Based on feedback (thanks!), I will reduce this to a really short version in a new thread in the coming weeks when I have time.
NB: The formatting doesn’t work well in this forum, the Table of Contents normally wouldn’t have Chapter headings with 1.0, 2.0 etc, but rather 1, 2, 3… (this can be fixed in v0.2) Also, the sub-headings would have a tab space against them.
TABLE OF CONTENTS
1.0 DISCLAIMER
2.0 AN INTRODUCTION TO WHONIX
2.1 What is Whonix?
2.2 Should I Use Whonix?
2.3 Whonix Advantages and Disadvantages
2.4 Whonix vs Other Anonymity Distributions
2.5 Warnings
3.0 POSSIBLE WHONIX CONFIGURATIONS
3.1 Physical Isolation and Virtualization
3.2 Qubes-Whonix
3.3 Standard Host Operating Systems and Virtualization (Non-Qubes-Whonix)
3.4 Minimum Qubes-Whonix System Requirements
3.4.1 Important Notes
3.5 Minimum Non-Qubes-Whonix System Requirements
3.5.1 Important Notes
4.0 QUBES-WHONIX INSTALLATION, UPDATING AND CONFIGURATION
4.1 Install Whonix TemplateVMs
4.2 Enable AppArmor on TemplateVMs
4.3 Create Whonix-Gateway ProxyVMs
4.4 Create Whonix-Workstation AppVMs
4.5 Change TemplateVM Proxy Settings
4.6 Update (Upgrade) Whonix-Gateway and Whonix-Workstation TemplateVMs
4.7 Update (Upgrade) Precautions
4.8 Start Whonix-Workstation AppVMs
4.9 Further Links
5.0 NON-QUBES-WHONIX INSTALLATION AND VERIFICATION
5.1 Recommended Host Operating System
5.1.1 Avoid Windows Hosts
5.1.2 GNU/Linux Hosts
5.2 Harden the Host Operating System
5.3 Choose a Virtualization Platform
5.3.1 KVM is Preferable to VirtualBox
5.3.2 QEMU and VMWare are Not Recommended
5.4 Install a KVM Virtualizer
5.4.1 Debian
5.4.2 Arch Linux
5.4.3 Other Distributions
5.4.4 KVM Workarounds on Debian Stable (Jessie)
5.4.5 KVM Workarounds on Other Distributions
5.4.6 Post-installation Advice
5.5 Install a VirtualBox Virtualizer
5.5.1 Debian
5.5.2 Mac OS X and Windows
5.5.3 Install the Latest VirtualBox Version (Debian)
5.6 Download Whonix Images
5.6.1 KVM
5.6.2 VirtualBox
5.7 Download the Whonix Signing Key
5.8 Verify Whonix Images
5.8.1 KGpg in GNU/Linux
5.8.2 Terminal in GNU/Linux
5.8.3 Gpg4win in Windows
5.8.4 GPGTools in Mac OS X
5.9 Install (Import) Whonix Images
5.9.1 Install Whonix in KVM
5.9.2 Install Whonix in VirtualBox
6.0 FIRST STEPS IN NON-QUBES-WHONIX
6.1 Launch and Connection
6.1.1 KVM
6.1.2 VirtualBox
6.2 Change Passwords
6.3 Run Whonixcheck (Optional)
6.4 Update (Upgrade) Whonix
6.5 Update (Upgrade) Precautions
6.6 Take VM Snapshots
6.7 General Advice
6.7.1 Only Use the Whonix-Workstation
6.7.2 Avoid Interrupting the Virtualizer
6.7.3 VirtualBox Hardening
6.8 Bridges for Censored Whonix Users
6.8.1 When to Use Bridges
6.8.2 Finding a Bridge and Suitable Protocol
6.8.3 Configure a Bridge in Whonix
6.9 Further Links
7.0 COMMON WHONIX TASKS
7.1 Internet Browsing
7.2 Pre-Installed Applications
7.3 Install Software for Work on Sensitive Documents
7.3.1 Recommended Software
7.3.2 Printers and Scanners Warning
7.4 Install Other Software
7.4.1 Install Software From Debian Stable
7.4.2 Don’t Login As Root
8.0 PRESERVING ANONYMITY AND PRIVACY
8.1 Unsafe Whonix User Actions
8.2 Safe Whonix User Actions
9.0 ADVANCED TOPICS AND FURTHER LINKS
9.1 Multiple Browsers, Gateways and Workstations
9.2 Advanced Tunneling Options
9.2.1 Connecting to a Tunnel Link Before Tor
9.2.2 Connecting to a Tunnel Link After Tor
9.3 Other Popular Topics
10.0 SUPPORT
11.0 CREDITS
1. DISCLAIMER
This Quick-Start Guide provides a simple overview of Whonix and instructions for safe installation on your preferred host operating system (OS) and virtualization platform. A crash course in staying anonymous and secure on the Internet is also provided.
Whonix is a technological means to anonymity, but staying anonymous is not just a technological problem. Anonymity is a complex problem without an easy solution. The more you know, the safer you can be. Users are strongly recommended to review the full Whonix documentation, particularly the Security Guide and Advanced Security Guide found in the links below:
[http://kkkkkkkkkk63ava6.onion/wiki/Documentation]
[Whonix ™ Documentation]
Whonix, as well as all the software it includes, are under continuous development and might contain programming errors or security holes. Do not rely on it for strong anonymity. Users should keep themselves informed regarding Whonix development. Whonix is free software, but no warranties are given or implied - see the GNU General Public License for further details:
2.0 AN INTRODUCTION TO WHONIX
2.1 What is Whonix?
Whonix is a free desktop operating system which is run on top of a host operating system (OS) and is specifically designed for advanced security and privacy. Based on Tor, Debian GNU/Linux and the principle of security by isolation, it realistically addresses common attack vectors while maintaining usability. Online anonymity is made possible via fail-safe, automatic, and desktop-wide use of the Tor network - all connections are forced through Tor or blocked.
Tor protects you from traffic analysis by bouncing your communications around a distributed network of relays run by global volunteers. Anybody watching your Internet connection can’t see what sites you visit, and the sites you visit can’t learn your physical location. For further information, see:
Figure 1: How Tor Works
Whonix uses a heavily reconfigured Debian base which is run inside multiple virtual machines (VMs). This architecture provides a substantial layer of protection from malware and IP address leaks. Applications are pre-installed and pre-configured with safe defaults to make them ready for use. The user is not jeopardized by installing custom applications or personalizing the desktop. Whonix is the only actively developed OS designed to be run inside a VM and paired with Tor.
Whonix consists of two parts: the Whonix-Gateway and the Whonix-Workstation. The former runs Tor processes and acts as a gateway, while the latter runs user applications on a completely isolated network. Critically, only connections through Tor are permitted, DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP address. Threats posed by misbehaving applications and user error are also minimized.
Figure 2: How Whonix Works
Whonix users benefit from the stream isolation of different pre-installed or custom-installed applications used simultaneously. Tor Browser, Hexchat, Thunderbird and other applications use a dedicated Tor Socksport, preventing identity (pseudonym) correlation that may otherwise occur when the same Tor circuit and exit relay are used. Applications using Tor’s DNS and/or Transport can be optionally disabled. The following graphic illustrates applications taking different routes (nodes) through the Tor network.
Figure 3: Whonix Stream Isolation
2.2 Should I Use Whonix?
Increasing levels of mass surveillance and repression all over the world mean our freedoms and privacy are rapidly being eroded. Without precautions, your Internet service provider (ISP), the State, the police and global surveillance systems can record everything you do online, as IP addresses associated with network activity are easily traced to the physical location of your computer(s), and ultimately you.
Whonix is one solution to this problem. It benefits anyone who values privacy, or does sensitive work on their desktop or online. This includes, but is not limited to: investigators, whistleblowers, researchers, government officials, journalists, political activists, businesspeople, those living in repressive or censored environments, and average computer users who wish to assert their privacy rights.
2.3 Whonix Advantages and Disadvantages
The primary Whonix advantages include:
The main Whonix disadvantages are that it is more difficult to set up than the regular Tor Browser bundle and it requires the use of VMs (or additional hardware) to operate. Further, higher maintenance is required and updating of the OS and applications behind a Tor proxy is slow. Whonix is not a one-click anonymization solution, nor is it (yet) an amnesic system like TAILS.
2.4 Whonix vs Other Anonymity Distributions
Prior to using Whonix as the default anonymity solution, potential users should conduct a thorough risk assessment of their personal circumstances and consider the suitability of other anonymity distributions like TAILS. For a full comparison of Whonix with other anonymity solutions, see:
[Anonymity Operating System Comparison - Whonix ™ vs Tails vs Tor Browser Bundle]
2.5 Warnings
Before making the final decision to use Whonix, users should carefully read the Warnings documentation linked below. Whonix is not a silver bullet, since every project is imperfect and cannot possibly mitigate all known risks:
[Whonix ™ and Tor Limitations]
In summary, the potential risks include:
3.0 POSSIBLE WHONIX CONFIGURATIONS
Users have three primary choices in how they wish to run Whonix. This choice is dictated by the user’s available hardware, hardware capabilities, skill level, host OS, desired security, and consideration of the maintenance status of Whonix images:
a) Whonix using physical isolation - setting up two different computers AND virtualization (advanced)
b) Whonix running on Qubes OS (Qubes-Whonix) - a Type I hypervisor (advanced)
c) Whonix running on a Mac, Windows, GNU/Linux or BSD host OS, paired with a supported Type II hypervisor (virtualizer) like KVM or VirtualBox (beginner to advanced)
3.1 Physical Isolation and Virtualization
The first option is for advanced users only and provides only an experimental level of security (not recommended).
Essentially, one computer acts as the Whonix-Gateway while another acts as the client Whonix-Workstation, and an isolated point to point network is established between them. The primary benefits of this approach are:
This option is not considered in this guide for the sake of brevity. For further instructions see:
[Build Documentation: Physical Isolation]
3.2 Qubes-Whonix
The second option is for advanced users only and provides a production level of security (recommended).
Qubes is the superior choice for security-conscious users. Based on Xen and Fedora, and through hardware support (VT-x, VT-d, TXT) Qubes provides a security-by-isolation architecture, while also offering a single integrated user-friendly desktop experience across VMs. There are multiple security, usability and performance benefits to using Qubes over other virtualizers, including:
Users choosing to install Qubes normally enable Whonix by:
a) Installing Qubes 3.1/3.2 as a hypervisor on their physical host computer;
b) At first boot, checking the option to install two TemplateVMs (Whonix-Gateway and Whonix-Workstation) - automatically creating a ProxyVM (sys-whonix) and Whonix-Workstation AppVM (anon-whonix) by default; and (optionally)
c) Select the sys-whonix ProxyVM to route all desktop activities over Tor.
