The Internet Secret


The Internet Secret

This is the complete DNK guide to Darknet in a single HTML file. It uses pure CSS with no JavaScript and images are Base64-encoded in the HTML. There are links to external URLs but all instructions to follow the guide is offline inside the file.

This guide may not display correctly in a non-Firefox browser. It is only intended for Firefox. Start by navigating in the top menu.

For the good cause of educating, please share this webpage to as many people as you can.

DNK (Do Not Know)

DNK began as an interest, and grew into a dream very quickly. We dreamed of having secure and privacy enforcing systems where people could go and just do what they love without problems. Where journalists could research and collaborate. Where undercover cops could communicate safely with snitches, protecting each ones identity. A place where ethical hackers could create together with feeling monitored all the time. These are just a few (probably pretty shitty) examples of what we had in mind. We want to make this dream a reality.

The problem we face is that the more tools we try to create for this, the more people come to crack them. Everything is hackable. We believe this 200%. Somethings might be extremely difficult to hack, but everything has a flaw somewhere. It can even be as simple as human error. So, we took this responsibility off ourselves and went from protecting users, to enabling users.

We now provide people with the tools and knowledge to do their own thing. We provide reasonably secure platforms (as secure as we can make them) for users to explore. You can use our services, self-host them as they are all open-source and free, or modify freely yourself. You may use the for commercial reasons and distribute them commercially if you want, but we won't. We're 100% free forever, and more importantly, open source. The exact code for all our services (except the database and server details of course) will be available for review and/or download, and we are working hard to create simple guides for each as well.

COS (Collection of Spaces)

COS is our new project. It's a social platform by design, but our tools make it more of, what we like to call, an Extranet. It gives you the tools to create your own communities, static websites, wikis, and documentations. It works on both clearnet and darknet but does require JavaScipt. Again, you can check the code at anytime to make sure we're not up to anything shady. You can also use it as anonymous cloud storage and file-sharing.



The Internet Secret



What Is DNK?

DNK is the future of Tor. With a strong belief in your privacy - DNK is providing the systems for you to truely browse the internet, share files, and connect with others while still being completely anonymous. Our team have spent month and months making sure that we can give you the best solutions we can give. We have recently transformed our platform into what we call the Curiosity Suite. The platform is now managed by Curious but is still owned by D and the rest of the Null Network.

DNK relys on you to do some work too. We ask that you make sure you are smart in how you share your information, and your choice of Operating System. We personally recommend Whonix...

Whonix is an easy to use, Tor-only Operating System that privacy advocates around the world use to protect themselves. It has superior anonymity protection compared to 'Tails' OS and it allows you to keep your files, settings and bookmarks between reboots automatically. You can use it like a normal ongoing operating system, and you can do far more things on a Tor IP than just temporary browsing of the Dark Web. You can literally do anything in Whonix like a full OS, and this can enable more safety.

Furthermore, if you use Qubes OS - Whonix comes installed on this by default as sys-whonix and is even more superior than the stand-alone Whonix VM. Visit the Quebes OS Hompage to find out more about our new favourite OS. We are in the process of making a similar guide for it.

The Whonix project is maintained by hardcore Tor and privacy activists and yet is designed for any non-advanced user to use because they want as many people using it as possible to increase the anonymity of each Whonix and Tor user. The more people use it the more it benefits us all, and as such the Whonix community has steadily grown since its 2012 launch.



Why You Should Use Whonix

Whonix works by using 'VM' technology, or virtual machines. A VM is a software method to run one OS (e.g. Linux) inside another (e.g. macOS), in its own window alongside all your other (e.g. Mac) programs. It's a safer experience than only using Tails because Tails doesn't 'torify' many areas of the Tails OS and it can be very dangerous to use if you don't know what you're doing. The downside of Whonix is extra resources needed to power the VM at the same time as the outer OS. This is because you have to split your PC's RAM and CPU between multiple operating systems - although Linux is very resource efficient.

