Whonix – Software That Can Anonymize Everything You Do …
Whonix – Software That Can Anonymize Everything You Do Online
Download
Wiki
FAQ
Security Features
Forum
News
Donate
Download, Install, Run FREE
Whonix ™
isn’t a program like most of your applications. It’s a full
operating system that runs inside your current one. Select which
operating system your computer is running.
All activity in a virtual machine, all internet traffic through the
Tor®
network
Whonix is the best way to use
and provides the strongest protection of your IP address.
Applications are reviewed and pre-configured.
Fully Featured and Advanced Security Features
Impossible to leak IP address
Connections are forced through Tor®. DNS leaks are impossible, and
even malware with root privileges cannot discover the user’s real IP
address. Leak tested through corridor (Tor® traffic whitelisting gateway) and other leak tests.
Live Mode
Booting into
VM Live Mode
is as simple as choosing Live Mode in the boot menu.
Alternatively Debian, Kicksecure and perhaps other Debian-based hosts can boot their existing host operating system into
Host Live Mode.
Based on Kicksecure ™
Whonix ™ is based on Kicksecure ™ which is a security-hardened Linux distribution.
Based on Tor®
Whonix utilizes Tor®, which provides an open and distributed relay network to defend against network surveillance.
Unlike Virtual Private Networks (VPN), Tor provides anonymity by design and removes trust from the equation.
Keystroke Anonymization
Keystrokes can be used to track users. To prevent this, Whonix comes with kloak installed by default.
Protect against guard discovery and related traffic analysis attacks
vanguards
Entropy Enhancements
Better encryption thanks to preinstalled random number generators.
Stream Isolation
Distinct applications are routed through different paths in the Tor® network.
AppArmor
AppArmor profiles restrict the capabilities of commonly used, high-risk applications.
Kernel Self Protection Settings
Whonix uses Kernel Hardening Settings as recommended by the Kernel Self Protection Project (KSPP).
Virus Protection
Whonix provides additional security hardening measures and user education to provide better protection from viruses.
Console Lockdown
disables legacy login methods for improved security hardening.
Advanced Firewall
Configured for anonymous Tor® use.
Tor® Browser
Tor® Browser is optimized for anonymity and millions of daily users help you blend in with the crowd.
Visit any destination including modern websites such as YouTube.
swap-file-creator
Running low on RAM isn’t a security problem. swap-file-creator
will create an encrypted swap file.
Complete respect for privacy
Whonix respects data privacy principles. We don’t make advertising deals or collect sensitive personal data. We’re funded directly by user contributions and that’s how it should be.
Warrant Canary
A canary
confirms that no warrants have ever been served on the Whonix project.
Based on Debian
In oversimplified terms, Whonix is just a collection of configuration files and scripts. Whonix is not a stripped down version of Debian; anything possible in “vanilla” Debian GNU/Linux can be replicated in Whonix.
About Whonix
Digitally signed releases
Downloads are signed so genuine Whonix releases can be verified.
Open Source
All the Whonix source code is
licensed under OSI Approved Licenses.
We respect user rights to review, scrutinize, modify, and redistribute Whonix. This improves security and privacy for everyone.
Research and Implementation Project
Whonix makes modest claims and is wary of overconfidence. Whonix is an actively maintained research project making constant improvements; no shortcomings are ever hidden from users.
Upcoming Security Enhancements
VMware – Whonix
At the time of writing, the VMware Workstation Player [archive] software package can be downloaded free of charge for x64 computers running Windows or Linux. The VMware vSphere Hypervisor provides a local virtualization solution for running a second, isolated operating system on a single computer, although it has less features than the commercial VMware Workstation product; see here [archive] for a full description of supported platforms, version history and features. A community website [archive] is also available for discussing and resolving issues that are encountered.
Lead Whonix ™ developer, Patrick Schleizer, has expressed serious reservations about VMware:
In comparison to Free Software [archive], VMware is not very open and transparency is critical for security.
Users of the free VMware Workstation Player are apparently unable to submit bug reports in contrast to users of commercial products.
