives with sparse .qcow2 images

– build script: improved error handling, when error is detected, wait until builder presses enter before cleanup and exit to make it simpler to read error messages when building in cli

– ram adjusted desktop starter: fixed lightdm (/usr/sbin/…) auto detection

– Physical Isolation: automated ‘Install Basic Packages’ (‘sudo apt-get install $(grep -vE “^\s*#” grml_packages | tr “\n” ” “)’) build step

– verifiable builds: now using fixed disk identifiers to make verification easier

– build script: added support for –vram, –vmram, –vmsize switches

– whonixcheck: increased Tor socks port reachability test timeout from 5 to 10 as per https://www.whonix.org/forum/index.php/topic,129.0.html

– Changed keyserver (suggested by tempest @ https://www.whonix.org/forum/index.php/topic,140.0.html) from hkp://2eghzlv2wwcq7u7y.onion to hkp://qdigse2yzvuglcix.onion as used by torbirdy and https://raw.github.com/ioerror/torbirdy/master/gpg.conf.

– Whonix-Gateway: Re-enabled AppArmor for System Tor. Removed workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 (USE_AA_EXEC=”no”) by removing Whonix’s displaced (config-package-dev) /etc/default/tor since that bug has been fixed upstream.

– build script: whonix_build now acts differently for –clean option depending on –virtualbox, –qcow2 and –bare-metal

– removed Whonix’s grml-debootstrap fork, because Whonix’s patches were merged upstream

– bootclockrandomization: randomizing milliseconds

– update-torbrowser: break when endless data attack is detected (max file size 100 mb for torbrowser, 1 mb for other files)

– Whonix-Workstation: added password manager fpm2 as per https://www.whonix.org/forum/index.php/topic,187.15.html

– removed –onion feature from update-torbrowser and its man page because torproject took its .onion domain permanently offline (https://trac.torproject.org/projects/tor/ticket/11567) thanks got z (https://www.whonix.org/forum/index.php?action=profile;u=94) for the report (https://www.whonix.org/forum/index.php/topic,277.msg1827.html#msg1827)

– help_check_tor_bootstrap.py: – suggestions by Damian Johnson from — https://lists.torproject.org/pipermail/tor-dev/2014-May/006799.htmlhttps://lists.torproject.org/pipermail/tor-dev/2014-May/006804.html – troubadour advised on implementation https://www.whonix.org/forum/index.php/topic,278.0 – controller.authenticate(“password”) isn’t required, controller.authenticate() works – more robust method to parse Tor bootstrap percent

– removed obsolete whonix_gateway/usr/bin/armwrapper (user “user” is now member of group “debian-tor”, so no longer required to start arm as user “debian-tor”)

– removed backgroundd, was replaced by gateway first run notice https://www.whonix.org/forum/index.php?topic=207

– added machine readable copyright files

– build script: Renamed “img” to “raw”, because “img” was a poor name for raw images.

– build script: made variables overrideable by build config

– build script: set DEBUILD_LINTIAN_OPTS to “–info –display-info –show-overrides –fail-on-warnings”, to show more verbose lintian output and to break the build should lintian find an error such as a syntax error in a bash script

– build script: Workaround for a bug in kpartx, which fails to delete the loop device when using very long file names as per https://www.redhat.com/archives/dm-devel/2014-July/msg00053.html

– better output, better formatting, clickable links, thanks to https://github.com/troubadoour for working on msgcollector

– kde-kgpg-tweaks: added gnupg-agent to dependencies because we’re using it in the config and because otherwise kgpg would complain about using use-agent while having no agent installed

– Refined whonixlock.png. Thanks to nanohard (https://www.whonix.org/forum/index.php?action=profile;u=248) for the edit!

– added apt-transport-https to anon-shared-packages-dependencies

– added openvpn to anon-shared-packages-recommended

– added network-manager-kde to anon-shared-desktop-kde

– changed displace extension from .apparmor to .anondist, thanks to http://mailman.mit.edu/pipermail/config-package-dev/2014-May/000018.html

– control-port-filter: Added “lie feature”, i.e. when getting asked “GETINFO net/listeners/socks” answer ‘250-net/listeners/socks=”″‘; configurable by CONTROL_PORT_FILTER_LIMIT_GETINFO_NET_LISTENERS_SOCKS variable. Enabled by default.

– control-port-filter: Limit maximum accepted command string length to 128 (configurable) as done by Tails (https://mailman.boum.org/pipermail/tails-dev/2014-February/005041.html). Thanks to HulaHoop (Whonix Forum) for suggesting this (Whonix Forum).

