This is a point release.

Download Whonix for VirtualBox:

Alternatively, in-place release upgrade is possible.

This release would not have been possible without the numerous supporters of Whonix!

Please Donate!

Please Contribute!

Notable Changes

• Signify Digital Signatures (Signify) for advanced users
• updated software
  • APT
  • electrum
  • Monero
  • Tor Browser
  • Tor Browser Downloader by Whonix Developers
  • Hardened Malloc
• Tor Browser Downloader by Whonix Developers
  • Configuration
    • add --onion to optionally download over onions
    • add --alpha to optionally download alpha rather than stable versions
  • fix update-torbrowser does not see version 10.0.6 due to new version format introduced by upstream
• Tor Browser Starter by Whonix Developers
  • fix opening URLs which contain question marks
  • add more folder permission checks
• whonixcheck
  • warn if dmesg contains “Bad RAM detected”
• Qubes-Whonix
  • enable workaround for Monero bug also in Qubes (Xen) “Automatic fallback to softwarecontext renderer”
  • sdwdate-gui
    • fix unwanted automatic restart of Qubes-Whonix-Workstation in after shutdown
    • fix, do not qrexec notify self on shutdown
  • fix msgcollector sudoers issue when qubes-core-agent-passwordless-root package was removed
• security-misc
  • usability: pam abort when attempting to login to root when root password is locked
  • fix, no longer unconditionally abort pam for user accounts with locked passwords
• Whonix-Custom-Workstation
  • add DVD drive by default for Whonix-Custom-Workstation (otherwise grave usability issue that users cannot choose ISO in VirtualBox first start wizard (which asks for which ISO to boot) (no longer add virtual DVD drive to VM by default))
• Live Mode
  • Host Live Mode (improved documentation)
  • VM Live Mode (improved documentation)
  • grub-live
  • fixed ro-mode-init: Live Mode Indicator not working - #16 by Patrick
• Thunderbird:
  • fix connectivity out of the box (torbirdy replacement - #35 by LavenderLevitator)
• whonix-welcome-page
  • all onion links to Whonix website
• Documentation Enhancements
  • Full Disk Encryption
  • Watching YouTube Videos
  • Downloading YouTube Videos
  • Tuning VM Performance
  • What is a TransparentProxy
  • added instructions how to use stream isolation for manually installed applications to Stream Isolation wiki page
  • documented Telegram
  • improved Non-Qubes-Whonix instructions on how to use multiple Whonix-Gateway
  • new page Please Use Search Engines And See Documentation First
  • improved System Recovery using SysRq Key
  • improved safely using root
  • documented Login Spoofing
  • improved secure screen locking documentation
  • created Phone Number Validation vs User Privacy
  • created Account and Mobile Security
  • improved Strong Linux User Account Isolation
  • created Miscellaneous Threats to User Freedom
  • improved Two-factor authentication 2FA‎‎
  • improved Whonix-Workstation Firewall‎
  • improved Whonix on USB‎‎
  • improved Metadata‎‎
  • improved Dev/Default Application Policy
  • created Policy On Nonfreedom Software
• Website improvements
  • wiki editing over onion
  • using forums over onion
  • mostly fixed Onion forum site redirects to clearnet - #13 by Patrick
  • implemented Onion-Location header, which shows Tor Browser user visiting the clearnet version of whonix.org “onion available”
  • fixed Wiki Miss offer Secure Connection while the connection over Onion - #7 by Patrick
  • implemented Expect-CT security header for whonix.org - #3 by Patrick
  • fixed URL with no Onion mirror
  • review hardenize.com results (no clean HSTS-Preload / DNSSEC)
  • research DANE TLSA (DNS-based Authentication of Named Entities) for whonix.org - #2 by TNT_BOM_BOM