For further instructions on installing Qubes on your host OS, see:
Pre-existing Qubes users who wish to run Whonix should refer to section 4 which provides additional instructions on installing, updating and configuring the available TemplateVMs, and creating AppVMs.
3.3 Standard Operating Systems and Virtualization (Non-Qubes-Whonix)
The third option is for beginner to advanced level users and provides either production, testing or experimental level security depending on the host OS and choice of virtualizer.
Most new or beginner-level users get started by installing VirtualBox on their current host OS and import the Whonix images. Advanced users usually boot a GNU/Linux host OS dedicated solely to running the Whonix virtual machines.
The available options are:
a) For production level security (recommended), advanced users should run Whonix within KVM on top of a GNU/Linux host OS;
b) For testing level security (not recommended), beginner-level users can run Whonix within VirtualBox on top of a GNU/Linux host OS; and
c) For experimental level security (not recommended), beginner-level users can run Whonix within VirtualBox on top of a Mac or Windows host OS.
Note: Users should not run Whonix inside either QEMU or VMWare. Neither is currently maintained by Whonix developers.
3.4 Minimum Qubes-Whonix System Requirements
For Qubes-Whonix, the minimum system requirements are:
Note: Generally speaking, UEFI support is implemented. However, a common problem is buggy UEFI firmware, particularly on Lenovo systems. Existing workarounds can be found here:
For better security and performance, the recommended Qubes-Whonix system requirements are:
Note: Nvidia GPUs may require significant troubleshooting. ATI GPUs have not been formally tested, but potential users can refer to the Qubes Hardware Compatibility List (HCL) for clarification.
Note: AEM does not currently work with UEFI installations. Use legacy BIOS instead if you want this option.
In all cases, the HCL should be referred to before purchasing suitable hardware for Qubes-Whonix. It has a compilation of hardware reports generated and submitted by users across various Qubes versions. Users may also consider a Qubes-certified laptop:
3.4.1 Important Notes
Qubes-Whonix can be installed on systems which do not meet the recommended requirements. Such systems will still offer significant security improvements over traditional operating systems, since mechanisms like Graphical User Interface (GUI) isolation and kernel protection do not require special hardware.
Qubes-Whonix can be installed on a USB flash drive or external disk, and testing has shown that this works very well (a live USB option is also available). A fast USB 3.0 flash drive is recommended for this, but its capacity must be at least 32 GB. Simply plug the flash drive into the computer before booting into the Qubes installer from a separate installation medium, choose the flash drive as the target installation disk, and proceed with the installation normally. After Qubes has been installed on the flash drive, it can then be plugged into other computers in order to boot into Qubes.
A portable copy of Qubes is useful for users to test for hardware compatibility on multiple machines (e.g. at a brick-and-mortar computer store) before deciding on which computer to purchase. Running the following command in a dom0 terminal will indicate whether Intel VT-x (AMD-v) and Intel VT-d (AMD IOMMU) are supported by the architecture and activated in the BIOS:
sudo qubes-hcl-report
If present and active, the output will read:
HVM: Active
I/O MMU: Active
Users should also consider 8-16 GB of RAM if they expect to run a large number of AppVMs in parallel. For further information on system requirements, see:
3.5 Minimum Non-Qubes-Whonix System Requirements
For non-Qubes-Whonix, the minimum system requirements are:
For better performance and security, the recommended non-Qubes-Whonix system requirements are:
3.5.1 Important Notes
4.0 QUBES-WHONIX INSTALLATION, UPDATING AND CONFIGURATION
This section provides instructions for the installation of a TwoVM split security architecture: an isolated Whonix-Gateway ProxyVM for routing of all traffic over Tor, and a Whonix-Workstation AppVM for user desktop applications.
Once the Whonix TemplateVMs are created, you can customize and create as many Whonix-Gateway ProxyVMs and Whonix-Workstation AppVMs as you’d like, for optimal privacy-enhanced compartmentalization of your digital life.
Reminder: For security, privacy and anonymity purposes, never use templates for normal desktop activities (browsing etc). Only use the tailored Whonix-Workstation AppVM OS environment created from the Whonix-Workstation TemplateVM.
4.1 Install Whonix TemplateVMs
Note: Pre-existing Qubes 3/3.1/3.2 users only. KDE screenshots are shown throughout this section.
a) Launch dom0 Terminal
→ Qubes App Launcher (blue/grey “Q”)
Figure 4: Qubes App Launcher
Then go to:
System Tools → Konsole (KDE)
Or
System Tools → XFCE Terminal (XFCE)
b) Install the Whonix-Gateway and Whonix-Workstation TemplateVMs
Inside konsole/terminal, enter the following command:
sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw qubes-template-whonix-ws
c) Make sure inactive VMs are shown in the Qubes VM Manager (QVMM)
Start QVMM.
Figure 5: Start Qubes VM Manager
In QVMM, if you do not see whonix-… in the list, use the “View” menu to toggle the setting “Show/Hide inactive VMs”.
Figure 6: Qubes VM Manager - Show/Hide Inactive VMs
After the download process finishes, you should see whonix-ws and whonix-gw.
Figure 7: whonix-ws and whonix-gw
4.2 Enable AppArmor on TemplateVMs
Note: This is an optional, testers-only security enhancement. Do this at your own risk! If you want to use Tor bridges, AppArmor has been known in the past to cause problems with obfsproxy.
These instructions should be applied to both the Whonix-Gateway and Whonix-Workstation TemplateVMs (commonly referred to as “whonix-gw” and “whonix-ws” in Qubes). These settings should be applied to the TemplateVMs before creating any Whonix AppVMs.
To enable AppArmor in the Whonix-Gateway, complete the following:
a) Open a dom0 terminal.
→ Qubes App Launcher (blue/grey “Q”)
Then go to:
System Tools → Konsole (KDE)
Or
System Tools → XFCE Terminal (XFCE)
b) Get a list of current kernel parameters.
Enter the following command in konsole/terminal:
qvm-prefs -l whonix-gw kernelopts
As of Qubes Q3/3.1/3.2, the output will show:
nopat
c) Keep the existing kernel parameters and add ‘apparmor=1 security=apparmor’.
In konsole/terminal, enter the command:
qvm-prefs -s whonix-gw kernelopts “nopat apparmor=1 security=apparmor”
d) Re-run the command to get a list of the current kernel parameters.
Press the arrow up key twice so you don’t have to type the command again):
qvm-prefs -l whonix-gw kernelopts
The output should now reflect the new kernel parameters which apply the AppArmor framework:
nopat apparmor=1 security=apparmor
e) Start the Whonix-Gateway TemplateVM and check whether AppArmor is now active.
In konsole, issue the command:
sudo aa-status --enabled ; echo $?
It should show:
0
To enable Apparmor in the Whonix-Workstation, complete the following:
a) Open a dom0 terminal.
→ Qubes App Launcher (blue/grey “Q”)
Then go to:
System Tools → Konsole (KDE)
Or
System Tools → XFCE Terminal (XFCE)
b) Get a list of current kernel parameters.
Enter the following command in konsole/terminal:
qvm-prefs -l whonix-ws kernelopts
As of Qubes Q3/3.1/3.2, the output will show:
nopat
c) Keep the existing kernel parameters and add ‘apparmor=1 security=apparmor’.
In konsole/terminal, enter the command:
qvm-prefs -s whonix-ws kernelopts “nopat apparmor=1 security=apparmor”
d) Re-run the command to get a list of the current kernel parameters.
Press the arrow up key twice so you don’t have to type the command again:
qvm-prefs -l whonix-ws kernelopts
The output should now reflect the new kernel parameters which apply the AppArmor framework:
nopat apparmor=1 security=apparmor
e) Start the Whonix-Workstation TemplateVM and check whether AppArmor is now active.
In konsole, issue the command:
sudo aa-status --enabled ; echo $?
It should show:
0
f) Install AppArmor profiles packages from Whonix’s APT repository.
It is highly recommended to switch to Whonix’s testers repository before installing them, because the profiles in the stable repository are much older and have some issues.
Note: Switching to the testers repository will also update other packages from the testers repository unless you know how to avoid this.
First, enable Whonix’s testers repository in both the Whonix-Workstation and Whonix-Gateway TemplateVMs:
sudo whonix_repository --enable --repository testers
Second, update your package lists:
sudo apt-get update
Third, install all the apparmor profiles (easiest method):
sudo apt-get install apparmor-profiles-whonix
Note: You might end up with a few apparmor profiles for software that you have not installed, but then they don’t have any effect, so it does not matter.
For further information, such as installing only specific AppArmor profiles or how to unload profiles, refer to the Whonix documentation:
[AppArmor]
4.3 Create Whonix-Gateway ProxyVMs
QVMM → Create AppVM
Figure 8: Create a New Whonix-Gateway ProxyVM
Then change the settings as shown below - you can choose any name and color you like.
Figure 9: Change Whonix-Gateway ProxyVM Settings
4.4 Create Whonix-Workstation AppVMs
QVMM → Create AppVM
Figure 10: Create a New Whonix-Workstation AppVM
4.5 Change TemplateVM Proxy Settings
a) Attach Whonix TemplateVMs to a Whonix-Gateway ProxyVM (sys-whonix).
QVMM → one right click on TemplateVM whonix-gw → VM-Settings
Figure 11: Select the Whonix-Gateway TemplateVM
NetVM: → sys-whonix → OK
Figure 12: Change the Whonix-Gateway TemplateVM Settings
b) Attach Whonix TemplateVMs to a Whonix-Workstation AppVM (whonix-ws).
QVMM → one right click on TemplateVM whonix-ws → VM-Settings
then
NetVM: → sys-whonix → OK
Figure 13: Change the NetVM Settings on the Whonix-Workstation TemplateVM
4.6 Update Whonix-Gateway and Whonix-Workstation TemplateVMs
It is critical that the Whonix-Gateway and Whonix-Workstation templates stay updated!
a) Double-check that both templates (whonix-gw and whonix-ws) are attached to sys-whonix (the Whonix-Gateway ProxyVM) as per section 4.5:
QVMM → right click on TemplateVM whonix-gw → VM-Settings → NetVM → sys-whonix
QVMM → right click on TemplateVM whonix-ws → VM-Settings → NetVM → sys-whonix
b) Open a TemplateVM terminal:
Qubes App Menu (blue/grey “Q”) → Template: whonix-gw → Konsole
Qubes App Menu (blue/grey “Q”) → Template: whonix-ws → Konsole
c) Update your package lists.
