Build Anonymity
Donate
Staying anonymous while building Whonix from source code.
Build Anonymity[edit]
This applies only if you are going to build Whonix from source, and/or redistribute Whonix, and/or use Physical Isolation. This is not a Whonix-specific problem. Most projects do not even address build anonymity. While building Whonix, software must be downloaded. It involves a unique selection of software, making it inherently non-unique. Therefore, your internet service provider (ISP) could deduce that you are building Whonix. This should not be a concern in a free country (free as per your definition) if the content of your traffic is neither observed nor logged.
Especially, but not exclusively, if you intend to redistribute Whonix, you might wish to hide the fact that you are building Whonix (i.e., maintain anonymity).
To prevent any personally identifiable or fingerprintable information from leaking from the build system into the Whonix images, it is recommended to build inside an already torified Virtual Machine. [1] [2] You can build Whonix inside an existing Whonix-Workstation™, but it can also be built on a headless server.
It is also recommended to build in an already torified Virtual Machine because it prevents leaks from the build system. Such leaks could help an attacker (with root access to the Whonix-Workstation) gather identifiable information about the build system, potentially tracing back to your identity.
Beginning with Whonix 0.4.0, grml-debootstrap and chroot are used for virtual machine image creation. The grml-debootstrap source code indicates that it copies /etc/network/interfaces and /etc/resolv.conf into the chroot. Additionally, grml-debootstrap mounts several devices (/dev, /proc, etc.) inside the chroot, and the Whonix chroot mounts some devices later. This is why it is recommended to build inside an already torified virtual machine.
Building from source code also leaves local traces on the disk, such as the source code itself and build dependencies. If this is a concern, it can be more easily disposed of when contained within a Virtual Machine.
While it is possible to build directly on the host and torify all connections the scripts make, it is unclear what other grml-debootstrap/chroot-related leaks might occur.
It is a known issue that build anonymity requires building inside a VM.
VirtualBox inside VirtualBox[edit]
corridor-Gateway[edit]
corridor, a Tor traffic whitelisting gateway
might be useful. See also discussion on the tor-talk mailing list.
Footnotes[edit]
- ↑ Yes, this creates a bootstrap, chicken-or-egg problem. To solve it, you can either download existing Whonix binary builds or, if you prefer to build from source, create a minimal torified machine yourself first while routing all network traffic through Tor.
- ↑
Whonix’s build process attempts to avoid leaking anything (such as
/etc/resolv.conf) from the host system into the VM image. Such a leak would also be a bug hindering the implementation of reproducible builds. However, in software, nothing can be guaranteed with absolute certainty. Using a VM minimizes this risk.
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!