– control-port-filter: added GETINFO status/circuit-established to whitelist

– whonixcheck / timesync / update-torbrowser: correct exit codes on signal sigterm and sigint

– sdwdate: no more clock jumps. Gradually adjust clock as NTP does. Sclockadj has been written by Jason Ayala (Jason@JasonAyala.com) (@JasonJAyalaP) – https://github.com/Whonix/Whonix/issues/169 – Sclockadj helps sdwdate gradually adjusting the clock instead of producing clock jumps, which can confuse Tor, i2p, servers, logs and more. – It can add/subtract any amount of nanoseconds. – It supports waiting an interval of min/max nanoseconds between iterations, which will be randomized if min/max differs. – It supports slewing the time for min/max nanoseconds, which will be randomized if min/max differs. – It supports to wait before its first iteration. – It can run either verbose or quite. – It supports either really changing the time or running in debug mode.

– sdwdate: use median instead of average as suggested in https://www.whonix.org/forum/index.php/topic,267.0.html

– whonixcheck: don’t check just if Tor is fully bootstrapped, also check if Tor was actually able to create a circuit.

– added VPN_FIREWALL feature to Whonix-Gateway’s firewall https://www.whonix.org/blog/testers-wanted-vpn-firewallhttps://www.whonix.org/wiki/Next#Tunnel_Tor_through_VPN

– Whonix-Firewall: make variables overwrite able by /etc/whonix_firewall.d config folder

– Whonix-Firewall: renamed variable NON_TOR_WHONIXG to NON_TOR_GATEWAY



sdwdate bug has been found:



confirm open used to say

will be opened in Tor Browser.

But now it says

will be opened in x-www-browser (usr/bin/torbrowser) which I found confusing. I guess this is to show the path when the default is changed but at least this one can be shown as simply Tor Browser.

I also dislike the new wordings Privacy Browser, Tor Browser (AnonDist) etc. Does not make sense and is confusing. I know your reason behind it, but its illogical

Other than that, I recommend to to combine same language texts in whonixsetup.

Rather than

ENG: xxx
GER: yyy

ENG: aaa
GER: bbb

this would be better



Forgot to add, the improvements overall are beautiful.

A question, could the log off screen be hidden or automized? I mean, the screen where you abort the session. That way it would be nice and smoother

Will think some more on your other suggestions and answer later.

Do you mean tty1? whonixcheck/timesync writing to tty1 (Platform-specific Desktop Tips)? VBox key (default: right strg) + F1? Related to rads (RAM Adjusted Desktop Starter) (Platform-specific Desktop Tips)?

If yes…

We are using auto login to tty1 at the moment - and rads will maybe (depending on options and RAM) start a login manager (such as kdm). At shutdown you see there messages which are outdated by then, you already saw them on the desktop. I guess it would be more logical to log out tty1 after rads started a login manager? Then whonixcheck/timesync writing to tty1 would be disabled - we would be back to Debian defaults.

Fixed a small bug in tb-starter (/usr/bin/torbrowser).

The messsage was not displayed.

I don’t understand why we have ENG and GER there anyway. We say “you must understand English to use whonix safely”, yet we have a German translation here and no where else.

For legal protection.

[quote=“troubadour, post:6, topic:364”]Fixed a small bug in tb-starter (/usr/bin/torbrowser).
Manually fixed without merge (because you didn’t base upon latest master, didn’t fetch beforehand), thanks!

[quote=“z, post:3, topic:364”]confirm open used to say

will be opened in Tor Browser.

But now it says

will be opened in x-www-browser (usr/bin/torbrowser) which I found confusing. I guess this is to show the path when the default is changed but at least this one can be shown as simply Tor Browser.[/quote]
Indeed. Will be changed back to “Tor Browser” in next version. desktop screenshot: start menu screenshot:

tb-starter is supposed to be fulfill three points (*):

See .desktop files:

GenericName=Privacy Browser

And GenericName is what kde’s start menu is showing by default. For example iceweasel is kde’s start menu is also just called “web browser” and you only get to see “iceweasel” when you hover of it with the mouse. So it might seem a bit unfamiliar, but I guess it’s the correct way.

The ugly addition (AnonDist) is used to make it distinguishable from torbrowser-launcher and from The Tor Project.

If you have suggestions on how to fulfill these three points (*) while using better naming, please make them.