The following steps (updating and upgrading) should be applied in both TemplateVM terminals and repeated at least daily thereafter.
sudo apt-get update
The output should look similar to this:
Hit http://security.debian.org jessie/updates/Release.gpg
Hit http://security.debian.org jessie/updates/Release
Hit http://deb.torproject.org jessie Release.gpg
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release
Hit http://security.debian.org jessie/updates/contrib i386 Packages
Hit http://ftp.us.debian.org jessie Release
Hit http://security.debian.org jessie/updates/non-free i386 Packages
Hit http://deb.torproject.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Ign http://ftp.us.debian.org jessie/contrib Translation-en
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists… Done
If you see something like this:
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
Err http://ftp.us.debian.org jessie Release.gpg
Could not resolve ‘ftp.us.debian.org’
Err http://deb.torproject.org jessie Release.gpg
Could not resolve ‘deb.torproject.org’
Err http://security.debian.org jessie/updates Release.gpg
Could not resolve ‘security.debian.org’
Reading package lists… Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve ‘security.debian.org’
W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg Could not resolve ‘ftp.us.debian.org’
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve ‘deb.torproject.org’
W: Some index files failed to download. They have been ignored, or old ones used instead.
Then something went wrong. It could be a temporary Tor exit relay or server failure that should remedy itself. Usually changing your Tor circuit and trying again is successful. If that fails, running whonixcheck can help to diagnose the problem.
If you see an error message like:
Could not resolve ‘security.debian.org’
It helps to run:
nslookup security.debian.org
And then try updating your package lists again.
b) Upgrade Whonix.
In konsole, run:
sudo apt-get dist-upgrade
Note: At first Whonix boot, you are asked if you want to enable or disable Whonix’s apt repository. If you disabled the Whonix APT Repository, then you will have to manually check for new Whonix releases and install them from source code:
4.7 Update Precautions
a) Never install unsigned packages!
If you see output like the following:
WARNING: The following packages cannot be authenticated!
icedove
Install these packages without verification [y/N]?
Then don’t proceed! Press N and Enter.
Running apt-get update again should fix the problem. If not, then something is broken or it may be a man-in-the-middle attack. This possibility isn’t that unlikely, since we are updating over Tor exit relays and some of them are malicious. Change your Tor circuit and then try again.
b) Do not ignore signature verification warnings.
There should be none at the moment. If there is such a warning, the output will look like this:
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
In that case, you should be careful even though apt-get will automatically ignore repositories with expired keys or signatures, meaning you will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.
There are two possible reasons for why this could happen. Either you are a victim of a man-in-the-middle attack, or there is an issue with the repository that the maintainers have to fix. The former is not a big issue, either it will automatically resolve after a period of time or you can change your Tor circuit and try again.
If you experience other signature verification errors, these should be reported, but they are unlikely at this time.
c) Be cautious of changed configuration files.
If you see output like the following:
Setting up ifupdown …
Configuration file `/etc/network/interfaces’
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : background this process to examine the situation
The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N
Then be careful. If the updated file isn’t coming from a Whonix specific package (some are called whonix-…), then press N. Otherwise, anonymity/privacy/security settings deployed with Whonix might get lost. If you are an advanced user and know better, you can of course manually check the difference and merge them. Pressing Y will result in the loss of customized settings.
d) Restart and Update Whonix VMs.
To benefit from security updates, particularly kernel upgrades (linux-image-… was upgraded), the best practice is to first shutdown the TemplateVMs:
QVMM → right click on TemplateVM → Shutdown VM
Then restart your Whonix-Gateway ProxyVM (sys-whonix) and running Whonix-Workstation AppVMs (anon-whonix)
QVMM → right click on AppVM → Shutdown VM
QVMM → right click on AppVM → Start/Resume VM
4.8 Starting Whonix-Workstation AppVMs
For example, to start Tor Browser:
Qubes App Launcher (blue/grey “Q”) → Domain: anon-whonix → Tor Browser (AnonDist)
4.9 Further Links
Using Tor bridges in Whonix (see also section 6.8 of this guide):
[Configure (Private) (Obfuscated) Tor Bridges]
Using multiple Whonix-Workstations or Whonix-Gateways:
[Multiple Whonix-Workstation]
Using Whonix-Workstations as Disposable VMs:
[Qubes Disposables]
Re-install Whonix TemplateVMs:
Uninstall Whonix templates:
https://www.qubes-os.org/doc/whonix/uninstall/
Security Guide (see also section 8 of this guide):
[Security Guide - Whonix]
Advanced Security Guide (see also section 8 of this guide):
[Advanced Security Guide - Whonix]
5.0 NON-QUBES-WHONIX INSTALLATION AND VERIFICATION
This section provides recommendations for a suitable host OS and Type II hypervisor (virtualizer). Instructions are also provided for installing Whonix in two configurations, namely:
5.1 Recommended Host Operating System
5.1.1 Avoid Windows Hosts
Windows platforms have commodified users by adopting a business strategy similar to Google, Facebook and other large corporations - seeking to profit from the harvesting and selling of users’ personal information. In addition, Microsoft has subverted the user’s control over their own systems and implemented a host of privacy-invading features which either cannot be disabled easily, or at all. This is particularly true of Windows 10 and system updates which have been backported to earlier platforms like Windows 7, 8 and 8.1.
One small snippet of the Windows 10 ‘privacy statement’ makes their intentions clear:
http://windows.microsoft.com/en-us/windows/preview-privacy-statement
Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage. […] We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.
Other Windows ‘features’ include, but are not limited to:
Frankly speaking, Microsoft platforms are incompatible with anonymity and privacy. Microsoft also has a proven track record of consulting with intelligence agencies and providing information on security weaknesses before informing the public of the risk and providing patches. Logically, active collaboration places Windows users at a higher risk. Microsoft also has a track record of using weak cryptographic verification like MD5 and SHA-1 (now broken).
If you insist on using Whonix on a Windows host, ensure that Windows was installed from a legitimate source and turn off as many privacy-invading features as possible. Do not use a pirated Windows ISO found online, since it could include malware. Also avoid pirated software programs, which usually involve running unverified, possibly malicious binary cracks or key generators.
In addition, always download over https (SSL) and verify software signatures with GPG whenever possible. It is better to use renowned open source software like Firefox, Gimp, 7-zip, and LibreOffice rather than proprietary solutions which are more likely to contain malicious code.
5.1.2 GNU/Linux Hosts
For preserving anonymity, GNU/Linux is strongly recommended in preference to Windows as a suitable host OS.
For intermediate to advanced users, Debian GNU/Linux is recommended as a reasonable compromise of security and usability. Debian is a stable distribution and is used widely by a large community. Further, Debian has ties to Tor, is well-documented, boasts a secure package manager, has good kernel protection, is working on reproducible builds, and has just made package updates available via .onion sites and mirrors.
Users should only use in-repository software that is automatically GPG-signed and installed from the distributor’s reponsitories by package manager. This is far safer than downloading software from the Internet like typical Windows users.
There are of course many other potentially suitable distributions (like Fedora), but users should refer to the link below before making a final decision:
[Security-Focused Operating System Comparison as Base for Whonix]
5.2 Harden the Host Operating System
Prior to choosing a virtualizer and installing Whonix, users are recommended to harden their host OS following applicable steps in the link below:
[Computer Security Education - Whonix]
In summary, users should consider:
5.3 Choose a Virtualization Platform
The virtualization platform is an essential component of a secure Whonix system. A vulnerable virtualizer may provide opportunities for an attacker to break out from a VM, undoing the security by isolation features that Whonix provides. The decision to install an alternative virtualizer should not be taken lightly.
When setting up Whonix in the form of two VMs running on the same physical host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP address of the user. Any malware running on the host has full control over all VMs.
5.3.1 KVM is Preferable to VirtualBox
KVM [Kernel Virtual Machine] is an openly developed, FOSS GPL licensed hypervisor that comes with a GNU/Linux OS. It provides a familiar, intuitive and easy-to-use GUI when combined with the VirtualMachineManager front-end and is well-rated in research assessing its security merits. KVM is actively maintained by Whonix developers.
On the other hand, VirtualBox does not have a dedicated maintainer because development efforts have shifted to Qubes-Whonix. However, VirtualBox images are still being built, and grave security issues are unlikely due to Whonix’s design. The rudimentary testing of new VirtualBox images and updates on a Debian host explain the ‘testing’ staus of the GNU/Linux platform. The ‘experimental’ staus of VirtualBox images for Windows and Mac is explained by no Whonix team member currently doing testing on those platforms.
There are three other major issues with depending on VirtualBox as a virtualizer. VirtualBox developers (Oracle) recently decided to switch out the BIOS in their hypervisor with one requiring compilation by a toolchain that does not meet the definition of Free Software as per the guidelines of the Free Software Foundation. Consequently, certain restrictions are placed on the use of the software and the licence asserts specific software patents.
Secondly, the security practices of Oracle are of concern. Oracle is infamous for their lack of transparency in disclosing the details of security bugs and for discouraging full public disclosure by third parties. Security through obscurity is the corporation’s modus operandi. Zero day bugs reported to Oracle have at times gone unfixed for years.
Finally, VirtualBox contains significant functionality that is only available as a proprietary extension, such as USB and PCI passthrough and RDP connectivity. Oracle’s unfriendly track record with the free software community - examples include OpenSolaris and OpenOffice - suggest they may charge for proprietary features in the future, or simply abandon the project if they cannot monetize it to their liking.
5.3.2 QEMU and VMWare are Not Recommended
Installing Whonix inside either QEMU or VMWare is inadvisable as neither platform is currently maintained by Whonix developers.
QEMU has been deprecated in favor of KVM because the slow performance of QEMU pure emulation makes it non-practical for most of the GNU/Linux user base. Also, most computer systems support the hardware virtualization extensions required by KVM.
VMWare is rarely (officially) tested. Although it works for Windows and GNU/Linux users, it is closed source and therefore relies on security through obscurity - an approach discredited by security experts since it cannot be reasonably determined if VMWare bugs may compromise the user’s anonymity.
GNU/Linux users should default to using KVM, or VirtualBox as a second-tier choice. Windows users should default to using VirtualBox.
5.4 Install a KVM Virtualizer
5.4.1 Debian
To install KVM in Debian stable (Jessie), first update your package lists in terminal:
sudo apt-get update
Then install KVM:
sudo apt-get install qemu-kvm libvirt-bin virt-manager
5.4.2 Arch Linux
To install KVM in Arch Linux, first update your package lists:
sudo pacman -Syu
Then install KVM:
sudo pacman -S qemu libvirt virt-manager
5.4.3 Other Distributions
To install KVM in other GNU/Linux distributions, you need to have qemu-kvm and libvirt-bin. For a graphical user interface, then you will also need virt-manager. These packages can likely be installed using your distribution’s package manager.
