Whonix: A High Security Method of Surfing the Internet

Whonix is a desktop operating system designed for advanced security and privacy. Whonix mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks. Commonly used applications are pre-installed and safely pre-configured for immediate use. The user is not jeopardized by installing additional applications or personalizing the desktop. Whonix is under active development and is the only operating system designed to be run inside a VM and paired with Tor.

After approximately two years of development, the Whonix Project is proud to announce the release of Whonix 16.

Whonix 16 is based on the Debian bullseye (Debian 11) distribution. This means users have access to many new software packages in concert with existing packages. In addition, this release will serve as development foundation for many exciting upcoming security enhancement such as Hardened Malloc Kicksecure (HMK), Linux Kernel Runtime Guard (LKRG) and other items on the Kicksecure Security Roadmap.

Alternatively, in-place release upgrade is possible upgrade using Release Upgrade Whonix 15 to Whonix 16 instructions.

This release would not have been possible without the numerous supporters of Whonix!

Please Donate!

Please Contribute!

Major Changes

• ported Debian base from Debian 10 buster to Debian 11 bullseye (discussion)
• Monero GUI wallet (XMR) version 0.17.2.3
• electrum Bitcoin (BTC) wallet version 4.0.9 (Debian stable version)
• package binaries-freedom is deprecated (reason) (electrum installed from packages.debian.org stable repository)
• switched back from deb.torproject.org tor package to packages.debian.org stable tor package (Tor integration in Whonix Development Notes)
• enable Debian fasttrack repository by default
• updated paths from /usr/lib to /usr/libexec where appropriate as per lintian Debian FSH
• VirtualBox version: this release is using VirtualBox guest additions version 6.1.26-dfsg-3 from fasttrack.debian.net version (details)

Known Issues

• Desktop background image currently is the same for Whonix-Gateway and Whonix-Workstation. This will most likely be fixed in the next release.

