Secure communication on the Internet with Whonix
No Way!
The curiosity of various players on the Internet is making anonymity increasingly important. The Debian derivative Whonix offers an easy-to-install, comprehensive solution with a complete virtual work environment to protect your privacy.
Specific groups, such as journalists, lawyers, whistleblowers, and political activists, are often the focus of intelligence agencies and other authorities. Business owners and researchers also can attract unwanted attention and find themselves the targets of attack. To communicate in an encrypted and anonymous way over the Internet and protect themselves from intrusion attempts and sniffer software, these groups often rely on special technological protections.
To shut out unauthorized eavesdroppers, the Whonix project now offers an interesting approach – but not just for these target groups: A specially hardened and isolated system with a connection to the Internet through the Tor network runs on a virtual machine (VM), allowing for encrypted and hard-to-trace communication.
Quartet
Whonix for Linux comes in four packages. In addition to a prepared gateway for VirtualBox weighing in at approximately 1.8GB, the developers supply a complete work environment based on Debian "Stable" with a size of around 2.1GB, which also runs as a separate system in VirtualBox. The two packages are completely preconfigured in OVA format and available for download [1]. Although this solution is aimed at newcomers with little network knowledge, the developers describe it as still in the test phase.
Whonix runs completely in a VirtualBox machine, which means you need it in place on your system. Most distributions have VirtualBox in their repositories, so the installation is typically just a matter of a few mouse clicks. Alternatively, you can download the software directly from Oracle [2], which is also where you will find the appropriate instructions for installing.
Your computer must have a CPU that supports the VT-x or AMD-V hardware virtualization extensions. Additionally, it needs at least 4GB of RAM, because you need to run two VMs for Whonix in addition to the host operating system. To check whether your computer supports the appropriate technology, run:
$ egrep '(vmx|svm)' /proc/cpuinfo flags : fpu [...] ds_cpl vmx est [...] dtherm arat [...]
If the command returns an empty result, the PC is too old, or you need to enable hardware virtualization in the computer BIOS.
Whonix also creates two virtual disks, each 100GB, in the VMs; they initially occupy a total of around 10GB of the drive. Because VirtualBox dynamically allocates mass storage, the virtual disks will only grow if disk utilization increases, so you do not need to provide 200GB of mass storage capacity for the two Whonix components. However, the free disk space should be more than 20GB total.
In two other stable packages, Whonix uses KVM technology embedded in the Linux kernel to run in a VM under KVM/Qemu. A gateway and a workstation of about the same size as that for VirtualBox are available, too [3], and can be controlled by graphical front ends such as Microsoft's Virtual Machine Manager, much like VirtualBox.
For both solutions, the download area also offers matching OpenPGP signatures and keys with which you can check the data integrity of downloaded packages. The developers provide a how-to for beginners [4].
Operations
Whonix relies on preset firewall rules to direct all traffic via the Tor connection configured in the gateway, and the Whonix workstation acts as the user interface downstream of the gateway. The workstation uses a network that is isolated from the host system to connect to the Internet.
The gateway has two virtual network interfaces – the project's attempt to achieve maximum security for the user. Among other things, this design keeps unauthorized users from sniffing IP addresses or the websites you have visited. Additionally, the VM is decoupled from the host system to prevent damage to it, should an attacker compromise it with malware unnoticed by the user.
The system thus prevents DNS and IP protocol leaks and effectively prevents an identity correlation using stream isolation, a technique that allows an attacker to draw conclusions about the identity of a user when identical transmission paths are used for various applications on the Tor network.
To maintain the high level of security, you should also be cautious when working with the host running the VMs. A compromise by malicious software can also affect VMs under certain circumstances, so it is advisable to install Whonix on a fresh host system.
Installation
To set up the two Whonix machines, start VirtualBox, and integrate the gateway and the workstation one after another from the File | Import Appliance menu. In the dialog that follows, select the corresponding OVA file in the file manager and click Next. Once the appliance settings appear, you can click Import (Figure 1). VirtualBox now integrates the appropriate package and prepares the VM for use.
Please note that VirtualBox does not support some Linux security features possible in Debian, such as the Grsecurity kernel extensions. A KVM/Qemu-based VM with an existing Grsecurity extension under Debian is generally safer than a standard system with VirtualBox. However, KVM/Qemu requires detailed knowledge of the Linux system for the installation and configuration. For detailed instructions on activating KVM and installing the Whonix components, see the wiki on the project site [5].
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.