If you get one of the following errors while later using virsh define, then you most likely need a more recent version of libvirt and KVM:
error: Failed to define domain from Whonix-Gateway_kvm-8.6.2.8.xml
error: internal error Unknown controller type 'pci
Whonix-Gateway_kvm-8.6.2.8.xml:24: element pm: Relax-NG validity error : Element domain has extra content: pm
Whonix-Gateway_kvm-8.6.2.8.xml fails to validate
Relax-NG validity error : Extra element devices in interleave
Whonix-Gateway_kvm-8.6.2.8.xml:24: element devices: Relax-NG validity error : Element domain failed to validate content
Whonix-Gateway_kvm-8.6.2.8.xml fails to validate
5.4.4 KVM Workarounds on Debian Stable (Jessie)
These workarounds solve problems affecting KVM on Debian stable (Jessie).
KVM refuses to start: on the host, a libvirt bug that conflicts with Apparmor and the VM will cause it to fail. It was fixed upstream but it will be a while until it reaches you.
To fix it run:
sudo ln -s /etc/apparmor.d/libvirt/TEMPLATE.qemu /etc/apparmor.d/libvirt/TEMPLATE.kvm
The KVM qxl package: xserver-xorg-video-qxl suffers from performance bugs caused by the Xorg surfaces feature. The graphics will lag even during mundane tasks such as scrolling down a webpage. This has been reported extensively and fixed upstream in testing. Until testing becomes stable, a workaround provided by a Whonix package is available.
In the guest, install the fix:
sudo apt-get install qxl-xorg-enhance
Whonix 13 users: To get rid of the Whonixcheck PVClock warning, upgrade the packages in the VM. This assumes you have enabled the Whonix stable repository:
sudo apt-get update && apt-get dist-upgrade
Addgroup: In order to manage VMs as regular (non-root) user, you must add that user to the libvirt and KVM group. For Debian users, assuming the simple use case - that you wish to use KVM with the user you are currently logged in as - then use the following command:*
sudo addgroup “$(whoami)” libvirt
sudo addgroup “$(whoami)” kvm
5.4.5 KVM Workarounds on Other Distributions
If you are using another GNU/Linux distribution, then refer to the distribution’s manual e.g. Arch Linux’s libvirt wiki page.
Post-installation Advice
After installating KVM or adding users to groups, a reboot is required! Run the command:
sudo reboot
To ensure that KVM’s default networking is enabled and started, run the command:
virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default
5.5 Install a VirtualBox Virtualizer
5.5.1 Debian
To install the latest stable VirtualBox package in Debian (recommended), in a terminal run:
sudo apt-get install virtualbox linux-headers-$(uname -r)
To install VirtualBox Guest Additions in Debian:
sudo apt-get install virtualbox-guest-x11
For other GNU/Linux distributions, you can likely install the VirtualBox package and Guest Additions via your distribution’s package manager.
5.5.2 Mac OS X and Windows
To install VirtualBox, download the latest VirtualBox and Guest Additions binaries from Oracle:
https://www.virtualbox.org/wiki/Downloads
At the time of writing these were:
VirtualBox 5.1.2 for Windows hosts x86/amd64
VirtualBox 5.1.2 for OS X hosts amd64
And:
VirtualBox 5.1.2 Oracle VM VirtualBox Extension Pack (all supported platforms)
If you are already using an earlier addition of VirtualBox (4.3.x or 5.0.x), then you can download extension packs instead. Compare the SHA256 checksums file to provided (limited) verification of file integrity. Do not rely on the MD5 checksums.
5.5.3 Installing the Latest VirtualBox Version (Debian)
At the time of writing, the Debian stable version of VirtualBox is 4.3.x, while the latest major release of VirtualBox (from Debian Stretch) is 5.0.x.
If you are sure you wish to install the latest VirtualBox version for newer features, then you are recommended to either install VirtualBox from Debian Testing via Backports or install from the Oracle depository. This is preferable to downloading, verifying and installing binaries manually.
To install from Debian Testing via Backports:
a) Open /etc/apt/sources.list.d/backports.list in an editor with root rights.
If you are using a graphical Whonix environent, run:
kdesudo kwrite /etc/apt/sources.list.d/backports.list
If you are using a terminal-only Whonix environment, run:
sudo nano /etc/apt/sources.list.d/backports.list
b) Add the following line:
deb Index of /debian jessie-backports main contrib
(Change “jessie” to the current name of your stable distribution).
c) Update the package lists and install VirtualBox.
sudo apt-get update
sudo apt-get -t jessie-backports install virtualbox
d) Install VirtualBox Guest Additions.
sudo apt-get -t jessie-backports install virtualbox-guest-x11
If you wish to install VirtualBox from the Oracle repository instead:
a) Retrieve the latest Oracle VirtualBox package information.
Open /etc/apt/sources.list.d/oracle.list in an editor with root rights.
b) Edit your apt sources list.
If you are using a graphical Whonix environment, run:
kdesudo kwrite /etc/apt/sources.list.d/oracle.list
If you are using a terminal-only Whonix, run:
sudo nano /etc/apt/sources.list.d/oracle.list
c) Add the following line:
deb Index of http://download.virtualbox.org/virtualbox/debian jessie contrib
(Change “jessie” to the current name of your stable distribution).
d) Add Oracle’s signing key to apt-get keyring.
curl --tlsv1.2 --proto =https https://www.virtualbox.org/download/oracle_vbox_2016.asc | sudo apt-key add -
e) Check the signing key’s fingerprint.
sudo apt-key adv --fingerprint B9F8D658297AF3EFC18D5CDFA2F683C52980AECF
The output should read:
Key fingerprint = B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
uid Oracle Corporation (VirtualBox archive signing key) info@virtualbox.org
f) Install VirtualBox.
sudo apt-get update
sudo apt-get install virtualbox-5.0
Note: The VirtualBox Guest Additions ISO is included in the package. To install, mount the ISO in a guest VM following these instructions:
https://www.virtualbox.org/manual/ch04.html#idp46640732075968
5.6 Download Whonix Images
At the time of writing, Whonix 13 was the latest version available. Always first check the Whonix download page for the latest stable release:
5.6.1 KVM
GNU/Linux users need to download both Whonix Gateway and Workstation VM (.xz) images and PGP signatures (.xz.asc) for later verification of the files. To anonymize the download, use the Tor Browser bundle:
Whonix-Gateway image (1.7 GB)
https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.libvirt.xz
https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.libvirt.xz.asc
Whonix-Workstation image (2.0 GB)
https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.libvirt.xz
https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.libvirt.xz.asc
5.6.2 VirtualBox
For Windows, Mac OS X and GNU/Linux OS, you need to download both Whonix Gateway and Workstation VM (.ova) images and PGP signatures (.ova.asc) for later verification of the files. To anonymize the download, use the Tor Browser bundle:
Whonix-Gateway image (1.7 GB)
https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.ova
https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.ova.asc
Whonix-Workstation image (2.0 GB)
https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.ova
https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.ova.asc
5.7 Download the Whonix Signing Key
Note: This section is for GNU/Linux users in the first instance.
Mac OS X and Windows users should refer to section 5.8 first, and download a compatible GnuPG program (GPGTools for Mac OS X; Gpg4win for Windows) before following instructions to:
a) (Optional) Have GnuPG initialize your user data folder.
If you are new to gnupg or have not already done this, it will fix eventual “gpg: WARNING: unsafe ownership” warnings. Run the following command in terminal:
gpg --fingerprint
Then set warning free permissions:
chmod --recursive og-rwx ~/.gnupg
b) Download Patrick Schleizer’s (adrelanos’) OpenPGP key from:
http://kkkkkkkkkk63ava6.onion/patrick.asc
Or
https://www.whonix.org/patrick.asc
Note: All Whonix releases are signed with the same key. Using these steps, you will not have to verify the key every time, but you will still need to verify the signatures of Whonix images every time you download a new release.
c) Store the key as ~/patrick.asc
d) Check the key’s fingerprints before importing it:
gpg --with-fingerprint patrick.asc
e) Verify the fingerprint shows the following output:
pub 4096R/2EEACCDA 2014-01-16 Patrick Schleizer adrelanos@riseup.net
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
sub 4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub 4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub 4096R/77BB3C48 2014-01-16 [expires: 2021-04-17]
f) Import the key.
gpg --import patrick.asc
The following output tells you the key was successfully imported:
gpg: key 2EEACCDA: public key “Patrick Schleizer adrelanos@riseup.net” imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
If you have already imported the Whonix signing key in the past, the output should state the key was not changed:
gpg: key 2EEACCDA: “Patrick Schleizer adrelanos@riseup.net” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
If you are shown the following message at the end of the output:
gpg: no ultimately trusted keys found
Analyse the other messages as usual. This extra message doesn’t relate to the Whonix signing key that you just downloaded. Usually, this output means you haven’t yet created an OpenPGP key for yourself, which is of no importance to verifying the VM images.
g) For better security, advanced users can check the Web of Trust following these steps:
5.8 Verify Whonix Images
It is critical to check the integrity of the VM images you downloaded to make sure no man-in-the-middle attack or file corruption occured. All Whonix VM images are cryptographically signed using OpenPGP by Whonix lead developer, Patrick Schleizer.
Warning: If verification fails, do NOT continue! If you ignore this warning, then you risk using infected or corrupted files.
5.8.1 KGpg in GNU/Linux
KGpg is a simple, free, open source KDE frontend for gpg.
a) To install KGpg in Debian, in a terminal run the commands:
sudo apt-get update
sudo apt-get install kgpg
b) Start KGpg and open patrick.asc that you downloaded and imported at step 5.7.
When you start KGpg, a system tray icon will appear. A left mouse button click will open the Key Manager window, while a right mouse button click will open a menu allowing quick access to some important features.
Having already imported the key, you should see the following message:
Figure 14: KGpg - Key Already Imported
If you did not already download and import the key, you should see the following message:
Figure 15: KGpg - New Key Imported
c) Verify the VM images against the cryptographic signatures.
The cryptographic signatures (.asc) must be in the same folder as the VM images you wish to verify (.ova for VirtualBox, .xz for KVM).
Start kgpg, and go to:
KGpg → File → Open Editor → Signature → Verify Signature… → Choose the downloaded cryptographic signature (.asc)
This process can take a few minutes and there is no progress meter. Repeat this procedure for both the Whonix-Gateway and Whonix-Workstation images.
