System Hardening Checklist

From Whonix

Whonix comes with many security features. Whonix is Kicksecure hardened by default and also provides extensive documentation, including this System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.

Introduction[edit]

Info Recommendations specific to Qubes-Whonix or Non-Qubes-Whonix are marked accordingly.

It is possible to significantly harden the Whonix and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Upstream[edit]

This page will focus exclusively on aspects related to Whonix/Anonymity. For security hardening and additional insights, users should refer to the Kicksecure page.

Since Whonix is based on Kicksecure, users can also follow the Kicksecure System Hardening Checklist (links to the Kicksecure website).

Easy[edit]

Anonymous Blogging, Posting, Chat, Email and File Sharing[edit]

  • To remain anonymous, follow all the Whonix recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
    • A browser is an unsafe environment to directly write text, regardless of whether it is a forum post, email, webmail or IMAP-related reply.
      • At a minimum, users should not type into browsers with JavaScript enabled, since this opens up the keyboard biometrics deanonymization vector noted above. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.
  • Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
  • Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
  • Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
  • Utilize OnionShare to anonymously share or receive files securely over the Tor network, anonymously chat, or host anonymous websites. [1]
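The metadata item above is usually handled with a dedicated tool (mat2 or exiftool) that understands every file format. The following Python example is added here to show what such a tool does for one format; it is not Whonix code and the sample JPEG bytes are constructed, not a real photo. It walks the JPEG marker segments, reports the metadata-bearing ones (APP1 Exif/XMP, APP13 IPTC, COM comments and other APPn blocks) and writes a copy that keeps only the segments a decoder needs (JFIF APP0, Adobe APP14, tables, frame header and scan data).

```python
import struct

# JPEG marker codes used below (the byte following 0xFF).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP14 = 0xE0, 0xEE  # JFIF and Adobe headers: needed for decoding, kept


def _seg(marker, payload):
    """Encode one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _segments(data):
    """Yield (marker, start, end) for every segment before the scan data.
    SOS is yielded with end = len(data): everything after it is entropy-coded
    image data plus EOI, which is copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # optional fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment")


def _is_metadata(marker):
    """APP1 (Exif/XMP), APP2 (ICC), APP13 (IPTC/Photoshop), other APPn and COM
    carry metadata; APP0 and APP14 are decoding hints and are kept."""
    return marker == COM or (APP0 <= marker <= 0xEF and marker not in (APP0, APP14))


def list_metadata(data):
    """Names of metadata segments present, e.g. ['APP1:Exif', 'COM']."""
    found = []
    for marker, start, end in _segments(data):
        if not _is_metadata(marker):
            continue
        if marker == COM:
            found.append("COM")
            continue
        # APPn payloads start with a NUL-terminated identifier such as "Exif" or "ICC_PROFILE".
        ident = data[start + 4:end].split(b"\x00", 1)[0][:16].decode("ascii", "replace")
        found.append(f"APP{marker - APP0}:{ident}")
    return found


def strip_metadata(data):
    """Return a copy of the JPEG with all metadata segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(data):
        if not _is_metadata(marker):
            out += data[start:end]
    return bytes(out)


# Constructed sample (not a real photo): valid marker structure with a JFIF header,
# an Exif APP1 block, a comment, a quantization table, a frame header and a tiny scan.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"<constructed GPS/camera tags>")
    + _seg(COM, b"Created by CameraBrand Model X, serial 0000")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", list_metadata(cleaned), f"({len(SAMPLE_JPEG)} -> {len(cleaned)} bytes)")
```

Run `list_metadata` on a file before uploading it; an empty list means no APPn/COM segment is left. Note that this covers only container-level metadata: the sensor noise pattern mentioned in the next item lives in the pixel data itself and is not touched by any segment stripping.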

Dedicated Computer[edit]

For high security, it's best to use a dedicated, physically different computer only for the purpose of using Whonix and nothing else. For other use cases, use completely different hardware including a different screen.

This is to lower the impact of VM fingerprinting in case the VMs are ever compromised.

See also the Kicksecure page Use a Dedicated Host Operating System and Computer.

Related: VM Fingerprinting

Forum discussion: https://forums.whonix.org/t/high-opsec-recommendation/17237

File Storage Location[edit]

Mandatory Access Control[edit]

  • Enable all available AppArmor profiles in the Whonix-Workstation and Whonix-Gateway Templates.
  • Enable seccomp on Whonix-Gateway (sys-whonix ProxyVM).

Tor Browser Series and Settings[edit]

Virtual Machines[edit]

All Virtualizers[edit]

VirtualBox[edit]

Networking[edit]

Spoof MAC Addresses[edit]

Info Tip: MAC spoofing is only necessary if traveling with your laptop or PC. It is not required for home PCs that do not change locations.

Time Related[edit]

Tor Settings[edit]

Whonix VM Security[edit]

  • Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway and Whonix-Workstation.
  • Consider hardening systemcheck.
  • Consider the periodic deletion and recreation of VMs that are used for sensitive operations.
    • If a compromise of Whonix-Gateway and/or Whonix-Workstation is suspected, follow the compromise recovery instructions.

Difficult[edit]

Chaining Anonymizing Tunnels[edit]

Disposables[edit]

Info Qubes / Qubes-Whonix only.
Note: Some traces of Disposable usage and data contents will leak into the dom0 filesystem and survive reboots; see here for further information. (This is a Qubes-specific issue and unrelated to Whonix.)

Email[edit]

All Platforms[edit]

Qubes-Whonix Only[edit]

  • Use split-GPG for email to reduce the risk of theft of the keys used for encryption, decryption and signing.
  • Create an App Qube that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
  • Only open untrusted email attachments in a Disposable to prevent possible infection.

Mix Personal Tor Traffic with Own Tor Bridge or Relay[edit]

Whitelisting Tor Traffic[edit]

Expert[edit]

Physical Isolation[edit]

Info Non-Qubes-Whonix only.

Footnotes[edit]

  1. OnionShare 2.0 and higher enforce v3 onion connections. Whonix 16 is based on Debian bookworm which provides OnionShare v2.2.
  2. The reason is AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.
  3. Tor Blog:

    Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

  4. Selfrando (load-time memory randomization) protection has been removed from alpha Tor Browser Linux builds. Although Selfrando provides a security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort.
  5. The "hardened" Tor Browser series has been deprecated, see: https://gitlab.torproject.org/legacy/trac/-/issues/21912
  6. Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a native sandbox.
  7. This may affect usability and proper functioning on some websites.
  8. This is more secure, but increases the user's fingerprinting risk due to selective use of JavaScript.
  9. Take care to verify that you remain within the Tor network: 'downgrade' attacks have been observed on some sites that result in clearnet URLs being loaded in place of onion services across successive page loads.
  10. Thereby circumventing any possible future problems, like the breakage of Whonix.
  11. Bidirectional clipboard sharing is currently enabled by default in Whonix VirtualBox VMs. There are security reasons to disable clipboard sharing, for example to prevent the accidental copying of something (non-)anonymous and pasting it in its (non-)anonymous counterpart such as a browser, which would lead to identity correlation.
  12. Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host.
  13. Such as system information, host time, system uptime, and fingerprinting of devices behind a router.
  14. This prevents time-related attack vectors which rely on leakage of the host time.
  15. https://forums.whonix.org/t/tor-connectionpadding/7477
  16. Via creation of a new Whonix-Gateway (sys-whonix).
  17. For example, Whonix users residing in China.
  18. This is useful when testing later Whonix releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
  19. This is safe in the stable Qubes R4 release, but privacy issues were unresolved in Qubes R3.2 (now unsupported).
  20. Users can configure sys-net, sys-firewall and sys-usb as static Disposables. This option has been available from Qubes R4 onward.
  21. Reminder: The Subject: line and other header fields are not encrypted in the current configuration.
  22. The reason is adversaries observing traffic will need to perform classification of both traffic generated by the Tor relay or bridge and your personal client traffic.
  23. This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix bugs, but does not address potential Qubes ProxyVM leaks.
  24. https://github.com/rustybird/corridor
  25. Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than Qubes' approach (software compartmentalization).
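Footnotes 1 and 9 touch the same check from two sides: OnionShare enforces v3 onion addresses, and the 'downgrade' attacks in footnote 9 move a session from an onion service to a clearnet host. The Python example below is added here and is not Whonix or Tor Project code; it derives and validates v3 onion hostnames exactly as the Tor rend-spec-v3 defines them (base32 of pubkey, 2-byte SHA3-256 checksum and version byte 3) and then walks a list of loaded URLs to flag any load that left .onion space or used a non-v3 onion name. The sample key and session are constructed and point at no real service.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

ONION_V3_LABEL_LEN = 56  # base32 of 32-byte key + 2-byte checksum + 1-byte version


def onion_v3_address(pubkey):
    """Derive the v3 onion hostname from a 32-byte ed25519 public key
    (rend-spec-v3: base32(PUBKEY || CHECKSUM || VERSION), VERSION = 0x03,
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2])."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(host):
    """True only for a well-formed v3 onion address whose checksum matches.
    Legacy v2 names (16 characters) and typos fail this check."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")].rsplit(".", 1)[-1]  # tolerate sub.<addr>.onion
    if len(label) != ONION_V3_LABEL_LEN:
        return False
    try:
        raw = base64.b32decode(label.upper())  # 56 chars decode to exactly 35 bytes
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def detect_downgrades(urls):
    """Walk the URLs a session loaded, in order, and report (a) any load that left
    .onion space after an onion service had been visited and (b) any onion host
    that is not a valid v3 address."""
    findings = []
    seen_onion = False
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(".onion"):
            seen_onion = True
            if not is_valid_onion_v3(host):
                findings.append(f"non-v3 or malformed onion host: {host}")
        elif seen_onion:
            findings.append(f"left the Tor network: {url}")
    return findings


# Constructed sample: an address derived from a dummy all-0x01 key (not a real service),
# followed by a clearnet redirect and a 16-character v2-style name.
SAMPLE_ADDRESS = onion_v3_address(b"\x01" * 32)
SAMPLE_SESSION = [
    f"http://{SAMPLE_ADDRESS}/",
    f"http://{SAMPLE_ADDRESS}/login",
    "https://example.com/login",
    "http://aaaaaaaaaaaaaaaa.onion/",
]

if __name__ == "__main__":
    for finding in detect_downgrades(SAMPLE_SESSION):
        print(finding)
```

Because the version byte is the last byte encoded, every valid v3 address ends in the character `d` before `.onion`; a single wrong character anywhere in the 56-character label changes either the checksum input or the version byte, so the check rejects it rather than silently accepting a near-miss.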
