Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Whonix comes with many security features. Whonix is Kicksecure^™ Hardened by default and also provides extensive Documentation including this System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.

Introduction[edit]

It is possible to significantly harden the Whonix and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Upstream[edit]

This page will focus exclusively on aspects related to Whonix/Anonymity. For security hardening and additional insights, users should refer to the Kicksecure page.

Easy[edit]

Anonymous Blogging, Posting, Chat, Email and File Sharing[edit]

• To remain anonymous, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
  • A browser is an unsafe environment to directly write text, regardless of whether it is a forum post, email, webmail or IMAP-related reply.
    • At a minimum users should not type into browsers with JavaScript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.
• Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
• Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
• Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
• Utilize OnionShare to anonymously share or receive files securely over the Tor network, anonymously chat, or host anonymous websites. ^[1]

Dedicated Computer[edit]

For high security, it's best to use a dedicated, physically different computer only for the purpose of using Whonix and nothing else. For other use cases, use completely different hardware including a different screen.

This is to lower the impact of fingerprinting VMs in case they get ever compromised.

Use a Dedicated Host Operating System and Computer

Related: VM Fingerprinting

Forum discussion: https://forums.whonix.org/t/high-opsec-recommendation/17237

File Storage Location[edit]

• Avoid storing files directly in the root home folder and create appropriate sub-folders instead.
• Move files downloaded by Tor Browser from the ~/Downloads folder to another specially created one. ^[2]

Mandatory Access Control[edit]

• Enable all available apparmor profiles in the Whonix-Workstation^™ and Whonix-Gateway^™ Templates.
• Enable seccomp on Whonix-Gateway (sys-whonix ProxyVM).

Tor Browser Series and Settings[edit]

• Prefer the stable Tor Browser release over the alpha series in line with Tor developer recommendations; see footnotes. ^{[3] [4] [5] [6]}
• Run the Tor Browser Security Slider in the highest position. ^[7]
• Disable Javascript by default and only allow it sparingly for trusted sites. ^[8]
• Do not configure custom NoScript (per-site) settings which persist across successive Tor Browser sessions because this aids fingerprinting.
• Use .onion services where possible to stay within the Tor network, such as defaulting searches to the DuckDuckGo onion service. ^[9]
• Use multiple Tor Browser instances or multiple Whonix-Workstation to better compartmentalize contextual identities.
• Follow all other Whonix recommendations for safe and anonymous use of Tor Browser.
• Install Tor Browser outside of Whonix so a second, working instance is always available for anonymous activities. ^[10]

Virtual Machines[edit]

All Virtualizers[edit]

• Remove the virtual audio controller to VMs from getting access to a microphone (eavesdropping risk) or speaker (profiling threat).

VirtualBox[edit]

• Remove a host of VirtualBox features to reduce the attack surface.
• Take regular, clean VM snapshots that are not used for any activities.
• Spoof the initial virtual hardware clock offset.
• Consider disabling clipboard sharing to reduce the risk of identity correlation. ^[11]
• Shared folders are discouraged because they weaken isolation between the guest and the host. ^[12]

Networking[edit]

Spoof MAC Addresses[edit]

• In Qubes-Whonix, follow these steps to spoof the MAC address on the Debian or Fedora Template used for network connections.
• In Non-Qubes-Whonix, follow these steps to spoof the MAC address of the network card on a Linux, Windows or macOS host.

Time Related[edit]

• Non-Qubes-Whonix only: Disable ICMP timestamps and TCP timestamps on the host operating system to prevent leakage of information. ^[13]
• Non-Qubes-Whonix only: Uninstall the NTP client on the host operating system and disable systemd's timdatectl NTP synchronization feature. ^[14]
• Prevent possible time leaks by blocking networking until sdwdate finishes.

Tor Settings[edit]

• Consider enabling Tor connection padding for potentially better anonymity; note it is unclear whether this provides any additional benefit (see footnote). ^[15]
• Consider installing newer Tor versions directly from The Tor Project repository.
• Avoid regenerating the Tor state file or manually rotating Tor guards ^[16] because it degrades anonymity.
• Avoid configuring non-persistent entry guards, as this severely degrades anonymity.
• Consider using Bridges if Tor is censored, dangerous or deemed suspicious in your location.
• If using a bridge, configure alternating bridges for different physical locations.
• Heavily censored users should configure a meek-azure bridge with Anon Connection Wizard. ^[17]
• To help preserve anonymity, copy Tor configuration files and settings to any new sys-whonix instance which is created. ^[18]

Whonix VM Security[edit]

• Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway and Whonix-Workstation.
• Consider hardening systemcheck.
• Consider the periodic deletion and recreation of VMs that are used for sensitive operations.
  • If a compromise of Whonix-Gateway and/or Whonix-Workstation is suspected, follow the compromise recovery instructions.

Difficult[edit]

Chaining Anonymizing Tunnels[edit]

• Avoid this course of action. The anonymity benefits are unproven and it may actually hurt a user's anonymity and security goals.
• Virtual Private Network (VPN) tunnel-links are strongly recommended against due to multiple security and anonymity risks.

Disposables[edit]

• Run all instances of Tor Browser in a Disposable which is preferably uncustomized to resist fingerprinting. ^[19]
• Configure each ServiceVM as a static Disposable to mitigate the threat from persistent malware accross VM reboots. ^[20]
• Until fully ephemeral Disposables are available by default in a future Qubes release, advanced users can consider configuring them manually:
  • Unman's guide to ephemeral Disposables creates a RAM-based storage area.
  • anywaydense's guide to ephemeral PVH Disposables encrypts data written to the disk with an ephemeral encryption key only stored in RAM.

Email[edit]

All Platforms[edit]

• Follow the Whonix recommendations to select an email provider compatible with privacy and anonymity.
• For anonymous PGP-encrypted email over Tor, use Mozilla Thunderbird. ^[21]
• For greater email or message security, consider using the OneTime application or a Physical One-time Pad for military-grade encryption.
• Follow all other email principles for greater safety.

Qubes-Whonix Only[edit]

• Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
• Create an App Qube that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
• Only open untrusted email attachments in a Disposable to prevent possible infection.

Mix Personal Tor Traffic with Own Tor Bridge or Relay[edit]

• See Host a Bridge or Tor Relay; this configuration might make adversary classification of Tor traffic more difficult. ^[22]

Whitelisting Tor Traffic[edit]

• Qubes-Whonix: Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through. ^{[23] [24]}
• Non-Qubes-Whonix or Qubes-Whonix: Use a standalone corridor as a filtering gateway.

Expert[edit]

Physical Isolation[edit]

• If additional hardware is available, consider Physical Isolation in Non-Qubes-Whonix. ^[25]

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!