There is no known list of open bugs which means it is difficult to determine VMware’s suitability for Whonix ™, such as potential threats to anonymity.
Attempted bug reports go entirely unanswered, meaning there is little motivation to investigate issues, make contributions, or submit further bug reports.
Free VMware products only have community support and not professional support.
VMware warning:
Declined feature request.
Although pairing Whonix ™ with VMware is occasionally reported as functional, it is considered highly experimental and recommended against.
It is far safer to use a supported platform.
Table: Unofficial Supported VMware Products
Product
Functionality
VMware Workstation
Previous tests of VMware Workstation were found to be in a working state. Please note it is rarely tested.
VMware ESX(i)
Up to version 6. 0, VMWare ESX(i) was tested and functional.
VMware Server
VMware Server and all other products are untested, but are most likely functional.
VMware Player
VMware Player was previously tested by an anonymous user and found to be functional, [1]. although this has not been confirmed by Whonix ™ developers. Note that the internal network setup can sometimes be difficult; refer to How to create multiple networks on VMware Player [archive] for further instructions.
After installing Whonix ™ in VMWare, refer to existing Documentation for additional security and anonymity advice.
For newer, third party VMware configuration instructions, see: How to Run Whonix 15 for Anonymous Web Browsing [archive]
VMware Workstation[edit]
Importing Appliances[edit]
Either import the Download version or manually build from source.
Import and
Due to an upstream VMware bug, it might be necessary to press retry when importing the images (to relax the importing requirements).
Network Setup[edit]
1. Connect the virtual network adapter to custom.
This is important! Do not use host-only, NAT or bridging for the virtual network adapter! For example, in testing the vmnet9 virtual network was configured because it was not used by anything else.
2. Adjust the adapter settings.
Whonix-Gateway ™: set network adapter 2 to custom → /dev/vmnet8 (or on Windows probably: vmnet9)
Whonix-Workstation ™ set network adapter 1 to custom → /dev/vmnet8 (or on Windows probably: vmnet9)
Note: if vmnetX — for example vmnet8 — is already in use by the NAT adapter, do not re-use it for the custom adapter. In that case, utilize something else like vmnet9.
3. Adjust time settings.
Due to an upstream VMware bug, the VM time is not set to UTC. Manually make this change, otherwise Tor connections might fail.
VMware ESX(i)[edit]
Simply importing the templates will not work because ESX(i) will not recognize the hardware family. Existing workarounds include using VMware Workstation or extracting the and then editing the files.
Importing Virtual Disk Files[edit]
One method of running Whonix ™ on ESXi is to extract the (VM virtual disk) files; one example can be found here [archive].
To import the appliances:
Create two virtual machines in ESX(i) with default settings — do not create a virtual disk for them.
Import and in VirtualBox (this is not a typo! ). Do not check the setting Import as VDI.. [2]
Once both are imported, retrieve the disk files from their physical location on the disk (VirtualBox extracts them from the).
Upload both disk files to the datastore that is being used in ESX(i).
Attach the disk files to the appropriate virtual machines.
Warning: Double check the vSwitch logic in the following setup!
Ensure Whonix-Gateway ™ has two network adapters configured as a virtual machine, while Whonix-Workstation ™ only has one.
Attach the first Whonix-Gateway ™ network adapter to the outside network vSwitch (this can be WAN, LAN, DMZ etc. )
Attach the second Whonix-Gateway ™ network adapter to an isolated vSwitch. Preferably create a new vSwitch which will only be used by Whonix-Gateway ™ and Whonix-Workstation ™. Note: Do not attach physical NICs to this vSwitch! Ensure a new vSwitch is created and not simply a new portgroup. Promiscuous mode within a vSwitch might jeopardize anonymity.
Attach the Whonix-Workstation ™ network adapter to the isolated vSwitch from the previous step.
Boot the machines and check online connectivity has been established.
Alternate Workflow[edit]
These instructions are unfinished.
If you prefer building from source or the previous instructions did not work, the following method was successfully tested with Whonix ™ 14. 0. 9. 9 and ESX(i) 6. 7.