If the virtual machine image is correct you will get a notification telling you that the signature is good:
Figure 16: KGpg Good Signature
Note: The e-mail has changed to adrelanos at riseup do net, but this doesn’t change anything, since the key fingerprint remains the same as step 5.7.e.
d) Click on the ‘Details’ button to check the gpg signature for both files.
The first line includes the signature creation timestamp and it should make sense. For example, if you previously saw a signature from 2016 and you are now seeing a signature from 2015, then you could be target of a rollback (downgrade) or indefinite freeze attack.
An example signature creation timestamp is below:
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-01-19
e) Click on the ‘Details’ button to check the file name has not been tampered with.
Note: OpenPGP signatures sign files, not file names. Beginning from Whonix version 9.6, by convention the file@name OpenPGP notation includes the file name.
An example is provided below:
NOTATION_NAME file@name [GNUPG:] NOTATION_DATA Whonix-Gateway-9.6.ova
f) Do not install files with bad signatures!
If the VM image is not correct, then you will get a notification telling you that the signature is bad:
Figure 17: KGpg Bad Signature
(Again, the e-mail has changed to adrelanos at riseup do net, but this doesn’t change anything, since the key fingerprint remains the same as step 5.7.e.)
5.8.2 Terminal in GNU/Linux
a) Ensure you have GnuPG installed.
GnuPG is the common OpenPGP implementation for Linux. It is installed by default under Debian, Ubuntu, Whonix and many other distributions.
b) Ensure the VM images and cryptographic signatures are in the same folder.
The cryptographic signatures (.asc) must be in the same folder as the VM images you wish to verify (.ova for VirtualBox, .xz for KVM).
c) Cryptographically verify the Whonix-Gateway image.
This process can take a few minutes and there is no progress meter.
cd [the directory in which you downloaded the .ova or .xz and the .asc]
Then, start the cryptographic verification of the Whonix-Gateway image:
gpg --verify-options show-notations --verify Whonix-Gateway-.ova.asc Whonix-Gateway-.ova
Or
gpg --verify-options show-notations --verify Whonix-Gateway-.xz.asc Whonix-Gateway-.xz
d) Cryptographically verify the Whonix-Workstation image.
cd [the directory in which you downloaded the .ova or .xz and the .asc]
Then, start the cryptographic verification of the Whonix-Workstation image:
gpg --verify-options show-notations --verify Whonix-Workstation-.ova.asc Whonix-Workstation-.ova
Or
gpg --verify-options show-notations --verify Whonix-Workstation-.xz.asc Whonix-Workstation-.xz
e) Confirm the signatures are good for both the Whonix-Gateway and Whonix-Workstation.
If the VM images are correct, the output of the last step will show a good signature. For example:
gpg: Signature made Mon 19 Jan 2015 11:45:41 PM CET using RSA key ID 77BB3C48
gpg: Good signature from “Patrick Schleizer adrelanos@riseup.net” [unknown]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=Whonix-Gateway-9.6.ova
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48
This might be followed by a warning saying:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This last warning doesn’t alter the validity of the (good) signature according to the Whonix signing key you downloaded. It only refers to the trust level you place on the Whonix signing key and the web of trust. Removing this warning would require you to personally sign the Whonix key with your own.
f) Check the gpg signature timestamp makes sense.
If you previously saw a signature from in 2016 and are now seeing a signature from 2015, then you could be target of a rollback (downgrade) or indefinite freeze attack.
The first line includes the signature creation timestamp. In this example:
gpg: Signature made Mon 19 Jan 2015 11:45:41 PM CET using RSA key ID 77BB3C48
g) Check the file name has not been tampered with.
Note: OpenPGP signatures sign files, not file names. Beginning from Whonix version 9.6, by convention the file@name OpenPGP notation includes the file name.
An example is provided below:
gpg: Signature notation: file@name=Whonix-Gateway-9.6.ova
h) Do not install files with bad signatures!
If the VM image is not correct you will get a notification telling you that the signature is bad:
gpg: Signature made Sun Nov 25 21:48:54 2012 UTC
gpg: using RSA key 77BB3C48
gpg: BAD signature from “Patrick Schleizer adrelanos@riseup.net”
5.8.3 Gpg4win in Windows
GnuPG, a common free software implementation of OpenPGP has versions and graphical frontends for Windows.
Note: Due to the weaknesses in Kleopatra, advanced users may instead prefer to verify VM images using the command line instructions outlined in:
a) Download Gpg4win.
If you wish to download a GnuPG version for Windows securely, then you are advised to follow these directions:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html
b) Install Gpg4win.
The “Gpg4win-Compendium” is the end-user documentation for Gpg4win and has almost 200 pages on how to install and use the software:
https://www.gpg4win.org/doc/en/gpg4win-compendium.html
Installation instructions are specifically found in Chapter 6:
https://www.gpg4win.org/doc/en/gpg4win-compendium_11.html
c) Download Patrick Schleizer’s (adrelanos’) OpenPGP key from:
http://kkkkkkkkkk63ava6.onion/patrick.asc
Or
https://www.whonix.org/patrick.asc
d) Import the Whonix signing key.
Follow the directions of Chapter 10 of the compendium:
https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html
e) Inspect the signing key with Kleopatra.
Follow the directions of Chapter 11 of the compendium:
https://www.gpg4win.org/doc/en/gpg4win-compendium_16.html
Advanced users may wish to use the gpg command line instead, since this process is cumbersome. As long as the signing key is only listed under “other certificates” in Kleopatra, you will get the message “Not enough information to check signature validity”.
The signing key needs to be listed under “trusted certificates”. To achieve that, you need to create your own OpenPGP key first:
Kleopatra → File → New Certificate.
To sign Whonix’s singing key:
Right click on it and click “Certify Certificate”. Creating a local signature suffices.
f) Check the cryptographic signature of the VM image you want to certify.
Follow the directions in Chapter 18 of the compendium to check the integrity of the VM image and VirtualBox signature you downloaded in section 5.6.2:
https://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4
If you see the error message “Not enough information to check signature validity” as shown below:
Figure 18: Kleopatra Error Message
Then you either did not import Whonix’s signing key or you did not sign Whonix’s signing key with your own key.
If you see:
Signature valid.
Signed on 2014-04-13 06:52 with unknown certificate
0x63979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
Figure 19: Kleopatra Valid Signature and Unknown Certificate
Then this is a bug in Kleopatra which they have not fixed since 2011.
g) Check the gpg signature timestamp makes sense.
If you previously saw a signature from in 2016 and are now seeing a signature from 2015, then you could be target of a rollback (downgrade) or indefinite freeze attack.
h) Check the file name has not been tampered with.
Note: OpenPGP signatures sign files, not file names. Beginning from Whonix version 9.6, by convention the file@name OpenPGP notation includes the file name.
5.8.4 GPGTools in Mac OS X
GnuPG, a common free software implementation of OpenPGP has versions and graphical frontends for Mac OS X.
The website has detailed documentation on how to install and use the software suite.
a) Download GPGTools for Mac OS X:
b) Install GPGTools.
After installing GPGTools, you should be now be able to follow the GNU/Linux command line instructions in this guide.
c) Open the command line.
Navigate to your Applications folder → open Utilities → double click on Terminal.
c) Follow the instructions in section 5.7 to download and check the fingerprints of the Whonix signing key before importing it.
e) Follow the instructions in section 5.8.2 to cryptographically verify the Whonix VM images.
5.9 Install (Import) Whonix Images
The section outlines how to install (import) the verified Whonix VM images into the chosen virtualizer.
5.9.1 Install Whonix in KVM
a) Decompress the archived Whonix-Gateway and Whonix-Workstation archives.
Use tar to decompress the archive:
tar -xvf Whonix-Gateway*.libvirt.xz
tar -xvf Whonix-Workstation*.libvirt.xz
Note: Do not use unxz!
b) Import the Whonix VM Templates.
The supplied XML files serve as a description for libvirt, which describe the properties and networking of a Whonix machine.
First, the Whonix-Gateway is defined:
virsh -c qemu:///system define Whonix-Gateway*.xml
Second, the Whonix isolated internal network is defined. This XML is also in the same folder as the Whonix Gateway:
virsh -c qemu:///system net-define Whonix_network*.xml
Note: if the definition of the Whonix internal network fails because the network bridge “virbr1” already exists, the Whonix_network*.xml file must be edited. Change the name to one that doesnt exist e.g. “virbr2”. You can list all existing bridge adapters with “sudo brctl show”.
virsh -c qemu:///system net-autostart Whonix
virsh -c qemu:///system net-start Whonix
Lastly, the Whonix-Workstation is defined:
virsh -c qemu:///system define Whonix-Workstation*.xml
c) Move the Whonix image files.
The XML files are configured to point to the default storage location: /var/lib/libvirt/images
This step will move the images there in order for the machines to boot.
Note: It is highly recommended you use this default path for storing the images to avoid any conflicts with AppArmor or SELinux, which will prevent the machines from booting.
It is best to move the image files, instead of copying them:
sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
Whonix disk images are known as ‘sparse files’, meaning they expand when filled rather than allocating their entire size (100 GB outright). Special commands are needed when copying them to ensure they don’t lose this property, leading them to occupy all the actual space.
To copy to a privileged system location, higher privileges (sudo) is required:
sudo cp --sparse=always Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo cp --sparse=always Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
d) Cleanup after importing Whonix.
Post-installation, the archives (.libvirt.xz files) and the temporarily extracted folders can be deleted or moved to a custom location. This helps avoid conflicts and confusion should you later download a new Whonix version.
To delete them:
rm Whonix-Gateway*.libvirt.xz
rm Whonix-Workstation*.libvirt.xz
rm -r Whonix-Gateway*
rm -r Whonix-Workstation*
rm -r Whonix_network*
5.9.2 Install Whonix in VirtualBox
a) Start VirtualBox.
Figure 20: VirtualBox Welcome Page
b) Select ‘Import Applicance’:
File → Import Appliance…
Figure 21: Import Appliance Into VirtualBox
c) Navigate and select the Whonix-Gateway image (.ova) and press ‘Next’:
Figure 22: Select the Whonix-Gateway Image
d) Do NOT change any settings! Just click on ‘Import’:
Figure 23: Select the Import Button
e) Select ‘Agree’ to the license agreement:
Figure 24: Select Agree with the License
f) Wait until the Whonix-Gateway image has been imported.
Figure 25: Importing of VirtualBox Image
g) Repeat steps a-f with the Whonix-Workstation image (.ova)
When finished, you will now see both the Whonix-Gateway and Whonix-Workstation VMs in a powered off state in VirtualBox.
