{{Title|
title=System Hardening Checklist
}}
{{Header}}
{{#seo:
|description=Security hardening instructions for {{project_name_long}} and {{q_project_name_long}}. Improving Linux, Windows and macOS host computer security and networking configurations. Safe Tor, Tor Browser and other online activities.
|image=Hardening-13423213.jpg
}}
{{Contributor|
|status=stable
|about=About this {{PAGENAME}} Page
|difficulty=easy
|contributor=[https://forums.whonix.org/u/torjunkie torjunkie]
|support=[[Support]]
}}
[[File:Kicksecure-seal.png|thumb|200px]]
[[image:Hardening-13423213.jpg|thumb]]
{{intro|
{{project_name_short}} comes with [https://www.whonix.org/#security many security features]. {{project_name_short}} is {{Kicksecure_link | |{{Kicksecure}} }} Hardened by default and also provides extensive [[Documentation]] including this System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at users who wish to improve the security of their systems for even greater protection.
}}
= Introduction =
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Recommendations specific to [[Qubes|{{q_project_name_short}}]] or [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] are marked accordingly.
}}
It is possible to significantly harden {{project_name_short}} and/or the host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening depends on a user's skill set, motivation and available hardware.

The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.
= Easy =
== Anonymous Blogging, Posting, Chat, Email and File Sharing ==
* To remain anonymous, follow all the [[Surfing_Posting_Blogging|{{project_name_short}} recommendations]] to minimize the threats of keyboard/mouse biometrics, [[Surfing_Posting_Blogging#Stylometry|stylometric analysis]] and other covert channels.
** A browser is an unsafe environment in which to write text directly, regardless of whether it is a forum post, email, webmail or IMAP-related reply.
*** At a minimum, users should not type into browsers with JavaScript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.
* Remove [[metadata|metadata]] from documents, pictures, videos or other files before uploading them to the Internet.
* Think twice before sharing [[Surfing_Posting_Blogging#Photographs|"anonymous" photos]], because of unique embedded noise signatures that have no known countermeasures.
* Be careful when sharing [[Surfing_Posting_Blogging#Documents|anonymous documents]]. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) and share the output instead.
* Utilize [[OnionShare|OnionShare]] to anonymously and securely share or receive files over the Tor network, chat anonymously, or host anonymous websites. OnionShare 2.0 and higher enforce v3 onion connections. {{project_name_short}} 16 is based on Debian {{Stable project version based on Debian codename}}, which provides OnionShare v2.2.
== Command Line Operations ==
* Do not run commands unless they are completely understood -- first refer to a suitable [[Documentation|{{project_name_short}} wiki resource]] if available.
* If [[Root|root privileges]] are required, run the command with sudo rather than logging in as root or using sudo su. This reduces the likelihood of a successful root or non-root user compromise.
** Consider [[Root#Disable_Root_Account|disabling the root account]] permanently. {{project_name_short}} 16 and later versions disable the root account by default.
** To prevent malware from sniffing the root password, [[Root#Prevent_Malware_from_Sniffing_the_Root_Password|create an admin user account with sudo permissions]] before performing administrative tasks that require root access.
** Prefer sudoedit for better security when editing files. https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation-and-whonix-software/7599
* [[Login spoofing|Defeat login spoofing]] by using the Secure Access Key ("SAK"; SysRq + k) procedure.
* Consider enabling [[SysRq]] "Security Keys" functionality as insurance against system malfunctions -- this assists in system recovery efforts and limits the potential harm of a malware compromise.
== Disabling and Minimizing Hardware Risks ==
* Unplug external devices when not needed.
* Consider [[Hardware_Threat_Minimization#Microphones|disabling microphones]] where possible (muting on the host) or, better, physically removing them.
* {{kicksecure_wiki |wikipage=Hardware_Threat_Minimization#Eavesdropping_Risk_by_Speakers |text=Since speakers (all audio output devices) can be turned into microphones }}, if possible, {{kicksecure_wiki |wikipage=Hardware_Threat_Minimization#Speakers |text=physically remove speakers on the host and remove/disable the beeper}}. This addresses the following spying techniques:
** [https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit]
** techniques relying on watermarked, (in)audible sounds that can link multiple devices, as well as [https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf headphones/speakers being covertly used as a microphone].
* Preferably [[Hardware_Threat_Minimization#Webcams|detach webcams or, even better, physically cover webcams with a sticker or switch]] unless they are in use.
** If using [[Qubes|{{q_project_name_short}}]], assign the webcam to an untrusted VM (if needed).
* Avoid using [[Hardware_Threat_Minimization#Wireless_Input_Devices|wireless devices]], since they are insecure.
* Preferably disable or remove [https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns Bluetooth hardware modules].
* Disable or remove [[Protection_Against_Physical_Attacks#Problematic_Interfaces|problematic devices]] like ExpressCard, PCMCIA, FireWire or Thunderbolt, which may allow attackers with physical access to read RAM.
* Do not enable audio input to any VM unless strictly required.
* Apply [[Firmware_Security_and_Updates#Firmware_Updating_and_Security_Problems|CPU microcode updates]]; this applies to both Intel and AMD architectures. While this may introduce new vulnerabilities, it is objectively better than running a system that is vulnerable to known attacks.
* Consider [[Security-misc#Restrict_Hardware_Information_to_Root|restricting hardware information to the root user]] in {{project_name_short}}. This hides hardware identifiers from unprivileged users.
* In [[Qubes|{{q_project_name_short}}]], only use a mouse and keyboard utilizing PS/2 ports (not USB ports) to prevent [https://theinvisiblethings.blogspot.fr/2011/06/usb-security-challenges.html malicious compromise] of dom0 (PS/2 adapters and available controllers are required).
== Entropy ==
* To mitigate inadequate entropy seeding by the Linux Random Number Generator (RNG), it is recommended to install daemons that inject more randomness into the pool.
** From [https://wiki.debian.org/DebianBuster Debian 10 ("Buster")] onward, [[Dev/Entropy#jitterentropy|jitterentropy-rngd]] is available; see footnote.
{{CodeSelect|code=
sudo apt install jitterentropy-rngd
}}
** [[Dev/Entropy#haveged|haveged]] also uses CPU timer jitter to generate entropy, and additional entropy sources cannot hurt; see footnote.
{{CodeSelect|code=
sudo apt install haveged
}}
== Dedicated Computer ==
For high security, it is best to use a dedicated, physically different computer only for the purpose of using {{project_name_short}} and nothing else. For other use cases, use completely different hardware, including a different screen. This lowers the impact of VM fingerprinting in case the VMs are ever compromised.

{{kicksecure_wiki
|wikipage=System_Configuration_and_Access#Use_a_Dedicated_Host_Operating_System_and_Computer
|text=Use a Dedicated Host Operating System and Computer
}}

Related: [[VM Fingerprinting]]

Forum discussion: https://forums.whonix.org/t/high-opsec-recommendation/17237
== File Handling ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{q_project_name_short}} only.
}}
* In File Manager, disable previews of files from untrusted sources. Change the file preferences in the Template's File Manager so that future App Qubes inherit this setting.
* Files received or downloaded from untrusted sources (the internet, via email, etc.) should not be opened in a trusted VM. Instead, open them in a Disposable: Right-click → Open In Disposable
* Untrusted PDFs should be opened in a Disposable or converted into a [https://github.com/QubesOS/qubes-app-linux-pdf-converter trusted (sanitized) PDF] to prevent exploitation of the PDF reader and potential infection of the VM.
== File Folder Permissions ==
* The Linux user account nobody has no special meaning.
* The Linux user group nogroup has no special meaning either.
* Therefore, users should avoid running programs under user nobody and/or group nogroup, and avoid setting file or folder permissions to that user / group. https://forums.whonix.org/t/delete-disable-nobody-user-from-whonix-passwd/14085
== File Storage Location ==
* Avoid storing files directly in the root home folder and [[Whonix-Workstation_Security#File_Storage_Location|create appropriate sub-folders instead]].
* Move files downloaded by Tor Browser from the ~/Downloads folder to another, specially created one. The reason is that AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.
== Mandatory Access Control ==
* Enable all available [[AppArmor|AppArmor profiles]] in the {{project_name_workstation_long}} and {{project_name_gateway_long}} Templates.
* Enable [[{{project_name_gateway_short}}_Security#Seccomp|seccomp]] on {{project_name_gateway_short}} ({{project_name_gateway_vm}} ProxyVM).
== Mobile Devices ==
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = '''Warning:''' Phones, smartphones, smartwatches, tablets and similar mobile devices are {{kicksecure_wiki |wikipage=Mobile_Phone_Security#Advanced_Mobile_Phone_Spyware |text=vulnerable to advanced malware }} and can be abused for eavesdropping, espionage, location tracing and more.
}}
* Since the {{kicksecure_wiki |wikipage=Mobile_Phone_Security#Best_Practices |text=mobile device security best practices for risk mitigation }} are often difficult or infeasible to adhere to, it might be easier to physically move all mobile devices to a distant physical location, such as a different room with the door closed, and/or to power off mobile devices.
== Passwords and Logins ==
* Use strong, unique and random [[Passwords|passwords]] for all online accounts, system logins and encryption / decryption purposes, to make brute-forcing attacks infeasible.
* Use a trusted [[Keepassxc|password manager (KeePassXC)]] ([https://packages.debian.org/{{Stable project version based on Debian codename}}/keepassxc Debian KeePassXC package]), so hundreds of different passwords can be stored in an encrypted password database protected by one strong master password. For greater security, store the password manager off-line.
* For high-entropy passwords, consider using [[Passwords#Generating_Unbreakable_Passwords|Diceware passphrases]]. To [[Passwords#Diceware_Password_Strength|estimate strength]], an 8-word Diceware passphrase provides ~90 bits of entropy, while a 10-word passphrase provides ~128 bits of entropy.
* In [[Qubes|{{q_project_name_short}}]], store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and securely cut and paste them into Tor Browser. For greater safety, copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
* Read and follow all the [[Passwords#Principles_for_Stronger_Passwords|principles for stronger passwords]].
== Screensavers ==
* At a minimum, [[Protection_Against_Physical_Attacks#Screen_Lock|lock the screen of the host]] when it is unattended.
* For better security, shut down the computer entirely -- screensavers are notoriously insecure. For example, [https://www.jwz.org/xscreensaver/faq.html#popup-windows sensitive notifications] (pop-up dialog boxes) can [https://github.com/QubesOS/qubes-issues/issues/2026 appear over the screensaver while locked], and screensaver [https://www.debian.org/security/2016/dsa-3438 bypass] [https://web.archive.org/web/20210925121730/https://bugs.archlinux.org/index.php?do=details&task_id=27993 bugs] are common. See [https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128 Screen Locker (In)Security - Can we disable these at least 4 backdoors?] and [https://github.com/QubesOS/qubes-issues/issues/6595 Disconnecting a video output can cause XScreenSaver to crash (QSB-068, CVE-2021-34557)].
== Secure Downloads ==
* Download Internet files [[Secure_Downloads|securely]] using scurl instead of wget from the command line.
* When downloading with Tor Browser, [[Tor_Browser#Preventing_SSLStrip_Attacks|prevent SSLstrip attacks]] by typing https:// links directly into the URL / address bar.
* Prefer [[Tor_Browser#Other_Precautions|onion service]] file downloads, which provide greater security and anonymity than https.
== Secure Qubes Operation ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{q_project_name_short}} only.
}}
* Refer to the {{kicksecure_wiki|wikipage=Kicksecure-Qubes_Security|text={{q_project_name_short}} security recommendations}} and always follow the [https://www.qubes-os.org/news/ latest security news] and [https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md advice] from the Qubes team.
== Secure Software Installation ==
* Default to Debian's {{kicksecure_wiki |wikipage=Install_Software#Best_Practices |text=official package manager APT }} for installing software, and avoid third-party package managers.
* When possible, use mechanisms which simplify and automate software upgrades and installations, like apt functions.
* Prefer installation of software from {{kicksecure_wiki |wikipage=Install_Software#Best_Practices |text=signed (Debian) GNU/Linux repositories }} and avoid manually installing software, particularly if it is unsigned.
* Set the Qubes, Debian and {{project_name_short}} package updates to [[Onionizing_Repositories|Tor onion service repositories]]. The {{project_name_short}} and Debian repositories are no longer set to onion mirrors by default due to stability issues. This decision will be reviewed in the future once v3 onions have further matured.
* For safer installations or updates, first {{kicksecure_wiki |wikipage=Install_Software#How-to:_Install_or_Update_with_Utmost_Caution |text=stop all activity/applications and rotate the Tor circuits }}.
* Always [[Verifying_Software_Signatures|verify key fingerprints and digital signatures of signed software]] before importing keys or installing software.
** Avoid using [[OpenPGP#Key_Servers|keyservers]] if possible.
** It is safer to [[Secure Downloads|securely download]] the key from a source that is logically connected to the owner, if possible outside the keyserver model. If a keyserver is required, utilize the v3 onion address for keys.openpgp.org: http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
== Updates ==
* Operating System Updates: It is crucial to regularly check for [[Operating_System_Software_and_Updates#Updates|operating system updates]] on the host operating system, and on both {{project_name_workstation_short}} and {{project_name_gateway_short}}.
* Stay tuned: It is [[Stay_Tuned#Reason|absolutely crucial]] to subscribe to and read the latest {{project_name_short}} news in the 'important-news' category to stay in touch with ongoing developments. This way, users benefit from notifications concerning important security advisories, potential upgrade issues and improved releases which address identified issues, like those affecting the updater or other core elements. [[Stay_Tuned|Follow {{project_name_short}} Developments]].
* Debian Security Announcements: Since {{project_name_short}} is [[About#Based_on_Debian|based on Debian]], users should consider subscribing to the Debian [https://lists.debian.org/debian-security-announce/ security announcement mailing list] to stay informed about the latest security advisories. See also chapter [[Operating_System_Hardening#Debian_Security_Announcements|Debian Security Announcements]].
== Tor Browser Series and Settings ==
* Prefer the stable Tor Browser release over the alpha series, in line with Tor developer recommendations; see footnotes. [https://blog.torproject.org/new-release-tor-browser-90a1 Tor Blog]:
Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
[https://www.ics.uci.edu/~perl/pets16_selfrando.pdf Selfrando] (load-time memory randomization) protection has been [https://gitlab.torproject.org/legacy/trac/-/issues/30377 removed from alpha Tor Browser Linux builds]. Although Selfrando provides a security improvement over the standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort. The "hardened" Tor Browser series has been deprecated; see: https://gitlab.torproject.org/legacy/trac/-/issues/21912 Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a [https://wiki.mozilla.org/Security/Sandbox native sandbox].
* Run the [[Tor_Browser#Security_Slider|Tor Browser Security Slider]] in the highest position. This may affect usability and proper functioning on some websites.
* [https://support.torproject.org/#tbb_tbb-34 Disable JavaScript] by default and [[Tor_Browser#Security_vs_Usability_Trade-off|only allow it sparingly]] for trusted sites. This is more secure, but increases the user's fingerprinting risk due to selective use of JavaScript.
* Do not configure [[Tor_Browser#NoScript_Custom_Setting_Persistence|custom NoScript (per-site) settings]] which persist across successive Tor Browser sessions, because this aids fingerprinting.
* Use [https://support.torproject.org/onionservices/ .onion services] where possible to stay within the Tor network, such as defaulting searches to the [https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ DuckDuckGo onion service]. Take care to observe that you stay within the Tor network -- 'downgrade' attacks have been observed that result in clearnet URLs being loaded in place of onion services across successive page loads on some sites.
* Use [[Tor_Browser/Advanced_Users#Multiple_Tor_Browser_Instances_and_Workstations|multiple Tor Browser instances or multiple {{project_name_workstation_short}}]] to better compartmentalize contextual identities.
* Follow all other [[Tor_Browser#Unsafe_Tor_Browser_Habits|{{project_name_short}} recommendations for safe]] and [[Tips_on_Remaining_Anonymous|anonymous]] use of [[Tor_Browser|Tor Browser]].
* [[Install_Tor_Browser_Outside_of_{{project_name_short}}|Install Tor Browser outside of {{project_name_short}}]] so a second, working instance is always available for anonymous activities. This circumvents possible future problems, like the breakage of {{project_name_short}}.
== Virtual Machines ==
=== All Virtualizers ===
* Remove the virtual audio controller to prevent VMs from getting access to a {{kicksecure_wiki |wikipage=Hardware_Threat_Minimization#Microphones |text=microphone (eavesdropping risk) }} or [[Hardware_Threat_Minimization#Speakers|speaker]] ([[Hardware_Threat_Minimization#Profiling_Threat|profiling threat]]).
=== VirtualBox ===
* Remove a host of [[Virtualization_Platform_Security#VirtualBox Hardening|VirtualBox features]] to reduce the attack surface.
* Take regular, clean [[{{project_name_workstation_short}}_Security#VM_Snapshots|VM snapshots]] that are not used for any activities.
* Spoof the initial [[Network_Time_Synchronization#Spoof_the_Initial_Virtual_Hardware_Clock_Offset|virtual hardware clock offset]].
* Consider disabling [[VirtualBox/Guest_Additions#Clipboard_Sharing|clipboard sharing]] to reduce the risk of identity correlation. Bidirectional clipboard sharing is currently enabled by default in {{project_name_short}} VirtualBox VMs. There are security reasons to disable clipboard sharing, for example to prevent accidentally copying something (non-)anonymous and pasting it into its (non-)anonymous counterpart, such as a browser, which would lead to identity correlation.
* [[VirtualBox/Guest_Additions#Shared_Folder|Shared folders]] are discouraged because they weaken isolation between the guest and the host. Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host.
== Warrant Canary ==
* Learn more about [https://en.wikipedia.org/wiki/Warrant_canary warrant canaries] -- see [[Trust#{{project_name_short}}_Warrant_Canary|{{project_name_short}} Warrant Canary]] ([https://forums.whonix.org/t/whonix-warrant-canary/3208 forum discussion]) and [https://www.eff.org/deeplinks/2016/05/canary-watch-one-year-later limitations of warrant canaries].
= Moderate =
== Create a USB Qube ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{q_project_name_short}} only.
}}
* Prepare and safely utilize a [https://www.qubes-os.org/doc/how-to-use-usb-devices/ USB qube]. A USB qube is automatically created as of Qubes R4.0. USB keyboards and mice expose dom0 to attacks, and all USB devices are potential [https://en.wikipedia.org/wiki/Side-channel_attack side channel attack vectors].
* Configure a [https://www.qubes-os.org/doc/disposable-customization/#create-the-sys-usb-disposable disposable sys-usb].
== Host Operating System Distribution ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{non_q_project_name_long}} only.
}}
* For a truly private operating system, install [[Host_Operating_System_Selection|GNU/Linux]] on the host. [https://www.gnu.org/proprietary/malware-microsoft.html Windows] and [https://www.gnu.org/proprietary/malware-apple.en.html macOS] are surveillance platforms that do not respect user freedom or privacy.
* The [[Host_Operating_System_Selection#Recommended_Host_Operating_Systems|Debian distribution]] is recommended by {{project_name_short}} as providing a reasonable balance of security and usability.
** Consider installing the [[Kicksecure|{{kicksecure}}]] Debian derivative, since it has considerable security hardening by default. {{kicksecure}} has an advanced multi-layer defense model, thereby providing defense in depth. In its default configuration, {{kicksecure}} provides protection from many types of malware, with no customization required.
== Host Operating System Hardening ==
=== All Platforms ===
* Use [[Full_Disk_Encryption_and_Encrypted_Images#Full_Disk_Encryption_on_the_Host|Full Disk Encryption (FDE)]] on the host.
* Apply a [[Protection_Against_Physical_Attacks#BIOS_Password|BIOS password]] for BIOS setup and boot.
* {{kicksecure_wiki|wikipage=Advanced_Host_Security#apt-transport-tor|text=Torrify APT traffic}} on the host to prevent fingerprinting and leakage of sensitive security information.
* Follow all other {{project_name_short}} recommendations to {{kicksecure_wiki|wikipage=Advanced_Host_Security#Key_Hardening_Steps|text=further harden the host OS}} against [[Protection_Against_Physical_Attacks|physical attacks]].
=== {{non_q_project_name_short}} Only ===
* [[Operating_System_Hardening#Harden_Debian|Harden]] the host Debian Linux OS.
== Kernels / Kernel Modules ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Note:
* Cutting-edge kernels can destabilize the system or cause boot failures.
* Newer kernels can expose additional vulnerabilities; see footnotes. [https://grsecurity.net/the_truth_about_linux_4_6 The Truth about Linux 4.6]:
The real "hard truth" about Linux kernel security is that there's no such thing as a free lunch. Keeping up to date on the latest upstream kernel will generally net all the bug fixes that have been created thus far, but with it of course brings completely new features, new code, new bugs, and new attack surface. The majority of vulnerabilities in the Linux kernel are ones that have been released just recently, something any honest person active in kernel development can attest to.
{{project_name_short}} contributor madaidan has [https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598?page=11 noted]:
LTS kernels have less hardening features and not all bug fixes are backported but it has less attack surface and potentially less chance of having bugs. Stable kernels have more hardening features and all bug fixes but more attack surface and more bugs.
* Kernel modules in Qubes and {{q_project_name_short}} usually require configuration of a Qubes VM Kernel.
}}
* To benefit from additional protections, including [https://grsecurity.net/ grsecurity elements] being mainlined by the [https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project Kernel Self Protection Project], consider installing [[Kernel|newer kernels]]:
** On the [https://wiki.debian.org/KernelFAQ host Linux platform].
** In {{project_name_short}} VMs.
** Qubes: in [https://www.qubes-os.org/doc/how-to-install-software-in-dom0/ dom0] and in Qubes VMs (see [https://www.qubes-os.org/doc/managing-vm-kernels/ Qubes VM Kernel]). This will likely become the default in future; see [https://github.com/QubesOS/qubes-issues/issues/5212 Simplify and promote using in-vm kernel]. Do not raise Qubes VM Kernel issues at {{project_name_short}}. Instead, contact [https://www.qubes-os.org/support/ Qubes support]. https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not/2275
* In [[Qubes|{{q_project_name_short}}]], consider installing the [https://github.com/Kicksecure/tirdad tirdad] kernel module to protect against [https://bitguard.wordpress.com/2019/09/03/an-analysis-of-tcp-secure-sn-generation-in-linux-and-its-privacy-issues/ TCP ISN-based CPU information leaks]; it randomizes the TCP Initial Sequence Numbers (ISNs). [https://github.com/Kicksecure/tirdad tirdad] is installed in {{non_q_project_name_short}} by default.
* Advanced users can undertake host kernel hardening to significantly increase security and privacy.
== Live-mode ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{non_q_project_name_short}} only.
}}
* Consider running {{project_name_short}} with [[Live Mode]] in a VM, or even better with {{project_name_short}} as the host OS, so all writes go to RAM instead of the hard disk.
** If Debian is run as the host OS, consider also booting into [[Live Mode]].
* [[Anti-Forensics_Precautions|Disable swap and program crash dumps]] as an anti-forensics precaution.
* When using [[Live Mode]] in a VM, consider enabling [[VM_Live_Mode/Read_Only_Mode_Hard_Drive|read-only hard drive mode]] to make it harder for malware to gain persistence. This prevents remounting of the hard drive as read-write.
== Networking ==
=== All Platforms ===
* If possible, use a [[Host_Firewall#Dedicated_Connection|dedicated network connection]] (LAN, WiFi etc.) that is not shared with other, potentially compromised computers.
* If using a shared network via a common cable modem/router or ADSL router, configure a {{kicksecure_wiki|wikipage=Advanced_Host_Security#DMZ|text=de-militarized zone}} (perimeter network). This restricts {{project_name_gateway_short}} accessibility to/from other nodes on the network such as printers, phones and laptops.
* Test the [[Host_Firewall#Port_Scan|LAN's router/firewall]] with either an internet port scanning service or, preferably, a port scanning application from an external IP address.
* Change the default administration password on the router to a unique, random and suitably long [[Passwords#Generating_Unbreakable_Passwords|Diceware passphrase]] to prevent brute-forcing attacks.
* WiFi users should default to the [https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access WPA2-AES] or [https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements WPA3] standard; these protocols are safer and have stronger encryption. [https://www.malwarebytes.com/blog/news/2018/01/wpa3-will-secure-wi-fi-connections-in-four-significant-ways-in-2018 WPA3 protocol improvements] include:
** Protection against brute-force "dictionary" attacks -- adversaries cannot make multiple login attempts with commonly used passwords.
** Stronger encryption: WPA2 relies on a 64-bit or 128-bit encryption key, but WPA3 uses 192-bit encryption.
** Use of individualized data encryption in open networks to strengthen user privacy.
** [https://www.schneier.com/blog/archives/2018/07/wpa3.html Forward secrecy]: if an adversary captures encrypted Wi-Fi transmissions and later cracks the password, they cannot use it to read older data.
* Do not rely on Wi-Fi Protected Setup (WPS), which has [https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup major security flaws].
* Follow all other {{project_name_short}} recommendations to [[Router_and_Local_Area_Network_Security#Recommended_Router_Settings|lock down the router]].
* [[Whonix-Workstation_Security_Hardening#Disable_TCP_SACK|Disable TCP SACK]] to limit the risk of remote DoS and other attacks.
=== {{q_project_name_short}} Only ===
* Prefer the Debian Template for networking (sys-net and sys-firewall) since it is [https://github.com/QubesOS/qubes-issues/issues/1781 minimal in nature] and does not "ping home", unlike the Fedora Template. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
* Consider using customized [https://www.qubes-os.org/doc/templates/minimal/ minimal templates] for NetVMs to reduce the attack surface and memory requirements. Four options are currently available:
** [https://github.com/Qubes-Community/Contents/blob/master/docs/os/centos.md CentOS]. Example:
{{CodeSelect|code=
sudo qvm-template install centos-8-minimal
}}
** [https://www.qubes-os.org/doc/templates/debian/ Debian]. Example:
{{CodeSelect|code=
sudo qvm-template install debian-{{Stable project version based on Debian version short}}-minimal
}}
*** Debian can optionally be morphed into a {{kicksecure_wiki |wikipage=Main_Page |text={{kicksecure}} Template }} for greater security.
** [https://www.qubes-os.org/doc/templates/fedora/ Fedora]. Example:
{{CodeSelect|code=
sudo qvm-template install fedora-36-minimal
}}
** [https://github.com/Qubes-Community/Contents/blob/master/docs/os/gentoo.md Gentoo]
* For greater security, higher performance and a lower resource footprint, consider using an experimental [https://github.com/talex5/qubes-mirage-firewall MirageOS-based unikernel firewall] that can run as a Qubes OS ProxyVM.
* Consider utilizing [https://github.com/unman/notes/blob/master/openBSD_as_netvm OpenBSD for sys-net] to reduce the attack surface. Qubes tracker: [https://github.com/QubesOS/qubes-issues/issues/5294 Use OpenBSD as NetVM]. OpenBSD is assessed as having a lower attack surface than Linux, uses fewer system resources, and has strong exploit mitigations. Note that OpenBSD cannot currently be configured as sys-firewall. See also [[Dev/Operating_System#OpenBSD|other OpenBSD considerations]].
== Sandboxing ==
* Consider using [[{{project_name_workstation_short}}_Security#Firejail|Firejail]] to restrict Tor Browser, Firefox-ESR, VLC and other regularly used applications -- note this comes with an increased [https://forums.whonix.org/t/tor-browser-hardening-hardened-malloc-firejail-apparmor-vs-web-fingerprint/7851/54 fingerprinting risk], and any vulnerability in Firejail [https://madaidans-insecurities.github.io/linux.html#firejail can allow escalation to root privileges]. Previously, The Tor Project's [[Deprecated#Sandboxed_Tor_Browser|alpha sandbox]] was recommended to restrict Tor Browser, but [https://gitlab.torproject.org/legacy/trac/-/issues/25540 the project has unfortunately been abandoned].
* In a future [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] release, consider using [[Sandbox-app-launcher|sandbox-app-launcher (Sandboxed Application Launcher)]] to restrict applications within a bubblewrap sandbox confined by AppArmor. Although not implemented yet, all user-installed applications will be automatically configured to run in the sandbox, and a prompt will ask which permissions should be granted to the application.
== Spoof MAC Addresses ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = '''Tip:''' [https://en.wikipedia.org/wiki/MAC_spoofing MAC spoofing] is only necessary if traveling with your laptop or PC. It is not required for home PCs that do not change locations.
}}
* In [[Qubes|{{q_project_name_short}}]], [https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md follow these steps] to spoof the MAC address on the Debian or Fedora Template used for network connections.
* In [[Non-Qubes-Whonix|{{non_q_project_name_short}}]], follow [[MAC_Address#Changing_MAC_Addresses|these steps]] to spoof the MAC address of the network card on a Linux, Windows or macOS host.
== Time Related ==
* {{non_q_project_name_short}} only: [[Disable_TCP_and_ICMP_Timestamps#Disable_ICMP_Timestamps|Disable ICMP timestamps]] and [[Disable_TCP_and_ICMP_Timestamps#Disable_TCP_Timestamps|TCP timestamps]] on the host operating system to prevent leakage of information such as system information, host time and system uptime, and to prevent fingerprinting of devices behind a router.
* {{non_q_project_name_short}} only: [[Time_Attacks#Mitigations|Uninstall the NTP client]] on the host operating system and disable systemd's timedatectl NTP synchronization feature. This prevents time-related attack vectors which rely on leakage of the host time.
* Prevent possible time leaks by [[Network_Time_Synchronization#Block_Networking_until_sdwdate_Finishes|blocking networking until sdwdate finishes]].
== Tor Settings ==
* Consider enabling [[{{project_name_gateway_short}}_Security#Tor_Connection_Padding|Tor connection padding]] for potentially better anonymity; note it is unclear whether this provides any additional benefit (see footnote).
https://forums.whonix.org/t/tor-connectionpadding/7477 * Consider installing [[Tor_Versioning|newer Tor versions]] directly from The Tor Project repository. * Avoid [[Tor_Entry_Guards#Regenerate_the_Tor_State_After_Saving_the_Tor_State_Folder|regenerating the Tor state file]] or [[Tor_Entry_Guards#Manual_Rotation_of_Tor_Guards|manually rotating Tor guards]] Via creation of a new {{project_name_gateway_short}} ({{project_name_gateway_vm}}). because it degrades anonymity. * Avoid configuring [[Tor_Entry_Guards#Fresh_Tor_Entry_Guards_by_Regenerating_the_Tor_State_File|non-persistent entry guards]], as this ''severely'' degrades anonymity. * Consider using [[Bridges]] if Tor is censored, dangerous or deemed suspicious in your location. * If using a bridge, configure [[Tor_Entry_Guards#Alternating_Bridges|alternating bridges]] for different physical locations. * Heavily censored users should configure a ''meek-azure'' bridge with [[Anon_Connection_Wizard|Anon Connection Wizard]]. For example, {{project_name_short}} users residing in China. * To help preserve anonymity, copy [[Tor_Entry_Guards#Copy_Tor_Configuration_files_and_Settings_to_Another_{{project_name_gateway_vm}}_Instance|Tor configuration files and settings]] to any new {{project_name_gateway_vm}} instance which is created. This is useful when testing later {{project_name_short}} releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options. == {{project_name_short}} VM Security == * Consider disabling the [[{{project_name_gateway_short}}_Security_Hardening#How-to:_Disable_Control_Port_Filter_Proxy|Control Port Filter Proxy]] to reduce the attack surface of both the {{project_name_gateway_short}} and {{project_name_workstation_short}}. * Consider [[systemcheck_Hardening|hardening systemcheck]]. 
* Consider the periodic deletion and recreation of VMs that are used for sensitive operations.
** If a compromise of {{project_name_gateway_short}} and/or {{project_name_workstation_short}} is suspected, follow the [[Disaster_Recovery|compromise recovery]] instructions.

= Difficult =

== Anti-Evil Maid ==

* Consider the Android [https://guardianproject.github.io/haven/ Haven application] for sensitive devices: its motion, sound, vibration and light sensors can monitor and protect physical areas, and notifications are made in real time for any potentially suspicious activity.
* If a Trusted Platform Module (TPM) is available, enable it in BIOS/UEFI and [https://paolozaino.wordpress.com/2021/02/21/linux-configure-and-use-your-tpm-2-0-module-on-linux/ configure the required services] to protect against [[AEM|Evil Maid Attacks]].
** {{q_project_name_short}}: Utilize [https://www.qubes-os.org/doc/anti-evil-maid/ AEM protection] to attest that only desired (trusted) components are loaded and executed during system boot. The user is notified of unauthorized modifications to the BIOS or the boot partition.
* See the {{kicksecure_wiki |wikipage=AEM |text={{Kicksecure}} AEM Documentation }}.

== Chaining Anonymizing Tunnels ==

* Avoid this course of action. The [[Tunnels/Introduction|anonymity benefits are unproven]] and it may actually hurt a user's anonymity and security goals.
* Virtual Private Network (VPN) tunnel-links are [[Tunnels/Introduction#VPN_Tunnel_Risks|strongly recommended against]] due to multiple security and anonymity risks.

== Disposables ==

{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Qubes / {{q_project_name_short}} only.

Note: Some traces of Disposable usage and data contents will leak into the dom0 filesystem and survive reboots; see [https://github.com/QubesOS/qubes-issues/issues/4972 here] for further information. (This is a Qubes-specific issue and [[Unspecific|unrelated to {{project_name_short}}]].)
}}

* Run all instances of Tor Browser in a [[Qubes/Disposables|Disposable]], preferably an uncustomized one, to resist fingerprinting. This is safe in the stable Qubes R4 release, but [https://phabricator.whonix.org/T695 privacy issues] were unresolved in Qubes R3.2 (now unsupported).
* Configure each ServiceVM as a [https://www.qubes-os.org/doc/disposable-customization/ static Disposable] to mitigate the threat from persistent malware across VM reboots. Users can configure sys-net, sys-firewall and sys-usb as static Disposables. This option has been available from Qubes R4 onward.
* Until fully ephemeral Disposables are available by default in [https://github.com/QubesOS/qubes-issues/issues/4972 a future Qubes release], advanced users can consider configuring them manually:
** [https://github.com/unman/notes/blob/master/Really_Disposable_Qubes.md Unman's guide to ephemeral Disposables] creates a RAM-based storage area.
** [https://github.com/anywaydense/QubesEphemerize anywaydense's guide to ephemeral PVH Disposables] encrypts data written to the disk with an ephemeral encryption key only stored in RAM.

== Email ==

=== All Platforms ===

* Follow the [[E-Mail#Email_Provider_Comparison|{{project_name_short}} recommendations]] to select an email provider compatible with privacy and anonymity.
* For [[E-Mail#Encrypted_Email|anonymous PGP-encrypted email]] over Tor, use [[Encrypted_Email_with_Thunderbird|Mozilla Thunderbird]]. Reminder: the ''Subject:'' line and other header fields are not encrypted in the current configuration.
* For greater email or message security, consider using the [[PQCrypto#OneTime|OneTime]] application or a [[One_Time_Pad|physical one-time pad]] for military-grade encryption.
* Follow all other [[E-Mail#Safe_Email_Principles|email principles for greater safety]].

=== {{q_project_name_short}} Only ===

* Use [https://www.qubes-os.org/doc/split-gpg/ split-GPG] for email to reduce the risk of theft of the keys used for encryption / decryption and signing.
* Create an App Qube that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
* Only open [https://micahflee.com/2016/07/how-qubes-makes-handling-pdfs-way-safer/ untrusted email attachments] in a Disposable to prevent possible infection.

== Ethernet/FDDI Station Activity Monitor ==

* Consider running [https://packages.debian.org/{{Stable project version based on Debian codename}}/arpon ArpON] as a daemon to defend against ARP attacks like [https://web.archive.org/web/20230330072313/https://fossbytes.com/arp-spoofing-attacks-detection-prevention/ ARP spoofing], [https://www.techopedia.com/definition/27471/address-resolution-protocol-poisoning-arp-poisoning ARP cache poisoning] and [https://networklessons.com/switching/arp-poisoning ARP poison routing]. Attackers use these methods to redirect local network traffic and execute [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]].
* Consider utilizing [https://packages.debian.org/{{Stable project version based on Debian codename}}/arpwatch Arpwatch] to be alerted about any changes to the database of Ethernet MAC addresses seen on the network. Administrators are advised of any changes via email, such as new stations/activity, flip-flops and re-used/changed old addresses.

== Flash the Router with Opensource Firmware ==

{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = '''Warning:''' risk of bricking your router!
}}

* Flash the insecure, limited-utility, proprietary firmware on the router with a [[Router_and_Local_Area_Network_Security#Router_Firmware|powerful, open-source GNU/Linux alternative]].

== Mix Personal Tor Traffic with Own Tor Bridge or Relay ==

* See [[Host a Bridge or Tor Relay]]; this configuration ''might'' make adversary classification of Tor traffic more difficult, because adversaries observing the traffic would need to classify both the traffic generated by the Tor relay or bridge and your personal client traffic.

== Multi-Factor User Authentication ==

* Set up [[2FA|two-factor authentication (2FA)]] to strengthen the security of online accounts, smartphones, web services, access to physical locations and other implementations.
* Configure [https://wiki.debian.org/pamusb PAM USB] as a module that only allows user authentication by inserting a token (a USB stick) on which a one-time password is stored.
* For secure account logins, utilize a [https://www.nitrokey.com/ Nitrokey] hardware authentication device which supports one-time passwords, public-key encryption, and the Universal 2nd Factor (U2F) and FIDO2 protocols.
** Qubes: Check the [https://www.qubes-os.org/doc/yubikey/ YubiKey] instructions (a Nitrokey setup will not differ much) to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and improve USB keyboard security.

== Systemd Sandboxing ==

* Create drop-in .conf files to [https://git.sr.ht/~krathalan/systemd-sandboxing sandbox systemd services].

== Whitelisting Tor Traffic ==

* [[Qubes|{{q_project_name_short}}]]: Configure {{project_name_gateway_vm}} to use [[Corridor|corridor]] as a filtering gateway to ensure only connections to Tor relays pass through. This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical {{project_name_short}} bugs, but does not address potential Qubes ProxyVM leaks.
* [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] or {{q_project_name_short}}: Use a standalone [https://github.com/rustybird/corridor corridor] as a filtering gateway.

= Expert =

== Disable Intel ME Functionality ==

{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = '''Warning:''' high risk of bricking your computer!
}}

* It is possible to [https://hardenedlinux.github.io/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html partially deblob] Intel's despicable ME firmware image by [https://github.com/corna/me_cleaner/blob/master/me_cleaner.py removing unnecessary partitions] from it.
* Alternatively, [[Out-of-band_Management_Technology#Hardware|Intel ME's "High-Assurance Platform" mode]] can be set manually to disable most ME capabilities.

== Disable SUID-enabled Binaries ==

{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = This is an experimental feature recommended for testers.
}}

* Consider enforcing the [[SUID_Disabler_and_Permission_Hardener|SUID Disabler and Permission Hardener]] to increase the security of the system; see [[Security-misc#SUID_Disabling_and_Permission_Hardening|here]] for instructions. This reduces the attack surface by disabling SUID-enabled binaries and improves [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]. Some SUID binaries have a history of privilege escalation security vulnerabilities. This feature is part of [[security-misc]].

== Opensource Firmware ==

* [https://libreboot.org/ Libreboot] is no longer recommended as a proprietary firmware alternative; see footnote. Although Libreboot is a free, open-source BIOS or UEFI replacement that initializes the hardware and starts the bootloader for the OS, the absence of proprietary firmware means important microcode security updates are unavailable. Also, even experts risk bricking their hardware during the process, and it is incompatible with newer architectures, making it impractical for the majority of the {{project_name_short}} population.
* [https://www.coreboot.org/ Coreboot] is a possible BIOS/UEFI firmware alternative; consider [[Open-source_Hardware#Buyer_Considerations|purchasing hardware]] that has it pre-installed (like Chromebooks), or research flashing procedures for the handful of refurbished motherboards that support it.
** Exception: Several laptops meet [https://www.qubes-os.org/doc/certified-hardware/ Qubes' Certified Hardware] requirements and are configured with Coreboot, Heads and a partially disabled Intel Management Engine.

== Physical Isolation ==

{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{non_q_project_name_short}} only.
}}

* If additional hardware is available, consider [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]] in [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]. Using two different computers plus virtualization is one of the most secure configurations available, but may be less secure than [https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf Qubes' approach] (software compartmentalization).

= Footnotes =

{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]
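The host-side changes behind the "Disable TCP SACK" and "Time Related" checklist items above, as an added example that is not part of this page or of the {{project_name_short}} project: a sysctl drop-in turning off TCP timestamps and SACK, an nftables fragment dropping ICMP timestamp requests and replies, and a check that the kernel really took the values. It assumes a Linux host with procps and nftables; the drop-in path and the nftables table name are choices made here, not project defaults.

```shell
#!/bin/sh
# Added example (not Whonix project code) for the "Disable TCP SACK" and
# "Time Related" items: a sysctl drop-in plus an nftables fragment for a
# Linux host. Drop-in path and table name are choices made here, not defaults.

SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/60-no-timestamps.conf}"

# Print the sysctl drop-in (0 = off for these kernel booleans).
render_timestamp_sysctl() {
    cat <<'EOF'
# TCP timestamps (RFC 7323) expose uptime and clock skew to every peer.
net.ipv4.tcp_timestamps = 0
# Selective ACK (and its duplicate-ACK variant) widen the remote DoS surface.
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
EOF
}

# Print an nftables fragment dropping ICMP timestamp requests and replies
# (types 13 and 14) so the host never answers with its wall-clock time.
render_icmp_timestamp_nft() {
    cat <<'EOF'
table inet hardening {
    chain input {
        type filter hook input priority 0; policy accept;
        icmp type { timestamp-request, timestamp-reply } drop
    }
}
EOF
}

# Verify live values: feed the output of
#   sysctl net.ipv4.tcp_timestamps net.ipv4.tcp_sack
# on stdin; succeeds only when both keys are present and set to 0.
check_timestamp_sysctl() {
    seen=0
    while read -r key _ value; do
        case "$key" in
            net.ipv4.tcp_timestamps|net.ipv4.tcp_sack)
                [ "$value" = "0" ] || return 1
                seen=$((seen + 1)) ;;
        esac
    done
    [ "$seen" -eq 2 ]
}

# Apply everything (root): write the drop-in, reload, load the nft rules,
# then confirm the kernel really took the new values.
apply_hardening() {
    render_timestamp_sysctl > "$SYSCTL_DROPIN"
    sysctl --system >/dev/null
    render_icmp_timestamp_nft | nft -f -
    sysctl net.ipv4.tcp_timestamps net.ipv4.tcp_sack | check_timestamp_sysctl
}

if [ "${1:-}" = "apply" ]; then apply_hardening; fi
```

Run it as root with the single argument `apply`; without arguments it only defines the functions, so the check can be run against pasted `sysctl` output first.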
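For the "Systemd Sandboxing" item above, an added example (not code from this page, from {{project_name_short}} or from the linked krathalan repository) of the drop-in approach: a script that writes a `10-sandbox.conf` drop-in confining an existing service with systemd's sandboxing directives. The service name, the optional alternate root used for testing, and the directive set are assumptions made here; every service must still be checked against its own needs after the restart.

```shell
#!/bin/sh
# Added example (not Whonix or krathalan project code) for "Systemd Sandboxing":
# a drop-in that confines an existing service. The directive set is a starting
# point, not a universal fit; check `systemd-analyze security SERVICE` after.

# Path of the drop-in for SERVICE under ROOT (ROOT defaults to "/"; tests
# pass a temporary directory so nothing touches the real system).
sandbox_dropin_path() {
    printf '%s/etc/systemd/system/%s.service.d/10-sandbox.conf\n' "${2:-}" "$1"
}

# Render the drop-in. Only the keys listed here are overridden; everything
# else in the original unit file stays in force.
render_sandbox_dropin() {
    cat <<'EOF'
[Service]
# No privilege gain via setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
CapabilityBoundingSet=
# Read-only OS view, no /home, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Keep kernel tunables, modules and cgroups out of reach.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Only ordinary sockets, no new namespaces, no writable+executable memory.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
# Allowlist the usual service syscalls, then deny the privileged ones.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
EOF
}

# Write the drop-in for SERVICE (optional ROOT as second argument).
# Returns 0 only when the file exists and carries ProtectSystem=strict.
install_sandbox_dropin() {
    path=$(sandbox_dropin_path "$1" "${2:-}")
    mkdir -p "$(dirname "$path")"
    render_sandbox_dropin > "$path"
    grep -q '^ProtectSystem=strict$' "$path"
}

# Real use (as root): ./sandbox.sh install SERVICE, then compare the
# `systemd-analyze security SERVICE` exposure score before and after.
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    install_sandbox_dropin "$2" && systemctl daemon-reload && systemctl restart "$2"
fi
```

A service that writes under /var or /run will need `ReadWritePaths=` or `StateDirectory=` added to the same drop-in, which is exactly what the post-restart check surfaces.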