Notable Changes

• anon-apt-sources-list
  • enable fasttrack.debian.net by default
  • add fasttrack.debian.net
  • enable backports repository by default
• anon-gw-anonymizer-config
  • actually ControlPort 9052
  • ControlPort 9052 Required for onion-grater updates. https://gitlab.torproject.org/tpo/core/tor/-/issues/25173
• anon-meta-packages
  • binaries-freedom → electrum
  • whonix-shared-packages-recommended-cli: add kicksecure-recommended-cli
  • remove flashproxy-client and fteproxy from Whonix-Gateway since deprecated in Debian bullseye
  • remove obfsproxy (deprecated obfsproxy version 3) but keep obfs4proxy from Whonix-Gateway obfs4proxy package is deprecated in Debian bullseye
• anon-ws-disable-stacked-tor
  • Provides: obfsproxy, obfs4proxy
• apparmor-profile-dist
  • security-msic /run/faillock/** rwc,
  • pam security-misc bullseye
  • /etc/security/ r,
  • /etc/security/faillock.conf r,
• apparmor-profile-everything
  • rm_conffile /etc/apparmor.d/sbin.networking-aae
  • usrmerge - renamed: etc/apparmor.d/sbin.networking-aae → etc/apparmor.d/usr.sbin.networking-aae
  • usrmerge - renamed: sbin/networking-aae → usr/sbin/networking-aae
• genmkfile
  • genmkfile deb-install: install using apt-get install instead of dpkg -i for dependency resolution (sdwdate vs time-deamon)
  • update make_dependencies_filter_helper
  • exclude /debian folder from upstream tarball to avoid lintian warning no-debian-changes
  • Force the inclusion of the original source if Debian package revision number is higher than 1. LKRG package compatibility fix.
  • improve support for debian/changelog file without epoch
  • add support for debian/changelog file without epoch
  • LKRG v0.9.1 compatibility
  • clean up temporary file “debian/$package.dkms.debhelper”
• helper-scripts
  • etc/apparmor.d/abstractions/tor-circuit-established-check: deny /etc/ssl/openssl.cnf r, Not needed. Works without.
  • implement /usr/libexec/helper-scripts/first-boot-skel force to ease Default Home Folder Configuration Files Reset https://www.whonix.org/wiki/Desktop#Default_Home_Folder_Configuration_Files_Reset
  • move usr/lib/helper-scripts/ to usr/libexec/helper-scripts move usr/lib/curl-scripts to usr/libexec/helper-scripts as per lintian FHS
• kicksecure-base-files
  • /etc/kicksecure_version: 16
• kicksecure-meta-packages
  • add chromium to dummy-dependency so it can be removed
  • binaries-freedom → electrum
  • move obfs4proxy from kicksecure-dependencies-cli to kicksecure-recommended-cli https://forums.whonix.org/t/meta-packages-development-discussion/11948
  • kicksecure-cli Depends: kicksecure-recommended-cli
  • introduce kicksecure-recommended-cli install fasttrack-archive-keyring by default https://forums.whonix.org/t/install-debian-fasttrack-archive-keyring-by-default/11456
  • bullseye: libexo-1-0 → libexo-2-0
  • Merge branch ‘HulaHoop0-master-patch-35409’ into ‘master’ Added obfs4proxy and firefox-esr See merge request whonix/kicksecure-meta-packages!1
  • Added obfs4proxy and firefox-esr (Thanks to @HulaHoop!!)
• onion-grater
  • upgrade to newer onion-grater version by Tails
• open-link-confirmation
• qubes-whonix
  • yum → dnf
  • Honor skip-torified-updates-proxy-check qvm-service Reintroduce the ability (from qubes-whonix < 15.4) to skip the torified-updates-proxy-check script by enabling a qvm-service. This allows a Whonix template to be updated through a non-Whonix qubes.UpdatesProxy VM if necessary. (Thanks to Rusty Bird!)
• rads
  • do not start display manager if it was disabled (for example using sudo systemctl disable lightdm)
• repository-dist
  • legacy
  • required change /etc/apt/trusted.gpg.d/derivative.gpg → /etc/apt/trusted.gpg.d/derivative.asc
  • use ascii armored gpg key; code simplification since APT folder /etc/apt/trusted.gpg.d support ascii armored gpg keys since Debian bullseye
  • gnupg2 (dummy transitional package) → gnupg
• sdwdate
  • deny /usr/sbin/ldconfig rix,
  • Conflicts: time-daemon
  • Replaces: time-daemon
  • Revert “bullseye” This reverts commit 67222afa9b01c8bba1f814d5c57b1c7632355d6d.
  • Provides: time-daemon to avoid systemd pulling Depends: systemd-timesyncd
  • config-test
• security-misc
  • add hardened malloc compatibility for haveged workaround /lib/systemd/system/haveged.service.d/30_security-misc.conf SystemCallFilter=getrandom Otherwise haveged will exit with a core dump.
  • port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream
  • port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream
  • enable “apt-get --error-on=any” by default makes apt exit non-zero for transient failures /etc/apt/apt.conf.d/40error-on-any https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
  • replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any
  • port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger
  • improve LKRG VirtualBox host configuration as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
  • add LKRG compatibility settings automation for VirtualBox hosts https://github.com/openwall/lkrg/issues/82
• systemcheck
  • apparmor bullseye
  • @{PROC}/sys/kernel/osrelease r,
  • replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any
• tb-starter
  • improve function tb_prefs_js_file_patches