Figure 26: Successfully Imported Whonix Images
6.0 FIRST STEPS IN NON-QUBES-WHONIX
6.1 Launch and Connection
6.1.1 Start Whonix in KVM
If you know Virtual Machine Manager, there is nothing special about starting Whonix VMs compared to starting other VMs. First start Whonix-Gateway, followed by Whonix-Workstation.
Using the Graphical User Interface, start the Virtual Machine Manager:
Start Menu → Applications → System → Virtual Machine Manager
Then, start the Whonix-Gateway:
Click on Whonix-Gateway → click open → click the play symbol
Repeat these steps for Whonix-Workstation.
If you prefer the command line interface, run:
virsh -c qemu:///system start Whonix-Gateway
To start Whonix-gateway. Then run:
virsh -c qemu:///system start Whonix-Workstation
To start the Whonix-Workstation.
Note: If you want to adjust the display resolution seamlessly to match your host screen size after starting, do the following:
Virt-Manager Whonix-Workstation window → View → Scale Display → Always | Check: Auto resize VM with window
If you later decide to remove the Whonix KVM VMs, Whonix network and images, follow the ‘Uninstall’ instructions in this link:
6.1.2 Start Whonix in VirtualBox
Starting Whonix is simple: either double click on the Whonix-Gateway and Whonix-Workstation, or highlight each selection in turn and press ‘Start’.
Figure 27: Start Whonix in VirtualBox
6.2 Change Passwords
On the first run of Whonix, you should immediately change the passwords on BOTH the Whonix-Gateway and Whonix-Workstation (this step is not relevant for Qubes-Whonix users).
The passwords for both the account, user user and user root, must be changed. By default, the password is changeme.
Open a terminal:
Start menu → Applications → System → Terminal.
Login as root:
sudo su
Change root and user password:
passwd
passwd user
and follow the instructions.
Note: Consider using diceware passphrases for better security. Diceware passphrases of 6-7 words in length cannot be feasibly brute-forced within your lifetime using standard (non-quantum) computers.
http://world.std.com/~reinhold/diceware.html
6.3 Run Whonixcheck (Optional)
By default, Whonixcheck runs automatically from time to time whenever the user starts up a Whonix-Workstation. Whonixcheck’s purpose is to verify that the Whonix system is up-to-date and that everything is in proper working order. You may want to manually run Whonixcheck before updating your system. It usually takes a few minutes to run.
If you are using a graphical Whonix environment, complete the following step:
Start Menu → System → whonixcheck
If you are using a terminal-only Whonix environment, complete the following step:
whonixcheck
If everything is functioning properly, the output should show each heading “INFO” in green (not red). For example:
INFO: SocksPort Test Result: Connected to Tor. IP: 146.10.104.240
INFO: TransPort Test Result: Connected to Tor. IP: 91.89.96.88
INFO: Stream Isolation Test Result: Functional.
INFO: Whonix News Result:
√ Up to date: whonix-workstation-packages-dependencies 2.5-1
√ Up to date: Whonix Build Version: 11.0.0.3.0
INFO: Debian Package Update Check Result: No updates found via apt-get.
INFO: Whonix APT Repository: Enabled. When the Whonix team releases JESSIE updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read Placing Trust in Whonix to understand the risk. If you want to change this, use:
Start menu → Applications → System → Whonix Repository
INFO: Tor Browser Update Check Result: Up to date.
INFO: Please consider making a small reoccurring donation. See: Donating to Whonix
6.4 Update Whonix
It is critical that the Whonix-Gateway and Whonix-Workstation VMs stay updated! Unpatched software is one of the most common attack vectors identified in research.
a) Update your package lists.
The following steps (updating and upgrading) should be applied in both the Whonix-Gateway and Whonix-Workstation terminals and repeated at least daily thereafter.
sudo apt-get update
The output should look similar to this:
Hit http://security.debian.org jessie/updates/Release.gpg
Hit http://security.debian.org jessie/updates/Release
Hit http://deb.torproject.org jessie Release.gpg
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release
Hit http://security.debian.org jessie/updates/contrib i386 Packages
Hit http://ftp.us.debian.org jessie Release
Hit http://security.debian.org jessie/updates/non-free i386 Packages
Hit http://deb.torproject.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Ign http://ftp.us.debian.org jessie/contrib Translation-en
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists… Done
If you see something like this:
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
Err http://ftp.us.debian.org jessie Release.gpg
Could not resolve ‘ftp.us.debian.org’
Err http://deb.torproject.org jessie Release.gpg
Could not resolve ‘deb.torproject.org’
Err http://security.debian.org jessie/updates Release.gpg
Could not resolve ‘security.debian.org’
Reading package lists… Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve ‘security.debian.org’
W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg Could not resolve ‘ftp.us.debian.org’
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve ‘deb.torproject.org’
W: Some index files failed to download. They have been ignored, or old ones used instead.
Then something went wrong. It could be a temporary Tor exit relay or server failure that should remedy itself. Usually changing your Tor circuit and trying again is successful. If that fails, running whonixcheck can help to diagnose the problem.
If you see an error message like:
Could not resolve ‘security.debian.org’
It helps to run:
nslookup security.debian.org
And then try updating your package lists again.
b) Upgrade Whonix.
In konsole, run:
sudo apt-get dist-upgrade
Note: At first Whonix boot, you are asked if you want to enable or disable Whonix’s apt repository. If you disabled the Whonix APT Repository, then you will have to manually check for new Whonix releases and manually install them from source code:
6.5 Update (Upgrade) Precautions
a) Never install unsigned packages!
If you see output like the following:
WARNING: The following packages cannot be authenticated!
icedove
Install these packages without verification [y/N]?
Then don’t proceed! Press N and Enter.
Running apt-get update again should fix the problem. If not, then something is broken or it may be a man-in-the-middle attack. This possibility isn’t that unlikely, since we are updating over Tor exit relays and some of them are malicious. Change your Tor circuit and then try again.
b) Do not ignore signature verification warnings.
There should be none at the moment. If there is such a warning, the output will look like this:
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
In that case, you should be careful even though apt-get will automatically ignore repositories with expired keys or signatures, meaning you will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.
There are two possible reasons for why this could happen. Either you are a victim of a man-in-the-middle attack, or there is an issue with the repository that the maintainers have to fix. The former is not a big issue, either it will automatically resolve after a period of time or you can change your Tor circuit and try again.
If you experience other signature verification errors, these should be reported, but they are unlikely at this time.
c) Be cautious of changed configuration files.
If you see output like the following:
Setting up ifupdown …
Configuration file `/etc/network/interfaces’
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : background this process to examine the situation
The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N
Then be careful. If the updated file isn’t coming from a Whonix specific package (some are called whonix-…), then press N. Otherwise, anonymity/privacy/security settings deployed with Whonix might get lost. If you are an advanced user and know better, you can of course manually check the difference and merge them. Pressing Y will result in the loss of customized settings.
d) Restart and Update Whonix VMs.
To benefit from security updates, particularly kernel upgrades (linux-image-… was upgraded) which require a full reboot, the best practice is to shutdown the VMs and restart them.
In terminal:
sudo reboot
If you want to omit rebooting, use needrestart and follow instructions in this link:
[Operating System Software and Updates]
6.6 Take VM Snapshots
A good security practice is to keep a master copy of your updated, ‘clean’ Whonix-Gateway and Whonix-Workstation VMs and only use snapshots (or clones) of these VMs for anonymous activity. The master copies should not have any settings edited or additional software installed on them. Also, the ‘clean’ and ‘unclean’ VM states should not be mixed up from the start.
Users who may be targeted should regularly ‘roll back’ after risky activity and whenever the user suspects the integrity of the system may have been compromised. That is, the unclean VMs should be deleted and fresh clones created from the ‘clean’ templates for additional activities.
If this advice is ignored and the VMs are compromised, then an attacker potentially has access to all data contained therein: all credentials, browser data, passwords etc. Although the IP address is never leaked, this information is probably enough to de-anonymize most users.
Following this advice, you should now stop and not browse anywhere or open any unauthenticated communication channels to the Internet with the VMs freshly created from the previous steps. The only exception to this rule is running apt, which has a guaranteed way to securely download and verify packages. It is recommended you now:
This process is easy in VirtualBox, using copy/paste, cloning and exporting/importing. VirtualBox’s VM Snapshort feature is not recommended, as users have experienced data loss with it (corrupted virtual hard drives). However, for users who wish to use it and experience no problems, it provides a convenient and useful feature for making snapshots of live running systems prior to the installation of new applications. Use at your own risk!
Users are instead recommended to use SubVersioN (SVN) which is a more reliable and efficient tool for making backups of VM operating environments across multiple operating systems. Before installing SVN, users should familiarize themselves with SVN and how to use it:
https://subversion.apache.org/
https://subversion.apache.org/docs/
6.7 General Advice
For a more thorough consideration of safe and unsafe user actions in Whonix, see section 8.
6.7.1 Only Use the Whonix-Workstation
All your desktop activities should take place in the Whonix-Workstation. You should never use Whonix-Gateway for anything other than running Tor on it! Also, do not install additional software in the Whonix-Gateway unless you know what you are doing.
If you ignore this advice and the Whonix-Gateway is compromised, the attacker can access your identity (public IP address) as well as all destinations, clear-text and hidden service communication.
6.7.2 Avoid Interrupting the Virtualizer
To prevent against time zone leaks, the system clock inside Whonix is set to UTC. This means the clock may be a few hours before or ahead of your host system clock. Do not change the system clock!
It is recommended users not use pause/suspend/save/resume features of virtualizers or hibernation functions on the host OS while Whonix-Workstation is running. If this advice is ignored, users should manually run TimeSync afterwards:
Start Menu → Applications → System → Time Synchronization Monitor (sdwdate-gui)
It is also recommended to not pause/suspend/save/resume the Whonix-Gateway, because it is difficult to properly restore the clock afterwards. Specifically, if your host clock (in UTC) is more than 1 hour in the past or more than 3 hours in the future, Tor can’t connect.
If this advice is ignored, the user should check the host’s battery status and fix the host clock manually (right clicking on the clock). The Whonix-Gateway can then be powered off and on again, and Tor should be able to connect. If your host clock is too inaccurate, you may experience problems in updating your host operating system.
6.7.3 VirtualBox Hardening
As many users default to VirtualBox, consider removing unnecessary features which increase the attack surface. Many features can be safely removed and do not impact core functionality:
6.8 Bridges for Censored Whonix Users
6.8.1 When to Use Bridges
When using Tor with Whonix in its default configuration, anyone observing the traffic of your Internet connection - your ISP, your government, law enforcement and intelligency agencies - can easily determine you are using Tor. This may be a problem if the following applies in your country:
a) Tor is blocked by censorship: since all connections to the Internet are Tor-routed, this would make Whonix useless for everything except working offline on documents etc; or
b) Using Tor is dangerous or considered suspicious: in this case starting Whonix in its default configuration might get you into serious trouble with authorities.