Build Images[edit]
1. Using a 64-bit Linux machine, build both Whonix-Gateway ™ and Whonix-Workstation ™ with the –target raw instruction.
Example build phrase: sudo. /build_whonix –flavor whonix-gateway-cli –vmsize 20G –target raw –build
2. Use qemu-img to convert the raw images to vmdk.
Example: qemu-img convert
3. Move or copy the disks to a data store on ESX(i).
Example: scp
Create VMs[edit]
1. From ESX(i), create a new virtual switch for internal traffic.
Important: Delete the uplink by clicking the x! Create a new port group for internal traffic using the virtual switch that was just created.
2. Create a new virtual machine named Whonix-Workstation ™.
Guest Linux Debian 10 64-bit → one network interface (change network to internal switch/portgroup) → delete disk → add existing disk → select vmdk created for workstation → expand dropdown and select IDE controller.
Then boot the machine.
3. Create a new virtual machine named Whonix-Gateway ™.
Guest Linux Debian 10 64-bit → two network interfaces (leave first one default, add second and change to internal switch) → delete disk → add existing disk → select created for gateway → expand dropdown and select IDE controller.
Note: This machine will have no WAN access unless a static route is added or eth0 is modified to DHCP.
Using VMWare Workstation as an Intermediary[edit]
If VMware Workstation is available, the following method works without manual extraction and repacking:
Import both VMs to VMware Workstation.
Check all settings are properly applied as per the guide above.
Either export the VMs to and import them on the ESX(i) server, or if the server is connected to the Workstation instance, migrate via VMware Workstation. This generally works out of the box, although the networking should be reviewed and isolated as per the guide above.
In addition to the steps outlined below, also refer to the System Hardening Checklist and the Essential Security Guide and Advanced Security Guide Documentation entries.
General[edit]
The following measures are recommended for improved security:
remove printer
disable 3D acceleration
remove CD/DVD drive
remove Floppy drive
remove USB controller (or at least disable the automatic connection of new devices)
remove sound card
do not install VMware Tools or open-vm-tools — trading security for convenience is unrecommended because VMware Tools leak information to the host operating system or hypervisor.
Additional Security[edit]
Some users might wish to access the Whonix-Workstation ™ via SSH and therefore consider adding a second network adapter with Host-Only Networking [archive]. Be cautious of this configuration because it can cause information leakage:
If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network.
On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host’s dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing.
VMware bug report: failed to import image [archive]
VMware bug report: image internal network becomes bridged network [archive]
VirtualBox bug report Ticket #11160: image created with VirtualBox, failed to import in VMware [archive]
↑ See this thread [archive] in the old Whonix ™ forum.
↑
Alternatively is might work to extract the archive.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Follow:
Support:
Donate:
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why? )
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
Whonix ™ for VirtualBox with XFCE
From Whonix < VirtualBox 1. Download Whonix ™ XFCE for Windows, MacOS and Linux FREE 2. Install VirtualBox Recommended VirtualBox version: 6. 1. 26 Linux: please press expand on the right side. Recommendations for Linux users: The recommended host Linux kernel version is the same version that Debian bullseye is using, see linux-image-amd64 [archive]. Linux users only: use the recommended Linux distribution as a host for Whonix ™ VirtualBox is Debian Linux [archive] version bullseye. Hosts using a non-Debian OS: Install VirtualBox as per the normal mechanism for your Linux distribution. Whonix ™ has has been tested with, expects VirtualBox version 6. 26 For example VirtualBox version 5. 2. 18 has been reported to not be compatible. Ubuntu hosts: Ubuntu bionic (18. 04LTS) APT repository ships only VirtualBox version 5. 18 and Whonix ™ will probably not work. You might want to release-upgrade to Ubuntu hirsute (21. 04) and install the virtualbox package from the hirsute-updates backports repository which provides at time of writing VirtualBox version 6. 