From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Whonix Logo
Whonix-Workstation-XFCE 16 01 2021 11 00 00.png
DeveloperWhonix Developers
OS familyLinux (Unix-like)
Working stateActive
Source modelOpen source
Initial release29 February 2012; 9 years ago (2012-02-29)
Latest release16[1] / September 10, 2021; 9 days ago (2021-09-10)
Marketing targetPersonal Computing, Servers (onion service hosting)
Platformsx86, arm64 (RPi 3)
Kernel typeMonolithic (Linux)
LicenseMainly the GNU GPL v3 and various other free software licenses
Official websitewww.whonix.org

Whonix[2] (formerly TorBOX[3]) is a Debian–based security-focused[4] Linux distribution.[5] It aims to provide privacy, security and anonymity on the internet. The operating system consists of two virtual machines, a "Workstation" and a Tor "Gateway", running Debian Linux. All communications are forced through the Tor network to accomplish this.[6][7][8][9][10]


Whonix is based on Kicksecure, a hardened Debian derivative with anonymity packages installed on top.[11] It is distributed as two virtual machine images: a "Gateway" and a "Workstation". These images are installed on a user-provided host operating system. Each VM image contains a customized Linux instance based on Debian. Updates are distributed via Tor using Debian's apt-get package manager.

The supported virtualization engines are VirtualBox, Qubes OS, and Linux KVM.

An "advanced" configuration uses two physically separate computers, with the Gateway running on the actual hardware of one of the computers, and the Workstation running in a VM hosted on the second. This protects against attacks on hypervisors at the cost of flexibility. Supported physical hardware platforms include the Raspberry Pi 3[12] and unofficial community efforts on the PowerPC workstation hardware, Talos, from Raptor Computing.[13]

On first startup, each VM runs a check to ensure that the software is up to date. On every boot, the date and time are set correctly using the sdwdate secure time daemon that works over Tor's TCP protocol.[14]

The Gateway VM is responsible for running Tor, and has two virtual network interfaces. One of these is connected to the outside Internet via NAT on the VM host, and is used to communicate with Tor relays. The other is connected to a virtual LAN that runs entirely inside the host.

The Workstation VM runs user applications. It is connected only to the internal virtual LAN, and can directly communicate only with the Gateway, which forces all traffic coming from the Workstation to pass through the Tor network. The Workstation VM can "see" only IP addresses on the Internal LAN, which are the same in every Whonix installation.

User applications therefore have no knowledge of the user's "real" IP address, nor do they have access to any information about the physical hardware. In order to obtain such information, an application would have to find a way to "break out" of the VM, or to subvert the Gateway (perhaps through a bug in Tor or the Gateway's Linux kernel).

The Web browser pre-installed in the Workstation VM is the modified version of Mozilla Firefox provided by the Tor Project as part of its Tor Browser package. This browser has been changed to reduce the amount of system-specific information leaked to Web servers.

Since version 15, like Tails, Whonix supports an optional "amnesiac" live-mode.[15] This combines the best of both worlds by allowing Tor's entry guard system to choose long-lived entry points for the Tor network on the Gateway, reducing adversaries' ability to trap users by running malicious relays, while rolling back to a trusted state. Some precautions on the host may be needed to avoid data being written to the disk accidentally. Grub-live, an additional separate project,[16] aims to allow bare-metal Debian hosts to boot into a live session, avoiding forensic remnants on disc. Additional testing to confirm the efficacy of the package is needed as of yet.

For the best defense against malicious guards, it is recommended to boot up the gateway from a pristine state and have a unique guard paired to each user activity. Users would take a snapshot to be able to switch to and use that guard consistently.[17] This setup guarantees that most activities of the user remain protected from malicious entry guards while not increasing the risk of running into one as a completely amnesiac system would.