Tor bridges (Tor bridge relays) are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your ISP to know that you are using Tor. Before using bridges, familiarize yourself with what bridges are and how obfsproxy works. Obfsproxy is the application that Tor uses to connect bridges, see:
[Configure (Private) (Obfuscated) Tor Bridges]
Bridges are less reliable and tend to have lower performance than other entry points to the Tor network. If you live in a uncensored area, they are not necessarily more secure than entry guards.
Warning: Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress that an adversary could make to identify Tor users.
6.8.2 Finding a Bridge and Suitable Protocol
When Whonix starts for the first time, it won’t automatically connect to the public Tor network. Whonix Setup Wizard, which is automatically started, will guide you.
In order to use bridges, you must know in advance the address of at least one bridge. The Tor Project distributes public bridge addresses in several ways, for example from their website and via email. The easiest way to find a list of public bridges is from The Tor Project Bridge Database.
Recommendations:
a) Only use obfuscated bridges since they are harder to identify than other bridges. The Tor Project only recommends the obfs4 protocol at the time of writing (not obfs2 or obfs3), since it defends more effectively against active probing.
b) It is better to use a private obfuscated bridge than a publicly known one. The latter have a greater likelihood of being censored since they are publicly listed. Unfortunately, since some bridge addresses can be obtained by anyone from the Tor website or by email, it is also possible for an adversary to get the same bridge information by the same means. The Tor Project has some protections against that, but they are far from being perfect.
Warning: Intelligence agencies are known to monitor emails to the Tor Project requesting bridges. That is, XKEYSCORE selection rules target and record in a database those sending email to:
bridges@bridges.torproject.org
with the line “get bridges” in the body. Notably, XKEYSCORE selection rules also include those just visiting the websites of the Tor Project and TAILS.
If you wish to use this method anyhow, then follow the directions in the following link:
c) The safest method is to find a trusted friend or organization in a different country who can run a private obfuscated bridge for you. In this case “private” means that the bridge is configured with the option PublishServerDescriptor 0. Without this option the Tor Project can learn about the bridge and may distribute its address to others and so it could end up in the hands of an adversary.
6.8.3 Configure a Bridge in Whonix
Whonix does not include a wizard to set up private or public obfuscated bridges. The graphical tor-launcher screenshots seen on the Tor Project’s website cannot be used in Whonix. Instead, bridges are configured on the Whonix-Gateway in the same way as if you were using vanilla Debian GNU/Linux (Whonix is based on Debian).
a) Access /etc/tor/torrc on the Whonix-Gateway to add bridges.
If you are using a graphical Whonix-Gateway:
Start Menu → Applications → Settings → /etc/tor/torrc
If you are using a terminal-only Whonix-Gateway:
sudo nano /etc/tor/torrc
b) Edit /etc/tor/torrc on the Whonix-Gateway and configure bridges.
Once inside /etc/tor/torrc, scroll to the very bottom and copy-paste the following text:
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Now you must add the IP addresses for your bridges that your sourced from earlier steps. Copy-paste the IP addresses at the bottom of /etc/tor/torrc. Make sure to manually add the text “bridge” at the beginning of each line entry.
Below is a text example for obfs3 and obfs4 (do not copy-paste this list; these IP’s will not work). Note: your torrc file will have EITHER obfs3 or obfs4, not both at the same time.
bridge obfs3 109.195.132.77:22321 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 55.32.27.22:38123 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 192.24.131.513:62389 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs4 192.235.207.85:42086 0EEB10BF4B4FAF56D46E cert=oue8sYYw5wi4n3mf2WDOg iat-mode=0
bridge obfs4 34.218.26.20:43263 DD21A551767816A0C9495 cert=7qzS6KASquPvJU82Fm7qoJw iat-mode=0
bridge obfs4 161.217.177.95:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0
Once you have completed editing /etc/tor/torrc, save and exit:
Ctrl-X → press Y → Enter
c) Enable Tor.
If you have not already enabled Tor, then do so via the whonix-setup-wizard.
If you are using a graphical Whonix-Gateway:
Start Menu → Applications → System → Whonix Setup Wizard
Select “Enable Tor” and press next
For terminal-only Whonix-Gateway:
sudo whonixsetup
Select “Enable Tor” and press next
d) Reload Tor.
After editing /etc/tor/torrc you must reload Tor so your changes take effect.
If you are using a graphical Whonix-Gateway:
Start Menu → Applications → Settings → Reload Tor
For terminal-only Whonix-Gateway (reload Tor and check Tor’s daemon status):
sudo service tor@default reload
sudo service tor@default status
It should output a message saying:
Active: active (running) since …
In case of issues, check Tor’s configuration:
sudo -u debian-tor tor --verify-config
The output should show something like:
Sep 17 17:40:41.416 [notice] Read configuration file “/etc/tor/torrc”.
Configuration was valid
Note: If you are not able to connect to Tor after completing all these steps, you have most likely done something wrong. Go back and check your /etc/tor/torrc file and redo the steps outlined in the sections above. If problems persist, refer to this link for troubleshooting:
[Configure (Private) (Obfuscated) Tor Bridges]
6.9 Further Links
Change the keyboard layout:
[Keyboard Layout]
Change the system language:
[Change the System or Tor Browser Language]
7.0 COMMON WHONIX TASKS
7.1 Internet Browsing
It is recommended that only Tor Browser is used in Whonix for browsing the Internet.
Tor Browser is a fork of the Mozilla Firefox web browser, developed by the Tor Project, which is optimized and designed for anonymity. If you use other browsers in Whonix, your IP address/DNS is still protected, but you don’t benefit from Tor Browser’s protocol level sanitization and privacy-enhancing patches and add-ons. As a result you become pseudonymous, rather than anonymous. Another benefit of using Tor Browser is that you blend in with the near two million other Tor users, and share a common browser fingerprint.
When using Tor browser, users should visit encrypted (HTTPS) sites as often as possible, rather than unencrypted (HTTP) alternatives. Websites with the .onion extension are even safer, since man-in-the-middle attacks with fraudulently issued certificates are impossible (for instance, the Whonix onion is http://kkkkkkkkkk63ava6.onion). The benefit of HTTPS is that it (generally) prevents a Tor exit relay eavesdropping on your communications as data is exchanged between your browser and the server.
HTTPS includes mechanisms to authenticate the server you are communicating with - although this is an imperfect system. It is important to only use HTTPS services when you are sending or retrieving sensitive information (like passwords), otherwise it is very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.
Tor Browser ships with the HTTPS Everywhere extension. It automatically encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
Another benefit of using Tor Browser is the built-in Torbutton and NoScript add-on. With advanced privacy and security settings, the Torbutton helps to defend against elements which can defeat the anonymity of the Tor network: JavaScript, Adobe Flash, cookies and other trackable/fingerprintable features. The benefit of NoScript is that JavaScript, Java and other plugins are only allowed for trusted domains of your choice, helping to reduce the attack surface of the browser.
For better security and anonymity when using Tor Browser, follow these recommendations:
This is only a general introduction to remaining anonymous and secure when browsing the Internet. For a comprehensive overview of other issues like chatting, hosting location hidden servers, filesharing/bittorent, anonymous money, VOIP etc. please refer to “Connect to the Internet Anonymously” section in the Whonix documentation and section 9.3 of this guide:
7.2 Pre-Installed Applications
Basically, any program can be used together with Whonix. Whonix comes with a host of free software pre-installed and pre-configured with safe defaults, including:
Browsing, Email and Messaging/Chat
Servers
Other Tools
Note: scurl is a SSL command line downloader which provides a simple wrapper around curl. /usr/bin/scurl simply adds --tlsv1 --proto =https to all runs of curl. It also has Stream Isolation in Whonix, because /usr/bin/curl is an uwt wrapper symlinked to /usr/lib/whonix/uwtwrapper which will ultimately run /usr/bin/curl.real. To use scurl, follow the instructions at this link:
7.3 Install Software for Work on Sensitive Documents
7.3.1 Recommended Software
If you need to work on sensitive documents, then install the recommended software below or other applications of your choosing.
a) Office Suite - LibreOffice
LibreOffice is a full-featured office productivity suite that provides a near drop-in replacement for Microsoft Office. A word processor, a spreadsheet and a presentation application is included.
Start menu → Applications → System → Terminal
sudo apt-get update
sudo apt-get install libreoffice
b) Desktop Screenshot Creator - Shutter (non-Qubes-Whonix only)
Start menu → Applications → System → Terminal
sudo apt-get update
sudo apt-get install shutter
Note: Qubes-Whonix users use the Screenshot tool available in dom0.
c) Desktop Video Recorder - RecordMyDesktop
Start menu → Applications → System → Terminal.
sudo apt-get update
sudo apt-get install gtk-recordmydesktop
d) Image Editing - kolourpaint4
Start menu → Applications → System → Terminal
sudo apt-get update
sudo apt-get install kolourpaint4
e) Video Editing - Kdenlive
Start menu → Applications → System → Terminal
sudo apt-get update
sudo apt-get install kdenlive
f) Publishing - Scribus
Scribus is an Open Source Desktop Page Layout that can be used for many tasks; from booklets design to newspapers, magazines, newsletters and posters to technical documentation.
Start menu → Applications → System → Terminal
sudo apt-get update
sudo apt-get install scribus
g) Audio Editing - kwave
kwave is a multi-track audio editor for GNU/Linux, Mac OS X and Windows. It is designed for easy recording, playing and editing of digital audio.
Start menu → Applications → System → Terminal
sudo apt-get update
sudo apt-get install kwave
7.3.2 Printers and Scanners Warning
Printing is risky. This is not a Whonix-related problem, but a general issue with printers. As the eff.org notes:
Imagine that every time you printed a document it automatically included a secret code that could be used to identify the printer - and potentially the person who used it. Sounds like something from an episode of “Alias” right?
Unfortunately the scenario isn’t fictional.
We don’t know if scanners also add extra hidden data which can uniquely identify a user. To be safe, you might consider buying an extra printer and/or scanner which you only use for anonymous activity. Another non-technical consideration is forensic evidence left on printers and peripherals e.g. fingerprints, DNA etc.
7.4 Install Other Software
If you don’t like the available Whonix software options, then you can install other applications of your choosing. You can install any software inside the Whonix-Workstation using apt-get, since it’s based on Debian.
Due to the Whonix design, it is possible to torrify almost all applications which are not capable of proxy support by themselves. However, it is generally inadvisable to install additional software unless you really need it, because it increases the risk of using software that is not exclusively designed to work with Tor.
