Whonix Installation On Debian
Whonix Tor is a high security (and anonymity focused) operating system ran as a virtual machine. In this post, I am going over installing it on a system with debian as the host with KVM. If you are confused about any steps, just refer to the documentation.
I am following this page. I’ve already got KVM set up properly on my system so I am skipping that part.
Download And Verify
I do not have the patience to build from source but that is an option. Current download link is for 16.0.9.0.
After downloading, you should verify. I will be verifying using the signing key. After importing hulahoop’s key and finish downloading the .xz file and the current openPGP signature for the version I am downloading, I verify by running gpg --verify Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz.asc Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz (structure being gpg --verify signature.sig file). If good, it should return something like the output below.
gpg: Signature made Wed 28 Dec 2022 22:01:24 GMT
gpg: using RSA key 66F46246C900707FF10DC1E4EB27D2F8CEE41ACC
gpg: Good signature from "HulaHoop" [ultimate]
You can also verify by checking the sha512 hash. sha512 sum Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz and comparing this to the hashes on the site for the current version. They provide signed versions of the hashes too.
Decompress the file running tar -xvf Whonix*.libvirt.xz in a new folder. You need to accept the license agreement. If you accept, you should run touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted.
Import VM Templates
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml
Move Image Files
Move the image files to a location you want them to be on your system. A generic location is at /var/lib/libvirt/images/. You can also change the file names to something more simple instead of with the version numbering and all.
sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
If copying instead of moving, make sure to keep them as sparse files.
sudo cp --sparse=always Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo cp --sparse=always Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
Cleanup
Remove any other files left around other than the two required qcow2 files.
Boot
In your virt-manager, you should see the options whonix-gateway and whonix-workstation. Make any changes before first boot if you would like to such as regarding the qcow2 disk locations and RAM allocation. After you finish configuring both, start both of them up.
After booting in on the workstation, accept the agreement and continue with the setup connecting to tor and all. The default username and password is “user” and “changeme” which you need to enter the tty on the gateway VM. After you are connected and in, run sudo setup-dist for the gateway following the instructions in the ncurses menu and update both machines with sudo apt update && sudo apt upgrade. Installing neofetch with sudo apt install neofetch -y.
Post-installation
There are a lot of things that you may want to do post-install. A lot of it isn’t required but it is good to follow some of it such as with changing the password for the user “user”.
Other
The documentation page for KVM installation continues to go on about a lot of other things you may want to look into like snapshot migration, nesting, adding more vCPUs, creating shared folders between host and guest (be very careful with this) and a few other things. They do also list some unsafe features to enable so think very hard before doing any of those things especially in my opinion device passthroughs.
If you have any issues, read through the troubleshooting page to find a solution. If you can’t find an answer there, go to the forums.
Conclusion
Whonix is a very secure operating system but make sure to follow best practices and to keep your host safe too otherwise keeping the VM safe becomes mostly pointless.