The VM - in this case Whonix - is often called the 'guest' OS, and your outer or main OS is 'host' OS. There exist a few main VM programs like VMWare, VirtualBox and Parallels, and Whonix project offers VirtualBox which is free, open-source, and easy to use. The actual Whonix operating system (in the VM) is Linux, and more specifically the Debian variant, and it uses 'Xfce' as its desktop environment. Xfce is extremely fast and light-weight, and yet able to be configured by installing powerful packages or themes to look equally as nice if you want. It's similar enough to Windows that you can feel confident using it, with a little bit of patience and learning.

How Whonix works is that you actually run two VirtualBox VMs concurrently:

1. 'Whonix-Gateway' is the VM that connects to Tor (with obfs4, bridges, and all other Tor connection options available) and refuses to pass on connections if Tor isn't working.

2. 'Whonix-Workstation' is the VM you actually use for your activity like Tor browsing, file playback, file creation and editing, Tor chat, and everything else you'd do in your normal OS.

Whonix-Workstation only receives its Internet through a special 'tunnel' from Whonix-Gateway in its VirtualBox VM configuration, so you can NEVER possibly have your real IP address leak inside Whonix-Workstation. This is the brilliance of Whonix.

However, if you reveal your real identity on Tor while in Whonix then you still compromise everything. Whonix is not a license to suddenly be reckless. OpSec is important, so please read our notes later on how to stay safe as a Tor user.

So... the reasons to use Whonix?

- Because your IP can't leak inside Whonix-Workstation, Whonix opens up a whole world of services, functionalities and possibilities normally not possible or safe to do with just the Tor Browser Bundle (TBB) in your host OS. It's a revolution! In Whonix's Tor Browser, you can safely use JavaScript and Flash to give you full normal functionalities of sites like Google, Do Not Know, COS, YouTube and any other of your favourite sites. If a site blocks Tor exit nodes, no problem, just use Opera browser's built-in VPN inside Whonix or other free VPNs easy to setup and use as instructed in this guide. But most revolutionary of all, you can now use any non-browser Internet-related program outside Tor Browser with Tor anonymity, such as JDownloader, GitHub, BitTorrent, or the Linux MEGASync app to back up your files to an anonymous MEGA account.

- Whonix is a very safe environment for you to do anything on your PC. It is 'sandboxed' and powerfully separated from your host OS. It is way safer than just TBB in your host OS, where you are constantly copying archive passwords for zip files you're sharing in macOS or Windows and if you accidentally paste one of those passwords from your clipboard into your Chrome address bar, now suddenly Google could discover how to read your files.

- Thanks to Whonix's design, you can avoid accidentally opening incriminating data in a non-Tor Internet-connected program, or accidentally saving/gathering Wikileak data from TBB to your hard disk in your RL Dropbox folder, instantly incriminating yourself with law enforcement.

- Further risks of using a normal OS with normal applications (like Adobe Reader for PDFs) can be avoided. These well-known commercial programs are increasingly Internet-connected, and collect data on opened files to Adobe servers and more. It is becoming too unsafe to open files with passwords or private information (or if you're so inclined ... illegal files), even when you're offline, as they may store data in special files ready for the next time you connect. To really be safe, we need Whonix.

- You can safely set Whonix's Tor Browser to remember history and passwords and cookies, because in the password-protected environment of Whonix no one can get to this data but you (or, it's at least anonymous)! If your computer crashes, your Tor Browser session is recoverable again, and browser sessions won't be lost like with standalone TBB or Tails.



Tips for Using the Guide

This guide will assume that you do illegal stuff.

This guide aims to be accessible to beginners, but also serve as a useful reference for advanced users. Some instructions in the guide might be a little under-explained for your level of computer knowledge. This is so the guide is an elegant reference and easy to read.

If you're a beginner and have no idea how to use Terminal, please read How to Use the Terminal before you do anything else.