Reminder: Qubes-Whonix users need to install persistent software in their Workstation TemplateVM(s). Using apt-get in an AppVM will install software for the current session only, and those changes will be lost when the VM is shut down.
7.4.1 Install Software From Debian Stable
The general recommendation is to install packages from the Debian Stable repository, rather than the Testing/Unstable or third party repositories. Further, manually installed packages, even trusted ones, tend not to get updated by users in a timely fashion. As the Debian FAQ notes:
https://www.debian.org/doc/manuals/debian-faq/ch-choosing.en.html#s3.1
Stable is rock solid. It does not break and has full security support. But it not might have support for the latest hardware.
If security or stability are at all important for you: install stable. Period. This is the most preferred way.
Since there is typically over 1 year between releases you might find that stable contains old versions of packages. However, they have been tested in and out. One can confidently say that the packages do not have any known severe bugs, security holes etc., in them. The packages in stable integrate seamlessly with other stable packages. These characteristics are very important for production servers which have to work 24 hours a day, 7 days a week.
On the other hand, packages in testing or unstable can have hidden bugs, security holes etc. Moreover, some packages in testing and unstable might not be working as intended.
In respect of Debian Backports, they state:
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
7.4.2 Don’t Login As Root
Never login as root user (sudo su or run GUI applications using sudo application). This will fail. This is a limitation inherited by Debian and you will see error messages.
As a KDE user (Whonix default) use kdesudo application or otherwise use gksudo application. The example below shows how to open /etc/tor/torrc in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run:
kdesudo kwrite /etc/tor/torrc
If you are using a terminal-only Whonix, run:
sudo nano /etc/tor/torrc
For more information on securely installing additional software, refer to the following link:
8.0 PRESERVING ANONYMITY AND PRIVACY
In this section, an anonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP address/location) of that connection nor to associate it with an identifier.
A pseudonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP address/location) of a connection, but can associate it with an identifier.
While the information below provides an overview of safe and unsafe Whonix user actions, it is not a substitute for reading the full Whonix documentation. At-risk users should always refer to the detailed information outlined in these links:
[Whonix ™ Documentation]
[https://www.whonix.orgwiki/DoNot]
8.1 Unsafe Whonix User Actions
Websites and Accounts
Browsers
Networks
Application and Whonix Settings/Operation
Note: Changing user interface settings for applications which do not connect to the internet is mostly safe. For example, checking a box “don’t show this tip of the day anymore” or “hide this menu bar” will have no effect on anonymity. For those applications attached to the internet, changing settings (even on the user interface) must be carefully reviewed.
Communication
Note: Qubes-Whonix users can safely open links or PDFs in a DisposableVM.
Anonymity Modes
8.2 Safe User Actions
Essentially, safe user actions can be defined as the opposite of those just mentioned, plus others already mentioned throughout this guide. Be sure to educate yourself by referring to these links:
[Security Guide - Whonix]
[Advanced Security Guide - Whonix]
As a reminder, recommended actions include:
General Systems Advice
Qubes-Whonix
For MAC spoofing see: Redirecting…
Recent research shows MAC spoofing is ineffective for WiFi, however, it should still work for hard-wired connections. Use of ‘burner’ WiFi USB sticks is one possible solution for the former case.
Non-Qubes-Whonix
Tor and Tor Browser
Note: A possible alternative to Tor bridges is configuring optional tunnels (VPNs etc) before (or after) connecting to Tor, but note the warnings attached where it is discussed.
Applications
See: Stream Isolation
Other
9.0 ADVANCED TOPICS AND FURTHER LINKS
9.1 Multiple Browsers, Gateways and Workstations
a) Multiple Browsers
[Advanced Security Guide - Whonix]
b) Multiple Whonix-Workstations
[Multiple Whonix-Workstation ™]
c) Multiple Whonix-Gateways
[Multiple Whonix-Workstation ™]
d) Chaining Anonymous Gateways
[Advanced Security Guide - Whonix]
9.2 Advanced Tunneling Options
Numerous chaining configurations are possible using VPNs, SSH, I2P, JonDonym, Lantern etc.
Warning: It is unclear whether complicated chaining configurations actually improve or worsen anonymity, nor whether the use of Tor can be sufficiently disguised by this method (if that is the intention). Further, not all chaining methods provide an equal level of protection!
Carefully read the documentation and blog entry below before committing to this course of action:
[News - Whonix Forum]
[Hide Tor use from the Internet Service Provider]
[Combining Tunnels with Tor]
[Whonix versus Proxies - Whonix]
9.2.1 Connecting to a Tunnel Link Before Tor
a) VPN → Tor
[Connecting to a VPN before Tor]
b) Proxy → Tor
[Connecting to a Proxy before Tor]
c) SSH → Tor
[Connecting to SSH before Tor]
d) JonDonym → Tor
[Combining Whonix ™ with JonDonym]
e) Lantern → Tor
[Lantern: Alternative Censorship Circumvention Tool]
9.2.2 Connecting to a Tunnel Link After Tor
a) Tor → VPN
[Connecting to Tor before a VPN]
b) Tor → Proxy
[Connecting to Tor before a Proxy]
c) Tor → SSH
[Connecting to Tor before SSH]
d) Tor → I2P
[Invisible Internet Project (I2P)]
e) Tor → JonDonym
[Combining Whonix ™ with JonDonym]
9.3 Other Popular Topics
a) Controlling and Monitoring Tor
[Control and Monitor Tor]
b) Anonymous Chatting
[Instant Messenger Chat]
c) Hosting Location Hidden Services
[Hosting Location Hidden Services - Whonix]
d) File Sharing/Bittorent
[Filesharing and Torrenting]
e) Anonymous Email
[Email Overview]
f) Anonymous Money
[Anonymous Money]
g) VOIP
[Voice over IP (VoIP)]
h) Cleaning Metadata
[Metadata - Whonix]
10.0 SUPPORT
Before requesting personal support, please first search the known issues, guides, documentation, issue tracker, web, and past support requests found on the forums. In most cases, your support needs will have already been addressed.
Be aware of the Free Support Principle when requesting help:
[Free Support for Whonix ™]
For general Qubes-related issues, use Qubes Support:
For general Whonix, Debian, Tor, etc. related issues, use Whonix Support:
[Support - Whonix Forum]
For Qubes-Whonix specific issues, use the Qubes-Whonix Forum:
[Qubes-Whonix - Whonix Forum]
A list of frequently asked questions can be found here:
[https://forums.whonix.org/wiki/FAQ]
11.0 CREDITS
The vast majority of the information contained in this guide has been sourced from Whonix documentation:
A big thankyou to the many anonymous contributers, the Whonix development team, and lead developer Patrick Schleizer for collating this information and placing it in the public domain.
Additional material has been sourced from the Tor Project and Qubes OS websites:
Good day,
I have to say that I am quite impressed. Great effort and incredibly detailed.
Have a nice day,
Ego
What a tremendous amount of work! Congratulations!
When I imagined a Quick-Start Guide, I envisioned something tailored to a “prototypical journalist” accustomed to using a Windows PC for basic office and communications tasks: web browsing, email, chatting, video conference, word processing, spreadsheets. In other words, unfamiliar with Linux, Virtualization, and Anonymity Software. The guide would allow this journalist to communicate with a source securely while allowing the source to preserve their anonymity. The journalist might be under deadline pressure, and/or not be interested in achieving anything more than a reasonably secure setup.
I think your Guide does a good job of sticking to the important topics. The final version will appear much shorter since it will fork after choice of virtualizer and hide non-applicable info. I would suggest cutting out the sections on Stream Isolation & Physical Isolation. The proper place to mention (or link to) Stream Isolation is in the section “Install Other Software” since any user that confines themselves to the pre-installed programs will be stream isolated by default. Physical Isolation has been unsupported for quite some time and is difficult to troubleshoot remotely - especially if the user is new to Linux.
I think the most important section of this guide (in terms of UX) would have to be the section devoted to Host & Virtualizer choice. This needs to be worded very carefully. Despite all of our long-held criticisms of Windows, that OS is for many the only computer experience they have ever had. I think for a guide like this we need to leave open the possibility of using Windows. Obviously it’s important to state limitations / warnings regarding use of Windows but at the same time, the goal is not to scare the crap out of a potential user (not necessarily anyway).
To that end, I would approach the decision along these lines:
If you have the resources to dedicate a separate hardware system for Whonix-only use, that is highly recommended. If you are comfortable or willing to learn to use Linux, both Whonix-Qubes and Whonix-KVM are under active development and are considered relatively secure. Windows and Mac users have the option of using VirtualBox to run Whonix as long as they are mindful of the following precautions [link]. [Note: no idea how to present Qubes vs KVM decision.]
If you require using your existing system to run Whonix, please regard these Warnings [link] before proceeding. Linux users have the option to use KVM or VirtualBox as their virtualization platform. [Insert decision criteria.] Windows and Mac users can use Virtualbox to run Whonix, as long as they are comfortable with the following additional Warnings [link].
[I don’t think you need to mention QEMU, VMWare, ArchLinux. Again, my recommendations are for a Guide written to MY specs. Those are some high-level suggestions - will drill down as guide progresses.]
Great job!
An incredible amount of work.
I fear you unfortunately misinterpreted the goal I tried to formulate in
https://forums.whonix.org/t/splitting-whonix-documentation-into-a-short-and-long-edition-for-better-usability.
In essence, this single page Whonix Documentation is a mess currently. Too big. It should be replaced by a a shorter version. The goal was just a shorter, better table of contents. Not to rewrite the existing documentation pages.
A quick-start guide can be useful, but at it’s current length and detail it’s not really quick start. Quite expert, detailed.
Please do not take this as discouragement. There is a huge amount of improved documentation that should be merged. Such as “What is Whonix”, “Should I use Whonix”, “Whonix Advantages and Disadvantages” and a lot more I have not read yet.
Such a huge amount of suggestions is difficult to handle in one thread.
Can you please suggest all your suggestions step by step into Whonix wiki? Why not let’s start with “Whonix Advantages and Disadvantages”. Looks like that belongs to Features, Advantages, Use Cases - Whonix? Looks like you got better wording, additions and what not.
For non-controversial changes, just edit the wiki. For other stuff, open new forum threads.
More points to leave out to make it shorter:
Some more but that should be enough for now.
Thanks!
No problem - this material can easily be shortened in the coming weeks based on your feedback. It is easier to reduce drafts in size, rather than the other way around. I’ll do that in another thread.
I have to find some time to do that, but I hope the work can be finished relatively soon, so it might be okay for publishing when the new website is ready to go.
