Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.
Whonix consists of two parts:
- One solely runs Tor and acts as a gateway, which we call Whonix-Gateway.
- The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.
Whonix for Qubes
https://www.whonix.org/wiki/Qubes
Whonix for KVM
https://www.whonix.org/wiki/KVM
Whonix for VirtualBox
https://www.whonix.org/wiki/VirtualBox
If you want to upgrade an existing Whonix version using Whonix’s APT repository
Special instructions are required:
https://www.whonix.org/wiki/Upgrading_Whonix_10_to_Whonix_11
Edit 1:
There will be no more support for upgrading Whonix 10 to Whonix 11 after October 17 2015.
If you want to upgrade an existing Whonix version from source code
See https://www.whonix.org/wiki/Dev/BuildDocumentation.
Changelog between Whonix 10 and Whonix 11:
See the following two blog posts, which were calls for testing; they contain the changelogs. Whonix 11.0.0.3.0 has been blessed stable and released as Whonix 11.
– https://www.whonix.org/blog/whonix-11-testers-wanted
– https://www.whonix.org/blog/testers-wanted-rc-11-0-0-3-0
- fixed custom workstation build
- build script: refactoring, use errtrace rather than many traps – https://phabricator.whonix.org/T48
- build script: refactoring, use exit trap to reduce code duplication – https://phabricator.whonix.org/T269
- whonixcheck: warn if whonix-gateway / whonix-workstation package is not installed – https://phabricator.whonix.org/T264
- whonixcheck: warn if there is low entropy – https://phabricator.whonix.org/T202
- build, anon-apt-sources-list, anon-shared-build-apt-sources-tpo, whonix-repository: changed release codename from wheezy to jessie – https://phabricator.whonix.org/T270
- grub-enable-apparmor: Refactoring. Simplified for Debian jessie. Thanks to the new `/etc/default/grub.d` configuration folder, the `grub-enable-apparmor` has been greatly simplified. No longer need to config-package-dev divert `/etc/default/grub`.
- genmkfile: if debuild not available, recommend installation of the devscripts package
- build script: added fakeroot to whonix_build_script_build_dependency (required for verifiable builds)
- genmkfile: fix, do not set automatically make_use_gain_root_command to true if fakeroot is not installed
- genmkfile: run dpkg-checkbuilddeps before lintian to show better hint if build dependencies are missing
- build script: build-steps.d/1200_create-debian-packages: commented out get_extra_packages, no longer need to download packages from testing
- build script: refactoring, created separate help step, help-steps/git_sanity_test
- whonixcheck: verbose output for check_tor_socks_port_reachability
- all packages: packaging, bumped Standards-Version from 3.9.4 to 3.9.6 for jessie support
- lintian warning copyright fix
- tb-updater: show “highest version number is not necessarily the best one” message also on first run if no Tor Browser is installed yet – https://phabricator.whonix.org/T283
- build script: No longer install acpi-support-base by default on jessie, because systemd now implements that functionality. – https://phabricator.whonix.org/T284
- whonixcheck: added link to Whonix Build Version documentation https://www.whonix.org/wiki/Whonixcheck#Whonix_Build_Version – https://phabricator.whonix.org/T276
- build script: Fix commit 287bdcf6ddee007ba579e3ee9a1997edc8188581 ‘makefile: added --pedantic to default DEBUILD_LINTIAN_OPTS because we are going to fix the last remaining “missing upstream changelog” warning’ – added --pedantic to help-steps/variables.
- all packages: added debian/source/lintian-overrides with debian-watch-may-check-gpg-signature to fix lintian warning – https://phabricator.whonix.org/T277
- whonix-setup-wizard, anon-gw-anonyminizer-config, whonixcheck, whonix-ws-start-menu-additions, whonix-host-firewall: added ‘Keywords=’ to ‘.desktop’ files to fix lintian warning ‘desktop-entry-lacks-keywords-entry’ – https://phabricator.whonix.org/T281
- anon-shared-helper scripts: replaced dependency ‘python-support (>= 0.90)’ with dh-python to fix lintian warning
- control-port-filter-python: packaging, use debhelper with python2 to fix lintian warning
- modify apt-get parameters during build to prevent need to remove apt-listchanges – https://phabricator.whonix.org/T282
- build-script: refactoring, moved variables DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND from help-steps/variables to buildconfig.d/30_apt_opts
- genmkfile: hint “Is the build dependency genmkfile installed?” if genmkfile is not installed
- genmkfile: hint ‘dpkg-parsechangelog not found. Do you have the “build-essential” package installed?’ if dpkg-parsechangelog is not available
- sdwdate: removed dependency on ruby1.9.1-dev to fix lintian warning ‘E: sdwdate: depends-on-obsolete-package depends: ruby1.9.1-dev’
- whonixcheck: show diagnostic message on whonixcheck Whonix News gpg verification failure by default
- build script: Fix building Whonix on Whonix, fix if `lsb_release --short --i` returns ‘Whonix’. Temp hack ‘export whonix_build_on_operating_system="debian"’ no longer required. Thanks to @nrgaway for the bug report and the analysis. – https://phabricator.whonix.org/T278
- tb-updater: tbbversion_installed parser fix
- anon-meta-packages: removed dependency on libupower-glib1, which is no longer available in Debian jessie (it has been replaced by upower, which already gets installed)
- anon-base-files, whonix-developer-meta-files: implemented WHONIX_BUILD_QUBES=true environment variable support – https://phabricator.whonix.org/T298
- anon-meta-packages: whonix-gateway and whonix-workstation package no longer depend on anon-shared-build-fix-grub because it has been made a weak dependency for better physical isolation and Qubes support
- code simplification, removed support for environment variable ANON_BUILD_INSTALL_TO_ROOT=true because anon-shared-build-fix-grub now gets only installed on required platforms
- implemented build parameter ‘--unsafe-io true’, which speeds up builds by using ‘-o Dpkg::Options::=--force-unsafe-io’ and eatmydata and by ignoring ‘sync’. – Thanks to @nrgaway for the suggestion! – https://phabricator.whonix.org/T295
- implemented $apt_misc_opts – https://phabricator.whonix.org/T295
- whonixcheck: new --verbose debug feature, showing output of systemd-detect-virt
- vbox-disable-timesync: more robust implementation that is compatible with systemd – https://phabricator.whonix.org/T106
- timesync: compatibility with systemd – https://phabricator.whonix.org/T106
- whonixcheck, msgdispatcher: ported to systemd – https://phabricator.whonix.org/T106
- qubes-whonix: skip rads on Qubes – https://phabricator.whonix.org/T306
- systemd unit files: workaround/fix, removed spaces from ‘WantedBy = ’, likely bug in ‘deb-systemd-helper’ that prevents enabling the service by default – https://phabricator.whonix.org/T316
- created a hellodaemon package, useful for Debian systemd packaging debugging – not part of Whonix – https://github.com/adrelanos/hellodaemon
- whonixcheck: debian/control: fix, added to ‘Build-Depends:’ ‘ruby-ronn (>= 0.7.3)’
- disable torsocks warning spam – https://phabricator.whonix.org/T317
- whonix-libvirt: fixed CI builds
- whonix-libvirt: added driver name=’qemu’ – Thanks to HulaHoop! – https://github.com/Whonix/whonix-libvirt/pull/20 https://github.com/Whonix/whonix-libvirt/pull/19 https://github.com/Whonix/whonix-libvirt/pull/18
- anon-meta-packages: added obfs4proxy to anon-gateway-packages-recommended – https://phabricator.whonix.org/T323
- anon-meta-packages: added apt-transport-tor to anon-shared-packages-recommended – https://phabricator.whonix.org/T92
- whonix-gw-network-conf, whonix-ws-network-conf: Removed ‘pre-up /usr/bin/whonix_firewall’. The firewall is now loaded from /etc/network/if-pre-up.d, because the Debian upstream bug ‘interface comes up even if a script in /etc/network/if-pre-up.d/ fails’ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. – https://phabricator.whonix.org/T68
- whonix-gw-firewall, whonix-ws-firewall, whonix-host-firewall: Made package more standalone. Requiring ‘pre-up /usr/bin/whonix_firewall’ in /etc/network/interfaces is no longer necessary. Added etc/network/if-pre-up.d/30_whonix_firewall to load the firewall, because the Debian upstream bug ‘interface comes up even if a script in /etc/network/if-pre-up.d/ fails’ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. – https://phabricator.whonix.org/T68
- whonixsetup, whonix-setup-wizard: fix ‘Tor fails after reload related to torrc DisableNetwork setting issue’ by only restarting Tor, no longer trying to reload Tor – https://phabricator.whonix.org/T320
- rads: Improved implementation. When there is enough RAM… On ‘enter’: instantly start login manager. On ‘ctrl + c’: instantly abort and do not start login manager. On ‘timeout’: start login manager. Thanks to ‘dh_systemd_start --no-start’ we can now use ‘StandardInput=tty’ and ‘read’ instead of ‘systemd-ask-password’. Now we could even implement an interactive menu at boot (that allows configuring the wait time and/or disabling rads). – https://phabricator.whonix.org/T57
- whonixcheck: abolished random wait by default – https://phabricator.whonix.org/T299
- anon-ws-disable-stacked-tor: fixed ‘insserv: script tor.anondist-orig: service tor already provided!’ warning during upgrades – https://phabricator.whonix.org/T303
- anon-ws-disable-stacked-tor: systemd compatibility – https://phabricator.whonix.org/T303
- anon-base-files: no longer ‘set -o pipefail’ in /usr/lib/pre.bsh. config-package-dev doesn’t like ‘set -o pipefail’ – http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html – https://phabricator.whonix.org/T329
- upstream bug report: spaces in Tor’s systemd unit file causes issues – https://trac.torproject.org/projects/tor/ticket/16162
- upstream bug report: Tor dies on reload when switching to ‘DisableNetwork 0’ when using ‘DnsPort 127.0.0.1:53’ – https://trac.torproject.org/projects/tor/ticket/16161
- build script: fix, support ‘--verifiable false’ (was ‘--verifiable minimal’ while build documentation said ‘false’)
- uwt: multi user fix – https://www.whonix.org/forum/index.php/topic,1267
- Qubes: WiFi Realtek RTL8191SEvB Issue and Solution https://groups.google.com/forum/#!topic/qubes-users/kMGTSwP72aU
- whonix-setup-wizard API proposal: https://www.whonix.org/wiki/Dev/whonixsetup
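The two firewall entries in the changelog above move firewall loading from a ‘pre-up /usr/bin/whonix_firewall’ line in /etc/network/interfaces to etc/network/if-pre-up.d/30_whonix_firewall. The following check is an added example, not code from the Whonix project: it audits a filesystem tree (a live system or a mounted image) for that layout. The function name, its root argument and the result strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a tree for the Whonix 11 firewall hook layout.
# Usage (hypothetical): audit_firewall_hook /        # live system
#                       audit_firewall_hook /mnt/img # mounted image

audit_firewall_hook() {
    root=${1:-/}
    hook="$root/etc/network/if-pre-up.d/30_whonix_firewall"
    interfaces="$root/etc/network/interfaces"

    # Without the hook nothing loads the firewall before the
    # interface is configured.
    if [ ! -f "$hook" ]; then
        echo "hook-missing"
        return 1
    fi

    # A hook without the execute bit cannot be run.
    if [ ! -x "$hook" ]; then
        echo "hook-not-executable"
        return 1
    fi

    # The pre-up line is no longer necessary; report an active
    # (uncommented) copy that survived an upgrade so it can be reviewed.
    if [ -f "$interfaces" ] &&
       grep -Eq '^[[:space:]]*pre-up[[:space:]]+/usr/bin/whonix_firewall' "$interfaces"; then
        echo "legacy-pre-up"
        return 0
    fi

    echo "ok"
    return 0
}
```

A non-zero return means the firewall hook would not load; "legacy-pre-up" is informational and returns zero.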
If you want to build images from source code
See https://www.whonix.org/wiki/Dev/BuildDocumentation.
Call for Help
– If you know JavaScript, Python, shell scripting (/bin/bash) and/or Linux sysadmin, please join us!
– Contribute: https://www.whonix.org/wiki/Contribute
– Donate: https://www.whonix.org/wiki/Donate
Source: https://www.whonix.org