- By default, the guide is navigated via the top menu which brings up each section one at a time.

- To view the whole guide as a single long page, use the toggle button in the very top right-hand corner. This mode makes it easy to scroll from one section onto the next without endless clicking, and to instantly search of any word contained in the entire guide.

- When you click on any internal link to a section of the guide, it will jump into single section mode.

Formatting / color map

Italics: The name or URL of a program or web service.

Bold: An item you have to visually look out for or select on the screen, when instructed in a guide.

White background: Text you have to enter into a GUI text box, when instructed in a guide.

Black background: Terminal commands. Don't panic! You won't die! It's all OK. Just...BREATHE...

Tip: Something cool or handy to know during an instruction or mini-guide.

Note: Something important to know or be assisted with when following a mini-guide.

Warning: Something serious about security, privacy, anonymity, data loss, or other possible catastrophe. DO NOT IGNORE.





Setup Instructions

Note: You will need need several USBs of at least 4GB each in size. Possibly up to three of them: one to be your new Linux host OS installer disk, one for a temporary Linux Mint USB disk to wipe your current OS / drive(s) with hdparm and follow the guide safely while you do this, and one to be either a DBAN HDD wiping boot disk, or your SSD manufacturer's bootable disk utility.

Note: In order to follow the setup process (to read instructions while you perform them), you will need either a second computer, or, if you only have one computer, to print this guide on paper. This is because the steps involve completely turning your computer off and booting into other temporary boot disks to do steps like wipe your internal hard drive(s), or to re-install your computer from scratch. Make sure to print off the the hard drive wiping guide as well.

Securely Backup Your Existing Files and Choose a Linux Host OS

First: you may want to backup your existing files because you will be completely re-installing your computer (or at least wiping your hard drives in order to start being safe from now on). See the instructions below on VeraCrypt, and create a hidden VeraCrypt volume on an external drive, then place any existing files into this volume, ready to use with Whonix later.

Next: you must choose a Linux host OS, such as Linux Mint. Windows 10 records everything you type on your keyboard (and lots more) and sends it to Microsoft 24/7 as 'telemetry data'. Windows is not safe for you paranoid people, even as a host OS for Whonix. macOS is also not safe enough. We must use the open-source Linux.

Unless you plan on doing covert stuff on your computer (like getting yourself a hitman) - you don't need to be too concerned about Windows and macOS. They are fine for just basic anonyous browswing. However - they are not safe if you need to use your computer, and time on tor, for more personal reasons.

Download an ISO from the Linux distro's website and use balenaEtcher to flash the ISO to a bootable USB installer disk. Have it ready to install to your computer after securely wiping the old data in the next step.

Tip: Before you wipe your drive(s), now is a convenient time to secure your computer with a BIOS/UEFI or Mac firmware password. This will give strong protection against some attacks like Internet-planted UEFI rootkits or Evil Maid-planted bootloaders or hidden devices impersonating your own which can secretly capture your PC login passwords and all your data. If you are a high-value target, these attacks are more likely to be used by LEA to maximize their success of prosecution, if they think you use plausible deniability and seizure-proof encryption. If you set a BIOS/firmware password, and then they try to tamper with your BIOS, your BIOS password may reset and you could know you are being targeted. But always remember that LEA can plant many types of physical spying devices or hidden hardware keyloggers in your computing environment if they are directly targeting you for prosecution, so the usefulness of this is more to prevent dangerous malware delivered remotely. Use this reference if you are interested in this tip.

Tip for those using Mac hardware: Even though you will use Linux as your host OS, we recommend you create a macOS USB installer disk for handy reference before you wipe the Mac's SSD, because this may be your only convenient (and private) way to perform certain low-level tasks on your computer like setting or changing the firmware password, or doing an NVRAM/PRAM reset.

