File Transfer
This page describes copying files into and out of Whonix ™ Virtual Machines.
If you are interested in installation of Whonix ™ on USB, see Whonix ™ on USB.
If you are interested in sharing files with others, see File Sharing.
Qubes-Whonix
Qubes-Whonix ™ users can utilize the usual Qubes capabilities. Please refer to Qubes' copying files documentation for further instructions.
Non-Qubes-Whonix
Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
Security Overview
Table: File Transfer Security Overview
Method | Security Considerations |
---|---|
All methods | |
Adding Host-Only Networking adapter to Whonix-Workstation ™ | This method is unrecommended. For further details, see: Adding a Host-Only Networking Adapter to Whonix-Workstation ™ / SSH into Whonix-Workstation ™. |
ISO Images | |
Mounting Virtual Machine images | This method is unrecommended: |
Shared Folder | This method is currently recommended. |
SSH | |
USB devices plugged into VirtualBox | This method is unrecommended for several reasons: |
Transfer Files via ISO Images
This section describes how to transfer files from the host into Whonix-Gateway ™ or Whonix-Workstation ™ via ISO images.
Linux Host
Brasero
Brasero is: [1]
...a free and open-source disc-burning program for Unix-like operating systems, it serves as a graphical front-end (using GTK) to cdrtools, cdrskin, growisofs, and (optionally) libburn.
- Follow the same procedure for burning a data disk with Brasero; see here and here for instructions.
- Select the option to create an ISO.
- Navigate to the following area: Virtual machine window menu → Devices → CD/DVD devices → Choose a virtual disk.
Command line
genisoimage is a command-line tool for creating ISO filesystem images from the terminal.
1. Install genisoimage.
sudo apt install genisoimage
2. Create an ISO "files.iso" containing the content of "folder".
Replace files.iso and /path/to/folder with the preferred ISO name and the path to the folder whose content should be copied.
genisoimage -o files.iso /path/to/folder
3. Mount the newly created ISO.
Use the VirtualBox GUI to mount the newly created ISO in the VM's virtual CD/DVD drive.
4. Create the /media/cdrom folder inside Whonix-Workstation ™.
sudo mkdir -p /media/cdrom
5. Attach/mount the ISO to the VM.
sudo mount /dev/sr0 /media/cdrom
6. Navigate into the folder.
cd /media/cdrom
7. Review the files.
dir
This procedure is intentionally one-way as the Whonix-Workstation ™ is inherently untrusted. This way it remains isolated to prevent side-channel attacks and covert channel leaks.
KVM
See KVM: Shared Folders.
VirtualBox
This method works when Whonix ™ is able to start normally. If Whonix ™ does not start properly, then another option like Mount Disk Image is required. Refer to the VirtualBox Shared Folder entry for further details.
Mount Disk Image
The following steps are all performed inside the host operating system.
1. Shut down any running Whonix ™ virtual machines.
- It is recommended to back-up data to avoid any potential data loss.
- Never run the Whonix ™ VM that is currently mounted because that can lead to data loss. Always unmount first.
2. Update the package lists.
sudo apt update
3. Install qemu.
sudo apt install qemu
4. Load the Network Block Device kernel module.
sudo modprobe nbd max_part=16
5. Attach the disk image (.vmdk) to one of the newly created network block devices.
The example below uses Whonix-ws.vmdk. This is stored in the default place created by VirtualBox for VMs: /home/user/VirtualBox VMs.
sudo qemu-nbd -c /dev/nbd0 '/home/user/VirtualBox VMs/Whonix-Workstation/Whonix-Workstation-13.0.0.1.5-disk1.vmdk'
6. Create a mount point.
For example.
sudo mkdir -p /mnt/workstation
A partition manager like cfdisk could be run on the block device, but it is more likely you will want to mount an individual partition.
sudo mount /dev/nbd0p1 /mnt/workstation
The procedure is complete. The contents of the Whonix-Workstation ™ partition are now visible under the mount point.
7. Unmount everything when finished.
sudo umount /mnt/workstation
sudo qemu-nbd -d /dev/nbd0
After unmounting, the Whonix ™ VM can be safely restarted.
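When files only need to be copied out of the image, the steps above can be run read-only, which keeps the host from modifying the guest disk and ignores setuid bits and device nodes on it, although the host kernel still parses the guest filesystem; this is an added example, not part of the Whonix documentation. It assumes an ext4 guest partition at p1, and RUN, ro_attach_and_mount and ro_detach are hypothetical names.

```sh
#!/bin/sh
# Added example, not part of the Whonix documentation: read-only variant of
# the "Mount Disk Image" steps, for copying files OUT of a powered-off VM.
# Assumptions: the guest root filesystem is ext4 on partition 1; the names
# RUN, ro_attach_and_mount and ro_detach are hypothetical.

# Prefix for privileged commands. RUN=echo prints the plan without running it.
RUN=${RUN:-sudo}

# Detach in reverse order; errors are ignored so cleanup always completes.
ro_detach() {
    nbd=${1:-/dev/nbd0}
    mnt=${2:-/mnt/workstation}
    $RUN umount "$mnt" || true
    $RUN qemu-nbd -d "$nbd" || true
}

# usage: ro_attach_and_mount IMAGE FORMAT [NBD_DEVICE] [MOUNT_POINT]
ro_attach_and_mount() {
    image=$1
    fmt=$2
    nbd=${3:-/dev/nbd0}
    mnt=${4:-/mnt/workstation}

    # Name the image format explicitly so qemu does not have to guess it
    # from the content of a file the guest controls.
    case $fmt in
        vmdk|vdi|raw) ;;
        *) echo "unsupported image format: $fmt" >&2; return 2 ;;
    esac

    $RUN modprobe nbd max_part=16 || return 1
    # --read-only: nothing done on the host can change the guest disk.
    $RUN qemu-nbd --read-only --format="$fmt" -c "$nbd" "$image" || return 1
    # Wait until the kernel has created the partition nodes (/dev/nbd0p1 ...).
    $RUN udevadm settle
    $RUN mkdir -p "$mnt"
    # ro,noload: mount read-only and skip ext4 journal replay.
    # nodev,nosuid,noexec: ignore device nodes and setuid bits from the guest
    # and refuse to execute anything directly from the mounted image.
    if ! $RUN mount -o ro,noload,nodev,nosuid,noexec "${nbd}p1" "$mnt"; then
        $RUN qemu-nbd -d "$nbd"
        return 1
    fi
}

# Example session on the host, VM powered off (the copied path is constructed):
#   ro_attach_and_mount '/home/user/VirtualBox VMs/Whonix-Workstation/Whonix-Workstation-13.0.0.1.5-disk1.vmdk' vmdk
#   cp -r /mnt/workstation/home/user/Documents ~/from-workstation
#   ro_detach
```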
Transfer Files via a VDI File
This section describes how to transfer files from one Whonix-Workstation ™ to a different Whonix-Workstation ™ via a VDI file.
Linux
The procedure below is one of the more convenient solutions for copying work from one Whonix-Workstation ™ to another.
1. The virtual machine that will be edited needs to be powered off.
2. In VirtualBox: Click on "Settings" for the Whonix ™ Workstation that you wish to copy files from → click on "Storage". Select "Storage" settings → click on the square with a + sign → select "add hard disk" (located next to the "Controller: Whonix ™" entry).
3. In the next window that appears, click on create new disk.
4. When prompted: Choose a "hard drive file type" → select "VDI".
5. When prompted: Choose "storage on physical hard drive" → select "dynamically allocated".
6. In the next window: Type "WhonixTransferBackup" for the drive name → choose the needed storage capacity. In many cases, the default "8.00 GB" will be enough.
7. After returning to the "Settings" window, click the "OK" button.
8. Start the Whonix ™ Workstation that you wish to transfer files from. After reaching the desktop, open a Terminal/Konsole session.
9. Format the newly created drive:
sudo fdisk /dev/sdb
10. At the command prompt: Type "n" to create a new partition → press "enter" to choose the default options when prompted until returned to fdisk's main menu → type "w" to write the partition and exit fdisk.
11. In the terminal session, type:
sudo mkfs.ext4 /dev/sdb1
12. Create a new directory to be the mount point for the drive:
mkdir temp
13. Mount the new drive:
sudo mount /dev/sdb1 temp
14. Change the permissions of the mount folder so it is possible to write to the drive:
sudo chmod 777 temp
15. Copy selected files to the new drive by copying them to the "temp" folder. This is possible in the terminal, with the file browser and so on. Once all files have been copied to the "temp" folder, shut down the Whonix ™ Workstation.
16. After the Whonix ™ Workstation has closed, open the "Virtual Media Manager" in VirtualBox: Click on "File → Virtual Media Manager". Locate the new VDI file created in steps 2-8 → click on it → click the "copy" button → click the "next" button.
17. When prompted to choose a "hard drive file type," select "VDI".
18. When prompted to choose "storage on physical hard drive," select "dynamically allocated".
19. In the next window: type "WhonixWorkstationFileTransfer" for the drive name → choose a folder to store the VDI file → click on the "copy" button. [4]
20. After returning to the "Virtual Media Manager" window, click the "close" button.
21. In the main VirtualBox window: Click the Whonix ™ Workstation version that you want to copy the files into → click "settings". Navigate to the "storage" section → click on the square with a + sign → select "add hard disk" (located next to the "Controller: Whonix ™" entry).
22. In the next window: Click on "choose existing disk" → find the saved "WhonixWorkstationFileTransfer.vdi" file and select it.
23. After returning to the "settings" window, click "OK."
24. Start the Whonix ™ Workstation that you wish to copy your files into. After reaching the desktop, open a Terminal/Konsole session.
25. Create a new directory to be the mount point for the drive:
mkdir temp
26. Mount the new drive:
sudo mount /dev/sdb1 temp
27. Finally, copy selected files into the Whonix ™ Workstation. When copying is finished, shut down the Whonix ™ Workstation and delete the temporary "file transfer" VDI files through Virtual Media Manager.
Related forum topic:
How to tranfer data to Whonix ™ 8
Windows
Refer to the following forum topic: Virtualbox: Transfer files from Whonix to host with disk images.
Add a USB Device to VirtualBox
This procedure is not recommended for security reasons. [5]
By default, Oracle VirtualBox only supports USB 1.1. Additional, closed source extension packs exist for better USB support such as versions 2.0 and 3.0; they can be downloaded from the VirtualBox download page. Note that improved USB support does not require VirtualBox Guest Additions. It is unclear whether a reboot is required after installation of the extension pack(s); refer to the official VirtualBox documentation for additional information.
Since Whonix ™ is based on Debian, any additional research that is required can utilize search terms like "How to get USB in Linux VirtualBox?". See also: Free Support Principle.
1. Adjust the Linux user group.
For Linux hosts, the user that is running VirtualBox must be a member of the Linux user group vboxusers. [6] To add the current user to group vboxusers, run.
sudo adduser $(whoami) vboxusers
2. Reboot.
A reboot or re-login is required.
3. Plug in the USB device.
USB devices are plugged into Virtual Machines through the device menu in VirtualBox.
4. Mount the USB device.
Automount of USB devices is disabled in Whonix ™ by default. To mount the device, try: Start menu → System Settings → Removable Media or manually mount the device.
Also refer to this old forum topic. Failures or successes can also be shared in a new forum discussion.
5. Optional: Install the ntfs-3g package.
If the USB device is formatted with NTFS, it is necessary to install the ntfs-3g driver package and run a special mount command, see: Transfer Files from Whonix ™ - USB and Can’t enable USB Drive in VirtualBox – troubleshooting help needed.
SSH into Whonix-Gateway ™
These instructions assume a connection from a local host into Whonix ™, not SSH to a remotely running Whonix ™ instance.
1. Adjust Whonix-Gateway ™ firewall settings.
Modify Whonix-Gateway ™ User Firewall Settings.
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Gateway ™ App Qube, make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ App Qube (commonly called sys-whonix) → Whonix ™ User Firewall Settings
If using a graphical Whonix-Gateway ™, complete these steps.
Start Menu → Applications → Settings → User Firewall Settings
If using a terminal-only Whonix-Gateway ™, complete these steps.
In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix ™ Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-gw-16 → Whonix Global Firewall Settings
If using a graphical Whonix-Gateway ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Gateway ™, complete these steps.
In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
2. Add.
GATEWAY_ALLOW_INCOMING_SSH=1
3. Restart the firewall.
Make sure this is run on Whonix-Gateway ™!
sudo /usr/bin/whonix_firewall
4. Install openssh-server inside Whonix-Gateway ™.
Make sure this is run on Whonix-Gateway ™! Run the command once.
sudo apt install openssh-server
5. Add port forwarding from host into the virtual machine.
Make sure this is run on the host! Run the command once.
Open a terminal. This will forward connections from the host to 127.0.0.1:2200 to the SSH server running inside Whonix-Gateway ™ on port 22.
VBoxManage modifyvm "Whonix-Gateway" --natpf1 "ssh",tcp,127.0.0.1,2200,,22
If it is necessary to undo this change, run.
VBoxManage modifyvm "Whonix-Gateway" --natpf1 delete "ssh"
To verify the change, run.
VBoxManage showvminfo "Whonix-Gateway"
Search for lines beginning with NIC. For example:
NIC 1 Rule(0): name = ssh, protocol = tcp, host ip = 127.0.0.1, host port = 2222, guest ip = 127.0.0.1, guest port = 22
6. Open an SSH session on the host.
Make sure this is run on the host!
As user.
ssh user@127.0.0.1 -p 2200
Or as root.
ssh root@127.0.0.1 -p 2200
7. Create a folder which will be used to mount the image.
Perform this step on the host or mount Whonix-Gateway ™ as a folder.
This folder must exist before trying to mount.
mkdir ~/mountgateway
8. Mount the folder.
Make sure this is run on the host!
As user.
sshfs user@127.0.0.1:/ -p 2200 ~/mountgateway
Or as root.
sshfs root@127.0.0.1:/ -p 2200 ~/mountgateway
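Step 5 binds the forward to 127.0.0.1; a rule created with an empty host IP listens on every host interface, which would make the Gateway's SSH server reachable from other machines on the host's network. The check below over the showvminfo output is an added example, not part of the Whonix documentation; the function names and the sample text (including the second rule) are constructed.

```sh
#!/bin/sh
# Added example, not part of the Whonix documentation. Function names and the
# sample text are constructed for illustration.

# Reads the text output of `VBoxManage showvminfo "<vm>"` on stdin and prints
# one verdict per NAT forwarding rule. Exit status is 1 if any rule listens on
# something other than the loopback address of the host, 0 otherwise.
audit_natpf() {
    awk '
        /^NIC [0-9]+ Rule\([0-9]+\):/ {
            name = ""; ip = ""; port = ""
            sub(/^NIC [0-9]+ Rule\([0-9]+\):[ \t]*/, "")
            n = split($0, field, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                eq = index(field[i], "=")
                if (eq == 0) continue
                key = substr(field[i], 1, eq - 1)
                val = substr(field[i], eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "name") name = val
                if (key == "host ip") ip = val
                if (key == "host port") port = val
            }
            if (ip == "127.0.0.1" || ip == "::1") {
                print "OK", name, ip ":" port
            } else {
                # An empty host ip means VirtualBox listens on every interface.
                if (ip == "") ip = "0.0.0.0"
                print "EXPOSED", name, ip ":" port
                exposed = 1
            }
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Constructed sample in the layout of the "NIC 1 Rule(0)" line shown above.
sample_showvminfo() {
    cat <<'EOF'
Name:            Whonix-Gateway
NIC 1:           MAC: 080027000000, Attachment: NAT, Cable connected: on
NIC 1 Rule(0):   name = ssh, protocol = tcp, host ip = 127.0.0.1, host port = 2200, guest ip = , guest port = 22
NIC 1 Rule(1):   name = ssh-lan, protocol = tcp, host ip = , host port = 2201, guest ip = , guest port = 22
EOF
}

# Live use on the host:  VBoxManage showvminfo "Whonix-Gateway" | audit_natpf
sample_showvminfo | audit_natpf || echo "at least one rule is not loopback-only"
```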
SSH into Whonix-Workstation ™
Introduction
These instructions assume a connection from a local host into Whonix ™, not SSH to a remotely running Whonix ™ instance. The connection formed will look like this: host → SSH → Whonix-Gateway ™ → SSH → Whonix-Workstation ™.
It is not possible to directly SSH into Whonix-Workstation ™ because it only has an internal network interface and no NAT interface. Adding a NAT interface would defeat the purpose of Whonix ™.
Prerequisite
Do not attempt this procedure before mastering the steps in SSH into Whonix-Gateway ™.
Firewall
1. Adjust Whonix-Workstation ™ firewall settings.
Modify Whonix-Workstation ™ User Firewall Settings.
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ App Qube, make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ App Qube (commonly called anon-whonix) → Whonix ™ User Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → System → User Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
Open /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_workstation_default.conf.
The Whonix ™ Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_workstation_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.
Also see: Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-16 → Whonix Global Firewall Settings
If using a graphical Whonix-Workstation ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Workstation ™, complete these steps.
In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf
2. Add the necessary port.
Replace 80 with the actual port that should be opened.
EXTERNAL_OPEN_PORTS+=" 80 "
Save.
3. Reload the firewall.
Reload Whonix-Workstation ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ App Qube (commonly named anon-whonix) → Reload Whonix ™ Firewall
If you are using a graphical Whonix-Workstation ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Workstation ™, run.
sudo whonix_firewall
Setup Workstation
On Whonix-Workstation ™, run.
sudo apt install openssh-server
Setup Gateway
On Whonix-Gateway ™, run.
/usr/bin/ssh.anondist-orig root@10.152.152.11
user@ can also be substituted in the above command.
Setup Host
Note:
- It is possible to use one command to SSH from the host into Whonix-Gateway ™ and then SSH into Whonix-Workstation ™. This is called SSH hopping.
- SSH hopping is also possible for SSHFS; see here. [7]
- The filesystem of Whonix-Workstation ™ can also be mounted with two commands.
1. SSH from the host into Whonix-Gateway ™.
host → Whonix-Gateway ™
ssh -t user@127.0.0.1 -p 2200 "ssh.anondist-orig user@10.152.152.11"
root@ can also be substituted in the above command.
2. Create a directory to mount Whonix-Workstation ™.
mkdir ~/mountworkstation
3. SSH into Whonix-Workstation ™ and map to localhost:2222.
Whonix-Gateway ™ → Whonix-Workstation ™
Perform this step on the host.
ssh -f user@127.0.0.1 -p 2200 -L 2222:10.152.152.11:22 -N
root@ can also be substituted in the above command.
4. Mount the Whonix-Workstation ™ folder on the host.
sshfs -p 2222 user@127.0.0.1:/ ~/mountworkstation
If these instructions did not work, try the alternative standalone instructions SSHFS into Whonix-Workstation.
Mount and Inspect Images
Introduction
- Developers / experts only! Only for debugging!
- Warning: If a guest image file is mounted and the image is compromised by malware, the system can be infected. [8]
Required knowledge:
- This method is not compulsory. Standard vdi (or raw) images are used, but the user can mount them with another preferred method.
- The mounting and inspecting of images has only been researched for Linux hosts. It may be possible on Windows, but it is undocumented.
- The purpose and use of raw and vdi images must be understood, which is explained on the Dev/Source Code Intro page.
- The Whonix ™ source code is required; see chapter Build and Update Whonix ™ from Source Code.
- Whonix ™ source code should be verified with OpenPGP, although this is not compulsory.
- Several dependencies are required and can be installed using the build-steps.d/1100_prepare-build-machine script.
VDI Images
Mount Whonix-Gateway ™ VDI Images
sudo ./help-steps/mount-vdi --target virtualbox --build --flavor whonix-gateway
cd "/home/user/whonix_binary/Whonix-Gateway_image"
Inspect.
cd ~
sudo ./help-steps/unmount-vdi --target virtualbox --build --flavor whonix-gateway
Mount Whonix-Workstation ™ VDI Images
sudo ./help-steps/mount-vdi --target virtualbox --build --flavor whonix-workstation
cd "/home/user/whonix_binary/Whonix-Gateway_image"
Inspect.
cd ~
sudo ./help-steps/unmount-vdi --target virtualbox --build --flavor whonix-workstation
Raw Images
Mount Whonix-Gateway ™ Raw Images
sudo ./help-steps/mount-raw --target virtualbox --build --flavor whonix-gateway
cd "/home/user/whonix_binary/Whonix-Gateway_image"
Inspect.
cd ~
sudo ./help-steps/unmount-raw --target virtualbox --build --flavor whonix-gateway
Mount Whonix-Workstation ™ Raw Images
sudo ./help-steps/mount-raw --target virtualbox --build --flavor whonix-workstation
cd "/home/user/whonix_binary/Whonix-Gateway_image"
Inspect.
cd ~
sudo ./help-steps/unmount-raw --target virtualbox --build --flavor whonix-workstation
VMDK Images
Mount Whonix-Workstation ™ VMDK Images
These instructions are broken because the virtualbox-fuse package is no longer available in Debian jessie and above. [9] They have been kept in case the situation changes.
Use this method to mount any VirtualBox file type (VMDK, VDI, VHD, or raw) on a Linux host. It utilizes a VirtualBox utility named "vdfuse" [10] and the VirtualBox access library to open a VirtualBox supported image file and mount it as a Fuse file system.
1. Optional: Update the system.
sudo apt update
2. Install the VirtualBox vdfuse utility. [11]
sudo apt install virtualbox-fuse
3. Edit the /etc/fuse.conf file.
sudo vi /etc/fuse.conf
Uncomment the line #user_allow_other and then save the file.
4. Set the permissions on /etc/fuse.conf.
sudo chmod 644 /etc/fuse.conf
5. Create a mount point and mount the Whonix ™ Workstation image.
This example shows a .vmdk file type, but any VirtualBox file type should work (VMDK, VDI, VHD, or raw).
mkdir /mnt/whonix
vdfuse -f /path/to/Whonix-Workstation/Whonix-Workstation-disk1.vmdk /mnt/whonix
The path /mnt/whonix/ will now contain files like EntireDisk, Partition1, etc.
6. Mount Partition1 at a second mount point.
mkdir /mnt/workstation
sudo mount -o loop /mnt/whonix/Partition1 /mnt/workstation
7. Copy files to/from the Whonix ™ workstation disk image.
8. Unmount each of the mount points.
sudo umount /mnt/workstation
sudo umount /mnt/whonix
Usability Development Tickets
All solutions listed here are far from user friendly. Help is most welcome to improve this situation.
Please refer to existing tickets about this issue:
Footnotes
1. https://en.wikipedia.org/wiki/Brasero_(software)
2. sudo modprobe nbd max_part=16 is used instead of sudo modprobe nbd to avoid the following error:
sudo qemu-nbd -c /dev/nbd0 '/home/user/VirtualBox VMs/Whonix-Workstation/Whonix-Workstation-13.0.0.1.5-disk1.vmdk'
Failed to open /dev/nbd0: No such file or directory /build/qemu-XXUWBP/qemu-2.1+dfsq/nbd.c:nbd_receive_request ():L756: read failed
This might relate to an old bug.
3. https://forums.gentoo.org/viewtopic-t-822672-start-0.html
4. If copying does not work, power down the old VM and attach the same VDI to the new VM.
5. A malicious guest can flash the low level firmware of the USB thumb drive, turning it into an attack vehicle against any machine it is plugged into.
6. Otherwise VirtualBox GUI will show no devices available.
7. http://www.webcitation.org/6FDYtApEP
8. https://www.berrange.com/posts/2013/02/20/a-reminder-why-you-should-never-mount-guest-disk-images-on-the-host-os/
9. https://unix.stackexchange.com/questions/99044/running-debian-jessie-missing-some-packages
10. Broken link: virtualbox-fuse package
11. This only works up to Debian wheezy.