Anonymity is a complex problem with many issues beyond IP address masking that are necessary to protect user privacy. Whonix focuses on these areas to provide a comprehensive solution. Some features:

  • Kloak - A keystroke anonymization tool that randomizes the timing between key presses. Keystroke biometric algorithms have advanced to the point where it is viable to fingerprint users based on soft biometric traits with extremely high accuracy. This is a privacy risk because masking spatial information—such as the IP address via Tor—is insufficient to anonymize users.
  • Tirdad - A Linux kernel module for overwriting TCP ISNs. TCP Initial Sequence Numbers use fine-grained kernel timer data, leaking correlatable patterns of CPU activity in non-anonymous system traffic. They may otherwise act as a side-channel for long running crypto operations.[18]
  • Disabled TCP Timestamps - TCP timestamps leak system clock info down to the millisecond which aids network adversaries in tracking systems behind NAT.[19]
  • sdwdate - A secure time daemon alternative to NTP that uses trustworthy sources and benefits from Tor's end-to-end encryption. NTP suffers from being easy to manipulate and surveil. RCE flaws were also discovered in NTP clients.[20]
  • MAT 2 - Software and filesystems add a lot of extraneous information about who, what, how, when and where documents and media files were created. MAT 2 strips out this information to make it safer to share files without divulging identifying information about the source.
  • LKRG - Linux Kernel Runtime Guard (LKRG) is a Linux security module that thwarts classes of kernel exploitation techniques. Hardening the guest OS makes it more difficult for adversaries to break out of the hypervisor and deanonymize the user.


The Whonix wiki includes a collection of operational security guides for tips on preserving anonymity while online. Additionally, a number of original content guides on what security tools to use and how, have been added over time. This includes how to access the I2P[21] and Freenet[22] networks over Tor.


  1. ^ "Whonix 16 has been Released! (Debian 11 bullseye based) - for VirtualBox - Major Release".
  2. ^ "Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not ." 7 January 2018 – via GitHub.
  3. ^ "doc/TorBOX – Tor Bug Tracker & Wiki". trac.torproject.org.
  4. ^ "About". Whonix.
  5. ^ "DistroWatch.com: Put the fun back into computing. Use Linux, BSD". distrowatch.com.
  6. ^ "Devs cook up 'leakproof' all-Tor untrackable platform". The Register. 13 Nov 2012. Retrieved 10 July 2014.
  7. ^ Greenburg, Andy (17 June 2014). "How to Anonymize Everything You Do Online". Wired. Retrieved 10 July 2014.
  8. ^ "Whonix adds a layer of anonymity to your business tasks". TechRepublic. 4 January 2013. Retrieved 10 July 2014.
  9. ^ "Whonix Home Page". Retrieved 10 July 2014.
  10. ^ "About". Whonix.
  11. ^ "Kicksecure ™: A Security-hardened, Non-anonymous Linux Distribution". Whonix. 2020-10-17. Retrieved 2020-12-11.
  12. ^ https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation#How_To_Install_Whonix-Gateway_.E2.84.A2_on_the_Raspberry_Pi_3_B_.28RPI3.29
  13. ^ https://wiki.raptorcs.com/wiki/Whonix>
  14. ^ "sdwdate: Secure Distributed Web Date". Whonix. 2020-09-14. Retrieved 2020-12-11.
  15. ^ "VM Live Mode: Stop Persistent Malware". Whonix. 2020-09-28. Retrieved 2020-12-11.
  16. ^ "grub-live: Boot existing Host Operating System or VM into Live Mode". Whonix. 2020-11-24. Retrieved 2020-12-11.
  17. ^ "Tor Entry Guards". Whonix. 2020-08-13. Retrieved 2020-12-11.
  18. ^ "Add research idea for Linux TCP Initial Sequence Numbers may aid correlation (#16659) · Issues · Legacy / Trac". GitLab. Retrieved 2020-12-11.
  19. ^ "[Tails-dev] Risks of enabled/disabled TCP timestamps?". 2017-02-01. Archived from the original on 2017-02-01. Retrieved 2020-12-11.
  20. ^ "Don't update NTP – stop using it - Hanno's blog". blog.hboeck.de. Retrieved 2020-12-11.
  21. ^ "Invisible Internet Project (I2P)". Whonix. 2020-11-26. Retrieved 2020-12-11.
  22. ^ "Freenet". Whonix. 2020-08-08. Retrieved 2020-12-11.

External links[edit]