Tip: As a precaution against some attacks (like pre-FDE malware 'bootkits' in the bootloader area that can capture your host OS password) or LEA forensics upon SSD seizure, right after wiping your SSD you can give it a pre-boot password that must be entered to use the SSD every time you power on any computer to which it is connected. This 'ATA security' technology is called 'self-encrypting drive' or 'SED', and it uses AES-256 encryption at the SSD hardware level. It doesn't protect against key disclosure laws, but is an excellent protection against advanced malware that might be placed on LEA-hijacked marketplaces or in other attack situations. To set up, first unfreeze the drive from the instructions earlier, then do after this example:hdparm --user-master u --security-mode m --security-set-pass 'mySEDpassword' /dev/sda. Then shut down the computer and to use each time, permanently keep an Arch Linux USB plugged in and each time you turn on the computer (after a full poweroff), the BIOS will at first not recognize the SED so will boot into your Linux USB. Do after this example: hdparm --security-unlock 'mySEDpassword' /dev/sda && reboot and the computer will reboot without powering down but this time the BIOS will recognize the unlocked SED and will boot into that instead of the USB. The SED will remain unlocked until the next time you fully power off. To remove this feature and return the SED to work like a normal HDD again, unfreeze the drive once more then do after this example: hdparm --security-disable 'mySEDpassword' /dev/sda. Read these pages for reference and more info.



Securely Wipe Any Existing Unencrypted Files

Before you install Whonix, you should stay safe by securely wiping any files that has formerly not been stored inside a hidden VeraCrypt volume. Othe crucial data can also include file/archive passwords copied to your former host OS clipboard.

Your storage media could be the system hard drive you will now put Whonix on, or any other external drives you own. To be safe, either physically destroy the disk (e.g. melting it with flame), or follow the software steps contained in our hard drive wiping guide, which contain the best non-physically destructive instructions possible:

Yes. This is overkill. But like why not just do it lol? The dangers of not doing it are simple. Even if your files aren't illegal or even questionable, they can still be used in identifying you. Almost every file on your computer contains metadata - and this metadata stores which account made the file, what time the file was made, to who/how it has been shared. Not wiping this information leave you vunerable to being identified.

How to securely wipe your SSD / HDD



Install Your Linux Host OS

Now that your old data is securely wiped and/or backed up, boot from your previously-created bootable USB installer disk for your chosen host OS (e.g. Linux Mint), and follow its installation wizard to install that OS to your computer's main hard drive. Choose full disk encryption (FDE) as soon as you see the option available during the process. For Linux this is called 'LUKS' (chosen during the Linux installation). If you have a choice to format the hard drive with a 'quick' option or a 'long' or 'full' formatting method, choose the non-quick method.

Note: You can easily run your Linux host OS from a USB disk, and even put the hidden VeraCrypt volume (containing Whonix) on it too. However, performance may not be good when you try it out, so in that case install the host OS onto the computer's SSD. If you have a high-performing USB 3.0 disk and compatible port, it might work well.



Create and Mount a Hidden VeraCrypt Volume

In the new host OS you've just installed, LUKS encryption is actually useless against key disclosure laws now common worldwide, because LEA can legally force you to decrypt your hard drive and files upon seizure or forced inspection.

VeraCrypt (the successor to the now-discontinued TrueCrypt) is our solution, with its Hidden VeraCrypt volume feature. It provides a reliable example of 'plausible deniability', which means that if your hard drive is seized by LEA, they cannot prove by simply looking at the unlocked disk that it even contains meaningful data.

A 'volume' is a virtual disk that VeraCrypt creates on the storage media you choose, protected by a password you choose, that you then mount with VeraCrypt which mounts it as a 'drive' appearing as if you inserted it as an external USB, and then you put your sensitive files into that virtual drive.

It's safest to create the volume as a whole disk partition during the VeraCrypt wizard. This means you need to make your VC volume take up an entire drive. This could be an internal hard disk in your computer, or an external USB. Both options work very well.

