Post-installation Security Advice
From Whonix
Introduction
Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation, including a System Hardening Checklist. The more you know, the safer you can be.
This page provides security advice, including steps that can be applied after installation of Whonix ™ for better security.
On Whonix-Gateway ™ and Whonix-Workstation ™
Increase Virtual Machine RAM
Qubes-Whonix ™ users can skip this section. [1]
- Whonix-Workstation ™: No changes are necessary for most users.
- Whonix-Gateway ™: If enough host RAM is available, ideally the virtual RAM setting of Whonix-Gateway ™ should be increased to 2048 MB RAM. [2] If it is infeasible to increase the virtual RAM setting, Whonix-Gateway ™ will still function properly. [3]
If it is unknown how much RAM is available, follow these steps on the host: [4] [5] [6]
- Windows 10: Task Manager in More details view → Click/tap on the Performance tab → Click/tap on Memory; or open a command prompt → Run wmic MemoryChip get /format:list
- macOS: Apple menu → About This Mac
- Linux: Open a terminal → Run free -h [7]
VirtualBox
- To add RAM in VirtualBox the VM must first be powered down.
Virtual machine → Menu → Settings → Adjust Memory slider → Hit: OK
KVM
1. Shut down the virtual machine(s).
virsh -c qemu:///system shutdown <vm_name>
2. Increase the maximum memory.
virsh setmaxmem <vm_name> <memsize> --config
3. Set the actual memory.
virsh setmem <vm_name> <memsize> --config
4. Restart the virtual machine(s).
virsh -c qemu:///system start <vm_name>
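The four KVM steps above combined into one script, as an added example that is not part of the Whonix ™ documentation. It takes the size in MiB and converts it, because virsh reads a bare number as KiB, and it waits until the guest reports "shut off" before changing memory. Assumptions: every call uses the qemu:///system connection shown for shutdown and start, and resize_vm and its helpers are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki: the four KVM steps as one script.
# Assumption: all calls use the connection the page uses for shutdown/start.
URI="qemu:///system"

# virsh setmaxmem/setmem read a bare number as KiB, so convert MiB first.
mib_to_kib() {
    case "$1" in
        ''|*[!0-9]*)
            echo "memory size must be a whole number of MiB" >&2
            return 1 ;;
    esac
    echo $(( $1 * 1024 ))
}

# "virsh shutdown" only requests a shutdown from the guest; poll until the
# domain reports "shut off" or the timeout (in seconds) runs out.
wait_shut_off() {
    vm=$1; left=${2:-120}
    while [ "$left" -gt 0 ]; do
        [ "$(virsh -c "$URI" domstate "$vm")" = "shut off" ] && return 0
        sleep 1; left=$((left - 1))
    done
    echo "$vm did not shut down in time" >&2
    return 1
}

# resize_vm <vm_name> <size_in_MiB>
resize_vm() {
    vm=$1
    kib=$(mib_to_kib "$2") || return 1
    if [ "$(virsh -c "$URI" domstate "$vm")" != "shut off" ]; then
        virsh -c "$URI" shutdown "$vm" || return 1               # step 1
        wait_shut_off "$vm" || return 1
    fi
    virsh -c "$URI" setmaxmem "$vm" "$kib" --config || return 1  # step 2
    virsh -c "$URI" setmem "$vm" "$kib" --config || return 1     # step 3
    virsh -c "$URI" start "$vm"                                  # step 4
}

# Usage: resize_vm <vm_name> 2048
```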
Change Keyboard Layout
Qubes-Whonix ™ users can skip this section. [8]
If you are using a keyboard layout other than qwerty (US), consider changing the keyboard layout. Refer to the dedicated Keyboard Layout entry for further details.
Test Keyboard Layout
Qubes-Whonix ™ users can skip this section.
Start menu → Accessories → Mousepad; or
- Open file ~/testfile in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run.
mousepad ~/testfile
If you are using a terminal, run.
nano ~/testfile
Try typing the words user, changeme and qwerty. Try typing further words to ensure the desired keyboard layout is functional.
Change Password
Qubes-Whonix ™ users can skip this section. [9] [10]
After Whonix ™ has finished installing, immediately change the password for the Linux user account user in _both_ Whonix-Gateway-XFCE _and_ Whonix-Workstation-XFCE.
1. To avoid possible issues, review the Change Keyboard Layout and Test Keyboard Layout entries before proceeding further.
2. Open a terminal (such as Xfce Terminal Emulator).
Start menu → Applications → System → Terminal
3. Run a test command as root by using sudo.
Run. [11]
sudo systemd-detect-virt
4. Read the note below regarding the username and password.
When typing the password it will not appear on the screen, nor will the asterisk sign (*) be visible. It is necessary to type blindly and trust the procedure.
5. Change the user (and sudo) password.
To change the user (Whonix ™ default user) password, run. [11] This will also be the password when running sudo from Linux user account user. [12]
sudo passwd user
6. Root password.
No changes required. Optional, for details, see root account in Whonix ™.
7. Done.
The procedure of changing passwords is complete.
If issues appear when gaining root, consider using dsudo.
Another option is to boot into recovery mode and change passwords there.
Security Updates
Regularly check for security updates and apply them in a timely fashion; see Operating System Updates.
Network Time Syncing
This is a short summary of the Network Time Synchronization wiki page, which is recommended reading.
1. Timezone information.
Warning: The system clock inside Whonix ™ is set to UTC to protect against timezone leaks. This means it may be a few hours ahead or behind the user's host system clock. It is strongly recommended not to change this setting.
2. Check the host clock is reasonably accurate.
A reasonably accurate host clock is required for many general security properties because an inaccurate clock can lead to:
- Broken internet connectivity; and
- Time Attacks.
Therefore, at all times ensure the host clock has an accuracy of up to ± 30 minutes.
3. Avoid pause / suspend / save / hibernate functions.
In simple terms, most users should avoid the pause / suspend / save / hibernate features. Although their use is discouraged, see Network Time Synchronization for further details on when it is possible.
Better Security
This chapter is aimed at newcomers and only provides a short and simple overview for basic protection. Anonymity and platform security can be improved by following recommendations outlined in the Security Guide and Advanced Security Guide sections, along with the Time Attacks and Network Time Synchronization pages.
Appendix
How do I Check the Current Whonix ™ Version?
See /etc/whonix_version.
Whonix-Gateway ™
Open a terminal.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Xfce Terminal
If you are using a graphical Whonix ™ with XFCE, run.
Start Menu → Xfce Terminal
cat /etc/whonix_version
Should show.
16
Whonix-Workstation ™
Open a terminal.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ App Qube (commonly named anon-whonix) → Xfce Terminal
If you are using a graphical Whonix ™ with XFCE, run.
Start Menu → Xfce Terminal
cat /etc/whonix_version
Should show.
16
Footnotes
- ↑ Qubes has dynamic RAM assignment.
- ↑ This provides higher performance during upgrades and lowers the likelihood of issues.
- ↑ Although non-ideal, swap-file-creator will create an encrypted swap file and the system is configured to swap as little as possible.
- ↑ https://www.tenforums.com/tutorials/66809-determine-system-memory-size-speed-type-windows-10-a.html
- ↑ https://vitux.com/how-to-check-installed-ram-on-debian/
- ↑ https://support.apple.com/en-us/HT201191
- ↑ This command works in Red Hat, CentOS, Suse, Ubuntu, Fedora, Debian and other distributions. Alternative commands include: cat /proc/meminfo | grep MemTotal, top, and vmstat -s.
- ↑ By default, Qubes VMs use the same keyboard layout as Qubes dom0.
- ↑ By default, Qubes does not require a password for superuser access.
- ↑ https://www.qubes-os.org/doc/vm-sudo/
- ↑ Type the command in the terminal and press <Enter>.
- ↑ Usual Debian / sudo default. Unspecific to Whonix ™,