26. Debian hosts: Notes: These instructions are for host operating systems running Debian bullseye, which is recommended. Other Debian releases might work, but this is untested. To acquire the Recommended VirtualBox version tested with Whonix ™, package virtualbox should be installed from Debian fasttrack repository [archive] according to the following instructions. [3] 1. On the host. Open a terminal. 2. Add Debian the fasttrack repository. Update the package lists. Install the Debian fasttrack signing key. sudo apt-get install fasttrack-archive-keyring Add the Debian fasttrack repository. echo 'deb bullseye-fasttrack main contrib non-free' | sudo tee /etc/apt/ 3. Update the package lists again. [4] 4. Install VirtualBox and Linux kernel headers. sudo apt-get install virtualbox linux-headers-$(dpkg --print-architecture) 5. Add your current user to group vboxusers. [5] sudo adduser $(whoami) vboxusers The procedure is now complete. 3. Import Whonix ™ into VirtualBox For Whonix ™ VirtualBox import instructions, please press on expand on the right. Start VirtualBox Click on File then choose Import Appliance... Navigate and select Whonix ™ image and press next Do NOT change anything! Just click on Import Then press Agree Wait until Whonix ™ has been imported Now start both Whonix-Gateway ™ and Whonix-Workstation ™ Miscellaneous There are also Video Tutorials. If you still need help, please check the Support page. For command line import instructions, see footnote. [6] 4. Start Whonix ™ Starting Whonix ™ is simple. Start VirtualBox → Double-click the Whonix-Gateway ™ and Whonix-Workstation ™. First time user? default username: user default password: changeme Warning: If you do not know what metadata or a man-in-the-middle attack is. If you think nobody can eavesdrop on your communications because you are using Tor. If you have no idea how Whonix ™ works. Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix ™ is the right tool for you based on its limitations. Footnotes and Experimental Spectre / Meltdown Defenses Please press on expand on the right. VirtualBox Stable Version | VirtualBox Testers Only Version Testers only! For more information please press on expand on the right. These experimental [archive] Spectre/Meltdown defenses are related to issues outlined in Firmware Security and Updates. Due to the huge performance penalty and unclear security benefits of applying these changes, it may not be worth the effort. The reason is VirtualBox is still likely vulnerable, even after: A host microcode upgrade. A host kernel upgrade. A VM kernel upgrade. A "not vulnerable" result from spectre-meltdown-checker run on the host. Installation of the latest VirtualBox version. [7] All Spectre/Meltdown-related VirtualBox settings are tuned for better security as documented below. To learn more, see: VirtualBox 5. 18 vulnerable to spectre/meltdown despite microcode being installed [archive] and the associated VirtualBox forum discussion [archive]. [8] Users must patiently wait for VirtualBox developers to fix this bug. On the host. [9] [10] [11] [12] [13] [14] [15] VBoxManage modifyvm "Whonix-Gateway" --ibpb-on-vm-entry on VBoxManage modifyvm "Whonix-Gateway" --ibpb-on-vm-exit on VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-vm-entry on VBoxManage modifyvm "Whonix-Gateway" --l1d-flush-on-sched on VBoxManage modifyvm "Whonix-Gateway" --spec-ctrl on VBoxManage modifyvm "Whonix-Gateway" --nestedpaging off VBoxManage modifyvm "Whonix-Gateway" --mds-clear-on-vm-entry on VBoxManage modifyvm "Whonix-Gateway" --mds-clear-on-sched on VBoxManage modifyvm "Whonix-Workstation" --ibpb-on-vm-entry on VBoxManage modifyvm "Whonix-Workstation" --ibpb-on-vm-exit on VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-vm-entry on VBoxManage modifyvm "Whonix-Workstation" --l1d-flush-on-sched on VBoxManage modifyvm "Whonix-Workstation" --spec-ctrl on VBoxManage modifyvm "Whonix-Workstation" --nestedpaging off VBoxManage modifyvm "Whonix-Workstation" --mds-clear-on-vm-entry on VBoxManage modifyvm "Whonix-Workstation" --mds-clear-on-sched on These steps must be repeated for every Whonix ™ or non-Whonix VirtualBox VM, including multiple and custom VMs. The above instructions only apply to the default VM names Whonix-Gateway ™ and Whonix-Workstation ™. Therefore, if Multiple Whonix-Workstation ™ and/or Multiple