
Whonix Quick-Start Guide v0.1


#1

Based on feedback (thanks!), I will reduce this to a really short version in a new thread in the coming weeks when I have time.

NB: The formatting doesn’t work well in this forum; the Table of Contents normally wouldn’t have chapter headings with 1.0, 2.0 etc., but rather 1, 2, 3… (this can be fixed in v0.2). Also, the sub-headings would have a tab space in front of them.


#2

TABLE OF CONTENTS

1.0 DISCLAIMER

2.0 AN INTRODUCTION TO WHONIX

2.1 What is Whonix?
2.2 Should I Use Whonix?
2.3 Whonix Advantages and Disadvantages
2.4 Whonix vs Other Anonymity Distributions
2.5 Warnings

3.0 POSSIBLE WHONIX CONFIGURATIONS

3.1 Physical Isolation and Virtualization
3.2 Qubes-Whonix
3.3 Standard Host Operating Systems and Virtualization (Non-Qubes-Whonix)
3.4 Minimum Qubes-Whonix System Requirements
3.4.1 Important Notes
3.5 Minimum Non-Qubes-Whonix System Requirements
3.5.1 Important Notes

4.0 QUBES-WHONIX INSTALLATION, UPDATING AND CONFIGURATION

4.1 Install Whonix TemplateVMs
4.2 Enable AppArmor on TemplateVMs
4.3 Create Whonix-Gateway ProxyVMs
4.4 Create Whonix-Workstation AppVMs
4.5 Change TemplateVM Proxy Settings
4.6 Update (Upgrade) Whonix-Gateway and Whonix-Workstation TemplateVMs
4.7 Update (Upgrade) Precautions
4.8 Start Whonix-Workstation AppVMs
4.9 Further Links

5.0 NON-QUBES-WHONIX INSTALLATION AND VERIFICATION

5.1 Recommended Host Operating System
5.1.1 Avoid Windows Hosts
5.1.2 GNU/Linux Hosts
5.2 Harden the Host Operating System
5.3 Choose a Virtualization Platform
5.3.1 KVM is Preferable to VirtualBox
5.3.2 QEMU and VMWare are Not Recommended
5.4 Install a KVM Virtualizer
5.4.1 Debian
5.4.2 Arch Linux
5.4.3 Other Distributions
5.4.4 KVM Workarounds on Debian Stable (Jessie)
5.4.5 KVM Workarounds on Other Distributions
5.4.6 Post-installation Advice
5.5 Install a VirtualBox Virtualizer
5.5.1 Debian
5.5.2 Mac OS X and Windows
5.5.3 Install the Latest VirtualBox Version (Debian)
5.6 Download Whonix Images
5.6.1 KVM
5.6.2 VirtualBox
5.7 Download the Whonix Signing Key
5.8 Verify Whonix Images
5.8.1 KGpg in GNU/Linux
5.8.2 Terminal in GNU/Linux
5.8.3 Gpg4win in Windows
5.8.4 GPGTools in Mac OS X
5.9 Install (Import) Whonix Images
5.9.1 Install Whonix in KVM
5.9.2 Install Whonix in VirtualBox

6.0 FIRST STEPS IN NON-QUBES-WHONIX

6.1 Launch and Connection
6.1.1 KVM
6.1.2 VirtualBox
6.2 Change Passwords
6.3 Run Whonixcheck (Optional)
6.4 Update (Upgrade) Whonix
6.5 Update (Upgrade) Precautions
6.6 Take VM Snapshots
6.7 General Advice
6.7.1 Only Use the Whonix-Workstation
6.7.2 Avoid Interrupting the Virtualizer
6.7.3 VirtualBox Hardening
6.8 Bridges for Censored Whonix Users
6.8.1 When to Use Bridges
6.8.2 Finding a Bridge and Suitable Protocol
6.8.3 Configure a Bridge in Whonix
6.9 Further Links

7.0 COMMON WHONIX TASKS

7.1 Internet Browsing
7.2 Pre-Installed Applications
7.3 Install Software for Work on Sensitive Documents
7.3.1 Recommended Software
7.3.2 Printers and Scanners Warning
7.4 Install Other Software
7.4.1 Install Software From Debian Stable
7.4.2 Don’t Login As Root

8.0 PRESERVING ANONYMITY AND PRIVACY

8.1 Unsafe Whonix User Actions
8.2 Safe Whonix User Actions

9.0 ADVANCED TOPICS AND FURTHER LINKS

9.1 Multiple Browsers, Gateways and Workstations
9.2 Advanced Tunneling Options
9.2.1 Connecting to a Tunnel Link Before Tor
9.2.2 Connecting to a Tunnel Link After Tor
9.3 Other Popular Topics

10.0 SUPPORT

11.0 CREDITS


#3

1.0 DISCLAIMER

This Quick-Start Guide provides a simple overview of Whonix and instructions for safe installation on your preferred host operating system (OS) and virtualization platform. A crash course in staying anonymous and secure on the Internet is also provided.

Whonix is a technological means to anonymity, but staying anonymous is not just a technological problem. Anonymity is a complex problem without an easy solution. The more you know, the safer you can be. Users are strongly recommended to review the full Whonix documentation, particularly the Security Guide and Advanced Security Guide found in the links below:

[http://kkkkkkkkkk63ava6.onion/wiki/Documentation]
[https://www.whonix.org/wiki/Documentation]

Whonix, as well as all the software it includes, is under continuous development and might contain programming errors or security holes. Do not rely on it for strong anonymity. Users should keep themselves informed about Whonix development. Whonix is free software, but no warranties are given or implied; see the GNU General Public License for details:

[https://github.com/Whonix/Whonix/blob/master/COPYING]


#4

2.0 AN INTRODUCTION TO WHONIX

2.1 What is Whonix?

Whonix is a free desktop operating system which is run on top of a host operating system (OS) and is specifically designed for advanced security and privacy. Based on Tor, Debian GNU/Linux and the principle of security by isolation, it realistically addresses common attack vectors while maintaining usability. Online anonymity is made possible via fail-safe, automatic, and desktop-wide use of the Tor network - all connections are forced through Tor or blocked.

Tor protects you from traffic analysis by bouncing your communications around a distributed network of relays run by global volunteers. Anybody watching your Internet connection can’t see what sites you visit, and the sites you visit can’t learn your physical location. For further information, see:

[https://www.torproject.org/]

Figure 1: How Tor Works

Whonix uses a heavily reconfigured Debian base which is run inside multiple virtual machines (VMs). This architecture provides a substantial layer of protection from malware and IP address leaks. Applications are pre-installed and pre-configured with safe defaults to make them ready for use. The user is not jeopardized by installing custom applications or personalizing the desktop. Whonix is the only actively developed OS designed to be run inside a VM and paired with Tor.

Whonix consists of two parts: the Whonix-Gateway and the Whonix-Workstation. The former runs Tor processes and acts as a gateway, while the latter runs user applications on a completely isolated network. Critically, only connections through Tor are permitted, DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP address. Threats posed by misbehaving applications and user error are also minimized.

Figure 2: How Whonix Works

Whonix users benefit from stream isolation between the different pre-installed or custom-installed applications used simultaneously. Tor Browser, Hexchat, Thunderbird and other applications each use a dedicated Tor SocksPort, so they take separate Tor circuits; this prevents the identity (pseudonym) correlation that can otherwise occur when two applications share the same circuit and exit relay. Applications without a dedicated SocksPort are routed transparently through Tor’s TransPort and DNSPort, which can optionally be disabled. The following graphic illustrates applications taking different routes (nodes) through the Tor network.

Figure 3: Whonix Stream Isolation

2.2 Should I Use Whonix?

Increasing levels of mass surveillance and repression all over the world mean our freedoms and privacy are rapidly being eroded. Without precautions, your Internet service provider (ISP), the State, the police and global surveillance systems can record everything you do online, as IP addresses associated with network activity are easily traced to the physical location of your computer(s), and ultimately you.

Whonix is one solution to this problem. It benefits anyone who values privacy, or does sensitive work on their desktop or online. This includes, but is not limited to: investigators, whistleblowers, researchers, government officials, journalists, political activists, businesspeople, those living in repressive or censored environments, and average computer users who wish to assert their privacy rights.

2.3 Whonix Advantages and Disadvantages

The primary Whonix advantages include:

  • A free, open-source Debian (Linux) software platform;
  • Building Whonix from source is easy;
  • Identifying information is not silently uploaded in the background;
  • Numerous features and optional configurations are available;
  • Whonix can be installed on a Windows, Mac OS-X, GNU/Linux or BSD host OS using a Type-II hypervisor (KVM, VirtualBox, QEMU, VMWare etc.);
  • Whonix templates can be installed in a Xen bare-metal Type-I hypervisor (Qubes-Whonix);
  • Whonix can be used with physical isolation, i.e. set up on two separate computers combined with virtualization;
  • A host of pre-configured, pre-installed applications are available e.g. web browser, IRC client, messengers and more;
  • Any compatible software packages can be installed;
  • All applications are Tor-routed, including those which do not support proxy settings - hiding your IP address, preventing ISP spying, and identification by websites or malware;
  • Censored users have full internet access;
  • Stream isolation prevents identity correlation between social media and other logins;
  • Tor processes and Tor Browser do not run inside the same VM - browser exploits can’t affect Tor process integrity;
  • Public or private obfuscated Tor bridges can be used for censorship circumvention;
  • Tor’s data directory and entry guards are persistently stored - a distinct advantage over live CD/USB systems;
  • A user’s real external IP address cannot be leaked by Java, Javascript, Flash, browser plug-ins or misconfigured applications;
  • Protection against side channel attacks - no IP address or DNS leaks are possible;
  • Anti-malware and anti-exploit modifications lower the threat of trojans and backdoors;
  • Protection against IP address/location discovery via malware root exploits in Whonix-Workstation;
  • Protection against protocol leaks and device/system fingerprinting;
  • Whonix can be combined with advanced tunneling options like VPNs, I2P, JonDoNym, Lantern, SSH and other proxies - there are no restrictions on the possible chaining permutations;
  • Whonix allows for the safe hosting of Tor hidden services (onion services); and
  • The cost of targeting a Whonix user for analysis is greatly increased - default ISP inspection methods for internet traffic have limited utility.

The main Whonix disadvantages are that it is more difficult to set up than the regular Tor Browser bundle and it requires the use of VMs (or additional hardware) to operate. Further, higher maintenance is required and updating of the OS and applications behind a Tor proxy is slow. Whonix is not a one-click anonymization solution, nor is it (yet) an amnesic system like TAILS.

2.4 Whonix vs Other Anonymity Distributions

Prior to using Whonix as the default anonymity solution, potential users should conduct a thorough risk assessment of their personal circumstances and consider the suitability of other anonymity distributions like TAILS. For a full comparison of Whonix with other anonymity solutions, see:

[https://www.whonix.org/wiki/Comparison_with_Others]

2.5 Warnings

Before making the final decision to use Whonix, users should carefully read the Warnings documentation linked below. Whonix is not a silver bullet, since every project is imperfect and cannot possibly mitigate all known risks:

[https://www.whonix.org/wiki/Warning]

In summary, the potential risks include:

  • Tor exit relays can eavesdrop on communications;
  • Whonix makes it clear that you are using Tor;
  • Whonix might make it clear you are using Whonix;
  • Man-in-the-middle attacks are still possible, unless you are using end-to-end encryption;
  • Advanced adversaries can measure traffic coming in and out of the network (confirmation attacks via traffic analysis);
  • Persistent Tor Entry Guard Relays can make you trackable across different physical locations;
  • Whonix doesn’t encrypt your documents by default;
  • Whonix is not amnesic (unlike TAILS);
  • Whonix doesn’t clear the metadata of your documents;
  • Whonix doesn’t encrypt the subject line and other headers when sending PGP encrypted e-mail messages;
  • Tor doesn’t protect you from a global adversary (well-resourced intelligence agencies);
  • Whonix doesn’t magically separate your different contextual identities;
  • Whonix doesn’t make your passwords stronger;
  • Whonix doesn’t secure your host OS;
  • Whonix doesn’t prevent the installation of potentially malicious proprietary software or unsigned software;
  • Whonix doesn’t prevent users doing ‘anonymous’ activities outside of the Whonix-Workstation;
  • Whonix doesn’t improve security/anonymity outside of Whonix;
  • Whonix doesn’t prevent users from shooting their own feet;
  • Whonix doesn’t defeat stylometric analysis;
  • Whonix doesn’t protect against social engineering;
  • Whonix does not (yet) implement a number of other desirable security features; and
  • Whonix is a work in progress.

#5

3.0 POSSIBLE WHONIX CONFIGURATIONS

Users have three primary choices in how they wish to run Whonix. This choice is dictated by the user’s available hardware, hardware capabilities, skill level, host OS, desired security, and consideration of the maintenance status of Whonix images:

a) Whonix using physical isolation - setting up two different computers AND virtualization (advanced)
b) Whonix running on Qubes OS (Qubes-Whonix) - a Type I hypervisor (advanced)
c) Whonix running on a Mac, Windows, GNU/Linux or BSD host OS, paired with a supported Type II hypervisor (virtualizer) like KVM or VirtualBox (beginner to advanced)

3.1 Physical Isolation and Virtualization

The first option is for advanced users only and provides only an experimental level of security (not recommended).

Essentially, one computer acts as the Whonix-Gateway while another acts as the client Whonix-Workstation, and an isolated point to point network is established between them. The primary benefits of this approach are:

  • The trusted computing base is more than halved;
  • Malware running on the host does not have full control over all VMs; and
  • Exploits of the Whonix-Workstation VM will not immediately expose the IP address of the user, since both VMs are not running on the same physical host.

This option is not considered in this guide for the sake of brevity. For further instructions see:

[https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation]

3.2 Qubes-Whonix

The second option is for advanced users only and provides a production level of security (recommended).

Qubes is the superior choice for security-conscious users. Based on Xen and Fedora, and through hardware support (VT-x, VT-d, TXT) Qubes provides a security-by-isolation architecture, while also offering a single integrated user-friendly desktop experience across VMs. There are multiple security, usability and performance benefits to using Qubes over other virtualizers, including:

  • A reduced attack surface: the network stack and drivers run in a dedicated NetVM;
  • The Qubes design discourages the host (dom0) running any processes other than running VMs;
  • No networking is present in dom0 - even host upgrades are fetched via a dedicated UpdateVM before verification and installation;
  • DisposableVMs are available;
  • Compartmentalized, desktop-related workflows may be even more secure than physical isolation;
  • Multiple Whonix-Workstation AppVMs can use the same Whonix-Gateway ProxyVM without being able to contact each other;
  • Secure clipboard and file copy-paste mechanisms exist;
  • VMs are easily backed-up, restored or re-installed;
  • A default seamless mode is available for Windows;
  • VMs start much faster because fewer services are needed;
  • AppVMs use less RAM; and
  • AppVMs use less disk space because they can share the root image of the TemplateVM.

Users choosing to install Qubes normally enable Whonix by:

a) Installing Qubes 3.1/3.2 as the hypervisor on their physical host computer;
b) At first boot, checking the option to install the two TemplateVMs (Whonix-Gateway and Whonix-Workstation), which by default automatically creates a ProxyVM (sys-whonix) and a Whonix-Workstation AppVM (anon-whonix); and
c) Optionally, selecting the sys-whonix ProxyVM as the default NetVM so that all desktop activity is routed over Tor.

For further instructions on installing Qubes on your host OS, see:

Pre-existing Qubes users who wish to run Whonix should refer to section 4 which provides additional instructions on installing, updating and configuring the available TemplateVMs, and creating AppVMs.

3.3 Standard Host Operating Systems and Virtualization (Non-Qubes-Whonix)

The third option is for beginner to advanced level users and provides either production, testing or experimental level security depending on the host OS and choice of virtualizer.

Most new or beginner-level users get started by installing VirtualBox on their current host OS and importing the Whonix images. Advanced users usually boot a GNU/Linux host OS dedicated solely to running the Whonix virtual machines.

The available options are:

a) For production level security (recommended), advanced users should run Whonix within KVM on top of a GNU/Linux host OS;
b) For testing level security (not recommended), beginner-level users can run Whonix within VirtualBox on top of a GNU/Linux host OS; and
c) For experimental level security (not recommended), beginner-level users can run Whonix within VirtualBox on top of a Mac or Windows host OS.

Note: Users should not run Whonix inside either QEMU or VMWare. Neither is currently maintained by Whonix developers.

3.4 Minimum Qubes-Whonix System Requirements

For Qubes-Whonix, the minimum system requirements are:

  • A 64-bit Intel or AMD processor (x86_64 aka x64 aka AMD64);
  • 4 GB RAM;
  • 32 GB disk space; and
  • Legacy boot mode (UEFI implementation still has bugs).

Note: Generally speaking, UEFI support is implemented. However, a common problem is buggy UEFI firmware, particularly on Lenovo systems. Existing workarounds can be found here:

For better security and performance, the recommended Qubes-Whonix system requirements are:

  • A fast Solid State Drive (SSD) - strongly recommended;
  • An Intel Graphics Processing Unit (GPU) - strongly preferred;*
  • Intel VT-x or AMD-v technology - this is required for running HVM domains, such as Windows-based AppVMs;
  • Intel VT-d or AMD IOMMU technology - this is required for effective isolation of network VMs; and
  • A Trusted Platform Module (TPM) with proper BIOS support - this is required for Anti-Evil Maid (AEM) protections.

Note: Nvidia GPUs may require significant troubleshooting. ATI GPUs have not been formally tested, but potential users can refer to the Qubes Hardware Compatibility List (HCL) for clarification.

Note: AEM does not currently work with UEFI installations. Use legacy BIOS instead if you want this option.

In all cases, the HCL should be referred to before purchasing suitable hardware for Qubes-Whonix. It has a compilation of hardware reports generated and submitted by users across various Qubes versions. Users may also consider a Qubes-certified laptop:


3.4.1 Important Notes

Qubes-Whonix can be installed on systems which do not meet the recommended requirements. Such systems will still offer significant security improvements over traditional operating systems, since mechanisms like Graphical User Interface (GUI) isolation and kernel protection do not require special hardware.

Qubes-Whonix can be installed on a USB flash drive or external disk, and testing has shown that this works very well (a live USB option is also available). A fast USB 3.0 flash drive is recommended for this, but its capacity must be at least 32 GB. Simply plug the flash drive into the computer before booting into the Qubes installer from a separate installation medium, choose the flash drive as the target installation disk, and proceed with the installation normally. After Qubes has been installed on the flash drive, it can then be plugged into other computers in order to boot into Qubes.

A portable copy of Qubes is useful for users to test for hardware compatibility on multiple machines (e.g. at a brick-and-mortar computer store) before deciding on which computer to purchase. Running the following command in a dom0 terminal will indicate whether Intel VT-x (AMD-v) and Intel VT-d (AMD IOMMU) are supported by the architecture and activated in the BIOS:

sudo qubes-hcl-report

If present and active, the output will read:

HVM: Active
I/O MMU: Active

Users should also consider 8-16 GB of RAM if they expect to run a large number of AppVMs in parallel. For further information on system requirements, see:

3.5 Minimum Non-Qubes-Whonix System Requirements

For non-Qubes-Whonix, the minimum system requirements are:

  • 1 GB free RAM (with Whonix-Gateway lowered to 196 MB); and
  • 10 GB disk space.

For better performance and security, the recommended non-Qubes-Whonix system requirements are:

  • A fast SSD;
  • Additional RAM to dedicate to the Whonix-Workstation when multi-tasking;
  • Additional disk space for installing applications into the Whonix-Workstation; and
  • Intel VT-x or AMD-v technology.

3.5.1 Important Notes

  • Whonix-Workstation can run with 196 MB RAM when not using a desktop environment;
  • GNU/Linux users with limited RAM can use a less resource-intensive desktop environment like XFCE or LXDE, rather than KDE or Gnome;
  • Users without Intel VT-x or AMD-v who encounter PAE or “VERR_SSM_FIELD_NOT_CONSECUTIVE” errors should refer to ‘PAE Crash’ Whonix documentation for a workaround; and
  • For low memory and console-only configurations, refer to ‘RAM Adjusted Desktop Starter’ Whonix documentation.

#6

4.0 QUBES-WHONIX INSTALLATION, UPDATING AND CONFIGURATION

This section provides instructions for installing a two-VM split security architecture: an isolated Whonix-Gateway ProxyVM that routes all traffic over Tor, and a Whonix-Workstation AppVM for user desktop applications.

Once the Whonix TemplateVMs are created, you can customize and create as many Whonix-Gateway ProxyVMs and Whonix-Workstation AppVMs as you’d like, for optimal privacy-enhanced compartmentalization of your digital life.

Reminder: For security, privacy and anonymity purposes, never use templates for normal desktop activities (browsing etc). Only use the tailored Whonix-Workstation AppVM OS environment created from the Whonix-Workstation TemplateVM.

4.1 Install Whonix TemplateVMs

Note: Pre-existing Qubes 3/3.1/3.2 users only. KDE screenshots are shown throughout this section.

a) Launch dom0 Terminal

-> Qubes App Launcher (blue/grey “Q”)

Figure 4: Qubes App Launcher

Then go to:

System Tools -> Konsole (KDE)

Or

System Tools -> XFCE Terminal (XFCE)

b) Install the Whonix-Gateway and Whonix-Workstation TemplateVMs

Inside konsole/terminal, enter the following command:

sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw qubes-template-whonix-ws

c) Make sure inactive VMs are shown in the Qubes VM Manager (QVMM)

Start QVMM.

Figure 5: Start Qubes VM Manager

In QVMM, if you do not see whonix-… in the list, use the “View” menu to toggle the setting “Show/Hide inactive VMs”.

Figure 6: Qubes VM Manager - Show/Hide Inactive VMs

After the download process finishes, you should see whonix-ws and whonix-gw.

Figure 7: whonix-ws and whonix-gw

4.2 Enable AppArmor on TemplateVMs

Note: This is an optional, testers-only security enhancement. Do this at your own risk! If you want to use Tor bridges, AppArmor has been known in the past to cause problems with obfsproxy.

These instructions should be applied to both the Whonix-Gateway and Whonix-Workstation TemplateVMs (commonly referred to as “whonix-gw” and “whonix-ws” in Qubes). These settings should be applied to the TemplateVMs before creating any Whonix AppVMs.

To enable AppArmor in the Whonix-Gateway, complete the following:

a) Open a dom0 terminal.

-> Qubes App Launcher (blue/grey “Q”)

Then go to:

System Tools -> Konsole (KDE)

Or

System Tools -> XFCE Terminal (XFCE)

b) Get a list of current kernel parameters.

Enter the following command in konsole/terminal:

qvm-prefs -l whonix-gw kernelopts

As of Qubes 3/3.1/3.2, the output will show:

nopat

c) Keep the existing kernel parameters and add ‘apparmor=1 security=apparmor’.

In konsole/terminal, enter the command:

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

d) Re-run the command to get a list of the current kernel parameters.

Press the arrow up key twice so you don’t have to type the command again:

qvm-prefs -l whonix-gw kernelopts

The output should now reflect the new kernel parameters which apply the AppArmor framework:

nopat apparmor=1 security=apparmor

e) Start the Whonix-Gateway TemplateVM and check whether AppArmor is now active.

In a terminal inside the running whonix-gw TemplateVM (not in dom0), issue the command:

sudo aa-status --enabled ; echo $?

It should show:

0

To enable Apparmor in the Whonix-Workstation, complete the following:

a) Open a dom0 terminal.

-> Qubes App Launcher (blue/grey “Q”)

Then go to:

System Tools -> Konsole (KDE)

Or

System Tools -> XFCE Terminal (XFCE)

b) Get a list of current kernel parameters.

Enter the following command in konsole/terminal:

qvm-prefs -l whonix-ws kernelopts

As of Qubes 3/3.1/3.2, the output will show:

nopat

c) Keep the existing kernel parameters and add ‘apparmor=1 security=apparmor’.

In konsole/terminal, enter the command:

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

d) Re-run the command to get a list of the current kernel parameters.

Press the arrow up key twice so you don’t have to type the command again:

qvm-prefs -l whonix-ws kernelopts

The output should now reflect the new kernel parameters which apply the AppArmor framework:

nopat apparmor=1 security=apparmor

e) Start the Whonix-Workstation TemplateVM and check whether AppArmor is now active.

In a terminal inside the running whonix-ws TemplateVM (not in dom0), issue the command:

sudo aa-status --enabled ; echo $?

It should show:

0

f) Install AppArmor profiles packages from Whonix’s APT repository.

It is highly recommended to switch to Whonix’s testers repository before installing them, because the profiles in the stable repository are much older and have some issues.

Note: Switching to the testers repository will also update other packages from the testers repository unless you know how to avoid this.

First, enable Whonix’s testers repository in both the Whonix-Workstation and Whonix-Gateway TemplateVMs:

sudo whonix_repository --enable --repository testers

Second, update your package lists:

sudo apt-get update

Third, install all the apparmor profiles (easiest method):

sudo apt-get install apparmor-profiles-whonix

Note: You might end up with a few apparmor profiles for software that you have not installed, but then they don’t have any effect, so it does not matter.

For further information, such as installing only specific AppArmor profiles or how to unload profiles, refer to the Whonix documentation:

[https://www.whonix.org/wiki/AppArmor]
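The kernel-parameter steps above are mechanical and must be repeated for both TemplateVMs, so in practice they get scripted. The shell script below is an added example written for this guide, not Whonix or Qubes project code. It assumes the Qubes 3.x command syntax used in this section, that `qvm-prefs -g` prints a single property value (the guide reads kernelopts with `-l`), that `qvm-shutdown --wait` and `qvm-run -p` (pass-io) behave as in Qubes 3.x, and that the TemplateVMs are named whonix-gw and whonix-ws. Unlike the manual steps it keeps whatever kernelopts are already set, does not duplicate the AppArmor options if run twice, and performs the `aa-status` check where it belongs, inside the template:

```sh
#!/bin/sh
# Added example, not Whonix or Qubes project code: apply the AppArmor kernel
# options of section 4.2 to both Whonix TemplateVMs from dom0 in one go.
# Assumptions: Qubes 3.x syntax; `qvm-prefs -g VM kernelopts` prints only the
# current value; `qvm-run -p` passes the command's output back to dom0.

# merge_kernelopts EXISTING
# Print EXISTING with "apparmor=1 security=apparmor" appended, each token at
# most once: "nopat" becomes "nopat apparmor=1 security=apparmor", and a
# string that already carries both options is returned unchanged.
merge_kernelopts() {
    opts="$1"
    for want in apparmor=1 security=apparmor; do
        case " $opts " in
            *" $want "*) ;;                      # token already present
            *) opts="${opts:+$opts }$want" ;;    # append, space-separated
        esac
    done
    printf '%s\n' "$opts"
}

# apparmor_enabled VM
# Print the exit status of `aa-status --enabled` run inside VM (0 = enabled).
# This runs in the TemplateVM, not dom0; qvm-run starts the VM if needed.
apparmor_enabled() {
    qvm-run -p "$1" 'sudo aa-status --enabled >/dev/null 2>&1; echo $?'
}

# enable_apparmor VM
# Read, merge and write back kernelopts, restart the VM so the new kernel
# command line takes effect, then verify from inside the VM.
enable_apparmor() {
    vm="$1"
    current=$(qvm-prefs -g "$vm" kernelopts)
    merged=$(merge_kernelopts "$current")
    echo "$vm: kernelopts '$current' -> '$merged'"
    qvm-prefs -s "$vm" kernelopts "$merged"
    qvm-shutdown --wait "$vm" 2>/dev/null   # ignored if the VM was not running
    if [ "$(apparmor_enabled "$vm")" = 0 ]; then
        echo "$vm: AppArmor active"
    else
        echo "$vm: AppArmor NOT active, check kernelopts" >&2
        return 1
    fi
}

# Usage in dom0:  sh enable-apparmor.sh --apply
# Without --apply the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    for vm in whonix-gw whonix-ws; do
        enable_apparmor "$vm" || exit 1
    done
fi
```

Run it in dom0 as `sh enable-apparmor.sh --apply`. The check deliberately goes through `qvm-run` so that `aa-status` reports on the template's kernel; typing it into a dom0 terminal would say nothing about the template.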

4.3 Create Whonix-Gateway ProxyVMs

QVMM -> Create AppVM

Figure 8: Create a New Whonix-Gateway ProxyVM

Then change the settings as shown below - you can choose any name and color you like.

Figure 9: Change Whonix-Gateway ProxyVM Settings

4.4 Create Whonix-Workstation AppVMs

QVMM -> Create AppVM

Figure 10: Create a New Whonix-Workstation AppVM

4.5 Change TemplateVM Proxy Settings

a) Attach the Whonix-Gateway TemplateVM (whonix-gw) to a Whonix-Gateway ProxyVM (sys-whonix).

QVMM -> one right click on TemplateVM whonix-gw -> VM-Settings

Figure 11: Select the Whonix-Gateway TemplateVM

NetVM: -> sys-whonix -> OK

Figure 12: Change the Whonix-Gateway TemplateVM Settings

b) Attach the Whonix-Workstation TemplateVM (whonix-ws) to the same Whonix-Gateway ProxyVM (sys-whonix).

QVMM -> one right click on TemplateVM whonix-ws -> VM-Settings

then

NetVM: -> sys-whonix -> OK

Figure 13: Change the NetVM Settings on the Whonix-Workstation TemplateVM

4.6 Update (Upgrade) Whonix-Gateway and Whonix-Workstation TemplateVMs

It is critical that the Whonix-Gateway and Whonix-Workstation templates stay updated!

a) Double-check that both templates (whonix-gw and whonix-ws) are attached to sys-whonix (the Whonix-Gateway ProxyVM) as per section 4.5:

QVMM -> right click on TemplateVM whonix-gw -> VM-Settings -> NetVM -> sys-whonix

QVMM -> right click on TemplateVM whonix-ws -> VM-Settings -> NetVM -> sys-whonix

b) Open a TemplateVM terminal:

Qubes App Menu (blue/grey “Q”) -> Template: whonix-gw -> Konsole

Qubes App Menu (blue/grey “Q”) -> Template: whonix-ws -> Konsole

c) Update your package lists.

The following steps (updating and upgrading) should be applied in both TemplateVM terminals and repeated at least daily thereafter.

sudo apt-get update

The output should look similar to this:

Hit http://security.debian.org jessie/updates/Release.gpg
Hit http://security.debian.org jessie/updates/Release
Hit http://deb.torproject.org jessie Release.gpg
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release
Hit http://security.debian.org jessie/updates/contrib i386 Packages
Hit http://ftp.us.debian.org jessie Release
Hit http://security.debian.org jessie/updates/non-free i386 Packages
Hit http://deb.torproject.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Ign http://ftp.us.debian.org jessie/contrib Translation-en
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists… Done

If you see something like this:

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org jessie Release.gpg
Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg
Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg
Could not resolve 'security.debian.org'
Reading package lists… Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Then something went wrong. It could be a temporary Tor exit relay or server failure that should remedy itself. Usually changing your Tor circuit and trying again is successful. If that fails, running whonixcheck can help to diagnose the problem.

If you see an error message like:

Could not resolve 'security.debian.org'

It helps to run:

nslookup security.debian.org

And then try updating your package lists again.

d) Upgrade Whonix.

In konsole, run:

sudo apt-get dist-upgrade

Note: At first Whonix boot, you are asked if you want to enable or disable Whonix’s apt repository. If you disabled the Whonix APT Repository, then you will have to manually check for new Whonix releases and install them from source code:

[https://www.whonix.org/wiki/Whonix-APT-Repository#Disable_Whonix_APT_Repository]

4.7 Update Precautions

a) Never install unsigned packages!

If you see output like the following:

WARNING: The following packages cannot be authenticated!
icedove
Install these packages without verification [y/N]?

Then don’t proceed! Press N and Enter.

Running apt-get update again should fix the problem. If not, then something is broken or it may be a man-in-the-middle attack. This possibility isn’t that unlikely, since we are updating over Tor exit relays and some of them are malicious. Change your Tor circuit and then try again.

b) Do not ignore signature verification warnings.

There should be none at the moment. If there is such a warning, the output will look like this:

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

In that case, you should be careful even though apt-get will automatically ignore repositories with expired keys or signatures, meaning you will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.

There are two possible reasons for why this could happen. Either you are a victim of a man-in-the-middle attack, or there is an issue with the repository that the maintainers have to fix. The former is not a big issue: either it will resolve itself after a period of time, or you can change your Tor circuit and try again.

If you experience other signature verification errors, these should be reported, but they are unlikely at this time.

c) Be cautious of changed configuration files.

If you see output like the following:

Setting up ifupdown …
Configuration file '/etc/network/interfaces'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : background this process to examine the situation
The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Then be careful. If the updated file isn’t coming from a Whonix specific package (some are called whonix-…), then press N. Otherwise, anonymity/privacy/security settings deployed with Whonix might get lost. If you are an advanced user and know better, you can of course manually check the difference and merge them. Pressing Y will result in the loss of customized settings.

d) Restart and Update Whonix VMs.

To benefit from security updates, particularly kernel upgrades (when a linux-image-… package was upgraded), the best practice is to first shut down the TemplateVMs:

QVMM -> right click on TemplateVM -> Shutdown VM

Then restart your Whonix-Gateway ProxyVM (sys-whonix) and any running Whonix-Workstation AppVMs (anon-whonix):

QVMM -> right click on AppVM -> Shutdown VM

QVMM -> right click on AppVM -> Start/Resume VM

4.8 Starting Whonix-Workstation AppVMs

For example, to start Tor Browser:

Qubes App Launcher (blue/grey “Q”) -> Domain: anon-whonix -> Tor Browser (AnonDist)

4.9 Further Links

Using Tor bridges in Whonix (see also section 6.8 of this guide):
[https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix]

Using multiple Whonix-Workstations or Whonix-Gateways:
[https://www.whonix.org/wiki/Multiple_Whonix-Workstations]

Using Whonix-Workstations as Disposable VMs:
[https://www.whonix.org/wiki/Qubes/Disposable_VM]

Re-install Whonix TemplateVMs:

Uninstall Whonix templates:

Security Guide (see also section 8 of this guide):
[https://www.whonix.org/wiki/Security_Guide]

Advanced Security Guide (see also section 8 of this guide):
[https://www.whonix.org/wiki/Advanced_Security_Guide]


#7

5.0 NON-QUBES-WHONIX INSTALLATION AND VERIFICATION

This section provides recommendations for a suitable host OS and Type II hypervisor (virtualizer). Instructions are also provided for installing Whonix in two configurations, namely:

  • Whonix in KVM on a GNU/Linux host OS (production level security); and
  • Whonix in VirtualBox on a Mac, Windows or GNU/Linux host OS (testing-experimental level security).

5.1 Recommended Host Operating System

5.1.1 Avoid Windows Hosts

Windows platforms have commodified users by adopting a business strategy similar to Google, Facebook and other large corporations - seeking to profit from the harvesting and selling of users’ personal information. In addition, Microsoft has subverted the user’s control over their own systems and implemented a host of privacy-invading features which either cannot be disabled easily, or at all. This is particularly true of Windows 10 and system updates which have been backported to earlier platforms like Windows 7, 8 and 8.1.

One small snippet of the Windows 10 ‘privacy statement’ makes their intentions clear:

http://windows.microsoft.com/en-us/windows/preview-privacy-statement

Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage. […] We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.

Other Windows ‘features’ include, but are not limited to:

  • Assigning unique advertising IDs to users that enables profiling by advertisement networks;
  • Remote disabling of software or hardware that Microsoft declares to be illegal or harmful;
  • Enabling desktop applications to access your camera, microphone, contact lists, calendar and personal documents;
  • Recording and reporting search functions;
  • Recording and reporting software that is running on your computer;
  • Constant, silent communication with Microsoft servers (‘phoning home’);
  • Placing your data on servers - making it accessible to hackers and future requests from legal authorities or intelligence agencies; and
  • Silently updating users’ machines even if they have update functions disabled.

Frankly speaking, Microsoft platforms are incompatible with anonymity and privacy. Microsoft also has a proven track record of consulting with intelligence agencies and providing information on security weaknesses before informing the public of the risk and providing patches. Logically, active collaboration places Windows users at a higher risk. Microsoft also has a track record of using weak cryptographic verification like MD5 and SHA-1 (now broken).

If you insist on using Whonix on a Windows host, ensure that Windows was installed from a legitimate source and turn off as many privacy-invading features as possible. Do not use a pirated Windows ISO found online, since it could include malware. Also avoid pirated software programs, which usually involve running unverified, possibly malicious binary cracks or key generators.

In addition, always download over https (SSL) and verify software signatures with GPG whenever possible. It is better to use renowned open source software like Firefox, Gimp, 7-zip, and LibreOffice rather than proprietary solutions which are more likely to contain malicious code.

5.1.2 GNU/Linux Hosts

For preserving anonymity, GNU/Linux is strongly recommended in preference to Windows as a suitable host OS.

For intermediate to advanced users, Debian GNU/Linux is recommended as a reasonable compromise of security and usability. Debian is a stable distribution and is used widely by a large community. Further, Debian has ties to Tor, is well-documented, boasts a secure package manager, has good kernel protection, is working on reproducible builds, and has just made package updates available via .onion sites and mirrors.

Users should only use in-repository software that is automatically GPG-signed and installed from the distributor’s repositories by the package manager. This is far safer than downloading software from the Internet like typical Windows users.

There are of course many other potentially suitable distributions (like Fedora), but users should refer to the link below before making a final decision:

[https://www.whonix.org/wiki/Dev/Operating_System#Why_don.27t_you_use_.3Cyour_favorite_most_secure_operating_system.3E_for_Whonix.3F]

5.2 Harden the Host Operating System

Prior to choosing a virtualizer and installing Whonix, users should harden their host OS by following the applicable steps in the link below:

[https://www.whonix.org/wiki/Pre_Install_Advice]

In summary, users should consider:

  • A dedicated computer (host OS) that only runs Whonix VMs and nothing else;
  • Installing and running Whonix on an encrypted, dedicated external disk (USB, FireWire, eSATA etc.) for further security;
  • Not using Whonix on a computer with shared privileges;
  • Not using Whonix on the cloud, a VPS or a foreign server you do not physically control;
  • Updating the BIOS, non-free drivers, or firmware and processor microcode;
  • Disabling TCP timestamps;
  • Disabling ICMP timestamps;
  • Locking down the web interface of your home router, using a secure password and installing the latest router firmware with security patches;
  • Firewall settings that deny all incoming ports;
  • Disabling microphones on your computer or notebook by either unplugging them, turning them off in BIOS settings or muting them on the host;
  • Disabling webcams by physically removing them, turning them off via the BIOS or covering them;
  • Changing the MAC address of your wired and/or wireless network cards, particularly if using an untrusted, public network;
  • Using ‘burner’ WiFi USB sticks if connecting from an intended public destination;
  • Whether the set of Tor guards should be manually changed; and
  • Preventing potential cross-contamination of new Whonix machines by first shutting down running instances of Whonix.
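As an added example that is not part of this guide, the audit below checks three of the items listed above (TCP timestamps, ICMP timestamp replies, and a default-deny inbound firewall) on a GNU/Linux host and prints the fix for each item that fails. The PROC_ROOT override and the iptables-save dump argument are assumptions of this example so that it can run without root against saved state.

```shell
#!/bin/sh
# Added example, not part of the Whonix guide: audits three host-hardening items
# (TCP timestamps, ICMP timestamp replies, default-deny inbound firewall) and
# prints the fix for each failing one.
# PROC_ROOT and the RULES argument are hypothetical overrides so the audit can be
# run against a copied /proc tree and a saved `iptables-save` dump without root.

PROC_ROOT="${PROC_ROOT:-/proc}"

# sysctl_is NAME VALUE: true if the kernel parameter NAME (dotted form) equals VALUE.
sysctl_is() {
    _path="$PROC_ROOT/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$_path" ] && [ "$(cat "$_path")" = "$2" ]
}

# rules_have RULES_FILE PATTERN: true if the iptables-save dump has a line matching
# PATTERN (extended regex).
rules_have() {
    grep -Eq "$2" "$1"
}

# audit_host RULES_FILE: prints one line per check and returns the number of
# failing checks (0 means all three items are in place).
audit_host() {
    rules="$1"
    fails=0

    # 1. TCP timestamps (RFC 1323) expose host uptime, which lets an observer link
    #    sessions, and VMs on the same physical host, to each other.
    if sysctl_is net.ipv4.tcp_timestamps 0; then
        echo "ok   net.ipv4.tcp_timestamps=0"
    else
        echo "FAIL TCP timestamps enabled; fix: sysctl -w net.ipv4.tcp_timestamps=0 (persist in /etc/sysctl.d/)"
        fails=$((fails + 1))
    fi

    # 2. ICMP timestamp requests (type 13) reveal the host clock; drop them inbound.
    #    iptables-save writes the type numerically, hence '--icmp-type 13'.
    if rules_have "$rules" '^-A INPUT .*-p icmp .*--icmp-type 13 .*-j DROP'; then
        echo "ok   ICMP timestamp requests dropped"
    else
        echo "FAIL ICMP timestamp requests answered; fix: iptables -I INPUT -p icmp --icmp-type timestamp-request -j DROP"
        fails=$((fails + 1))
    fi

    # 3. Default-deny inbound: the INPUT chain policy must be DROP.
    if rules_have "$rules" '^:INPUT DROP '; then
        echo "ok   INPUT policy DROP"
    else
        echo "FAIL INPUT policy is not DROP; fix: iptables -P INPUT DROP (after allowing lo and ESTABLISHED,RELATED)"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Stand-alone use on a real host (iptables-save needs root):
#   iptables-save > /tmp/rules.txt && audit_host /tmp/rules.txt
```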

5.3 Choose a Virtualization Platform

The virtualization platform is an essential component of a secure Whonix system. A vulnerable virtualizer may provide opportunities for an attacker to break out from a VM, undoing the security by isolation features that Whonix provides. The decision to install an alternative virtualizer should not be taken lightly.

When setting up Whonix in the form of two VMs running on the same physical host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP address of the user. Any malware running on the host has full control over all VMs.

5.3.1 KVM is Preferable to VirtualBox

KVM (Kernel-based Virtual Machine) is an openly developed, GPL-licensed FOSS hypervisor that ships with the Linux kernel. It provides a familiar, intuitive and easy-to-use GUI when combined with the Virtual Machine Manager (virt-manager) front-end and is well-rated in research assessing its security merits. The Whonix KVM images are actively maintained by Whonix developers.

On the other hand, VirtualBox does not have a dedicated maintainer because development efforts have shifted to Qubes-Whonix. However, VirtualBox images are still being built, and grave security issues are unlikely due to Whonix’s design. The rudimentary testing of new VirtualBox images and updates on a Debian host explains the ‘testing’ status of the GNU/Linux platform. The ‘experimental’ status of VirtualBox images for Windows and Mac reflects the fact that no Whonix team member currently tests on those platforms.

There are three other major issues with depending on VirtualBox as a virtualizer. First, VirtualBox developers (Oracle) recently decided to switch out the BIOS in their hypervisor for one requiring compilation by a toolchain that does not meet the definition of Free Software as per the guidelines of the Free Software Foundation. Consequently, certain restrictions are placed on the use of the software and the licence asserts specific software patents.

Secondly, the security practices of Oracle are of concern. Oracle is infamous for their lack of transparency in disclosing the details of security bugs and for discouraging full public disclosure by third parties. Security through obscurity is the corporation’s modus operandi. Zero day bugs reported to Oracle have at times gone unfixed for years.

Finally, VirtualBox contains significant functionality that is only available as a proprietary extension, such as USB and PCI passthrough and RDP connectivity. Oracle’s unfriendly track record with the free software community - examples include OpenSolaris and OpenOffice - suggest they may charge for proprietary features in the future, or simply abandon the project if they cannot monetize it to their liking.

5.3.2 QEMU and VMWare are Not Recommended

Installing Whonix inside either QEMU or VMWare is inadvisable as neither platform is currently maintained by Whonix developers.

QEMU has been deprecated in favor of KVM because the slow performance of QEMU pure emulation makes it impractical for most of the GNU/Linux user base. Also, most computer systems support the hardware virtualization extensions required by KVM.

VMWare is rarely (officially) tested. Although it works for Windows and GNU/Linux users, it is closed source and therefore relies on security through obscurity - an approach discredited by security experts since it cannot be reasonably determined if VMWare bugs may compromise the user’s anonymity.

GNU/Linux users should default to using KVM, or VirtualBox as a second-tier choice. Windows users should default to using VirtualBox.

5.4 Install a KVM Virtualizer

5.4.1 Debian

To install KVM in Debian stable (Jessie), first update your package lists in terminal:

sudo apt-get update

Then install KVM:

sudo apt-get install qemu-kvm libvirt-bin virt-manager

5.4.2 Arch Linux

To install KVM in Arch Linux, first update your package lists:

sudo pacman -Syu

Then install KVM:

sudo pacman -S qemu libvirt virt-manager

5.4.3 Other Distributions

To install KVM in other GNU/Linux distributions, you need to have qemu-kvm and libvirt-bin. For a graphical user interface, you will also need virt-manager. These packages can likely be installed using your distribution’s package manager.

If you get one of the following errors while later using virsh define, then you most likely need a more recent version of libvirt and KVM:

error: Failed to define domain from Whonix-Gateway_kvm-8.6.2.8.xml
error: internal error Unknown controller type 'pci'

Whonix-Gateway_kvm-8.6.2.8.xml:24: element pm: Relax-NG validity error : Element domain has extra content: pm
Whonix-Gateway_kvm-8.6.2.8.xml fails to validate

Relax-NG validity error : Extra element devices in interleave
Whonix-Gateway_kvm-8.6.2.8.xml:24: element devices: Relax-NG validity error : Element domain failed to validate content
Whonix-Gateway_kvm-8.6.2.8.xml fails to validate

5.4.4 KVM Workarounds on Debian Stable (Jessie)

These workarounds solve problems affecting KVM on Debian stable (Jessie).

KVM refuses to start: on the host, a libvirt bug that conflicts with AppArmor causes the VM to fail to start. It was fixed upstream, but it will be a while until the fix reaches Debian stable.

To fix it run:

sudo ln -s /etc/apparmor.d/libvirt/TEMPLATE.qemu /etc/apparmor.d/libvirt/TEMPLATE.kvm

The KVM qxl package: xserver-xorg-video-qxl suffers from performance bugs caused by the Xorg surfaces feature. The graphics will lag even during mundane tasks such as scrolling down a webpage. This has been reported extensively and fixed upstream in testing. Until testing becomes stable, a workaround provided by a Whonix package is available.

In the guest, install the fix:

sudo apt-get install qxl-xorg-enhance

Whonix 13 users: To get rid of the Whonixcheck PVClock warning, upgrade the packages in the VM. This assumes you have enabled the Whonix stable repository:

sudo apt-get update && sudo apt-get dist-upgrade

Addgroup: In order to manage VMs as a regular (non-root) user, you must add that user to the libvirt and KVM groups. For Debian users, assuming the simple use case (that you wish to use KVM with the user you are currently logged in as), use the following commands:

sudo addgroup "$(whoami)" libvirt

sudo addgroup "$(whoami)" kvm

  • In Ubuntu, the group names vary and the libvirt group is called libvirtd instead.

5.4.5 KVM Workarounds on Other Distributions

If you are using another GNU/Linux distribution, then refer to the distribution’s manual e.g. Arch Linux’s libvirt wiki page.

Post-installation Advice

After installing KVM or adding users to groups, a reboot is required! Run the command:

sudo reboot

To ensure that KVM’s default networking is enabled and started, run the command:

virsh -c qemu:///system net-autostart default

virsh -c qemu:///system net-start default

5.5 Install a VirtualBox Virtualizer

5.5.1 Debian

To install the latest stable VirtualBox package in Debian (recommended), in a terminal run:

sudo apt-get install virtualbox linux-headers-$(uname -r)

To install VirtualBox Guest Additions in Debian:

sudo apt-get install virtualbox-guest-x11

For other GNU/Linux distributions, you can likely install the VirtualBox package and Guest Additions via your distribution’s package manager.

5.5.2 Mac OS X and Windows

To install VirtualBox, download the latest VirtualBox and Guest Additions binaries from Oracle:

https://www.virtualbox.org/wiki/Downloads

At the time of writing these were:

VirtualBox 5.1.2 for Windows hosts x86/amd64
VirtualBox 5.1.2 for OS X hosts amd64

And:

VirtualBox 5.1.2 Oracle VM VirtualBox Extension Pack (all supported platforms)

If you are already using an earlier version of VirtualBox (4.3.x or 5.0.x), then you can download the matching extension pack instead. Compare the SHA256 checksums file to provide (limited) verification of file integrity. Do not rely on the MD5 checksums.

5.5.3 Installing the Latest VirtualBox Version (Debian)

At the time of writing, the Debian stable version of VirtualBox is 4.3.x, while the latest major release of VirtualBox (from Debian Stretch) is 5.0.x.

If you are sure you wish to install the latest VirtualBox version for newer features, then you are recommended to either install VirtualBox from Debian Testing via Backports or install from the Oracle repository. This is preferable to downloading, verifying and installing binaries manually.

To install from Debian Testing via Backports:

a) Open /etc/apt/sources.list.d/backports.list in an editor with root rights.

If you are using a graphical Whonix environment, run:

kdesudo kwrite /etc/apt/sources.list.d/backports.list

If you are using a terminal-only Whonix environment, run:

sudo nano /etc/apt/sources.list.d/backports.list

b) Add the following line:

deb http://http.debian.net/debian jessie-backports main contrib

(Change “jessie” to the current name of your stable distribution).

c) Update the package lists and install VirtualBox.

sudo apt-get update

sudo apt-get -t jessie-backports install virtualbox

d) Install VirtualBox Guest Additions.

sudo apt-get -t jessie-backports install virtualbox-guest-x11

If you wish to install VirtualBox from the Oracle repository instead:

a) Retrieve the latest Oracle VirtualBox package information.

Open /etc/apt/sources.list.d/oracle.list in an editor with root rights.

b) Edit your apt sources list.

If you are using a graphical Whonix environment, run:

kdesudo kwrite /etc/apt/sources.list.d/oracle.list

If you are using a terminal-only Whonix environment, run:

sudo nano /etc/apt/sources.list.d/oracle.list

c) Add the following line:

deb http://download.virtualbox.org/virtualbox/debian jessie contrib

(Change “jessie” to the current name of your stable distribution).

d) Add Oracle’s signing key to apt-get keyring.

curl --tlsv1.2 --proto =https https://www.virtualbox.org/download/oracle_vbox_2016.asc | sudo apt-key add -

e) Check the signing key’s fingerprint.

sudo apt-key adv --fingerprint B9F8D658297AF3EFC18D5CDFA2F683C52980AECF

The output should read:

Key fingerprint = B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
uid Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>

f) Install VirtualBox.

sudo apt-get update

sudo apt-get install virtualbox-5.0

Note: The VirtualBox Guest Additions ISO is included in the package. To install, mount the ISO in a guest VM following these instructions:

https://www.virtualbox.org/manual/ch04.html#idp46640732075968

5.6 Download Whonix Images

At the time of writing, Whonix 13 was the latest version available. Always first check the Whonix download page for the latest stable release:

[https://www.whonix.org/wiki/Download]

5.6.1 KVM

GNU/Linux users need to download both Whonix Gateway and Workstation VM (.xz) images and PGP signatures (.xz.asc) for later verification of the files. To anonymize the download, use the Tor Browser bundle:

Whonix-Gateway image (1.7 GB)

https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.libvirt.xz
https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.libvirt.xz.asc

Whonix-Workstation image (2.0 GB)

https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.libvirt.xz
https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.libvirt.xz.asc

5.6.2 VirtualBox

For Windows, Mac OS X and GNU/Linux OS, you need to download both Whonix Gateway and Workstation VM (.ova) images and PGP signatures (.ova.asc) for later verification of the files. To anonymize the download, use the Tor Browser bundle:

Whonix-Gateway image (1.7 GB)

https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.ova
https://www.whonix.org/download/13.0.0.1.1/Whonix-Gateway-13.0.0.1.1.ova.asc

Whonix-Workstation image (2.0 GB)

https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.ova
https://www.whonix.org/download/13.0.0.1.1/Whonix-Workstation-13.0.0.1.1.ova.asc

5.7 Download the Whonix Signing Key

Note: This section is for GNU/Linux users in the first instance.

Mac OS X and Windows users should refer to section 5.8 first, and download a compatible GnuPG program (GPGTools for Mac OS X; Gpg4win for Windows) before following instructions to:

  • Download the Whonix signing key;
  • Check the key’s fingerprints are valid;
  • Import the signing key; and
  • Cryptographically verify the Whonix VM images.

a) (Optional) Have GnuPG initialize your user data folder.

If you are new to GnuPG or have not already done this, it prevents possible “gpg: WARNING: unsafe ownership” warnings. Run the following command in a terminal:

gpg --fingerprint

Then set warning-free permissions:

chmod --recursive og-rwx ~/.gnupg

b) Download Patrick Schleizer’s (adrelanos’) OpenPGP key from:

http://kkkkkkkkkk63ava6.onion/patrick.asc

Or

https://www.whonix.org/patrick.asc

Note: All Whonix releases are signed with the same key. Using these steps, you will not have to verify the key every time, but you will still need to verify the signatures of Whonix images every time you download a new release.

c) Store the key as ~/patrick.asc

d) Check the key’s fingerprints before importing it:

gpg --with-fingerprint patrick.asc

e) Verify the fingerprint shows the following output:

pub 4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
sub 4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub 4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub 4096R/77BB3C48 2014-01-16 [expires: 2021-04-17]

f) Import the key.

gpg --import patrick.asc

The following output tells you the key was successfully imported:

gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

If you have already imported the Whonix signing key in the past, the output should state the key was not changed:

gpg: key 2EEACCDA: "Patrick Schleizer <adrelanos@riseup.net>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

If you are shown the following message at the end of the output:

gpg: no ultimately trusted keys found

Analyse the other messages as usual. This extra message doesn’t relate to the Whonix signing key that you just downloaded. Usually, this output means you haven’t yet created an OpenPGP key for yourself, which is of no importance to verifying the VM images.

g) For better security, advanced users can check the Web of Trust following these steps:

[https://www.whonix.org/wiki/Whonix_Signing_Key#Web_of_Trust]

5.8 Verify Whonix Images

It is critical to check the integrity of the VM images you downloaded to make sure no man-in-the-middle attack or file corruption occurred. All Whonix VM images are cryptographically signed using OpenPGP by the Whonix lead developer, Patrick Schleizer.

Warning: If verification fails, do NOT continue! If you ignore this warning, then you risk using infected or corrupted files.

5.8.1 KGpg in GNU/Linux

KGpg is a simple, free, open source KDE frontend for gpg.

a) To install KGpg in Debian, in a terminal run the commands:

sudo apt-get update

sudo apt-get install kgpg

b) Start KGpg and open patrick.asc that you downloaded and imported at step 5.7.

When you start KGpg, a system tray icon will appear. A left mouse button click will open the Key Manager window, while a right mouse button click will open a menu allowing quick access to some important features.

Having already imported the key, you should see the following message:

Figure 14: KGpg - Key Already Imported

If you did not already download and import the key, you should see the following message:

Figure 15: KGpg - New Key Imported

c) Verify the VM images against the cryptographic signatures.

The cryptographic signatures (.asc) must be in the same folder as the VM images you wish to verify (.ova for VirtualBox, .xz for KVM).

Start kgpg, and go to:

KGpg -> File -> Open Editor -> Signature -> Verify Signature… -> Choose the downloaded cryptographic signature (.asc)

This process can take a few minutes and there is no progress meter. Repeat this procedure for both the Whonix-Gateway and Whonix-Workstation images.

If the virtual machine image is correct you will get a notification telling you that the signature is good:

Figure 16: KGpg Good Signature

Note: The e-mail has changed to adrelanos at riseup dot net, but this doesn’t change anything, since the key fingerprint remains the same as in step 5.7.e.

d) Click on the ‘Details’ button to check the gpg signature for both files.

The first line includes the signature creation timestamp and it should make sense. For example, if you previously saw a signature from 2016 and you are now seeing a signature from 2015, then you could be the target of a rollback (downgrade) or indefinite freeze attack.

An example signature creation timestamp is below:

[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-01-19

e) Click on the ‘Details’ button to check the file name has not been tampered with.

Note: OpenPGP signatures sign files, not file names. Beginning from Whonix version 9.6, by convention the file@name OpenPGP notation includes the file name.

An example is provided below:

[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA Whonix-Gateway-9.6.ova

f) Do not install files with bad signatures!

If the VM image is not correct, then you will get a notification telling you that the signature is bad:

Figure 17: KGpg Bad Signature

(Again, the e-mail has changed to adrelanos at riseup dot net, but this doesn’t change anything, since the key fingerprint remains the same as in step 5.7.e.)

5.8.2 Terminal in GNU/Linux

a) Ensure you have GnuPG installed.

GnuPG is the common OpenPGP implementation for Linux. It is installed by default under Debian, Ubuntu, Whonix and many other distributions.

b) Ensure the VM images and cryptographic signatures are in the same folder.

The cryptographic signatures (.asc) must be in the same folder as the VM images you wish to verify (.ova for VirtualBox, .xz for KVM).

c) Cryptographically verify the Whonix-Gateway image.

This process can take a few minutes and there is no progress meter.

cd [the directory in which you downloaded the .ova or .xz and the .asc]

Then, start the cryptographic verification of the Whonix-Gateway image:

gpg --verify-options show-notations --verify Whonix-Gateway-<version>.ova.asc Whonix-Gateway-<version>.ova

Or

gpg --verify-options show-notations --verify Whonix-Gateway-<version>.xz.asc Whonix-Gateway-<version>.xz

d) Cryptographically verify the Whonix-Workstation image.

cd [the directory in which you downloaded the .ova or .xz and the .asc]

Then, start the cryptographic verification of the Whonix-Workstation image:

gpg --verify-options show-notations --verify Whonix-Workstation-<version>.ova.asc Whonix-Workstation-<version>.ova

Or

gpg --verify-options show-notations --verify Whonix-Workstation-<version>.xz.asc Whonix-Workstation-<version>.xz

e) Confirm the signatures are good for both the Whonix-Gateway and Whonix-Workstation.

If the VM images are correct, the output of the last step will show a good signature. For example:

gpg: Signature made Mon 19 Jan 2015 11:45:41 PM CET using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=Whonix-Gateway-9.6.ova
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

This last warning doesn’t alter the validity of the (good) signature according to the Whonix signing key you downloaded. It only refers to the trust level you place on the Whonix signing key and the web of trust. Removing this warning would require you to personally sign the Whonix key with your own.

f) Check the gpg signature timestamp makes sense.

If you previously saw a signature from 2016 and are now seeing a signature from 2015, then you could be the target of a rollback (downgrade) or indefinite freeze attack.

The first line includes the signature creation timestamp. In this example:

gpg: Signature made Mon 19 Jan 2015 11:45:41 PM CET using RSA key ID 77BB3C48

g) Check the file name has not been tampered with.

Note: OpenPGP signatures sign files, not file names. Beginning from Whonix version 9.6, by convention the file@name OpenPGP notation includes the file name.

An example is provided below:

gpg: Signature notation: file@name=Whonix-Gateway-9.6.ova

h) Do not install files with bad signatures!

If the VM image is not correct you will get a notification telling you that the signature is bad:

gpg: Signature made Sun Nov 25 21:48:54 2012 UTC
gpg: using RSA key 77BB3C48
gpg: BAD signature from "Patrick Schleizer <adrelanos@riseup.net>"
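The checks in steps c) to h) above (and d) to f) of 5.8.1), as an added shell example that is not part of this guide: it runs gpg in machine-readable mode and rejects the image unless the signature is good, was made by the key whose fingerprint was checked in step 5.7.e, names the file actually on disk, and is not older than the last signature accepted. The WHONIX_PRIMARY_FPR value comes from step 5.7.e; the state file used for the rollback check is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the Whonix guide: a wrapper around the gpg --verify
# step that automates checks e) to h) and fails closed. It reads gpg's
# machine-readable status lines (--status-fd) instead of the human-readable text,
# so wording changes or a translated locale cannot confuse it.
# WHONIX_PRIMARY_FPR is the fingerprint from step 5.7.e; the state file used to
# detect rollback/freeze attacks is a hypothetical addition.

WHONIX_PRIMARY_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# check_status STATUS_FILE IMAGE_NAME [LAST_SEEN_TS]
#   STATUS_FILE  : captured output of `gpg --status-fd 1 --verify`
#   IMAGE_NAME   : basename of the image file that was verified
#   LAST_SEEN_TS : Unix time of the newest signature previously accepted (0 = none)
# Prints the signature's Unix timestamp on success; otherwise prints the reason
# on stderr and returns a non-zero code identifying the failed check.
check_status() {
    status="$1"; image="$2"; last_ts="${3:-0}"

    # 1. Only GOODSIG is acceptable; BADSIG, ERRSIG (unknown key) and NODATA
    #    (no signature at all) are all rejections.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA) ' "$status" ||
       ! grep -Eq '^\[GNUPG:\] GOODSIG ' "$status"; then
        echo "REJECT: no good signature" >&2; return 1
    fi

    # 2. VALIDSIG carries the signing subkey fingerprint ($3), the date ($4),
    #    the Unix timestamp ($5) and, as its last field, the primary key
    #    fingerprint. Compare the full primary fingerprint, never a short key ID.
    primary=$(awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}' "$status")
    sig_ts=$(awk '/^\[GNUPG:\] VALIDSIG /{print $5; exit}' "$status")
    if [ -z "$sig_ts" ] || [ "$primary" != "$WHONIX_PRIMARY_FPR" ]; then
        echo "REJECT: signed by unexpected key '$primary'" >&2; return 2
    fi

    # 3. OpenPGP signs file contents, not names: a good signature for one image
    #    could be served with a renamed file, so the file@name notation must
    #    equal the name on disk.
    named=$(awk '/^\[GNUPG:\] NOTATION_NAME /{n=$3}
                 /^\[GNUPG:\] NOTATION_DATA /{if (n=="file@name") {print $3; exit}}' "$status")
    if [ "$named" != "$image" ]; then
        echo "REJECT: signature names '$named', file is '$image'" >&2; return 3
    fi

    # 4. Rollback / indefinite-freeze check: the signature must not be older
    #    than the newest one this machine has already accepted.
    if [ "$sig_ts" -lt "$last_ts" ]; then
        echo "REJECT: signature time $sig_ts predates last accepted $last_ts" >&2; return 4
    fi
    echo "$sig_ts"
}

# verify_image IMAGE [STATE_FILE]: runs gpg on IMAGE and IMAGE.asc, applies
# check_status, and on success records the signature time in STATE_FILE
# (default ~/.whonix-last-sig) for the rollback check on the next download.
verify_image() {
    image="$1"; state="${2:-$HOME/.whonix-last-sig}"
    tmp=$(mktemp) || return 1
    gpg --status-fd 1 --verify-options show-notations \
        --verify "$image.asc" "$image" > "$tmp" 2>/dev/null || true
    last=0; [ -r "$state" ] && last=$(cat "$state")
    if ts=$(check_status "$tmp" "$(basename "$image")" "$last"); then
        echo "$ts" > "$state"
        echo "OK: $image carries a good Whonix signature made at Unix time $ts"
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Usage on a real download, e.g.:  verify_image Whonix-Gateway-13.0.0.1.1.ova
```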

5.8.3 Gpg4win in Windows

GnuPG, a common free software implementation of OpenPGP, has versions and graphical frontends for Windows.

Note: Due to the weaknesses in Kleopatra, advanced users may instead prefer to verify VM images using the command line instructions outlined in:

a) Download Gpg4win.

https://www.gpg4win.org/

If you wish to download a GnuPG version for Windows securely, then you are advised to follow these directions:

https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html

b) Install Gpg4win.

The “Gpg4win-Compendium” is the end-user documentation for Gpg4win and has almost 200 pages on how to install and use the software:

http://wald.intevation.org/frs/download.php/1385/gpg4win-compendium-en-3.0.0.pdf
https://www.gpg4win.org/doc/en/gpg4win-compendium.html

Installation instructions are specifically found in Chapter 6:

https://www.gpg4win.org/doc/en/gpg4win-compendium_11.html

c) Download Patrick Schleizer’s (adrelanos’) OpenPGP key from:

http://kkkkkkkkkk63ava6.onion/patrick.asc

Or

https://www.whonix.org/patrick.asc

d) Import the Whonix signing key.

Follow the directions of Chapter 10 of the compendium:

https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html

e) Inspect the signing key with Kleopatra.

Follow the directions of Chapter 11 of the compendium:

https://www.gpg4win.org/doc/en/gpg4win-compendium_16.html

Advanced users may wish to use the gpg command line instead, since this process is cumbersome. As long as the signing key is only listed under “other certificates” in Kleopatra, you will get the message “Not enough information to check signature validity”.

The signing key needs to be listed under “trusted certificates”. To achieve that, you need to create your own OpenPGP key first:

Kleopatra -> File -> New Certificate.

To sign Whonix’s signing key:

Right click on it and click “Certify Certificate”. Creating a local signature suffices.

f) Check the cryptographic signature of the VM image you want to import.

Follow the directions in Chapter 18 of the compendium to check the integrity of the VirtualBox VM image (.ova) and its signature, which you downloaded in section 5.6.2:

https://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4

If you see the error message “Not enough information to check signature validity” as shown below:

Figure 18: Kleopatra Error Message

Then you either did not import Whonix’s signing key or you did not sign Whonix’s signing key with your own key.

If you see:

Signature valid.
Signed on 2014-04-13 06:52 with unknown certificate
0x63979B28A6F37C43BE30AFA1CB8D50BB77BB3C48

Figure 19: Kleopatra Valid Signature and Unknown Certificate

Then this is a long-standing bug in Kleopatra, unfixed since 2011: the signature itself is valid. Compare the fingerprint it shows against the signing key fingerprint you verified in step e).

g) Check the gpg signature timestamp makes sense.

If you previously saw a signature from 2016 and are now seeing a signature from 2015, you could be the target of a rollback (downgrade) or indefinite freeze attack.

h) Check the file name has not been tampered with.

Note: OpenPGP signatures sign files, not file names. Beginning from Whonix version 9.6, by convention the file@name OpenPGP notation includes the file name.

5.8.4 GPGTools in Mac OS X

GnuPG, a common free software implementation of OpenPGP, is available for Mac OS X together with graphical frontends.

The website has detailed documentation on how to install and use the software suite.

a) Download GPGTools for Mac OS X:

https://gpgtools.org/

b) Install GPGTools.

After installing GPGTools, you should now be able to follow the GNU/Linux command line instructions in this guide.

c) Open the command line.

Navigate to your Applications folder -> open Utilities -> double click on Terminal.

d) Follow the instructions in section 5.7 to download and check the fingerprints of the Whonix signing key before importing it.

e) Follow the instructions in section 5.8.2 to cryptographically verify the Whonix VM images.

5.9 Install (Import) Whonix Images

This section outlines how to install (import) the verified Whonix VM images into the chosen virtualizer.

5.9.1 Install Whonix in KVM

a) Extract the Whonix-Gateway and Whonix-Workstation archives.

Use tar to extract each archive:

tar -xvf Whonix-Gateway*.libvirt.xz

tar -xvf Whonix-Workstation*.libvirt.xz

Note: Do not use unxz! The .libvirt.xz files are xz-compressed tar archives; tar unpacks them in one step.

b) Import the Whonix VM Templates.

The supplied XML files are libvirt definitions describing the properties and networking of each Whonix machine.

First, define the Whonix-Gateway:

virsh -c qemu:///system define Whonix-Gateway*.xml

Second, define the isolated internal Whonix network. This XML is in the same folder as the Whonix-Gateway files:

virsh -c qemu:///system net-define Whonix_network*.xml

Note: if defining the Whonix internal network fails because the network bridge “virbr1” already exists, edit the Whonix_network*.xml file and change the bridge name to one that doesn’t exist yet, e.g. “virbr2”. You can list the existing bridge adapters with “sudo brctl show”.

virsh -c qemu:///system net-autostart Whonix

virsh -c qemu:///system net-start Whonix

Lastly, the Whonix-Workstation is defined:

virsh -c qemu:///system define Whonix-Workstation*.xml

c) Move the Whonix image files.

The XML files are configured to point to the default storage location: /var/lib/libvirt/images

This step moves the images there so the machines can boot.

Note: It is highly recommended you use this default path for storing the images to avoid conflicts with AppArmor or SELinux, which will otherwise prevent the machines from booting.

It is best to move the image files rather than copying them:

sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2

sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

Whonix disk images are ‘sparse files’: they grow as they are filled rather than occupying their full nominal size (100 GB) up front. A plain copy can lose this property and write out the full size, so if you copy instead of move, tell cp to preserve sparseness. Copying into a privileged system location requires higher privileges (sudo):

sudo cp --sparse=always Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2

sudo cp --sparse=always Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

d) Cleanup after importing Whonix.

Post-installation, the archives (.libvirt.xz files) and the temporarily extracted folders can be deleted or moved to a custom location. This helps avoid conflicts and confusion should you later download a new Whonix version.

To delete them:

rm Whonix-Gateway*.libvirt.xz

rm Whonix-Workstation*.libvirt.xz

rm -r Whonix-Gateway*

rm -r Whonix-Workstation*

rm -r Whonix_network*
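The script below is an added example (not part of Whonix) that runs steps a) to d) in one go and handles the “virbr1 already exists” case automatically instead of hand-editing the XML. It assumes the extracted files sit in the current directory as the commands above do, that the network XML sets the bridge with a <bridge name='virbrN' .../> element, and the qemu:///system connection from the guide; the function names and the WHONIX_IMPORT_RUN switch are my own.

```shell
#!/bin/bash
# Added example (not Whonix project code): import the Whonix KVM images, picking a
# free virbrN bridge name when the one in Whonix_network*.xml is already taken.
# Assumes the guide's layout (archives in the current directory, qemu:///system).

# Bridges currently present on the host, one per line (iproute2, falling back to brctl).
existing_bridges() {
    if command -v ip >/dev/null 2>&1; then
        ip -o link show type bridge 2>/dev/null | awk -F': ' '{print $2}'
    elif command -v brctl >/dev/null 2>&1; then
        brctl show | awk 'NR>1 && NF>=3 {print $1}'
    fi
}

# free_bridge_name WANTED IN_USE: print WANTED (e.g. virbr1) if it is not in the
# newline-separated IN_USE list, otherwise the next virbrN that is free.
free_bridge_name() {
    local name=$1 inuse=$2 n
    n=${name#virbr}
    while printf '%s\n' "$inuse" | grep -qx "$name"; do
        n=$((n + 1))
        name="virbr$n"
    done
    printf '%s\n' "$name"
}

# bridge_in_xml XML: print the bridge name the network definition asks for.
bridge_in_xml() {
    sed -n "s/.*<bridge name=[\"']\(virbr[0-9]*\)[\"'].*/\1/p" "$1" | head -n 1
}

# rewrite_bridge XML NEWNAME: replace the virbrN in the <bridge name=...> element in place.
rewrite_bridge() {
    sed -i "s/\(<bridge name=[\"']\)virbr[0-9]*\([\"']\)/\1$2\2/" "$1"
}

# whonix_import: steps a) to d) of the guide. Only runs when WHONIX_IMPORT_RUN=1 so
# the helpers above can be sourced and checked on their own.
whonix_import() {
    set -e
    local virsh="virsh -c qemu:///system" netxml wanted chosen
    tar -xvf Whonix-Gateway*.libvirt.xz
    tar -xvf Whonix-Workstation*.libvirt.xz

    netxml=$(ls Whonix_network*.xml | head -n 1)
    wanted=$(bridge_in_xml "$netxml")
    chosen=$(free_bridge_name "$wanted" "$(existing_bridges)")
    if [ "$chosen" != "$wanted" ]; then
        echo "bridge $wanted already exists on the host; using $chosen instead" >&2
        rewrite_bridge "$netxml" "$chosen"
    fi

    $virsh define Whonix-Gateway*.xml
    $virsh net-define "$netxml"
    $virsh net-autostart Whonix
    $virsh net-start Whonix
    $virsh define Whonix-Workstation*.xml

    # Moving keeps the images sparse; use cp --sparse=always if you need to keep a copy.
    sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
    sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

    # Cleanup, as in step d)
    rm -f Whonix-Gateway*.libvirt.xz Whonix-Workstation*.libvirt.xz
    rm -rf Whonix-Gateway* Whonix-Workstation* Whonix_network*
}

if [ "${WHONIX_IMPORT_RUN:-0}" = 1 ]; then
    whonix_import
fi
```

Run it from the download directory as WHONIX_IMPORT_RUN=1 bash import.sh; the final rm lines delete everything matching the Whonix globs in that directory, so do not run it anywhere else.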

5.9.2 Install Whonix in VirtualBox

a) Start VirtualBox.

Figure 20: VirtualBox Welcome Page

b) Select ‘Import Appliance’:

File -> Import Appliance…

Figure 21: Import Appliance Into VirtualBox

c) Navigate and select the Whonix-Gateway image (.ova) and press ‘Next’:

Figure 22: Select the Whonix-Gateway Image

d) Do NOT change any settings! Just click on ‘Import’:

Figure 23: Select the Import Button

e) Select ‘Agree’ to the license agreement:

Figure 24: Select Agree with the License

f) Wait until the Whonix-Gateway image has been imported.

Figure 25: Importing of VirtualBox Image

g) Repeat steps a-f with the Whonix-Workstation image (.ova)

When finished, you will now see both the Whonix-Gateway and Whonix-Workstation VMs in a powered off state in VirtualBox.

Figure 26: Successfully Imported Whonix Images


6.0 FIRST STEPS IN NON-QUBES-WHONIX

6.1 Launch and Connection

6.1.1 Start Whonix in KVM

If you know Virtual Machine Manager, there is nothing special about starting Whonix VMs compared to starting other VMs. First start Whonix-Gateway, followed by Whonix-Workstation.

Using the Graphical User Interface, start the Virtual Machine Manager:

Start Menu -> Applications -> System -> Virtual Machine Manager

Then, start the Whonix-Gateway:

Click on Whonix-Gateway -> click open -> click the play symbol

Repeat these steps for Whonix-Workstation.

If you prefer the command line interface, run:

virsh -c qemu:///system start Whonix-Gateway

to start the Whonix-Gateway, then run:

virsh -c qemu:///system start Whonix-Workstation

to start the Whonix-Workstation.

Note: If you want to adjust the display resolution seamlessly to match your host screen size after starting, do the following:

Virt-Manager Whonix-Workstation window -> View -> Scale Display -> Always | Check: Auto resize VM with window

If you later decide to remove the Whonix KVM VMs, Whonix network and images, follow the ‘Uninstall’ instructions in this link:

[https://www.whonix.org/wiki/KVM]

6.1.2 Start Whonix in VirtualBox

Starting Whonix is simple: either double click on the Whonix-Gateway and Whonix-Workstation, or highlight each selection in turn and press ‘Start’.

Figure 27: Start Whonix in VirtualBox

6.2 Change Passwords

On the first run of Whonix, immediately change the passwords on BOTH the Whonix-Gateway and Whonix-Workstation (this step is not relevant for Qubes-Whonix users).

The passwords of both accounts, user and root, must be changed. The default password for both is changeme.

Open a terminal:

Start menu -> Applications -> System -> Terminal.

Login as root:

sudo su

Change root and user password:

passwd

passwd user

and follow the instructions.

Note: Consider using diceware passphrases for better security. A diceware passphrase of 6-7 words drawn from the 7776-word list (roughly 77-90 bits of entropy) cannot feasibly be brute-forced within your lifetime on standard (non-quantum) computers.

http://world.std.com/~reinhold/diceware.html

6.3 Run Whonixcheck (Optional)

By default, Whonixcheck runs automatically from time to time whenever the user starts up a Whonix-Workstation. Whonixcheck’s purpose is to verify that the Whonix system is up-to-date and that everything is in proper working order. You may want to manually run Whonixcheck before updating your system. It usually takes a few minutes to run.

If you are using a graphical Whonix environment, complete the following step:

Start Menu -> System -> whonixcheck

If you are using a terminal-only Whonix environment, complete the following step:

whonixcheck

If everything is functioning properly, the output should show each heading “INFO” in green (not red). For example:

INFO: SocksPort Test Result: Connected to Tor. IP: 146.10.104.240
INFO: TransPort Test Result: Connected to Tor. IP: 91.89.96.88
INFO: Stream Isolation Test Result: Functional.
INFO: Whonix News Result:
√ Up to date: whonix-workstation-packages-dependencies 2.5-1
√ Up to date: Whonix Build Version: 11.0.0.3.0
INFO: Debian Package Update Check Result: No updates found via apt-get.
INFO: Whonix APT Repository: Enabled. When the Whonix team releases JESSIE updates, they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade) along with updated packages from the Debian team. Please read https://www.whonix.org/wiki/Trust to understand the risk. If you want to change this, use:
Start menu -> Applications -> System -> Whonix Repository
INFO: Tor Browser Update Check Result: Up to date.
INFO: Please consider making a small reoccurring donation. See: https://www.whonix.org/wiki/Donate

6.4 Update Whonix

It is critical that the Whonix-Gateway and Whonix-Workstation VMs stay updated! Running unpatched software is one of the most common ways systems are compromised.

a) Update your package lists.

The following steps (updating and upgrading) should be applied in both the Whonix-Gateway and Whonix-Workstation terminals and repeated at least daily thereafter.

sudo apt-get update

The output should look similar to this:

Hit http://security.debian.org jessie/updates/Release.gpg
Hit http://security.debian.org jessie/updates/Release
Hit http://deb.torproject.org jessie Release.gpg
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release
Hit http://security.debian.org jessie/updates/contrib i386 Packages
Hit http://ftp.us.debian.org jessie Release
Hit http://security.debian.org jessie/updates/non-free i386 Packages
Hit http://deb.torproject.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Ign http://ftp.us.debian.org jessie/contrib Translation-en
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists… Done

If you see something like this:

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Or like this (name resolution failed):

Err http://ftp.us.debian.org jessie Release.gpg
Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg
Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg
Could not resolve 'security.debian.org'
Reading package lists… Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Then something went wrong. It could be a temporary Tor exit relay or server failure that should remedy itself. Usually changing your Tor circuit and trying again is successful. If that fails, running whonixcheck can help to diagnose the problem.

If you see an error message like:

Could not resolve 'security.debian.org'

It helps to run:

nslookup security.debian.org

And then try updating your package lists again.

b) Upgrade Whonix.

In the terminal, run:

sudo apt-get dist-upgrade

Note: At first Whonix boot, you are asked if you want to enable or disable Whonix’s apt repository. If you disabled the Whonix APT Repository, then you will have to manually check for new Whonix releases and manually install them from source code:

[https://www.whonix.org/wiki/Whonix-APT-Repository#Disable_Whonix_APT_Repository]

6.5 Update (Upgrade) Precautions

a) Never install unsigned packages!

If you see output like the following:

WARNING: The following packages cannot be authenticated!
icedove
Install these packages without verification [y/N]?

Then don’t proceed! Press N and Enter.

Running apt-get update again should fix the problem. If not, then either something is broken or it may be a man-in-the-middle attack. This possibility isn’t that unlikely, since we are updating over Tor exit relays and some of them are malicious; apt’s signature check is exactly what catches such tampering, which is why it must never be bypassed. Change your Tor circuit and then try again.

b) Do not ignore signature verification warnings.

There should be none at the moment. If there is such a warning, the output will look like this:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

In that case, you should be careful even though apt-get will automatically ignore repositories with expired keys or signatures, meaning you will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.

There are two possible reasons for this. Either you are the victim of a man-in-the-middle attack, or there is an issue with the repository that the maintainers have to fix. The former does no harm as long as you do not bypass the check, since apt has already refused the tampered index: either it resolves itself after a period of time or you can change your Tor circuit and try again.

If you experience other signature verification errors, these should be reported, but they are unlikely at this time.

c) Be cautious of changed configuration files.

If you see output like the following:

Setting up ifupdown …
Configuration file `/etc/network/interfaces’
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : background this process to examine the situation
The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Then be careful. If the updated file isn’t coming from a Whonix specific package (some are called whonix-…), then press N. Otherwise, anonymity/privacy/security settings deployed with Whonix might get lost. If you are an advanced user and know better, you can of course manually check the difference and merge them. Pressing Y will result in the loss of customized settings.

d) Restart and Update Whonix VMs.

To benefit from security updates, particularly kernel upgrades (linux-image-… was upgraded), which require a full reboot, the best practice is to shut the VMs down and restart them.

In terminal:

sudo reboot

If you want to omit rebooting, use needrestart and follow instructions in this link:

[https://www.whonix.org/wiki/Update]
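The wrapper below is an added example (not Whonix's own tooling) that ties sections 6.4 and 6.5 together: it classifies the output of apt-get update using the message patterns quoted above, retries only on fetch failures, refuses to go on if anything looks like an authentication or signature problem, and then runs dist-upgrade interactively so the “cannot be authenticated” and configuration file prompts are still answered by you. The function names and the retry count are my own choices.

```shell
#!/bin/bash
# Added example (not Whonix project code): a safer update routine for 6.4/6.5.
# The patterns come from the apt messages shown in the guide; the function names,
# retry count and sleep interval are my own.

# classify_apt_output: read apt-get output on stdin and print one word:
#   unauthenticated - a package could not be authenticated: never proceed
#   signature       - index signature problem (expired key, BADSIG, NO_PUBKEY): report it
#   fetch           - index download failed (404, DNS): change circuit and retry
#   ok              - nothing suspicious
# The most severe matching class wins.
classify_apt_output() {
    local text
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'cannot be authenticated'; then
        echo unauthenticated
    elif printf '%s\n' "$text" | grep -Eq 'KEYEXPIRED|BADSIG|NO_PUBKEY|GPG error|signatures were invalid|signature verification'; then
        echo signature
    elif printf '%s\n' "$text" | grep -Eq '^(W|E): (Failed to fetch|Some index files)|Could not resolve|404 Not Found'; then
        echo fetch
    else
        echo ok
    fi
}

# safe_update: apt-get update, continue to dist-upgrade only when the output is clean.
safe_update() {
    local attempt log verdict
    for attempt in 1 2 3; do
        log=$(sudo apt-get update 2>&1 || true)
        printf '%s\n' "$log"
        verdict=$(printf '%s\n' "$log" | classify_apt_output)
        case $verdict in
            ok) break ;;
            fetch)
                echo "index download failed (attempt $attempt of 3); retrying (change your Tor circuit if it keeps failing)" >&2
                sleep 10 ;;
            *)
                echo "refusing to upgrade: $verdict problem in the output above; do not bypass it, report it" >&2
                return 1 ;;
        esac
    done
    [ "$verdict" = ok ] || { echo "giving up after 3 attempts; run whonixcheck to diagnose" >&2; return 1; }
    # Interactive on purpose: answer N to "Install these packages without verification"
    # and N to conffile prompts for non-Whonix packages, as described in 6.5.
    sudo apt-get -o APT::Get::AllowUnauthenticated=false dist-upgrade
    # A kernel upgrade needs a reboot; needrestart (if installed) reports what else does.
    if command -v needrestart >/dev/null 2>&1; then sudo needrestart; fi
}

# Usage, in both the Whonix-Gateway and Whonix-Workstation:  safe_update
```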

6.6 Take VM Snapshots

A good security practice is to keep a master copy of your updated, ‘clean’ Whonix-Gateway and Whonix-Workstation VMs and only use snapshots (or clones) of these VMs for anonymous activity. The master copies should not have any settings edited or additional software installed on them. Also, the ‘clean’ and ‘unclean’ VM states should not be mixed up from the start.

Users who may be targeted should regularly ‘roll back’ after risky activity and whenever the user suspects the integrity of the system may have been compromised. That is, the unclean VMs should be deleted and fresh clones created from the ‘clean’ templates for additional activities.

If this advice is ignored and the VMs are compromised, then an attacker potentially has access to all data contained therein: all credentials, browser data, passwords etc. Although the IP address is never leaked, this information is probably enough to de-anonymize most users.

Following this advice, you should now stop and not browse anywhere or open any unauthenticated communication channels to the Internet with the VMs freshly created in the previous steps. The only exception to this rule is running apt, which authenticates the package indexes and packages it downloads before installing anything. It is recommended you now:

  • Shutdown the virtual machines; and
  • Create snapshots of their clean state.

This process is easy in VirtualBox, using copy/paste, cloning and exporting/importing. VirtualBox’s VM Snapshot feature is not recommended, as users have experienced data loss with it (corrupted virtual hard drives). However, for users who wish to use it and experience no problems, it provides a convenient and useful feature for making snapshots of live running systems prior to the installation of new applications. Use at your own risk!

Users are instead recommended to use SubVersioN (SVN) which is a more reliable and efficient tool for making backups of VM operating environments across multiple operating systems. Before installing SVN, users should familiarize themselves with SVN and how to use it:

https://subversion.apache.org/
https://subversion.apache.org/docs/

6.7 General Advice

For a more thorough consideration of safe and unsafe user actions in Whonix, see section 8.

6.7.1 Only Use the Whonix-Workstation

All your desktop activities should take place in the Whonix-Workstation. You should never use Whonix-Gateway for anything other than running Tor on it! Also, do not install additional software in the Whonix-Gateway unless you know what you are doing.

If you ignore this advice and the Whonix-Gateway is compromised, the attacker can access your identity (public IP address) as well as all destinations, clear-text and hidden service communication.

6.7.2 Avoid Interrupting the Virtualizer

To prevent time zone leaks, the system clock inside Whonix is set to UTC. This means the clock may be a few hours behind or ahead of your host system clock. Do not change the system clock!

It is recommended users not use pause/suspend/save/resume features of virtualizers or hibernation functions on the host OS while Whonix-Workstation is running. If this advice is ignored, users should manually run TimeSync afterwards:

Start Menu -> Applications -> System -> Time Synchronization Monitor (sdwdate-gui)

It is also recommended to not pause/suspend/save/resume the Whonix-Gateway, because it is difficult to properly restore the clock afterwards. Specifically, if your host clock (in UTC) is more than 1 hour in the past or more than 3 hours in the future, Tor can’t connect.

If this advice is ignored, the user should check the host’s battery status and fix the host clock manually (right clicking on the clock). The Whonix-Gateway can then be powered off and on again, and Tor should be able to connect. If your host clock is too inaccurate, you may experience problems in updating your host operating system.

6.7.3 VirtualBox Hardening

As many users default to VirtualBox, consider removing unnecessary features which increase the attack surface. Many features can be safely removed and do not impact core functionality:

  • Disable Audio;
  • Do not enable Shared Folders;
  • Do not enable video acceleration;
  • Do not enable 3D acceleration;
  • Do not enable the Serial Port;
  • Remove the Floppy drive;
  • Remove the CD/DVD drive;
  • Do not attach USB devices;
  • Disable the USB controller (enabled by default) - this requires setting Pointing Device to “PS/2 Mouse” or changes will revert;
  • Do not enable the Remote Display server;
  • Do not enable IO APIC or EFI; and
  • Enable PAE/NX (NX is a security feature).
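The script below is an added example (not Whonix project code) that applies the list above from the command line with VBoxManage, so the same settings land on both VMs and can be re-applied after a re-import. The VM names are the ones the OVA import creates; the dry-run flag and the function names are my own. Detaching the floppy and CD/DVD drives is not automated because the storage controller name has to be read from VBoxManage showvminfo first.

```shell
#!/bin/bash
# Added example (not Whonix project code): apply the VirtualBox hardening list with
# VBoxManage. Function names and the --dry-run switch are my own.

# vbox_hardening_args: the modifyvm options for the list above, one per line.
# The guide's images are i386; a 64-bit guest needs --ioapic on instead.
vbox_hardening_args() {
    cat <<'EOF'
--audio none
--usb off
--usbehci off
--mouse ps2
--accelerate3d off
--accelerate2dvideo off
--vrde off
--uart1 off
--ioapic off
--firmware bios
--pae on
--clipboard disabled
--draganddrop disabled
EOF
}

# harden_vbox_vm NAME [--dry-run]: apply the options to a powered-off VM and remove
# any shared folders. With --dry-run, print the modifyvm command instead of running it.
harden_vbox_vm() {
    local vm=$1 dry=${2:-} folder
    if [ "$dry" = --dry-run ]; then
        echo "VBoxManage modifyvm \"$vm\" $(vbox_hardening_args | tr '\n' ' ')"
        return 0
    fi
    # modifyvm only works while the VM is powered off
    VBoxManage modifyvm "$vm" $(vbox_hardening_args)
    for folder in $(VBoxManage showvminfo "$vm" --machinereadable \
                    | sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p'); do
        VBoxManage sharedfolder remove "$vm" --name "$folder"
    done
}

# Usage:  harden_vbox_vm Whonix-Gateway; harden_vbox_vm Whonix-Workstation
```

Running it with --dry-run first shows the exact modifyvm invocation, which is the quickest way to review the settings before touching the imported appliances.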

6.8 Bridges for Censored Whonix Users

6.8.1 When to Use Bridges

When using Tor with Whonix in its default configuration, anyone observing the traffic of your Internet connection - your ISP, your government, law enforcement and intelligence agencies - can easily determine you are using Tor. This may be a problem if the following applies in your country:

a) Tor is blocked by censorship: since all connections to the Internet are Tor-routed, this would make Whonix useless for everything except working offline on documents etc; or
b) Using Tor is dangerous or considered suspicious: in this case starting Whonix in its default configuration might get you into serious trouble with authorities.

Tor bridges (Tor bridge relays) are alternative entry points to the Tor network that are not listed in the public Tor relay directory. Using a bridge makes it harder, but not impossible, for your ISP to know that you are using Tor. Before using bridges, familiarize yourself with what bridges are and how obfsproxy works. Obfsproxy is the application Tor uses to connect to obfuscated bridges, see:

[https://www.whonix.org/wiki/Bridges]

Bridges are less reliable and tend to have lower performance than other entry points to the Tor network. If you live in an uncensored area, they are not necessarily more secure than entry guards.

Warning: Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress that an adversary could make to identify Tor users.

6.8.2 Finding a Bridge and Suitable Protocol

When Whonix starts for the first time, it won’t automatically connect to the public Tor network. Whonix Setup Wizard, which is automatically started, will guide you.

In order to use bridges, you must know in advance the address of at least one bridge. The Tor Project distributes public bridge addresses in several ways, for example from their website and via email. The easiest way to find a list of public bridges is from The Tor Project Bridge Database.

Recommendations:

a) Only use obfuscated bridges since they are harder to identify than other bridges. The Tor Project only recommends the obfs4 protocol at the time of writing (not obfs2 or obfs3), since it defends more effectively against active probing.

b) It is better to use a private obfuscated bridge than a publicly known one. The latter have a greater likelihood of being censored since they are publicly listed. Unfortunately, since some bridge addresses can be obtained by anyone from the Tor website or by email, it is also possible for an adversary to get the same bridge information by the same means. The Tor Project has some protections against that, but they are far from being perfect.

Warning: Intelligence agencies are known to monitor emails to the Tor Project requesting bridges. That is, XKEYSCORE selection rules target and record in a database those sending email to:

bridges@bridges.torproject.org

with the line “get bridges” in the body. Notably, XKEYSCORE selection rules also include those just visiting the websites of the Tor Project and TAILS.

If you wish to use this method anyhow, then follow the directions in the following link:

https://www.torproject.org/docs/bridges

c) The safest method is to find a trusted friend or organization in a different country who can run a private obfuscated bridge for you. In this case “private” means that the bridge is configured with the option PublishServerDescriptor 0. Without this option the Tor Project can learn about the bridge and may distribute its address to others and so it could end up in the hands of an adversary.

6.8.3 Configure a Bridge in Whonix

Whonix does not include a wizard to set up private or public obfuscated bridges. The graphical tor-launcher screenshots seen on the Tor Project’s website cannot be used in Whonix. Instead, bridges are configured on the Whonix-Gateway in the same way as if you were using vanilla Debian GNU/Linux (Whonix is based on Debian).

a) Access /etc/tor/torrc on the Whonix-Gateway to add bridges.

If you are using a graphical Whonix-Gateway:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway:

sudo nano /etc/tor/torrc

b) Edit /etc/tor/torrc on the Whonix-Gateway and configure bridges.

Once inside /etc/tor/torrc, scroll to the very bottom and copy-paste the following text:

UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed

Now add the bridge lines you obtained in the earlier steps. Copy-paste them at the bottom of /etc/tor/torrc. Make sure each line begins with the keyword “bridge” (bridge lines handed out by the Tor Project usually omit it, so add it manually).

Below is a text example for obfs3 and obfs4 (do not copy-paste this list; these IP’s will not work). Note: your torrc file will have EITHER obfs3 or obfs4, not both at the same time.

bridge obfs3 109.195.132.77:22321 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 55.32.27.22:38123 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 192.24.131.513:62389 4352e58420e68f5e40bf7c74faddccd9d1349413

bridge obfs4 192.235.207.85:42086 0EEB10BF4B4FAF56D46E cert=oue8sYYw5wi4n3mf2WDOg iat-mode=0
bridge obfs4 34.218.26.20:43263 DD21A551767816A0C9495 cert=7qzS6KASquPvJU82Fm7qoJw iat-mode=0
bridge obfs4 161.217.177.95:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0

Once you have completed editing /etc/tor/torrc, save and exit:

Ctrl-X --> press Y --> Enter

c) Enable Tor.

If you have not already enabled Tor, then do so via the whonix-setup-wizard.

If you are using a graphical Whonix-Gateway:

Start Menu -> Applications -> System -> Whonix Setup Wizard

Select “Enable Tor” and press next

For terminal-only Whonix-Gateway:

sudo whonixsetup

Select “Enable Tor” and press next

d) Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect.

If you are using a graphical Whonix-Gateway:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway (reload Tor and check Tor’s daemon status):

sudo service tor@default reload

sudo service tor@default status

It should output a message saying:

Active: active (running) since …

In case of issues, check Tor’s configuration:

sudo -u debian-tor tor --verify-config

The output should show something like:

Sep 17 17:40:41.416 [notice] Read configuration file “/etc/tor/torrc”.
Configuration was valid

Note: If you are not able to connect to Tor after completing all these steps, you have most likely done something wrong. Go back and check your /etc/tor/torrc file and redo the steps outlined in the sections above. If problems persist, refer to this link for troubleshooting:

[https://www.whonix.org/wiki/Bridges]
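The checks below are an added example, not part of Whonix: they validate the Bridge lines you pasted into /etc/tor/torrc before you reload Tor, catching the mistakes that typically cause “cannot connect” after this procedure. The sample lines above would fail them, as intended: 192.24.131.513 has an invalid octet, and the obfs4 fingerprints shown are 20 hex digits rather than the 40 a real fingerprint has. The function names are my own.

```shell
#!/bin/bash
# Added example (not Whonix project code): sanity-check torrc Bridge lines before
# "Reload Tor". Function names are my own.

# check_bridge_line LINE: 0 if LINE is a well-formed obfs3/obfs4 Bridge line,
# 1 otherwise (reason on stderr).
check_bridge_line() {
    local line=$1 kw transport addr fp host port o n
    set -f; set -- $line; set +f          # split into fields, no globbing
    [ $# -ge 4 ] || { echo "too few fields: $line" >&2; return 1; }
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    transport=$2 addr=$3 fp=$4
    shift 4
    [ "$kw" = bridge ] || { echo "line must start with 'bridge': $line" >&2; return 1; }
    case $transport in
        obfs3|obfs4) ;;
        *) echo "unsupported transport: $transport" >&2; return 1 ;;
    esac

    # IP:PORT with a valid dotted-quad IPv4 address and port
    host=${addr%:*}; port=${addr##*:}
    [ "$host" != "$addr" ] || { echo "missing :port in $addr" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port in $addr" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range in $addr" >&2; return 1; }
    n=0
    for o in $(printf '%s' "$host" | tr '.' ' '); do
        case $o in ''|*[!0-9]*) echo "bad IPv4 address $host" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "octet $o out of range in $host" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -eq 4 ] || { echo "bad IPv4 address $host" >&2; return 1; }

    # relay fingerprint: exactly 40 hex digits
    printf '%s' "$fp" | grep -Eq '^[0-9A-Fa-f]{40}$' \
        || { echo "fingerprint must be 40 hex digits: $fp" >&2; return 1; }

    # obfs4 additionally needs cert=... and iat-mode=0|1|2
    if [ "$transport" = obfs4 ]; then
        printf '%s\n' "$@" | grep -Eq '^cert=.+$' \
            || { echo "obfs4 line needs cert=...: $line" >&2; return 1; }
        printf '%s\n' "$@" | grep -Eq '^iat-mode=[0-2]$' \
            || { echo "obfs4 line needs iat-mode=0|1|2: $line" >&2; return 1; }
    fi
    return 0
}

# check_torrc FILE: require "UseBridges 1" and check every bridge line; 0 only if all pass.
check_torrc() {
    local rc=0 line
    grep -Eiq '^[[:space:]]*UseBridges[[:space:]]+1[[:space:]]*$' "$1" \
        || { echo "UseBridges 1 is missing" >&2; rc=1; }
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case $line in
            [Bb][Rr][Ii][Dd][Gg][Ee][[:space:]]*) check_bridge_line "$line" || rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Typical use on the Whonix-Gateway, before step d) above:
#   check_torrc /etc/tor/torrc && sudo -u debian-tor tor --verify-config \
#       && sudo service tor@default reload
```

tor --verify-config only checks that torrc parses; it will happily accept an address with a 513 octet or a short fingerprint, which is why the field-level checks above are worth running first.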

6.9 Further Links

Change the keyboard layout:
[https://www.whonix.org/wiki/Keyboard_Layout]

Change the system language:
[https://www.whonix.org/wiki/Language]


7.0 COMMON WHONIX TASKS

7.1 Internet Browsing

It is recommended that only Tor Browser is used in Whonix for browsing the Internet.

Tor Browser is a fork of the Mozilla Firefox web browser, developed by the Tor Project, which is optimized and designed for anonymity. If you use other browsers in Whonix, your IP address/DNS is still protected, but you don’t benefit from Tor Browser’s protocol level sanitization and privacy-enhancing patches and add-ons. As a result you become pseudonymous, rather than anonymous. Another benefit of using Tor Browser is that you blend in with the near two million other Tor users, and share a common browser fingerprint.

When using Tor Browser, users should visit encrypted (HTTPS) sites as often as possible, rather than unencrypted (HTTP) alternatives. Websites with the .onion extension are even safer, since the onion address itself authenticates the service, so man-in-the-middle attacks with fraudulently issued certificates do not apply (for instance, the Whonix onion is http://kkkkkkkkkk63ava6.onion). The benefit of HTTPS is that it (generally) prevents a Tor exit relay from eavesdropping on your communications as data is exchanged between your browser and the server.

HTTPS includes mechanisms to authenticate the server you are communicating with - although this is an imperfect system. It is important to only use HTTPS services when you are sending or retrieving sensitive information (like passwords), otherwise it is very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.

Tor Browser ships with the HTTPS Everywhere extension. It automatically encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

Another benefit of using Tor Browser is the built-in Torbutton and NoScript add-on. With advanced privacy and security settings, the Torbutton helps to defend against elements which can defeat the anonymity of the Tor network: JavaScript, Adobe Flash, cookies and other trackable/fingerprintable features. The benefit of NoScript is that JavaScript, Java and other plugins are only allowed for trusted domains of your choice, helping to reduce the attack surface of the browser.

For better security and anonymity when using Tor Browser, follow these recommendations:

  • Generally only allow JavaScript for sites that you trust - this mitigates many browser exploits and opportunities for browser fingerprinting;
  • Do not install additional add-ons or plugins which can harm your anonymity, reduce your security and increase your browser fingerprint;
  • Do not add any custom themes;
  • Do not change any Tor Browser default settings in about:config unless you know what you’re doing;
  • Do not maximize the Tor Browser window (a fingerprinting vector);
  • Don’t change or remove any Tor Browser proxy settings;
  • Try to maintain only one tab of browser activity at a time for better anonymity (or alternatively use multiple instances of Tor Browser in multiple Whonix-Workstations);
  • Re-set Tor circuits with the ‘New Identity’ function from time to time (best security practice is to close the browser entirely and restart it);
  • Run the Torbutton privacy slider in the medium-high to high position for better security and anonymity;
  • Consider using the Application Boundaries Enforcer (ABE), ClearClick Protection, and additional restrictions for untrusted sites in the NoScript options (disabled by default);
  • Always keep the Tor Browser updated (if you don’t have Tor Browser, use the Whonix Tor Downloader feature);
  • Use the hardened, 64-bit Linux Tor Browser if running Qubes-Whonix and benefit from additional memory protections (Selfrando is now built in);
  • Don’t run Flash - use HTML5 video instead or stream the media via VLC media player;
  • Circumvent most re-Captcha warnings on websites with the Startpage proxy feature;
  • Set passwords for WebGUIs listening on localhost;
  • Run sensitive daemons with local WebGUIs on a separate dedicated Whonix-Workstation; and
  • Confine Tor Browser with Apparmor (see https://www.whonix.org/wiki/AppArmor).

This is only a general introduction to remaining anonymous and secure when browsing the Internet. For a comprehensive overview of other issues like chatting, hosting location hidden servers, file sharing/BitTorrent, anonymous money, VOIP etc. please refer to the “Connect to the Internet Anonymously” section in the Whonix documentation and section 9.3 of this guide:

[https://www.whonix.org/wiki/Documentation]

7.2 Pre-Installed Applications

Basically, any program can be used together with Whonix. Whonix comes with a host of free software pre-installed and pre-configured with safe defaults, including:

Browsing, Email and Messaging/Chat

  • Tor Browser for Internet browsing;
  • Messengers like Pidgin, with the Jabber protocol and the OTR plugin;
  • IRC client (HexChat);
  • Mozilla Thunderbird with TorBirdy for privacy-friendly email;
  • KGpg and OpenPGP (GnuPG frontend) to encrypt, decrypt, sign, and verify text; and
  • Mixmaster (anonymous remailer).

Servers

  • scp for secure data transfer to and from a server;
  • SSH for unobserved administration of servers; and
  • Web servers: Apache, nginx, IRC servers, etc. via hidden services.

Other Tools

  • Media Player (VLC Media Player);
  • Image Viewer;
  • Calculator;
  • Terminal; and
  • scurl.

Note: scurl is an SSL command line downloader which provides a simple wrapper around curl. /usr/bin/scurl simply adds --tlsv1 --proto =https to all runs of curl. It also has Stream Isolation in Whonix, because /usr/bin/curl is a uwt wrapper symlinked to /usr/lib/whonix/uwtwrapper which will ultimately run /usr/bin/curl.real. To use scurl, follow the instructions at this link:

[https://www.whonix.org/wiki/Software#scurl_-_SSL_command_line_downloader]

7.3 Install Software for Work on Sensitive Documents

7.3.1 Recommended Software

If you need to work on sensitive documents, then install the recommended software below or other applications of your choosing.

a) Office Suite - LibreOffice

LibreOffice is a full-featured office productivity suite that provides a near drop-in replacement for Microsoft Office. A word processor, a spreadsheet and a presentation application are included.

Start menu -> Applications -> System -> Terminal

sudo apt-get update

sudo apt-get install libreoffice

b) Desktop Screenshot Creator - Shutter (non-Qubes-Whonix only)

Start menu -> Applications -> System -> Terminal

sudo apt-get update

sudo apt-get install shutter

Note: Qubes-Whonix users use the Screenshot tool available in dom0.

c) Desktop Video Recorder - RecordMyDesktop

Start menu -> Applications -> System -> Terminal.

sudo apt-get update

sudo apt-get install gtk-recordmydesktop

d) Image Editing - kolourpaint4

Start menu -> Applications -> System -> Terminal

sudo apt-get update

sudo apt-get install kolourpaint4

e) Video Editing - Kdenlive

Start menu -> Applications -> System -> Terminal

sudo apt-get update

sudo apt-get install kdenlive

f) Publishing - Scribus

Scribus is an open source desktop page layout program that can be used for many tasks, from booklet design to newspapers, magazines, newsletters and posters, to technical documentation.

Start menu -> Applications -> System -> Terminal

sudo apt-get update

sudo apt-get install scribus

g) Audio Editing - kwave

kwave is a multi-track audio editor for GNU/Linux, Mac OS X and Windows. It is designed for easy recording, playing and editing of digital audio.

Start menu -> Applications -> System -> Terminal

sudo apt-get update

sudo apt-get install kwave

7.3.2 Printers and Scanners Warning

Printing is risky. This is not a Whonix-related problem, but a general issue with printers. As the eff.org notes:

Imagine that every time you printed a document it automatically included a secret code that could be used to identify the printer - and potentially the person who used it. Sounds like something from an episode of “Alias” right?

Unfortunately the scenario isn’t fictional.

We don’t know if scanners also add extra hidden data which can uniquely identify a user. To be safe, you might consider buying an extra printer and/or scanner which you only use for anonymous activity. Another non-technical consideration is forensic evidence left on printers and peripherals e.g. fingerprints, DNA etc.

7.4 Install Other Software

If you don’t like the available Whonix software options, then you can install other applications of your choosing. You can install any software inside the Whonix-Workstation using apt-get, since it’s based on Debian.

Due to the Whonix design, it is possible to torrify almost all applications which are not capable of proxy support by themselves. However, it is generally inadvisable to install additional software unless you really need it, because it increases the risk of using software that is not exclusively designed to work with Tor.

Reminder: Qubes-Whonix users need to install persistent software in their Workstation TemplateVM(s). Using apt-get in an AppVM will install software for the current session only, and those changes will be lost when the VM is shut down.

7.4.1 Install Software From Debian Stable

The general recommendation is to install packages from the Debian Stable repository, rather than the Testing/Unstable or third party repositories. Further, manually installed packages, even trusted ones, tend not to get updated by users in a timely fashion. As the Debian FAQ notes:

https://www.debian.org/doc/manuals/debian-faq/ch-choosing.en.html#s3.1

Stable is rock solid. It does not break and has full security support. But it might not have support for the latest hardware.

If security or stability are at all important for you: install stable. Period. This is the most preferred way.

Since there is typically over 1 year between releases you might find that stable contains old versions of packages. However, they have been tested in and out. One can confidently say that the packages do not have any known severe bugs, security holes etc., in them. The packages in stable integrate seamlessly with other stable packages. These characteristics are very important for production servers which have to work 24 hours a day, 7 days a week.

On the other hand, packages in testing or unstable can have hidden bugs, security holes etc. Moreover, some packages in testing and unstable might not be working as intended.

In respect of Debian Backports, they state:

https://backports.debian.org/

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

7.4.2 Don’t Login As Root

Never log in as the root user (via sudo su) or run GUI applications using sudo application. This will fail. This is a limitation inherited from Debian and you will see error messages.

As a KDE user (the Whonix default), use the kdesudo application; otherwise use the gksudo application. The example below shows how to open /etc/tor/torrc in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/tor/torrc

If you are using a terminal-only Whonix, run:

sudo nano /etc/tor/torrc

For more information on securely installing additional software, refer to the following link:

[https://www.whonix.org/wiki/Install_Software]


#10

8.0 PRESERVING ANONYMITY AND PRIVACY

In this section, an anonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP address/location) of that connection nor to associate it with an identifier.

A pseudonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP address/location) of a connection, but can associate it with an identifier.

While the information below provides an overview of safe and unsafe Whonix user actions, it is not a substitute for reading the full Whonix documentation. At-risk users should always refer to the detailed information outlined in these links:

[https://www.whonix.org/wiki/Documentation]
[https://www.whonix.org/wiki/DoNot]

8.1 Unsafe Whonix User Actions

Websites and Accounts

  • Don’t visit your own personal website where either real names or pseudonyms have been used (risk of de-anonymization via Tor exit correlation of activity);
  • Don’t log in to a real life (personal) Facebook account, even if you have used a no real name policy or pseudonym (immediate de-anonymization; physical IP address/location still remains hidden);
  • Don’t log in to accounts you ever used without Tor (ISP and website logs of non-Tor usage de-anonymize you);
  • Don’t log in to bank accounts, PayPal, eBay or other important personal accounts with Tor (risk of account suspension due to ‘suspicious activity’; pseudonymous only in protecting location);
  • Don’t use different online identities at the same time (de-anonymization risk from correlation i.e. not separating different contextual identities);
  • Don’t log into Twitter, Facebook, Google, etc. longer than necessary (de-anonymization risk from website integration buttons e.g. ‘I like’ and ‘Twitter this’ and trackers like Google analytics that tell the originating service that you visited a particular website because you were logged in);
  • Don’t connect to the same server anonymously and non-anonymously at the same time (de-anonymization risk via correlational analysis or sudden break in network functioning revealing the Tor and non-Tor IP addresses);
  • Don’t be the first person to spread your own link regarding an anonymous blog or hidden service that you ‘secretly’ created (de-anonymization risk - just ask the original Silk Road founder!); and
  • Don’t do (mobile) phone verification when logging into websites like Google and Facebook (de-anonymization risk via the SIM card and phone logs on the mobile network).

Browsers

  • Don’t ‘fine tune’ Tor Browser unless you know what you are doing (de-anonymization and security risk);
  • Don’t use a clearnet browser and Tor Browser at the same time (de-anonymization risk by confusing which browser you are currently using);
  • Don’t use other browsers like Firefox and push them over the Tor network (de-anonymization risk from identifiers like cookies which make the connection only pseudonymous); and
  • Refer to the detailed advice in section 7.1 regarding the safe operation of Tor Browser and recommended settings.

Networks

  • Don’t alternate Tor with open WiFi (risk of de-anonymization via approximate location and possible MAC address logging);
  • Don’t use Tor over Tor scenarios e.g. start a Tor session from the client as well as from the transparent proxy (theoretical de-anonymization risk of using a six-hop Tor circuit); and
  • Don’t manually select preferred entry/exit points to and from the Tor network (reducing the randomness of Tor routing theoretically increases the risk of de-anonymization).

Application and Whonix Settings/Operation

  • Don’t change application settings if you don’t know their consequences (de-anonymization risk);
  • Don’t change default Whonix settings unless you have read the documentation and clearly understand it (de-anonymization and security risk);
  • Don’t run Whonix on computers that have sharing privileges; and
  • Don’t host Whonix on your cloud, a VPS or a foreign server you don’t control.

Note: Changing user interface settings for applications which do not connect to the internet is mostly safe. For example, checking a box “don’t show this tip of the day anymore” or “hide this menu bar” will have no effect on anonymity. For those applications attached to the internet, changing settings (even on the user interface) must be carefully reviewed.

Communication

  • Don’t send sensitive data without using end-to-end encryption (risk of Tor exit relay eavesdropping and man-in-the-middle attacks);
  • Don’t open random links or files: the sender/mailbox/account/key could be compromised and prepared to infect your system (de-anonymization and security risk); and
  • Don’t disclose identifying data about yourself (de-anonymization risk via correlational analysis) e.g.:
    • Do not include personal information in your nickname
    • Do not discuss personal information (where you are from, age, marital status etc.)
    • Do not mention your gender, tattoos, piercings, physical capacities or disabilities
    • Do not mention your profession, hobbies or involvement in activist groups
    • Do not use special characters on the keyboard, which exist only in your language
    • Do not post information to the regular internet (clear net) while you are anonymous
    • Do not use Twitter and Facebook
    • Do not post links to Facebook images (they contain a personal ID)
    • Do not connect to the same destination at the same time of the day (try to alternate)
    • Remember IRC, other chats, forums, mailing lists etc. are public arenas
    • Don’t be a hero (they are targeted)

Note: Qubes-Whonix users can safely open links or PDFs in a DisposableVM.

Anonymity Modes

  • Do not mix modes of anonymity. These are:
    • (1) User anonymous; any recipient e.g. post to forum (you are anonymous, real IP address/location is hidden)
    • (2) User knows recipient; both use Tor e.g. communication with each other (you are NOT anonymous, real IP address/location is hidden)
    • (3) User with no anonymity using Tor; any recipient e.g. login to Facebook with real name (you are NOT anonymous, real IP address/location is hidden)
    • (4) User with no anonymity; any recipient e.g. normal non-Tor browsing (you are NOT anonymous, real IP address/location is revealed)
  • It is unwise to mix mode (1) and mode (2) e.g. don’t use the same email/IM account for both purposes (de-anonymizes the user);
  • It is unwise to mix two or more modes inside the same Tor session (identity correlation via the same Tor exit relay); and
  • It is possible that other mode combinations are dangerous and could leak personal information or your physical location.

8.2 Safe User Actions

Essentially, safe user actions can be defined as the opposite of those just mentioned, plus others already mentioned throughout this guide. Be sure to educate yourself by referring to these links:

[https://www.whonix.org/wiki/Security_Guide]
[https://www.whonix.org/wiki/Advanced_Security_Guide]

As a reminder, recommended actions include:

General Systems Advice

  • Try to use only one computer that is dedicated to running Whonix;
  • Keep your host OS, Whonix (Qubes-Whonix) OS, and all applications updated (check at least daily);
  • Consider keeping all firmware updated and applying BIOS and processor microcode updates;
  • Use software from open source, stable repositories of major distributions in preference to proprietary software or third party solutions;
  • Limit installation of unnecessary software on either the host OS or in Whonix (Qubes-Whonix) to reduce the attack surface;
  • Harden Whonix (Qubes-Whonix) with AppArmor, sandboxing (Firejail etc.) and seccomp kernel restrictions;
  • Take heed of Whonix warnings when updating (upgrading) systems;
  • Use an Internet-based port scanner to check your LAN’s router/firewall is safely configured;
  • Always lock the screen when leaving the computer unattended - a password should be required to unlock the screen;
  • Set a BIOS password for BIOS setup and boot; and
  • Only use the Whonix-Workstation for normal desktop activities, not the Whonix-Gateway.

Qubes-Whonix

  • Regularly discard AppVMs and create fresh VMs for better security;
  • Consider using disposable Whonix-Workstation AppVMs for critical activities;
  • Use MAC address spoofing options as per the Qubes website documentation;
  • Resist dual-booting Qubes-Whonix with another OS, as it is a known security risk;
  • Use full VT-d, VT-x and TXT protections with compatible CPUs and chipsets;
  • Use an integrated Intel GPU when possible in your configuration;
  • If physical security of your computer is an issue, install a TPM in order to run AEM protections;
  • Use minimal (Fedora) templates where possible to reduce the attack surface of the system; and
  • Resist pausing AppVMs.

For MAC spoofing see: https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Recent research shows MAC spoofing is ineffective for WiFi, however, it should still work for hard-wired connections. Use of ‘burner’ WiFi USB sticks is one possible solution for the former case.

Non-Qubes-Whonix

  • Use a GNU/Linux host OS in preference to a Windows or Mac OS X host OS;
  • Harden the host OS as outlined in section 5.2 of this guide;
  • Apply full disk encryption on the host OS;
  • If using a Debian host OS, consider installing a grsecurity kernel (advanced users only; available in Debian Stretch);
  • Install apt-transport-tor on GNU/Linux hosts for updates - this prevents package fingerprinting and leakage of sensitive security information;
  • Use KVM in preference to VirtualBox;
  • Harden your virtualizer where possible e.g. remove unnecessary VirtualBox features;
  • Spoof the initial virtual hardware clock offset to prevent clock correlation attacks;
  • Resist interrupting (pausing, hibernating etc.) the virtualizer or host OS;
  • Regularly discard old VM snapshots and create fresh new VMs for better security, particularly after sensitive activities;
  • Have strong (diceware) passwords set in both the Whonix-Gateway and Whonix-Workstation VMs; and
  • For safer upgrades, shutdown any running Whonix instances currently attached to the internal virtual network - this prevents any potential cross-contamination of new machines you are importing.

Tor and Tor Browser

  • As per section 6.8, do use (private) obfuscated bridges if Tor usage is potentially dangerous or considered suspicious in your country;
  • Keep Tor Browser/Tor Browser bundle updated and use the hardened Tor Browser series if possible in your configuration;
  • Regularly refresh/change Tor circuits, particularly after having logged into surveillance-friendly platforms like Google, Twitter and Facebook;
  • After critical activities, completely shut down Tor Browser and run a new instance for better security;
  • Limit the number of tabs running in Tor Browser - it is better to run multiple Tor Browsers in many Whonix-Workstations for better security if connecting to multiple servers; and
  • Follow the advice regarding the safe operation of the Tor Browser outlined in section 7.1.

Note: A possible alternative to Tor bridges is configuring optional tunnels (VPNs etc) before (or after) connecting to Tor, but note the warnings attached where it is discussed.

Applications

  • Check that your applications have stream isolation if they are run in parallel in the same Whonix-Workstation (if not, then run them separately in different Whonix-Workstations VMs at the same time).

See: https://www.whonix.org/wiki/Stream_Isolation#List

Other

  • Keep up-to-date with Whonix, Tor Project and Qubes OS developments; and
  • Heed the warnings regarding the limitations of Whonix as an anonymity solution, particularly against global adversaries (see section 2.5).

#11

9.0 ADVANCED TOPICS AND FURTHER LINKS

9.1 Multiple Browsers, Gateways and Workstations

a) Multiple Browsers
[https://www.whonix.org/wiki/Advanced_Security_Guide#More_than_one_Tor_Browser_in_Whonix]

b) Multiple Whonix-Workstations
[https://www.whonix.org/wiki/Multiple_Whonix-Workstations]

c) Multiple Whonix-Gateways
[https://www.whonix.org/wiki/Multiple_Whonix-Workstations#Multiple_Whonix-Gateways]

d) Chaining Anonymous Gateways
[https://www.whonix.org/wiki/Advanced_Security_Guide#Chaining_Anonymizing_Gateways]

9.2 Advanced Tunneling Options

Numerous chaining configurations are possible using VPNs, SSH, I2P, JonDonym, Lantern etc.

Warning: It is unclear whether complicated chaining configurations actually improve or worsen anonymity, nor whether the use of Tor can be sufficiently disguised by this method (if that is the intention). Further, not all chaining methods provide an equal level of protection!

Carefully read the documentation and blog entry below before committing to this course of action:

[https://www.whonix.org/blog/combining-tor-vpn-proxy-can-make-less-anonymous]
[https://www.whonix.org/wiki/Hide_Tor_and_Whonix_from_your_ISP]
[https://www.whonix.org/wiki/Using_Tunnels_with_Whonix]
[https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services]

9.2.1 Connecting to a Tunnel Link Before Tor

a) VPN -> Tor
[https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor]

b) Proxy -> Tor
[https://www.whonix.org/wiki/Tunnels/Connecting_to_a_proxy_before_Tor]

c) SSH -> Tor
[https://www.whonix.org/wiki/Tunnels/Connecting_to_SSH_before_Tor]

d) JonDonym -> Tor
[https://www.whonix.org/wiki/JonDonym#Connecting_to_JonDonym_before_Tor]

e) Lantern -> Tor
[https://www.whonix.org/wiki/Lantern#Connecting_to_Lantern_before_Tor]

9.2.2 Connecting to a Tunnel Link After Tor

a) Tor -> VPN
[https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN]

b) Tor -> Proxy
[https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_proxy]

c) Tor -> SSH
[https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_SSH]

d) Tor -> I2P
[https://www.whonix.org/wiki/I2P#Connecting_to_Tor_before_I2P]

e) Tor -> JonDonym
[https://www.whonix.org/wiki/JonDonym#Connecting_to_Tor_before_JonDonym]

9.3 Other Popular Topics

a) Controlling and Monitoring Tor
[https://www.whonix.org/wiki/Tor_Controller]

b) Anonymous Chatting
[https://www.whonix.org/wiki/Chat]

c) Hosting Location Hidden Services
[https://www.whonix.org/wiki/Hosting_Location_Hidden_Services]

d) File Sharing/BitTorrent
[https://www.whonix.org/wiki/File_Sharing]

e) Anonymous Email
[https://www.whonix.org/wiki/E-Mail]

f) Anonymous Money
[https://www.whonix.org/wiki/Money]

g) VOIP
[https://www.whonix.org/wiki/VoIP]

h) Cleaning Metadata
[https://www.whonix.org/wiki/Metadata]


#12

10.0 SUPPORT

Before requesting personal support, please first search the known issues, guides, documentation, issue tracker, web, and past support requests found on the forums. In most cases, your support needs will have already been addressed.

Be aware of the Free Support Principle when requesting help:
[https://www.whonix.org/wiki/Support]

For general Qubes-related issues, use Qubes Support:

For general Whonix, Debian, Tor, etc. related issues, use Whonix Support:
[https://forums.whonix.org/c/support]

For Qubes-Whonix specific issues, use the Qubes-Whonix Forum:
[https://forums.whonix.org/c/qubes-whonix]

A list of frequently asked questions can be found here:
[https://forums.whonix.org/wiki/FAQ]


#13

11.0 CREDITS

The vast majority of the information contained in this guide has been sourced from Whonix documentation:

[https://www.whonix.org/wiki/Documentation]

A big thank you to the many anonymous contributors, the Whonix development team, and lead developer Patrick Schleizer for collating this information and placing it in the public domain.

Additional material has been sourced from the Tor Project and Qubes OS websites:

https://torproject.org


#14

Good day,

I have to say that I am quite impressed. Great effort and incredibly detailed.

Have a nice day,

Ego


#15

What a tremendous amount of work! Congratulations!

When I imagined a Quick-Start Guide, I envisioned something tailored to a “prototypical journalist” accustomed to using a Windows PC for basic office and communications tasks: web browsing, email, chatting, video conference, word processing, spreadsheets. In other words, unfamiliar with Linux, Virtualization, and Anonymity Software. The guide would allow this journalist to communicate with a source securely while allowing the source to preserve their anonymity. The journalist might be under deadline pressure, and/or not be interested in achieving anything more than a reasonably secure setup.

I think your Guide does a good job of sticking to the important topics. The final version will appear much shorter since it will fork after choice of virtualizer and hide non-applicable info. I would suggest cutting out the sections on Stream Isolation & Physical Isolation. The proper place to mention (or link to) Stream Isolation is in the section “Install Other Software” since any user that confines themselves to the pre-installed programs will be stream isolated by default. Physical Isolation has been unsupported for quite some time and is difficult to troubleshoot remotely - especially if the user is new to Linux.

I think the most important section of this guide (in terms of UX) would have to be the section devoted to Host & Virtualizer choice. This needs to be worded very carefully. Despite all of our long-held criticisms of Windows, that OS is for many the only computer experience they have ever had. I think for a guide like this we need to leave open the possibility of using Windows. Obviously it’s important to state limitations / warnings regarding use of Windows but at the same time, the goal is not to scare the crap out of a potential user (not necessarily anyway).

To that end, I would approach the decision along these lines:

  1. If you have the resources to dedicate a separate hardware system for Whonix-only use, that is highly recommended. If you are comfortable or willing to learn to use Linux, both Whonix-Qubes and Whonix-KVM are under active development and are considered relatively secure. Windows and Mac users have the option of using VirtualBox to run Whonix as long as they are mindful of the following precautions [link]. [Note: no idea how to present Qubes vs KVM decision.]

  2. If you require using your existing system to run Whonix, please regard these Warnings [link] before proceeding. Linux users have the option to use KVM or VirtualBox as their virtualization platform. [Insert decision criteria.] Windows and Mac users can use VirtualBox to run Whonix, as long as they are comfortable with the following additional Warnings [link].

[I don’t think you need to mention QEMU, VMWare, ArchLinux. Again, my recommendations are for a Guide written to MY specs. Those are some high-level suggestions - will drill down as guide progresses.]

Great job!


#16

An incredible amount of work.

I fear you unfortunately misinterpreted the goal I tried to formulate in
https://forums.whonix.org/t/splitting-whonix-documentation-into-a-short-and-long-edition-for-better-usability.

In essence, this single page https://www.whonix.org/wiki/Documentation is a mess currently. Too big. It should be replaced by a shorter version. The goal was just a shorter, better table of contents. Not to rewrite the existing documentation pages.

A quick-start guide can be useful, but at its current length and detail it’s not really quick start. Quite expert, detailed.

Please do not take this as discouragement. There is a huge amount of improved documentation that should be merged. Such as “What is Whonix”, “Should I use Whonix”, “Whonix Advantages and Disadvantages” and a lot more I have not read yet.

Such a huge amount of suggestions is difficult to handle in one thread.

Can you please suggest all your suggestions step by step into Whonix wiki? Why not let’s start with “Whonix Advantages and Disadvantages”. Looks like that belongs to https://www.whonix.org/wiki/Features? Looks like you got better wording, additions and what not.

For non-controversial changes, just edit the wiki. For other stuff, open new forum threads.


  • Leave out physical isolation.
  • Leave out KVM. The decision VirtualBox vs KVM is impossible to make and the current length of the KVM instructions and difficulty makes that geek-only.
  • Keep Qubes. Although that adds confusion and most Qubes users would learn about Whonix through other means, Qubes is sponsoring most of my development time. So it cannot be left out.

More points to leave out to make it shorter:

  • AppArmor

Some more but that should be enough for now.


#17

@Patrick @Ego @entr0py

Thanks!

No problem - this material can easily be shortened in the coming weeks based on your feedback. It is easier to reduce drafts in size, rather than the other way around. I’ll do that in another thread.

I have to find some time to do that, but I hope the work can be finished relatively soon, so it might be okay for publishing when the new website is ready to go.