File Transfer
This page describes copying files into and out of Whonix Virtual Machines.
If you are interested in installation of Whonix on USB, see Whonix on USB.
If you are interested in sharing files with others, see File Sharing.
Qubes-Whonix
Qubes-Whonix™ users can utilize the usual Qubes capabilities. Please refer to Qubes' copying files documentation for further instructions.
Non-Qubes-Whonix
Non-Qubes-Whonix™ means all Whonix platforms except Qubes-Whonix™. This includes Whonix KVM, Whonix VirtualBox and Whonix Physical Isolation.
Security Overview
Table: File Transfer Security Overview
Method | Security Considerations |
---|---|
All methods | |
Adding Host-Only Networking adapter to Whonix-Workstation | This method is unrecommended. For further details, see: Adding a Host-Only Networking Adapter to Whonix-Workstation™ / SSH into Whonix-Workstation™. |
ISO Images | |
Mounting Virtual Machine images | This method is unrecommended: |
Shared Folder | This method is currently recommended. |
SSH | |
USB devices plugged into VirtualBox | This method is unrecommended for several reasons: |
Transfer Files via ISO Images
This section describes how to transfer files from the host into Whonix-Gateway or Whonix-Workstation via ISO images.
Linux Host
Brasero
Brasero is: [1]
...a free and open-source disc-burning program for Unix-like operating systems, it serves as a graphical front-end (using GTK) to cdrtools, cdrskin, growisofs, and (optionally) libburn.
- Follow the same procedure for burning a data disk with Brasero; see here and here for instructions.
- Select the option to create an ISO.
- Navigate to the following area: Virtual machine window menu → Devices → CD/DVD devices → Choose a virtual disk.
Command line
genisoimage is a command-line tool for creating ISO filesystem images from the terminal.
1. Install genisoimage.
sudo apt install genisoimage
2. Create an ISO "files.iso" containing the content of "folder".
Replace files.iso and /path/to/folder with the preferred ISO name and suitable path to the folder content.
genisoimage -o files.iso /path/to/folder
3. Mount the newly created ISO.
Use the VirtualBox GUI to attach the newly created ISO to the VM's virtual CD/DVD drive.
4. Create the /media/cdrom folder inside Whonix-Workstation.
sudo mkdir -p /media/cdrom
5. Attach/mount the ISO to the VM.
sudo mount /dev/sr0 /media/cdrom
6. Navigate into the folder.
cd /media/cdrom
7. Review the files.
dir
This procedure is intentionally one-way as the Whonix-Workstation is inherently untrusted. This way it remains isolated to prevent side-channel attacks and covert channel leaks.
KVM
See KVM: Shared Folders.
VirtualBox
This method works when Whonix is able to start normally. If Whonix does not start properly, then another option like Mount Disk Image is required. Refer to the VirtualBox Shared Folder entry for further details.
Mount Disk Image
The following steps are all performed inside the host operating system.
New
This method is not specific to Whonix. Use vboximg-mount as per the upstream documentation: https://www.virtualbox.org/manual/ch05.html#vboximg-mount
Old
This method may no longer be needed. Try the method above first.
1. Shut down any running Whonix virtual machines.
- It is recommended to back-up data to avoid any potential data loss.
- Never run the Whonix VM that is currently mounted because that can lead to data loss. Always unmount first.
2. Update the package lists.
sudo apt update
3. Install qemu.
sudo apt install qemu
4. Load the Network Block Device kernel module.
sudo modprobe nbd max_part=16
5. Attach the disk image (.vmdk) to one of the newly created network block devices.
The example below uses Whonix-ws.vmdk. This is stored in the default place created by VirtualBox for VMs: /home/user/VirtualBox VMs.
sudo qemu-nbd -c /dev/nbd0 '/home/user/VirtualBox VMs/Whonix-Workstation/Whonix-Workstation-17.2.3.7-disk1.vmdk'
6. Create a mount point.
For example.
sudo mkdir -p /mnt/workstation
A partition manager like cfdisk could be run on the block device, but it is more likely you will want to mount an individual partition.
sudo mount /dev/nbd0p1 /mnt/workstation
The procedure is complete. The Whonix-Workstation partition is now mounted and visible under /mnt/workstation.
7. Unmount everything when finished.
sudo umount /mnt/workstation
sudo qemu-nbd -d /dev/nbd0
After unmounting, the Whonix VM can be safely restarted.
Transfer Files via a VDI File
This section describes how to transfer files from one Whonix-Workstation to a different Whonix-Workstation via a VDI file.
Linux
The procedure below is one of the more convenient solutions for copying work from one Whonix-Workstation to another.
- The virtual machine that will be edited needs to be powered off.
- In VirtualBox: Click on "Settings" for the Whonix Workstation that you wish to copy files from → click on "Storage". Select "Storage" settings → click on the square with a + sign → select "add hard disk" (located next to the "Controller: Whonix" entry).
- In the next window that appears, click on "create new disk".
- When prompted: Choose a "hard drive file type" → select "VDI".
- When prompted: Choose "storage on physical hard drive" → select "dynamically allocated".
- In the next window: Type "WhonixTransferBackup" for the drive name → choose the needed storage capacity. In many cases, the default "8.00 GB" will be enough.
- After returning to the "Settings" window, click the "OK" button.
- Start the Whonix Workstation that you wish to transfer files from. After reaching the desktop, open a Terminal/Konsole session.
- Format the newly created drive: sudo fdisk /dev/sdb
- At the command prompt: Type "n" to create a new partition → press "enter" to choose the default options when prompted until returned to fdisk's main menu → type "w" to write the partition and exit fdisk.
- In the terminal session, type: sudo mkfs.ext4 /dev/sdb1
- Create a new directory to be the mount point for the drive: mkdir temp
- Mount the new drive: sudo mount /dev/sdb1 temp
- Change the permissions of the mount folder so it is possible to write to the drive: sudo chmod 777 temp
- Copy selected files to the new drive by copying them to the "temp" folder. This is possible in the terminal, with the file browser and so on. Once all files have been copied to the "temp" folder, shut down the Whonix Workstation.
- After the Whonix Workstation has closed, open the "Virtual Media Manager" in VirtualBox: Click on "File → Virtual Media Manager". Locate the new VDI file created in steps 2-8 → click on it → click the "copy" button → click the "next" button.
- When prompted to choose a "hard drive file type," select "VDI".
- When prompted to choose "storage on physical hard drive," select "dynamically allocated".
- In the next window: type "WhonixWorkstationFileTransfer" for the drive name → choose a folder to store the VDI file → click on the "copy" button. [4]
- After returning to the "Virtual Media Manager" window, click the "close" button.
- In the main VirtualBox window: Click the Whonix Workstation version that you want to copy the files into → click "settings". Navigate to the "storage" section → click on the square with a + sign → select "add hard disk" (located next to the "Controller: Whonix" entry).
- In the next window: Click on "choose existing disk" → find the saved "WhonixWorkstationFileTransfer.vdi" file and select it.
- After returning to the "settings" window, click "OK."
- Start the Whonix Workstation that you wish to copy your files into. After reaching the desktop, open a Terminal/Konsole session.
- Create a new directory to be the mount point for the drive: mkdir temp
- Mount the new drive: sudo mount /dev/sdb1 temp
- Finally, copy selected files into the Whonix Workstation. When copying is finished, shut down the Whonix Workstation and delete the temporary "file transfer" VDI files through Virtual Media Manager.
Related forum topic:
How to tranfer data to Whonix 8
Windows
Refer to the following forum topic: Virtualbox: Transfer files from Whonix to host with disk images.
Add a USB Device to VirtualBox
By default, Oracle VirtualBox only supports USB 1.1. Additional, closed source extension packs exist for better USB support such as versions 2.0 and 3.0; they can be downloaded from the VirtualBox download page. Note that improved USB support does not require VirtualBox Guest Additions. It is unclear whether a reboot is required after installation of the extension pack(s); refer to the official VirtualBox documentation for additional information:
Since Whonix is based on Debian, any additional research that is required can utilize search terms like "How to get USB in Linux VirtualBox?". See also: Self Support First Policy.
1. Adjust the Linux user group.
For Linux hosts, the user that is running VirtualBox must be a member of the Linux user group vboxusers. [6] To add the current user to group vboxusers, run.
sudo adduser $(whoami) vboxusers
2. Reboot.
A reboot or re-login is required.
3. Plug in the USB device.
USB devices are plugged into Virtual Machines through the device menu in VirtualBox.
4. Mount the USB device.
Automount of USB devices is disabled in Whonix by default. To mount the device, try: Start menu → System Settings → Removable Media or manually mount the device.
Failures or successes can also be shared in a new forum discussion.
5. Optional: Install the ntfs-3g package.
If the USB device is formatted with NTFS, it is necessary to install the ntfs-3g driver package and run a special mount command, see: Can’t enable USB Drive in VirtualBox – troubleshooting help needed.
SSH into Whonix-Gateway
These instructions assume a connection from a local host into Whonix, not SSH to a remotely running Whonix instance.
1. Adjust Whonix-Gateway firewall settings.
Modify Whonix-Gateway™ User Firewall Settings.
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix™, complete these steps.
In the Whonix-Gateway App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway App Qube (commonly called sys-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → User Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-gateway-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Gateway, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Gateway, complete these steps.
In Whonix-Gateway, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
2. Add.
GATEWAY_ALLOW_INCOMING_SSH=1
3. Restart the firewall.
Reload Whonix-Gateway™ Firewall.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Gateway, run.
sudo whonix_firewall
4. Install openssh-server inside Whonix-Gateway.
Make sure this is run on Whonix-Gateway! Run the command once.
sudo apt install openssh-server
5. Add port forwarding from host into the virtual machine.
Make sure this is run on the host! Run the command once.
Open a terminal. This forwards connections made on the host to 127.0.0.1:2200 to the SSH server running inside Whonix-Gateway on port 22.
VBoxManage modifyvm "Whonix-Gateway" --natpf1 "ssh",tcp,127.0.0.1,2200,,22
If it is necessary to undo this change, run.
VBoxManage modifyvm "Whonix-Gateway" --natpf1 delete "ssh"
To verify the change, run.
VBoxManage showvminfo "Whonix-Gateway"
Search for lines beginning with NIC. For example:
NIC 1 Rule(0): name = ssh, protocol = tcp, host ip = 127.0.0.1, host port = 2222, guest ip = 127.0.0.1, guest port = 22
6. Open an SSH session on the host.
Make sure this is run on the host!
As user.
ssh user@127.0.0.1 -p 2200
Or as root.
ssh root@127.0.0.1 -p 2200
7. Create a folder which will be used to mount the image.
Perform this step on the host or mount Whonix-Gateway as a folder.
This folder must exist before trying to mount.
mkdir ~/mountgateway
8. Mount the folder.
Make sure this is run on the host!
As user.
sshfs user@127.0.0.1:/ -p 2200 ~/mountgateway
Or as root.
sshfs root@127.0.0.1:/ -p 2200 ~/mountgateway
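The port-forwarding rule in step 5 binds the host side to 127.0.0.1, so only processes on the host itself can reach the gateway's SSH server. As an added example (not part of the Whonix documentation), the function below reads the NIC rule lines printed by VBoxManage showvminfo and flags any rule whose host IP is not a loopback address. The sample rules, including the rule named web, are constructed.

```shell
#!/bin/sh
# Added example, not Whonix project code.
# Real use on the host:  VBoxManage showvminfo "Whonix-Gateway" | audit_natpf

# Reads "NIC n Rule(m): name = ..., host ip = ..., ..." lines on stdin.
# Prints one verdict per rule; returns 1 if any rule is not loopback-only.
audit_natpf() {
    awk '
    /^NIC [0-9]+ Rule\([0-9]+\):/ {
        name = ""; hip = ""; hport = ""; gport = ""
        sub(/^NIC [0-9]+ Rule\([0-9]+\):[ \t]*/, "")
        n = split($0, kv, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            k = substr(kv[i], 1, eq - 1); v = substr(kv[i], eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "name") name = v
            if (k == "host ip") hip = v
            if (k == "host port") hport = v
            if (k == "guest port") gport = v
        }
        # An empty host ip means VirtualBox listens on every host interface.
        if (hip ~ /^127\./ || hip == "::1") verdict = "OK"
        else { verdict = "EXPOSED"; bad = 1 }
        printf "%s %s host=%s:%s guest_port=%s\n", verdict, name, (hip == "" ? "*" : hip), hport, gport
    }
    END { exit bad }
    '
}

# Constructed sample input: one loopback-only rule, one bound to all interfaces.
sample_rules() {
    cat <<'EOF'
NIC 1:           MAC: 080027000000, Attachment: NAT
NIC 1 Rule(0):   name = ssh, protocol = tcp, host ip = 127.0.0.1, host port = 2200, guest ip = , guest port = 22
NIC 1 Rule(1):   name = web, protocol = tcp, host ip = , host port = 8080, guest ip = , guest port = 80
EOF
}
```

A rule reported as EXPOSED can be removed with the VBoxManage modifyvm ... --natpf1 delete command shown in step 5 and re-added with 127.0.0.1 as the host IP.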
SSH into Whonix-Workstation
Introduction
These instructions assume a connection from a local host into Whonix, not SSH to a remotely running Whonix instance. The connection formed will look like this: host → SSH → Whonix-Gateway → SSH → Whonix-Workstation.
It is not possible to directly SSH into Whonix-Workstation because it only has an internal network interface and no NAT interface. Adding a NAT interface would defeat the purpose of Whonix.
Prerequisite
Do not attempt this procedure before mastering the steps in SSH into Whonix-Gateway.
Firewall
1. Adjust Whonix-Workstation firewall settings.
Modify Whonix-Workstation™ User Firewall Settings
Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix™, complete these steps.
In the Whonix-Workstation App Qube, make sure the folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly called anon-whonix) → Whonix User Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-workstation-17 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation, complete these steps.
In Whonix-Workstation, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add the necessary port.
Replace 80 with the actual port that should be opened.
EXTERNAL_OPEN_PORTS+=" 80 "
Save.
3. Reload Whonix-Workstation™ Firewall.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation App Qube (commonly named anon-whonix) → Reload Whonix Firewall
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu → Applications → System → Reload Whonix Firewall
If you are using a terminal-only Whonix-Workstation, run.
sudo whonix_firewall
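GATEWAY_ALLOW_INCOMING_SSH=1 on Whonix-Gateway and EXTERNAL_OPEN_PORTS on Whonix-Workstation both open inbound access through the Whonix firewall. The following added example (not Whonix project code) reports the effective value of both settings across the whonix_firewall.d folders so they can be reviewed once a transfer is finished. It assumes that *.conf files apply in lexical order, that folders apply in the order given, that a later "=" replaces a value and that "+=" appends to it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Whonix project code.
# Real use inside the VM:
#   fw_inbound_open /etc/whonix_firewall.d /usr/local/etc/whonix_firewall.d

# usage: fw_effective DIR [DIR...]   prints NAME=value for each setting found
fw_effective() {
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            # echo guards against a file that lacks a final newline
            if [ -f "$f" ]; then cat "$f"; echo; fi
        done
    done | awk '
    function norm(s,   n, p, i, out) {       # collapse runs of whitespace
        n = split(s, p, " "); out = ""
        for (i = 1; i <= n; i++) out = out (i > 1 ? " " : "") p[i]
        return out
    }
    # Commented-out lines do not match: the name must start the line.
    /^[ \t]*(GATEWAY_ALLOW_INCOMING_SSH|EXTERNAL_OPEN_PORTS)\+?=/ {
        line = $0; sub(/^[ \t]*/, "", line)
        eq = index(line, "=")
        name = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        sub(/[ \t]+#.*$/, "", val)           # drop a trailing comment
        gsub(/["\047]/, "", val)             # drop shell quotes
        if (sub(/\+$/, "", name)) eff[name] = eff[name] " " val
        else eff[name] = val
    }
    END {
        if ("GATEWAY_ALLOW_INCOMING_SSH" in eff)
            print "GATEWAY_ALLOW_INCOMING_SSH=" norm(eff["GATEWAY_ALLOW_INCOMING_SSH"])
        if ("EXTERNAL_OPEN_PORTS" in eff)
            print "EXTERNAL_OPEN_PORTS=" norm(eff["EXTERNAL_OPEN_PORTS"])
    }'
}

# Returns 0 and prints the reason if any inbound opening is active, else 1.
fw_inbound_open() {
    fw_effective "$@" | awk -F= '
    $1 == "GATEWAY_ALLOW_INCOMING_SSH" && $2 == "1" { print "incoming SSH allowed"; hit = 1 }
    $1 == "EXTERNAL_OPEN_PORTS" && $2 != "" { print "open ports: " $2; hit = 1 }
    END { exit !hit }'
}
```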
Setup Workstation
On Whonix-Workstation, run.
sudo apt install openssh-server
Notes if using a Whonix-Custom-Workstation:
- Some Linux distributions only install the server service by default but do not enable/start it by default. In that case, it is up to the user to start the service.
- Make sure it listens not only on localhost. It must listen on the external interface (or all interfaces) too.
Setup Gateway
On Whonix-Gateway, run. [7]
Note: root@ can also be substituted for user@ or similar in the following command.
sudo -u tunnel ssh.anondist-orig root@10.152.152.11
Setup Host
Note:
- It is possible to use one command to SSH from the host into Whonix-Gateway and then SSH into Whonix-Workstation. This is called SSH hopping.
- SSH hopping is also possible for SSHFS; see here.
- The filesystem of Whonix-Workstation can also be mounted with two commands.
1. SSH from the host into Whonix-Gateway.
host → Whonix-Gateway
ssh -t user@127.0.0.1 -p 2200 "sudo -u tunnel ssh.anondist-orig user@10.152.152.11"
root@ can also be substituted in the above command.
2. Create a directory to mount Whonix-Workstation.
mkdir ~/mountworkstation
3. SSH into Whonix-Workstation and map to localhost:2222.
Whonix-Gateway → Whonix-Workstation
Perform this step on the host.
ssh -f user@127.0.0.1 -p 2200 -L 2222:10.152.152.11:22 -N
root@ can also be substituted in the above command.
4. Mount the Whonix-Workstation folder on the host.
sshfs -p 2222 user@127.0.0.1:/ ~/mountworkstation
If these instructions did not work, try the alternative standalone instructions SSHFS into Whonix-Workstation.
Usability Development Tickets
All solutions listed here are far from user friendly. Help is most welcome to improve this situation.
Please refer to existing tickets about this issue:
Footnotes
- ↑ https://en.wikipedia.org/wiki/Brasero_(software)
- ↑ sudo modprobe nbd max_part=16 is used instead of sudo modprobe nbd to avoid the following error:
  sudo qemu-nbd -c /dev/nbd0 '/home/user/VirtualBox VMs/Whonix-Workstation/Whonix-Workstation-13.0.0.1.5-disk1.vmdk'
  Failed to open /dev/nbd0: No such file or directory
  /build/qemu-XXUWBP/qemu-2.1+dfsq/nbd.c:nbd_receive_request ():L756: read failed
  This might relate to an old bug.
- ↑ https://forums.gentoo.org/viewtopic-t-822672-start-0.html
- ↑ If copying does not work, power down the old VM and attach the same VDI to the new VM.
- ↑ A malicious guest can flash the low level firmware of the USB thumb drive, turning it into an attack vehicle against any machine it is plugged into.
- ↑ Otherwise VirtualBox GUI will show no devices available.
- ↑ sudo -u tunnel is required because user user on Whonix-Gateway is not supposed to be used for (virtual) local LAN activity as per Whonix firewall.