Whonix-Gateway ™ are configured, then repeat these instructions using the relevant name/s. ↑ It does not matter if the bulk download is done over an insecure channel if software signature verification is used at the end. ↑ OpenPGP is a standard for data encryption that provides cryptographic privacy and authentication through the use of keys owned by its users. ↑ This is non-ideal but required since VirtualBox in unavailable in official Debian bullseye and bullseye repository and difficult to install due to VirtualBox Installation Challenges. Alternatively you could install VirtualBox from the Oracle () Repository, but this comes with different risks. VirtualBox might be updated by VirtualBox developers before being tested with Whonix ™ which could then lead to issues. (Described in footnote here. ) This is to acquire the Debian fasttrack repository package sources. Optional: See: [archive] Also spams ~/ log if not done. On the Linux platform. 1. Read License Agreement: vboxmanage import --vsys 0 --eula show --vsys 1 --eula show 2. Import Whonix-Gateway ™ and Whonix-Workstation ™. vboxmanage import --vsys 0 --eula accept --vsys 1 --eula accept VirtualBox version 5. 18 or above is required since only that version comes with Spectre/Meltdown defenses. See [archive]. ↑ Also see the following Whonix ™ forum discussion: Whonix ™ vulerable due to missing processor microcode packages? spectre / meltdown / retpoline / L1 Terminal Fault (L1TF) [archive] --ibpb-on-vm-[enter|exit] on|off: Enables flushing of the indirect branch prediction buffers on every VM enter or exit respectively. This could be enabled by users overly worried about possible spectre attacks by the VM. Please note that these options may have sever impact on performance. [archive] There is a mistake in the VirtualBox manual stating enter which does not work. It is actually entry. --l1d-flush-on-vm-enter on|off: Enables flushing of the level 1 data cache on VM enter. See Section 13. 4. 1, “CVE-2018-3646”. --l1d-flush-on-sched on|off: Enables flushing of the level 1 data cache on scheduling EMT for guest execution. 1, “CVE-2018-3646 [archive]”. For users not concerned by this security issue, the default mitigation can be disabled using VBoxManage modifyvm name --l1d-flush-on-sched off Since we want to enable the security feature we set --l1d-flush-on-sched on. --spec-ctrl on|off: This setting enables/disables exposing speculation control interfaces to the guest, provided they are available on the host. Depending on the host CPU and workload, enabling speculation control may significantly reduce performance. According to this VirtualBox ticket [archive] --spec-ctrl should be set to on. --nestedpaging on|off: If hardware virtualization is enabled, this additional setting enables or disables the use of the nested paging feature in the processor of your host system; see Section 10. 7, “Nested paging and VPIDs” and Section 13. 1, “CVE-2018-3646”. Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki Follow: Support: Donate: Love Whonix ™ and want to help spread the word? You can start by telling your friends or posting news about Whonix ™ on your website, blog or social media. Priority Support | Investors | Professional Support Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why? ) The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
Frequently Asked Questions about whonix workstation download
How do I install Whonix on VMware workstation?
VMware Workstation[edit]Either import the Download version or manually build from source.Import Whonix-Gateway. ova and Whonix-Workstation. ova .Due to an upstream VMware bug, it might be necessary to press retry when importing the . ova images (to relax the importing requirements).
How do I download Whonix on VirtualBox?
For Whonix ™ VirtualBox import instructions, please press on expand on the right.Start VirtualBox.Click on File then choose Import Appliance…Navigate and select Whonix ™ image and press next.Do NOT change anything! … Then press Agree.Wait until Whonix ™ .ova has been imported.More items…
How install Whonix on Windows?
ChaptersGoogle Search Whonix. … Select on what OS you will run it. … Remember to install VirtualBox from Oracle. … Open the download folder. … Select virtualbox manager to load the image file. … You can click import or change some of the settings. … Now go to settings and change some of the preconfigured settings.More items…•Jul 16, 2019