  • Update path to local browser homepage. Patch prefs.js in user home folder. Because it changed during Whonix 15 to Whonix 16 upgrade. from /usr/share/homepage/whonix-welcome-page/whonix.html to /usr/share/doc/homepage/whonix-welcome-page/whonix.html
  • delete /usr/share/tb-profile-i2p/profile.i2p/bookmarks.html since unused
  • usr/share/homepage → usr/share/doc/homepage
• tb-updater
  • alpha tbb_hardcoded_version=“11.0a4”
  • tbb_hardcoded_version=“10.5.5”
• usability-misc
  • replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any
• uwt
  • usr/lib/uwt_settings_show → usr/bin/uwt_settings_show
• vm-config-dist
  • VirtualBox guest additions installer: switch to interest-await trigger Using interest-await instead of previously interest-noawait because when virtualbox-guest-additions-iso was upgraded as the same time as vm-config-dist the trigger was not executed.
  • Removed folder existence conditional to prevent catch-22 (Thanks to @HulaHoop!!)
• whonix-base-files
  • /etc/whonix_version: 16
  • renamed: usr/lib/whonix/whonix.sh → usr/libexec/whonix-base-files/whonix.sh
• whonix-developer-meta-files
  • renamed: migrate_to_buster_proposed_updates_repository → migrate_to_proposed_updates_repository renamed: migrate_to_buster_repository → migrate_to_stable_repository renamed: migrate_to_buster_testers_repository → migrate_to_testers_repository
  • modify warrant canary text as per: https://www.whonix.org/w/index.php?title=Dev/Warrant_Canary_Draft&oldid=65156 https://forums.whonix.org/t/whonix-warrant-canary/3208/29
• whonix-firewall
  • TODO: /{,usr/}bin/qubesdb-cmd rUx,
  • owner /run/updatesproxycheck/** rw,
  • TODO: /{,usr/}bin/qubesdb-read rUx
  • After=systemd-modules-load.service required for LKRG otherwise iptables modules cannot be auto load
  • /var/log/journal/{,**} r,
• whonix-initializer
  • change path
• whonix-legacy
  • version
  • improve release-upgrade
  • improve release-upgrade
  • release-upgrade: fix, respect onion sources
  • workaround for Qubes specific perl: warning: Setting locale failed. issue https://github.com/QubesOS/qubes-issues/issues/4889
  • version
  • legacy
  • legacy
  • version
  • improve release-upgrade
  • improve release-upgrade
  • improve release-upgrade
  • improve release-upgrade
  • improve release-upgrade
  • improve release-upgrade
  • improve release-upgrade
  • forward port release-upgrade improvements
  • renamed: usr/libexec/release-upgrade → usr/sbin/release-upgrade
  • release-upgrade script: replace the apt functionality test package python-qt4 with nano siince python-qt4 installs too many packages, dependencies and nano is installed by default. Much faster test.
  • port release upgrade script to bullseye
• whonix-welcome-page
  • usr/share/homepage → usr/share/doc/homepage
• Whonix build script
  • remove virtualbox-guest-dkms since deprecated in Debian (integrated into kernel)
  • fasttrack
  • .gpg → .asc
  • Revert “build sources, Debian fasttrack: disable temporrily” This reverts commit 288323a86e2dc037b03e004c62ab3f8ce2b1f616.
  • avoid build dependency on ftpsync (for rsync test script)
  • VirtualBox builds: switch back to guest additions packages - virtualbox-guest-utils - virtualbox-guest-dkms - virtualbox-guest-x11 (Previously virtualbox-guest-additions-iso.)
  • VirtualBox builds: temporarily download package virtualbox from Debian sid until it becomes available from either Debian fasttrack or virtualbox.org https://forums.whonix.org/t/challenges-installing-virtualbox/9984/6
  • VirtualBox builds: accept both sources of VirtualBox packages - either package virtualbox (by Debian), or - package virtualbox-6.1 (by virtualbox.org)
  • build sources, Debian fasttrack: disable temporrily until https://salsa.debian.org/fasttrack-team/support/-/issues/24 is fixed
  • help-steps/repo_download_chroot_script: fix for Debian bullseye update order of parameters passed toAPT
  • disable download_virtualbox_packages_virtualbox_guest_additions_iso_from_debian_sid moving to Debian fasttrack version
  • disable download_virtualbox_packages_virtualbox_org moving to Debian fasttrack version
  • fasttrack
  • fasttrack
  • default whonix_build_auto_retry=“0” auto retry function error handler trap lacks variables such as variable APTGETOPT. Would miss out on security related APT configuration options: apt-get --error-on=any / -o APT::Update::Error-Mode=any
  • add backports and fasttrack to build sources by default to support downloading VirtualBox from Debian fasttrack
  • build dependencies for maintainers
  • remove python from cowbuilder image since no longer required since apt-get-update wrapper is no longer required
  • back to Tor version from packages.debian.org (instead of earlier deb.torproject.org) https://www.whonix.org/wiki/Dev/Tor https://forums.whonix.org/t/tor-integration-in-whonix/10593
  • remove mmdebstrap copy from this source code no longer required version from Debian bullseye package is recent enough
  • remove python from cowbuilder image since no longer required since apt-get-update wrapper is no longer required
  • python3.9 no longer required in grml_packages since apt --error-on=any obsoleted any need for a python based apt-get wrapper
  • replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any
  • replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any

