Post-installation Security Advice


This page provides security advice: steps that can be applied after installing Whonix for better security.

Introduction

Whonix comes with many security features. Whonix is Kicksecure hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

On Whonix-Gateway and Whonix-Workstation

Increase Virtual Machine RAM

Qubes-Whonix users can skip this section. [1]

  • Whonix-Workstation: No changes are necessary for most users.
  • Whonix-Gateway: If enough host RAM is available, ideally the virtual RAM setting of Whonix-Gateway should be increased to 2048 MB RAM. [2] If it is infeasible to increase the virtual RAM setting, Whonix-Gateway will still function properly. [3]

If it is unknown how much RAM is available, follow these steps on the host: [4] [5] [6]

  • Windows 10: Task Manager in More details view → Click/tap on the Performance tab → Click/tap on Memory; or Open a command prompt → Run wmic MemoryChip get /format:list
  • macOS: Apple menu → About This Mac
  • Linux: Open a terminal → Run free -h [7]

Related:

VirtualBox

  1. To add RAM in VirtualBox the VM must first be powered down.
  2. Virtual machine → Menu → Settings → Adjust Memory slider → Hit: OK

KVM

1. Shut down the virtual machine(s).

virsh -c qemu:///system shutdown <vm_name>

2. Increase the maximum memory.

virsh setmaxmem <vm_name> <memsize> --config

3. Set the actual memory.

virsh setmem <vm_name> <memsize> --config

4. Restart the virtual machine(s).

virsh -c qemu:///system start <vm_name>
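
The four steps above as one script, added here as an example (not part of the Whonix documentation): it waits until the guest is really shut off before changing memory and restarting, and converts megabytes to the KiB that virsh assumes for a bare <memsize>. Using the qemu:///system URI on every step, the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Whonix project code). Assumes the guest runs under
# qemu:///system; the domain name is supplied by the caller.
URI="qemu:///system"

# virsh setmem/setmaxmem read a bare number as KiB, so convert from MiB.
mib_to_kib() {
    echo $(( $1 * 1024 ))
}

# Run a virsh subcommand, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "virsh -c $URI $*"
    else
        virsh -c "$URI" "$@"
    fi
}

# `virsh shutdown` only requests a shutdown and returns immediately;
# poll domstate until the guest is really off (about 120 s at most).
wait_shut_off() {
    if [ "${DRY_RUN:-0}" = "1" ]; then return 0; fi
    i=0
    while [ "$i" -lt 60 ]; do
        if [ "$(virsh -c "$URI" domstate "$1")" = "shut off" ]; then return 0; fi
        sleep 2
        i=$((i + 1))
    done
    echo "timeout: $1 is still running" >&2
    return 1
}

# Steps 1-4 from the page, with <memsize> given in MiB.
resize_vm_ram() {
    vm=$1
    kib=$(mib_to_kib "$2")
    run shutdown "$vm" || true   # fails harmlessly if already shut off
    wait_shut_off "$vm" || return 1
    run setmaxmem "$vm" "$kib" --config &&
        run setmem "$vm" "$kib" --config &&
        run start "$vm"
}

# Usage: sh resize-ram.sh <vm_name> <MiB>
if [ "$#" -eq 2 ]; then
    resize_vm_ram "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to review the exact virsh commands; the domain name to pass is the one shown by virsh -c qemu:///system list --all.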

Change Keyboard Layout

Qubes-Whonix users can skip this section. [8]

If you are using a keyboard layout other than qwerty (US), consider changing the keyboard layout. Refer to the dedicated Keyboard Layout entry for further details.

Test Keyboard Layout

Qubes-Whonix users can skip this section.

  • Start menu → Accessories → Mousepad; or
  • Open file ~/testfile in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run: mousepad ~/testfile

If you are using a terminal, run: nano ~/testfile

Try typing the words user, changeme and qwerty. Try typing further words to ensure the desired keyboard layout is functional.

Change Password

Instead of "Kicksecure: Perform these steps inside Kicksecure.", the user should apply the instructions inside Whonix-Workstation.

Instead of "Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-17 Template.", the user should apply the instructions inside whonix-workstation-17 Template.

Security Updates

Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.

Network Time Syncing

This is a short summary of the Network Time Synchronization wiki page which is recommended reading.

1. Timezone information.

Warning: The system clock inside Whonix is set to UTC to protect against timezone leaks. This means it may be a few hours ahead of or behind the user's host system clock. It is strongly recommended not to change this setting.

2. Check the host clock is reasonably accurate.

A reasonably accurate host clock is required for many general security properties because an inaccurate clock can lead to:

Therefore, ensure at all times that the host clock is accurate to within ± 30 minutes.

3. Avoid pause / suspend / save / hibernate functions.

In simple terms, most users should avoid the pause / suspend / save / hibernate features. Although their use is discouraged, see Network Time Synchronization for further details on when this is possible.

Better Security

This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Time Attacks and Network Time Synchronization page.

Appendix

How do I Check the Current Whonix Version?

See /etc/*_version.

Open a terminal.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Xfce Terminal

If you are using a graphical Whonix with Xfce, complete the following steps.

Start Menu → Xfce Terminal

Run:

cat /etc/*_version

The output should look like this.

12.1
17

The first line shows the major and minor version of Debian. The second line shows the version of the derivative (Whonix).

Footnotes

  1. Qubes has dynamic RAM assignment.
  2. This provides higher performance during upgrades and lowers the likelihood of issues.
  3. Although non-ideal, swap-file-creator will create an encrypted swap file and the system is configured to swap as little as possible.
  4. https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html
  5. https://vitux.com/how-to-check-installed-ram-on-debian/
  6. https://support.apple.com/en-us/HT201191
  7. This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: cat /proc/meminfo |grep MemTotal, top, and vmstat -s.
  8. By default, Qubes VMs use the same keyboard layout as Qubes dom0.
