Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Is Whonix trustworthy? Is there a backdoor in Whonix? How does Whonix protect itself from backdoors?

Trust Documentation[edit]

Trusting Tor[edit]

Whonix anonymity is based on Tor, which is developed by The Tor Project. Tor is a mature anonymity network with a substantial user base, and it has developed a solid reputation after around two decades of development. Tor's distributed trust model makes it difficult for any single entity to capture a user's traffic and identify them on a consistent basis.

Tor and its general development are subject to heavy public scrutiny by academics, security professionals and a host of developers. ^[1] For example, there is a body of Tor research related to potential attack vectors on onion routing and the adequacy of current defenses, and the source code has undergone several external audits. Like any software project, numerous security issues have been identified and resolved over the years, but a purposeful backdoor has never been discovered. ^[2] Theories about deliberate backdoors in Tor are considered highly speculative and lacking any credible basis.

Trusting Whonix[edit]

In one sense, Whonix is the simple union of Debian and Tor and a mechanism to glue them together. If a user already trusts Debian and The Tor Project, then a method for assessing Whonix trustworthiness is also necessary.

The Whonix project was founded on 11 January, 2012. It previously existed under different project names, including TorBOX and aos. As mentioned earlier, Whonix is Freedom Software which makes the source code available for inspection. In the main, Whonix is comprised of specifications for which Debian software packages should be installed and their appropriate configuration. See also this list of notable reviews and feedback about the security of Whonix.

With a relatively small development team and estimated user base, the "many eyeballs" theory may work against Whonix at present. However, the source code is comparably small and devoid of complexities, meaning the project is in relatively good shape compared to many other similar projects. Interested readers can learn more about the Whonix specification and design here. ^[3]

With these factors in mind, the reader can now make an informed decision about the trustworthiness of Whonix.

Whonix Warrant Canary[edit]

The Whonix warrant canary is intended to provide a mean of communication to users in the event Whonix is served with a secret subpoena, despite legal prohibitions on revealing its existence. For any canary in force, once the signature of the canary file is verified with OpenPGP and/or signify, this confirms that no warrants have been served on the Whonix project.

Note: the canary date of issue is represented by the gpg signature date. A new canary should be released within 4 weeks. ^[4]

The canary and signature are available here:

• Canary text file: canary.txt
• OpenPGP signature: canary.txt.asc
• signify signature: canary.txt.sig

As a backup, the canary and signature are also available on github: ^[5]

• https://github.com/Whonix/canary

Readers are reminded this canary scheme is not infallible. The canary declaration is provided without any guarantee or warranty, and it is not legally binding upon any parties in any form. The signer should never be held legally responsible for any statements made in the canary.

Related:

• Forum Discussion
• Dev/Warrant Canary Draft

Trusting the Download Location[edit]

Binary images can be trusted to some extent if a user verifies that they received exactly the same code as thousands of other users, and no one has found or publicly reported any serious security issues. This requires verification of the Whonix-Workstation^™ and Whonix-Gateway^™ images using the available OpenPGP signatures. ^[6] All source code tags for releases are OpenPGP-signed by lead Whonix developer Patrick Schleizer.

In order of increasing security, the Whonix images can be:

1. Downloaded via https://www.whonix.org. TLS provides some trust and integrity of the hash file, but it is still advisable to check the site's certificate and perform digital software signature verification (instructions).
2. Downloaded over the Whonix v3 onion address with Tor Browser before digital software signature verification. Onion addresses provide a higher standard of authentication than clearnet addresses.
3. Built from source since it is a relatively easy procedure. ^[7]

Trusting Whonix Images[edit]

Table: Maintainer Overview - Platform, Source Code, Binary Images, Permissions

Since Whonix is based on Debian, Debian releases package upgrades. See also: Trusting Debian GNU/Linux.

Trusting Tor Browser[edit]

Tor Browser:

• Developed by The Tor Project (TPO).
• Pre-installed inside Whonix-Workstation. ^[9]
• On the Whonix Intel / amd64 architecture:
  • Tor Browser Internal Updater downloads Tor Browser which is built by TPO from the TPO website.
  • Tor Browser Downloader by Whonix downloads from the TPO website.
• On the Whonix arm64 architecture:
  • Links / status on arm64 architecture support generally: Dev/Porting
  • Tor Browser Internal Updater is unavailable?
  • Tor Browser Downloader by Whonix downloads an unofficial build on sourceforge.
  • Forum discussion: ARM64 Tor Browser Maintainer

Verifiable Builds[edit]

Verifiable .ova Releases[edit]

Whonix previously had a feature which allows the community to check that Whonix .ova ^[10] releases are verifiably created from the project's own source code - verifiable builds. ^[11] This only proves that the person and machine ^[12] building Whonix have not added anything malicious, such as a backdoor. ^[13] It does not prove there are no backdoors present in Debian. This is not possible, because neither Debian ^[14] nor any other operating system provides deterministic builds yet. ^[15]

This feature does not attempt to prove there are not any vulnerabilities present ^[16] in Whonix or Debian. Fatal outcomes are still possible via a remotely exploitable ^[17] bug in Whonix or Debian, a flaw in Whonix's firewall which leaks traffic, or code phoning home ^[18] the contents of the HDD/SSD. Community effort is a precondition to improved security with this feature, particularly auditing of Whonix and Debian source code to check for possible backdoors and vulnerabilities.

