Whonix adds a layer of anonymity to your business tasks
Learn why the Whonix operating system is a nice solution if your SMB is looking for a cheap layer of anonymity.
There may be times when you need to do certain tasks over the web and be assured that no one can discover the address you’re using. For instance, you might need to transmit business information, transfer files, or more securely connect to your company network when overseas. If your task requires an anonymity that standard platforms cannot offer, Whonix may be the solution for you.
Whonix uses the Tor anonymity network to help protect privacy. Tor accomplishes this by bouncing communications around a distributed network of relays run by volunteers around the world. The Tor anonymity network prevents somebody watching your Internet connection from learning what sites you visit and your IP address; it also prevents the sites you visit from learning your physical location. By using Tor, Whonix prevents traffic analysis, a form of Internet surveillance.
Features
Tor browser included
Support for messengers like Pidgin with the Jabber protocol and the OTR plugin.
Privacy friendly email client: Mozilla Thunderbird with TorBirdy
scp for secure data transfer from and to a server.
Unobserved administration of servers via SSH
Web servers: Apache, nginx, IRC servers, etc. via Hidden Services
Installing Whonix
This installation requires the use of VirtualBox. For this tutorial, I will assume you either have VirtualBox installed or know how to install this software. Because VirtualBox can be run on multiple platforms, you are not limited to what you can host this Debian-based platform on.
The first step is to download two virtual machine files: and After you download those files, open VirtualBox and prepare to import the virtual appliances. Follow these steps for both of the downloaded files:
Go to File | Import Appliance.
In the first window of the Appliance Import Wizard, click Choose.
Click Next.
Click Import in the final window (Figure A).
Figure A: Do not make changes to each entry.
After both virtual appliances are imported, go back to the VirtualBox main window (Figure B), select the Whonix-Gateway, and click Start. After that virtual machine boots, go back to the VirtualBox main window, select the Whonix-Workstation, and click Start.
Figure B: Start the Whonix-Gateway first and then the Whonix-Workstation.
You will be prompted for a login. The default credentials are:
username: user
password: changeme
Once you’re logged in, you should be able to start using Whonix.
I ran a very simple test with Whonix. I opened the Tor browser and went to the What Is My IP Address site to see what IP address was returned. The IP address provided by the site was not the IP associated with my network. Mission accomplished.
If you get a PAE error during startup (causing neither to start), here’s how to resolve it:
From the VirtualBox main window, right-click Whonix-Gateway and select Settings.
In the Settings window, click Processor and enable PAE/NX.
Click OK.
Repeat these steps for Whonix-Workstation and start both.
Once they’re up and running, you should change the user and root password on both the Whonix-Workstation and the Whonix-Gateway.
Go to the Whonix-Gateway terminal (Figure C).
Log in with the default credentials.
Issue the command sudo su to log in as the root user.
Issue the command passwd.
Enter a new password.
Confirm the new password.
Issue the command passwd user.
Figure C: The Whonix-Gateway looks like a standard Linux terminal.
You should check for security updates with the command sudo apt-get update && sudo apt-get dist-upgrade. Because Whonix is running on the Tor network, this command will take more time than you might expect.
Once Whonix is up and running, you should test the various tools it offers. Employing this platform could make for a nice, pseudo-portable security layer for your business. It might take a bit of work to get Whonix exactly how you need it, but the operating system is a nice solution if you’re looking for a cheap layer of anonymity.
Post-installation Security Advice – Whonix
Whonix™ comes with many security features. Whonix™ is Kicksecure™ security hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.
This page provides security advice, including steps that can be applied after installation of Whonix ™ for better security.
Increase Virtual Machine RAM
Whonix-Workstation™: No changes are necessary for most users.
Whonix-Gateway™: If enough host RAM is available, ideally the virtual RAM setting of Whonix-Gateway™ should be increased to 2048 MB RAM. [2] If it is infeasible to increase the virtual RAM setting, Whonix-Gateway™ will still function properly. [3]
If it is unknown how much RAM is available, follow these steps on the host: [4] [5] [6]
Windows 10: Task Manager in More details view → Click/tap on the Performance tab → Click/tap on Memory; or Open a command prompt → Run wmic MemoryChip get /format:list
macOS: Apple menu → About This Mac
Linux: Open a terminal → Run free -h [7]
Related:
Low RAM Issues
Advice for Systems with Low RAM
VirtualBox
To add RAM in VirtualBox the VM must first be powered down.
Virtual machine → Menu → Settings → Adjust Memory slider → Hit: OK
KVM
1. Shut down the virtual machine(s).
virsh -c qemu:///system shutdown
2. Increase the maximum memory.
virsh setmaxmem
3. Set the actual memory.
virsh setmem
4. Restart the virtual machine(s).
virsh -c qemu:///system start
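The four steps above combined into one script, as an added example rather than Whonix project code. The domain name Whonix-Gateway, the size argument in MB and the DRY_RUN switch are assumptions of this example; virsh sizes default to KiB.

```shell
#!/bin/sh
# Added example, not Whonix project code: resize a libvirt/KVM guest's RAM.
# Usage: resize_vm_ram Whonix-Gateway 2048   (domain name and size are assumptions)
# Set DRY_RUN=1 to print the virsh commands instead of running them.
URI="qemu:///system"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# True when libvirt reports the domain as fully powered off.
is_off() {
    [ "$(virsh -c "$URI" domstate "$1" 2>/dev/null)" = "shut off" ]
}

# A guest shutdown is asynchronous, so poll before touching the memory settings.
wait_for_shutoff() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    tries=0
    while [ "$tries" -lt 60 ]; do
        is_off "$1" && return 0
        sleep 2
        tries=$((tries + 1))
    done
    echo "timeout waiting for $1 to shut down" >&2
    return 1
}

resize_vm_ram() {
    dom=$1
    mb=$2
    case $mb in
        ''|*[!0-9]*) echo "size must be a whole number of MB" >&2; return 2 ;;
    esac
    # 256 MB is the minimum this page gives for Whonix-Gateway.
    [ "$mb" -ge 256 ] || { echo "refusing: below the 256 MB minimum" >&2; return 2; }
    kib=$((mb * 1024))

    # Step 1: shut down (skipped on a live run if the domain is already off).
    if [ "${DRY_RUN:-0}" = 1 ] || ! is_off "$dom"; then
        run virsh -c "$URI" shutdown "$dom" || return 1
    fi
    wait_for_shutoff "$dom" || return 1
    # Steps 2 and 3: raise the ceiling first, then the actual allocation.
    # --config writes the persistent definition used at the next start.
    run virsh -c "$URI" setmaxmem "$dom" "$kib" --config || return 1
    run virsh -c "$URI" setmem "$dom" "$kib" --config || return 1
    # Step 4: start the guest with the new allocation.
    run virsh -c "$URI" start "$dom"
}
```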
Change Keyboard Layout
If you are using a keyboard layout other than qwerty (US), consider changing the keyboard layout. Refer to the dedicated Keyboard Layout entry for further details.
Test Keyboard Layout
Start menu → Accessories → Mousepad; or
Open file ~/testfile in an editor as a regular, non-root user.
If you are using a graphical environment, run.
If you are using a terminal, run.
Try typing the words user, changeme and qwerty. Try typing further words to ensure the desired keyboard layout is functional.
Change Password
After Whonix™ has finished installing, immediately change the password for the user user account in _both_ Whonix-Gateway-XFCE _and_ Whonix-Workstation-XFCE.
1. To avoid possible issues, review the Change Keyboard Layout and Test Keyboard Layout entries before proceeding further.
2. Open a terminal (such as Xfce Terminal Emulator).
Start menu → Applications → System → Terminal
3. Run a test command as root by using sudo.
Run. [11]
4. Read the note below regarding the username and password.
default username: user
default password: changeme
When typing the password it will not appear on the screen, nor will the asterisk sign (*) be visible. It is necessary to type blindly and trust the procedure.
5. Change the user (and sudo) password.
To change the user (Whonix™ default user) password, run. [11] This will also be the password when running sudo from Linux user account user. [12]
6. Root password.
No changes required. Optional, for details, see root account in Whonix™.
7. Done.
The procedure of changing passwords is complete.
If issues appear when gaining root, consider using dsudo.
Another option is to boot into recovery mode and change passwords there.
Security Updates
Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.
This is a short summary of the Network Time Synchronization wiki page which is recommended reading.
1. Timezone information.
Warning: The system clock inside Whonix™ is set to UTC to protect against timezone leaks. This means it may be a few hours ahead or behind the user’s host system clock. It is strongly recommended not to change this setting.
2. Check the host clock is reasonably accurate.
A reasonably accurate host clock is required for many general security properties because an inaccurate clock can lead to:
Broken internet connectivity; and
Time Attacks.
Therefore, at all times ensure the host clock has an accuracy of up to ± 30 minutes.
3. Avoid pause / suspend / save / hibernate functions.
In simple terms, most users should avoid the pause / suspend / save / hibernate features. Although discouraged, see Network Time Synchronization for further details on when this is possible.
This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Time Attacks and Network Time Synchronization page.
How do I Check the Current Whonix™ Version?
See /etc/whonix_version.
Whonix-Gateway™
Open a terminal.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey “Q”) → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Xfce Terminal
If you are using a graphical Whonix™ with XFCE, run.
Start Menu → Xfce Terminal
Should show.
16
Whonix-Workstation™
Qubes App Launcher (blue/grey “Q”) → Whonix-Workstation™ App Qube (commonly named anon-whonix) → Xfce Terminal
Qubes has dynamic RAM assignment.
This provides higher performance during upgrades and lowers the likelihood of issues.
Although non-ideal, swap-file-creator will create an encrypted swap file and the system is configured to swap as little as possible.
This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: cat /proc/meminfo | grep MemTotal, top, and vmstat -s.
By default, Qubes VMs use the same keyboard layout as Qubes dom0.
By default, Qubes does not require a password for superuser access.
Type the command in the terminal and press
Usual Debian / sudo default. Unspecific to Whonix ™,
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why? )
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.
Platform-specific Desktop Tips – Whonix
The following greeting banner appears when a terminal shell bash prompt is opened.
Welcome to Whonix!
Whonix Copyright (C) 2012 – 2021 ENCRYPTED SUPPORT LP
Whonix is Freedom Software, and you are welcome to redistribute it under certain conditions; type “whonix-license”
Whonix is a compilation of software packages, each under its own copyright and license. The exact license terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Whonix GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law; for details type “whonix-disclaimer”
Whonix is a derivative of Debian GNU/Linux and based on Tor.
Whonix is produced independently from the Tor (r) anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
Whonix is experimental software by means of concept and design.
Do not rely on it for strong anonymity.
Type: “whonix”
uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:
uwt INFO: [archive]
To disable the banner, follow these steps.
1. Open a terminal.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey “Q”) → Whonix-Workstation™ App Qube (commonly named anon-whonix) → Xfce Terminal
If you are using a graphical Whonix™ with XFCE, run.
Start Menu → Xfce Terminal
2. Run the following command.
cp /etc/skel/ ~/
The process is now complete.
See also: Disable Virtual Console Banner.
Shut Down Whonix-Gateway™ (sys-whonix)
To shut down Whonix-Gateway™ (sys-whonix), open a terminal and run.
Alternatively, use the menu option:
Qubes-Whonix™: Blue Q button → sys-whonix → Shutdown
Non-Qubes-Whonix™: Start → Leave…
Virtual Consoles
On the Host
Virtual consoles are a feature inherited from Debian GNU/Linux that is unfamiliar to many users. The following keyboard shortcuts activate the Debian (not Whonix™) feature:
Text console: Press Alt + Ctrl + F1
Additional text consoles: Press Alt + Ctrl + F2 or F3 and so on.
Graphical console: Press Alt + Ctrl + F7
Virtual Machines
Table: Virtual Console Activation
Platform | Steps
KVM | The desired virtual console key shortcut can be selected under the Send Key option in a VM’s graphical window.
Qubes dom0 | Qubes dom0 inherited the same feature (Alt + Ctrl + F1…).
Qubes VMs | In order to access VMs in dom0, run: [1] sudo xl console vm-name. Replace “vm-name” with the name of the actual VM, for example: sudo xl console sys-whonix. See also add Qubes host key to allow switching virtual console (ctrl + alt + F1) or SysRq for HVM.
VirtualBox | The VirtualBox default is Right Ctrl + F1. [2] Text console: Press Right Ctrl + F1 (F2,…) for one or more text consoles. Graphical console: Press Host Key + F7 for a graphical console inside VirtualBox.
In the Whonix case, the virtual console will show host login:. This can be confusing and has nothing to do with the actual host that Whonix is running on. The string host is retrieved from file /etc/hostname which for privacy reasons is set to host in Whonix. Therefore do not enter your host (the system Whonix is running on) username or host password.
Due to technical limitations, an easier to understand presentation like Whonix™ username login: or something similar cannot be shown. [3]
Enter your username (this is most likely user) and press
Enter your password and press
default username: user
default password: changeme
This process is similar to Disable Terminal Emulator Banner.
1. Open a virtual console.
2. Run the following command to restore the original bashrc (untested). [4]
[5]
The procedure is complete.
Disable Autologin
See also Login Screen.
[6]
sudo rm -f /etc/lightdm/
[7]
RAM Adjusted Desktop Starter
RAM Adjusted Desktop Starter will not start the desktop environment. The terminal-based Whonix-Gateway™ can be used instead.
When booting up, a prompt will appear offering to prevent Xfce from starting. Users can also manually press Ctrl + C for the same effect.
By default, Whonix-Gateway™ is configured with 1280 MB virtual RAM. This can be reduced on systems with low available resources.
If total RAM is more than 512 MB, the default desktop environment (Xfce) is started.
If total RAM is less than 512 MB (for example, the minimum 256 MB RAM requirement), Xfce (lightdm) is not started.
Users with low RAM resources should find this convenient because Whonix-Gateway™ RAM can be reduced to 256 MB and still function.
Further, if something needs configuring or checking, 512 MB RAM can be assigned to automatically boot into the graphical Xfce desktop. Additional settings are available in folder /etc/rads.d to configure this feature: additional RAM can be added (but still not choosing to boot into a desktop environment), different display managers can be used and so on. See file etc/rads.d/ for configuration examples.
For more information, see RAM Adjusted Desktop Starter.
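Several values this page states about a Whonix guest (the /etc/whonix_version file, the hostname host, a UTC clock, the 512 MB desktop threshold) can be checked from a terminal after installation. The script below is an added example, not Whonix project code; reading the zone from /etc/timezone and the optional root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Whonix project code: check a guest against values this page states.
# Usage: audit_guest             (live system)
#        audit_guest /some/tree  (copied or constructed file tree; an assumption here)

# Print MemTotal from a meminfo-format file in whole MB; fail if the field is absent.
mem_total_mb() {
    awk '/^MemTotal:/ { print int($2 / 1024); found = 1 } END { exit !found }' "$1"
}

# Print the first line of a file, or nothing if it cannot be read.
first_line() {
    [ -r "$1" ] && head -n 1 "$1"
    return 0
}

audit_guest() {
    root=${1:-}
    fails=0

    ver=$(first_line "$root/etc/whonix_version")
    if [ -n "$ver" ]; then
        echo "ok    /etc/whonix_version reports $ver"
    else
        echo "FAIL  /etc/whonix_version missing or empty"; fails=$((fails + 1))
    fi

    # The page says the hostname is set to "host" for privacy reasons.
    hn=$(first_line "$root/etc/hostname")
    if [ "$hn" = "host" ]; then
        echo "ok    hostname is the generic value 'host'"
    else
        echo "FAIL  hostname is '$hn', expected 'host'"; fails=$((fails + 1))
    fi

    # The page says the clock is kept on UTC to avoid timezone leaks.
    tz=$(first_line "$root/etc/timezone")
    case $tz in
        UTC|Etc/UTC) echo "ok    timezone is $tz" ;;
        *) echo "FAIL  timezone is '$tz', expected UTC"; fails=$((fails + 1)) ;;
    esac

    if mb=$(mem_total_mb "$root/proc/meminfo" 2>/dev/null); then
        if [ "$mb" -lt 512 ]; then
            echo "note  ${mb} MB RAM: below 512 MB, so the page says Xfce is not started"
        else
            echo "ok    ${mb} MB RAM visible to the guest"
        fi
    else
        echo "FAIL  cannot read MemTotal"; fails=$((fails + 1))
    fi
    # Exit status is the number of failed checks.
    return "$fails"
}
```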
Use Full-screen Mode
It is recommended to work in full-screen; this feature is also inherited from VirtualBox. To activate and deactivate full-screen mode, press the VirtualBox Host Key + F. The current Host Key is visible in the bottom right corner of VirtualBox. The VirtualBox default is Right Ctrl + F.
Host key can be changed using VirtualBox → Global Settings → Input → Host Key.
Full-screen mode leads to the Whonix™ (and Debian) default resolution and color depth of 1920x1080x24. Having a common value for these identifiers reduces the fingerprinting risk to the user. Full-screen mode also helps to prevent users from accidentally launching applications on the host (such as a clearnet browser), instead of within Whonix™.
XFCE Scaling
A number of displays found in high-end laptops and desktops have High Dots Per Inch (HiDPI), providing a high resolution in a relatively small format. High-resolution mode can cause problems with certain software and the following adjustments may be necessary to improve HiDPI presentation in XFCE. [8]
Table: XFCE Scaling Options
Configuration
Description
Fonts
Change the DPI parameter as follows: [8]
Settings Manager → Appearance → Fonts → DPI → Increase
For example, it is reported that a value of 180 or 192 seems to work well on Retina screens, but trial and error may be necessary to get a more precise number for the relevant display.
gtk2 Menus and Buttons
Follow these steps to change the default icon sizes of gtk2 menus, buttons and so on: [8]
Settings Manager → Settings Editor → xsettings → Gtk → IconSizes → in row Value → add the following line.
gtk-large-toolbar=96,96:gtk-small-toolbar=64,64:gtk-menu=64,64:gtk-dialog=96,96:gtk-button=64,64:gtk-dnd=64,64
Note that the “gtk-dnd” parameter is for the icons during drag’n’drop, while the others are self-evident based on their name. Any value supported by the icon theme can be used.
System Tray Icon Size
Follow these steps to enlarge icons in the system tray: [8]
Right-click on system tray: aim for empty space / top pixels / bottom pixels, so the icons are not activated themselves.
Properties → Set “Maximum icon size” to 32, 48 or 64.
Task Bar Size
To change the size of the task bar:
Right-click on empty space in task bar → Panel → Panel Preferences → Row Size (Pixels) → move slider
Window Manager Style
Xfwm has two hidpi themes: Default-hdpi and Default-xhdpi. Change the theme as follows: [8]
Settings Manager → Window Manager → Style → Theme → Default-hdpi or Default-xhdpi
Default Home Folder Configuration Files Reset
Before following these instructions to wipe the whole XFCE settings folder and restore defaults, it is recommended to backup existing XFCE settings.
2. Logout from and stop XFCE by halting lightdm.
sudo systemctl stop lightdm
3. Trash folder ~/
4. Delete the file.
sudo rm /var/cache/anon-base-files/
5. Re-add Whonix™ XFCE configuration files.
Whonix™ 15:
sudo /usr/lib/anon-base-files/first-boot-skel
Whonix™ 16 and above:
sudo /usr/libexec/helper-scripts/first-boot-skel
6. Restart lightdm to restart XFCE.
sudo systemctl restart lightdm
Avoid VM Full Screen Mode
It is not recommended to allow Qubes-Whonix™ or other VMs to completely “own” the full screen. Overriding Qubes’ GUI virtualization daemon restrictions means the colored decorations drawn by each VM window will not be visible. In this case, a malicious application might not actually release the full screen (while it appears normal), or the full desktop may be emulated so users are tricked into entering sensitive information inside false “trusted” domains. [9]
This is not a real virtual console, but using login.
Inside VirtualBox, the Alt + Ctrl keys are already registered by the host operating system.
The login program unfortunately does not provide this option.
Please leave feedback if this step works correctly.
3. Run the following command.
Frequently Asked Questions about whonix password
What to do after installing Whonix?
After Whonix™ has finished installing, immediately change the password for the user user account in _both_ Whonix-Gateway-XFCE _and_ Whonix-Workstation-XFCE. 1. To avoid possible issues, review the Change Keyboard Layout and Test Keyboard Layout entries before proceeding further.
How do I turn off Whonix?
To shut down Whonix-Gateway™ (sys-whonix), open a terminal and run. Alternatively, use the menu option: Qubes-Whonix™: Blue Q button → sys-whonix → Shutdown.
Is Whonix safe to use?
In Non-Qubes-Whonix™, using a separate computer for Physical Isolation is certainly more secure than using the same computer for everything in the standard host OS / Type 2 hypervisor configuration. However, it is not clear this is superior to Qubes’ compartmentalized software approach.