• anon-gw-base-files
  • bullseye background image fix https://forums.whonix.org/t/whonix-xfce-wallpaper-background-image/7984
• anon-meta-packages
  • integrate kicksecure-dependencies-system https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487
• anon-ws-base-files
  • bullseye background image fix https://forums.whonix.org/t/whonix-xfce-wallpaper-background-image/7984
• binaries-freedom
  • add debian install file (generated using “genmkfile debinstfile”)
  • binaries-freedom is an empty package at this time https://forums.whonix.org/t/policy-for-inclusion-of-compiled-software/6635
• debug-misc
  • dracut
  • Removing ‘rhgb’ from GRUB_CMDLINE_LINUX_DEFAULT
  • add_dracutmodules+=" debug "
• grub-live
  • dracut
  • dracut
  • fix, remove dracut kernel_cmdline="rootovl" since that is conditionally set in grub boot menu anyhow and otherwise the system would always boot into live mode
  • remove dracut hostonly="yes" since that’s Debian default anyhow
  • add dracut support Based on, and thanks to @friedrich12! https://github.com/friedrich12/dracut-grub-live https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487/10
• helper-scripts
  • improve diagnostic messages
• kicksecure-meta-packages
  • install flatpak by default add flatpak kicksecure-recommended-cli https://forums.whonix.org/t/flatpak-as-a-software-source-flathub-as-a-source-of-software/8500 https://www.whonix.org/wiki/Install_Software#flatpak
  • install extrepo by default add extrepo to kicksecure-recommended-cli https://forums.whonix.org/t/extrepo-safely-adding-repos/8539
  • switch from lightdm to gdm3 because lightdm autologin is broken
  • kicksecure-dependencies-system Depends: linux-initramfs-tool | dracut | initramfs-tools
  • kicksecure-dependencies-system Depends: dracut | initramfs-tools | linux-initramfs-tool
  • integrate kicksecure-dependencies-system https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487
  • introduce kicksecure-dependencies-system https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487
  • remove initramfs-tools from non-qubes-vm-enhancements-cli for dracut support
  • introduce kicksecure-qubes-cli and kicksecure-qubes-gui
• monero-gui
  • monero-gui-linux-x64-v0.17.2.3.tar.bz2 https://web.archive.org/web/20210902155943/https://github.com/monero-project/monero-gui/releases/tag/v0.17.2.3 https://web.archive.org/web/20210902155938/https://downloads.getmonero.org/gui/monero-gui-linux-x64-v0.17.2.3.tar.bz2 https://web.archive.org/web/20210902160006/https://www.getmonero.org/downloads/hashes.txt
• qubes-whonix
  • drop initramfs-tools from qubes-whonix-shared-packages-recommended leave that to Qubes for dracut support https://forums.whonix.org/t/replacing-initramfs-tools-with-dracut/4487/13
• sdwdate
  • fix dependency issue
• security-misc
  • do not set kernel parameter quiet loglevel=0 for recovery boot option for easier debugging
  • move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
  • dracut reproducible=yes
  • Depends: libpam-modules-bin
  • fix faillock implementation dovecot / ssh are exempted
  • fix, add sshd to pam_service_exclusion_list to avoid faillock
• systemcheck
  • run check_sudo earlier
• usability-misc
  • remove /etc/lightdm/lightdm.conf.d/autologin.conf (comments only) since it might interfere with autologin
• vm-config-dist
  • config-package-dev displace /etc/gdm3/daemon.conf
  • enable gdm autologin
  • add original /etc/gdm3/daemon.conf
  • add gdm autologin
  • add gdm autologin
  • fix autologin
  • fix autologin
  • disable dracut module resume in VMs since it might break the boot process if build inside chroot
  • vbox-guest-installer: recommend, migrate from VirtualBox guest addition ISO to VirtualBox guest addition packages https://www.whonix.org/wiki/VirtualBox/Guest_Additions#Migration_to_Guest_Additions_Packages
• whonix-legacy
  • version
  • improve release-upgrade
  • improve release-upgrade
• whonix-xfce-desktop-config
  • bullseye background image fix https://forums.whonix.org/t/whonix-xfce-wallpaper-background-image/7984 [actually still broken]

Full difference of all changes

https://github.com/Whonix/Whonix/compare/15.0.1.9.3-developers-only…16.0.2.7-developers-only

Congrats & many thanks for all that work. Pleased to be part of the community.