In summary, this feature is useful and potentially improves security, but it is not a magical solution for all computer security and trust issues. The following table helps to explain what this feature can achieve.

Table: Verifiable Builds Comparison

	Whonix	Tails	Tor Browser	Qubes OS TorVM	corridor
Deterministic builds [19]	No	No (planned) [20]	Yes [21]	No	Not applicable [22]
Based on a deterministically built [19] operating system	No [23]	No [23]	Not applicable	No [23]	No [23]
Verifiably no backdoor in the project's own source code	Invalid [24]	Invalid [24]	Invalid [24]	Invalid [24]	Invalid [24]
Verifiably vulnerability-free	No [25]	No [25]	No [25]	No [25]	No [25]
Verifiably no hidden source code [26] in upstream distribution / binaries [27]	No [28]	No [28]	No [28]	No [28]	No [28]
Project's binary builds are verifiably created from project's own source code (no hidden source code [26] in the project's own source code)	No (deprecated) [29]	No	Yes	No	Not applicable [22]

Some readers might be curious why Whonix was previously verifiable, while Debian and other distributions are not. In short, this is because Whonix is uncomplicated by comparison. In simple terms, Whonix is a collection of configuration files and scripts, and the source code does not contain any compiled code and so on. In contrast, Debian is a full operating system, without which Whonix would not exist. ^[30]

This feature was first made available in Whonix 8. Only users who download a new image can profit from this feature. ^[31] It is not possible to audit versions older than Whonix 8 with this script. ^[32]

This is only an an introduction to this topic; see Verifiable Builds for full details.

Verifiable Whonix Debian Packages[edit]

This has been deprecated because it is difficult to implement before the experimental, Debian reproducible toolchain is merged into the stable release. ^[33] For full details on this topic, see Verifiable Whonix Debian Packages.

Whonix Updates[edit]

Introduction[edit]

An optional updater has been available in Whonix since version 6 of the platform. ^[34] When it comes to trust, there is a large difference between building Whonix from source code and using the Default-Download-Version.

APT Repository and Binary Builds Trust[edit]

When Whonix is built from source code using the build script and the source code is audited by the builder to be non-malicious and reasonably bug-free, Whonix developers are unable to access the system. On the other hand, if Whonix APT repository is enabled, developers holding a Whonix repository signing key could release a malicious update to gain full access to the machine(s). ^[35]

Even if the Whonix APT repository is not used with the Default-Download version, it is still theoretically possible for Whonix developers to sneak a backdoor into the binary builds which are available for download. ^[36] Although an unpleasant threat, using Whonix APT repository poses a greater risk: a malicious Whonix developer might sneak in a backdoor at any time.

It is easier to sneak backdoors into binary builds, since they contain compiled code in binary packages which are downloaded from the Debian repository when built.

APT Repository Default Settings[edit]

Non-Qubes-Whonix:

• Building from source code: Whonix APT Repository is disabled by default. ^[37]
• Default binary download: Whonix APT Repository is enabled by default.

Qubes-Whonix:

• Qubes/Install: Whonix APT Repository is enabled by default.
• Building from source code: Whonix APT Repository is enabled by default. ^[38]

Most users will have the Whonix APT repository enabled. This means when updated Whonix debian packages are uploaded to the Whonix APT repository, these packages will be automatically installed when the system is upgraded. ^[39] If this behavior is unwanted, this can be disabled. Refer to the previous section outlining security implications before proceeding.

Security Conclusion[edit]

Legend:

• *: poor security.
• ****: best security.

Table: Build and APT Repository Security Comparison

In summary:

• The Whonix binary download using the Whonix APT repository is the most convenient method, but also the least secure.
• It is somewhat safer to use the Whonix binary download and then disable the Whonix APT repository. However, the user must then manually download updated Whonix deb packages upon release, and independently verify and install them.
• The greatest security comes from building Whonix and updated packages from source code, particularly if the source code is verified before building Whonix.

Appendix[edit]

What Digital Signatures Prove[edit]

• Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
• Optional, not required: Digital signatures are optional and not mandatory for using Whonix, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
• Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

See Verifying Software Signatures for details on what digital signatures prove.

In short, a user must be careful to ensure the public keys that are used for signature verification are the Whonix key pair belonging to the Whonix developer of the component specific component. At time of writing there are two different components and signing keys.

• Whonix Main, VirtualBox, KVM, APT Repository and Source Code Signing Key

Footnotes[edit]

License[edit]

Whonix Trust wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Trust wiki page Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos(at)whonix.org (Replace (at) with @.)Please DO NOT use e-mail for one of the following reasons: Private Contact: Please avoid e-mail whenever possible. (Private Communications Policy) User Support Questions: No. (See Support.) Leaks Submissions: No. (No Leaks Policy) Sponsored posts: No. Paid links: No. SEO reviews: No. >

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!