







About this System Hardening Checklist page: support status stable; difficulty easy; contributor torjunkie.

Whonix ™ comes with many security features. Whonix ™ is Kicksecure ™ Security Hardened by default and also provides extensive Documentation including this Security Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.

Introduction

It is possible to significantly harden the Whonix ™ and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Easy

Anonymous Blogging, Posting, Chat, Email and File Sharing

To remain anonymous, follow all the Whonix ™ recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.

Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.

Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.

Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.

Utilize OnionShare to share or receive files securely and anonymously over the Tor network, or to host anonymous websites. High-risk users should manually install OnionShare 2.0 or higher to enforce v3 onion connections.



Command Line Operations

Disabling and Minimizing Hardware Risks

Entropy

To mitigate inadequate entropy seeding by the Linux Random Number Generator (RNG), it is recommended to install daemons that inject more randomness into the pool. From Debian 10 ("Buster") onward, jitterentropy-rngd is available; see footnote. [8] haveged also uses CPU timer jitter to generate entropy, and additional entropy sources cannot hurt; see footnote. [9]
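A quick audit of the entropy setup described above, as an added example that is not part of the Whonix documentation: it uses dpkg-query to check whether the two packages named above are installed and compares the kernel's entropy estimate against a threshold. The 256-bit threshold and all function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki): audit the entropy setup.
# MIN_ENTROPY and the function names are assumptions for this example.

MIN_ENTROPY=256   # assumed threshold in bits; tune to local policy

# Print the kernel's entropy estimate. The path is a parameter so the
# function can be exercised against a test file.
entropy_avail() {
    file="${1:-/proc/sys/kernel/random/entropy_avail}"
    [ -r "$file" ] || return 2
    value=$(cat "$file")
    case "$value" in
        ''|*[!0-9]*) return 2 ;;   # reject empty or non-numeric content
    esac
    printf '%s\n' "$value"
}

# Return 0 if the estimate meets the threshold, 1 if it is below it,
# 2 if the estimate could not be read.
entropy_ok() {
    bits=$(entropy_avail "$1") || return 2
    [ "$bits" -ge "${2:-$MIN_ENTROPY}" ]
}

# Return 0 if the named Debian package is fully installed.
pkg_installed() {
    status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || return 1
    [ "$status" = "install ok installed" ]
}

# Report which of the two daemons are installed and the pool state.
entropy_report() {
    for pkg in jitterentropy-rngd haveged; do
        if pkg_installed "$pkg"; then echo "$pkg: installed"
        else echo "$pkg: missing"; fi
    done
    if entropy_ok "$1"; then echo "entropy: ok"
    else echo "entropy: low or unreadable"; fi
}

entropy_report
```
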



File Handling

In File Manager, disable previews of files from untrusted sources. Change file preferences in the TemplateVM's File Manager so future AppVMs inherit this feature.

Files received or downloaded from untrusted sources (the internet, via email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM: Right-click → Open In DisposableVM

Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.

File Storage Location

Avoid storing files directly in the root home folder and create appropriate sub-folders instead.

Move files downloaded by Tor Browser from the ~/Downloads folder to another specially created one. [10]

Mandatory Access Control

Enable all available AppArmor profiles in the Whonix-Workstation ™ and Whonix-Gateway ™ TemplateVMs.

Enable seccomp on Whonix-Gateway ™ (sys-whonix ProxyVM).

Passwords and Logins

Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to make brute-force attacks infeasible.

Use a trusted password manager, so hundreds of different passwords can be kept stored in an encrypted password database, protected by one strong master password. [11]

For high-entropy passwords, consider using Diceware passphrases. [12]

In Qubes-Whonix ™, store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and securely cut and paste them into the Tor Browser. [13]

Read and follow all the principles for stronger passwords.

Screensavers

At a minimum, lock the screen of the host when it is unattended.

For better security, shut down the computer entirely -- screensavers are notoriously insecure. [14]

Secure Downloads

Download Internet files securely using scurl instead of wget from the command line.

When downloading with Tor Browser, prevent SSLstrip attacks by typing https:// links directly into the URL / address bar.

Prefer onion services file downloads, which provide greater security and anonymity than https.

Secure Qubes Operation

Secure Software Installation

Tor Browser Series and Settings

VirtualBox

Moderate

Create a USB Qube

Host Operating System Distribution

For a truly private operating system, install GNU/Linux on the host. [28]

The Debian distribution is recommended by Whonix ™ as providing a reasonable balance of security and usability.

Host Operating System Hardening

All Platforms

Non-Qubes-Whonix Only

Harden the host Debian Linux OS.

Kernels / Kernel Modules

Note: Cutting-edge kernels can destabilize the system or cause boot failures.

Newer kernels can expose additional vulnerabilities; see footnotes. [29] [30]

Kernel modules in Qubes and Qubes-Whonix ™ usually require configuration of a Qubes VM Kernel.

Memory Allocator

Networking

All Platforms

Qubes-Whonix ™ Only

Sandboxing

Consider using Firejail to restrict Tor Browser, Firefox-ESR, VLC and other regularly used applications -- note this comes with an increased fingerprinting risk. [51]

Spoof MAC Addresses

Tip: MAC spoofing is only necessary if traveling with your laptop or PC. It is not required for home PCs that do not change locations.

In Qubes-Whonix ™, follow these steps to spoof the MAC address on the Debian or Fedora TemplateVM used for network connections.

In Non-Qubes-Whonix ™, follow these steps to spoof the MAC address of the network card on a Linux, Windows or macOS host.

Time Stamps and NTP Clients

Tor Settings

Whonix ™ VM Security

Consider disabling the Control Port Filter Proxy to reduce the attack surface of both the Whonix-Gateway ™ and Whonix-Workstation ™.

On Whonix-Workstation ™, consider hardening whonixcheck.

Difficult

Anti-Evil Maid

If a Trusted Platform Module is available, use AEM protection to attest that only desired (trusted) components are loaded and executed during the system boot. [58]

Consider the Android Haven application for sensitive devices -- motion, sound, vibration and light sensors can monitor and protect physical areas. [59]

Chaining Anonymizing Tunnels

Avoid this course of action. The anonymity benefits are unproven and it may actually hurt a user's anonymity and security goals.

Virtual Private Network (VPN) tunnel-links are strongly recommended against due to multiple security and anonymity risks.

DisposableVMs

Run all instances of Tor Browser in a DisposableVM which is preferably uncustomized to resist fingerprinting. [60]

Configure each ServiceVM as a Static DisposableVM to mitigate the threat from persistent malware across VM reboots. [61]

Email

All Platforms

Qubes-Whonix ™ Only

Use split-GPG for email to reduce the risk of theft of the keys used for encryption / decryption and signing.

Create an AppVM that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").

Only open untrusted email attachments in a DisposableVM to prevent possible infection.

Ethernet/FDDI Station Activity Monitor

Flash the Router with Opensource Firmware

Warning: risk of bricking your router!

Replace the insecure, limited-utility, proprietary firmware on the router by flashing a powerful, open-source GNU/Linux alternative.

Multi-Factor User Authentication

Configure PAM USB as a module that only allows user authentication by inserting a token (a USB stick), in which a one-time password is stored.

For secure account logins, utilize a Yubikey hardware authentication device which supports one-time passwords, public-key encryption, and the Universal 2nd Factor (U2F) and FIDO2 protocols.

Qubes: Follow the Yubikey instructions to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and to improve USB keyboard security.

Whitelisting Tor Traffic

Qubes-Whonix ™: Configure sys-whonix to use corridor as a filtering gateway to ensure only connections to Tor relays pass through. [66] [67]

Non-Qubes-Whonix ™ or Qubes-Whonix: Use a standalone corridor as a filtering gateway.

Expert

Disable Intel ME Blobs

Warning: high risk of bricking your computer!

Opensource Firmware

Physical Isolation




Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