  • Whonix Software Signature Verification Documentation Discussion - VirtualBox vs KVM - GPG / signify / codecrypt - #21 by HulaHoop
  • check https://forums.whonix.org/t/discourse-reply-by-e-mail-broken-2/9970/3
  • investigate Uploaded Images doesnt show up after creating topic
  • documented Testing the Whonix ™ server with test websites such as hardenize.com / securityheaders.com / Mozilla Observatory / SSL Labs / hstspreload.org
  • improved documentation chapter Trusting the Whonix ™ Website
  • considered drop-www vs yes-www
  • considered Hide Server IP
  • Set up dedicated server for Kicksecure, with dedicated domain kicksecure.com, homepage, wiki and soon forums. (Not yet public. Big effort to rewrite wiki for Kicksecure.)
• Development Activities
  • SUID Disabler and Permission Hardener - #76 by Patrick
  • Offline Documentation
  • Tor integration in Whonix - #5 by Patrick
  • document IP HARDCODED
  • hardened-malloc-kicksecure
  • sandboxed-app-launcher
  • Continuous Integration, CI
  • Whonix-Host
  • Qubes Remote Support (github)
  • Tor can now serve as http proxy - HTTPTunnelPort - #9 by Patrick
  • tirdad
• Development Discussions
  • https://forums.whonix.org/t/flathub-as-a-source-of-software/10706/2
  • Snap Store / snaps / snapd / snapcraft.io - a new software source? - #10 by TNT_BOM_BOM
  • Hardened Kernel vs LKRG - #2 by Patrick
  • Chromium Browser for Kicksecure Discussions (not Whonix) - #59 by HulaHoop
  • Screen Locker (In)Security - Can we disable these at least 4 backdoors? - #13 by anon1344380
  • coyIM in Whonix - development discussion - #20 by Patrick
  • Is RAM Wipe possible inside Whonix? Cold Boot Attack Defense - #33 by Patrick / Dev/RAM Wipe‎‎
  • dino-im messenger - #36 by IMV
  • Fork XFCE Theming of another Debian based Linux distribution - #10 by Patrick
  • Whonix coding style inconsistencies - #3 by madaidan
  • Should (lesser) Adversaries with Physical Access be part of the Threat Model of Whonix / Whonix-Host / Kicksecure? - #11 by madaidan
  • SysRq (Magic SysRq key) - #71 by madaidan
  • Restricting access to and stripping down default installed compilers and debuggers - #5 by Patrick
  • iptables to nftables transition - Upstream developments - #2 by HulaHoop
  • Etherify - Leaking data via out of unconnected devices - #2 by Patrick
  • Current State of Kloak? - #30 by Patrick
  • Auto Logout Virtual Console on Inactivity? - #3 by Patrick
  • Random Hidden Service Resolvers Default [RFC] - #7 by Patrick
  • Eliminate LD_PRELOAD and other Dangerous Environment Variables - #8 by Patrick
  • enforce kernel module software signature verification [module signing] / disallow kernel module loading by default - #57 by Patrick
  • Debian Short Term Support (STS) Proposal - similar Debian Rolling / CUT (Constantly Usable Testing)
  • Switching to ALSA
  • spectre / meltdown mitigation defaults changed
  • use XFCE with Wayland - #10 by HulaHoop
  • Thunderbird 78 Deprecates Enigmail - #5 by m-ueberall
  • magic-wormhole - easyly get things from one computer to another, safely - review? - #3 by Patrick
  • disabling CPU MSRs breaks CPU temperature control
  • (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? - #52 by Patrick
  • Dealing with File System Timestamps
  • Ship or Document DDoS Resistant torrc Settings
  • kernel built-in RAM memory test - parameter memtest=1 - enable by default?
  • Ship or Document DDoS Resistant torrc Settings
  • Enable Secure Memory Encryption (SME) - kernel parameter mem_encrypt - by default?
  • systemd-analyze security
  • Install memlockd by default? (daemon to increase system reliablity during low RAM)
  • Porting Whonix to Void Linux
  • Use DNSCrypt by default in Kicksecure? (not Whonix!)

Full difference of all changes

• https://gitlab.com/Whonix/Whonix/compare/15.0.1.5.1-developers-only...15.0.1.5.4-developers-only