The 'hidden' volume design works by creating an outer 'decoy' volume with its own decoy password of your choice which is what you could give to LEA (to survive their key disclosure laws), and inside which you could put a few harmless, non-sensative files.

After creating the 'outer' volume in the creation wizard, VeraCrypt will create the 'hidden volume' inside the outer one, for which you should set a good, long, unique password (of at least 24 characters), which will unlock a separate and secret 'hidden' area of the volume, which is what you will use to store your Whonix VM (and any other files you may want to hide).

To create your hidden VeraCrypt volume:

Download, install and open VeraCrypt in your host OS, then click on Create Volume, following the wizard at Create a volume within a partition/drive > Hidden VeraCrypt volume, selecting your storage media as the chosen destination.

Next in the wizard, it is important for Whonix to choose a sufficiently large enough container size (for both Outer Volume Size and Hidden Volume Size in the wizard) or you will run into problems.

Note: We recommend you to create your your hidden VeraCrypt volume in a partition/drive of at least 110 GB in size, or you will run into problems later. Whonix is designed to automatically expand its VM files to 100 GB per VM, depending on whether you fill the file system inside them, and if you create a hidden VeraCrypt volume of only 50 GB and then expand your Whonix-Workstation beyond 50 GB it will run out of bytes in the VeraCrypt container, crash your running Whonix, and immediately irreversibly corrupt it and all data inside it. Make your VC volume at least 110 GB in size just to be safe, and also keep regular backups of your volume and regularly keep an eye on how much space your VMs are expanding to.

Right after the Hidden Volume Password stage of the wizard, it takes you to Large Files. Make sure to choose I will store files larger than 4 GB on the volume, or you might accidentally choose a file system that can't contain the Whonix VMs.

Finally, you must choose the Filesystem type of Linux Ext4.

Tip: If you are extra paranoid or at a higher spot on the LEA watchlist, you can choose something more heavy duty than the default AES VeraCrypt option during the Encryption Options. Some people think AES is now crackable by NSA, but only you can know what you believe, based on conjecture. Either choose AES(Twofish) as a double encryption option or even the triple AES(Twofish(Serpent)) for full-blown paranoia. These extra levels come at a huge performance cost, possibly affecting the smoothness of video playback or slowing down the speed of creating and extracting archives or file processing like re-encoding videos inside Whonix, depending on how good your CPU, SSD and other components are. You can measure the performance difference with your hardware by using VeraCrypt's Benchmark feature under Tools or during the same wizard step, but only a real-world test can really reveal the difference.

Warning: Once you have created your hidden VeraCrypt volume, it is best to NEVER mount your outer volume ever again when you're using your computer. Using the outer volume can overwrite and permanently corrupt your inner hidden volume, even when just reading it without writing files. However, DO remember what that decoy password is - it is what will protect you from having to share your private files if LEA seize your hardware! Write it down somewhere so you don't forget, which is safe to do since it will reveal nothing sensitive. If you do want to mount the outer volume at any time, only mount it while using the Protect hidden volume when mounting outer volume or Mount volume as read-only feature in the Mount window's Options > button.



Now Install Whonix

In your new host OS, go to and follow the below modifications (which are easier methods) and an additional 3.5 step:

1. Download Whonix Xfce for Windows, macOS and Linux

Download the OVA file via the big Download button.

2. Install VirtualBox

If your host OS is Linux Mint (which is currently at 19.3) and you are new to Linux, the easiest way to install VirtualBox is to just download the Ubuntu 18.04 ... .deb file from VirtualBox's Linux downloads page and install it by double-clicking on the file and following instructions.

In the case of any type of Linux host OS (this is an example for Debian-based distros), after you install VirtualBox, you need to then do in the host OS Terminal this command: sudo apt update && sudo apt install dkms virtualbox-dkms linux-headers-$(uname -r)

3. Import Whonix into VirtualBox

When you import the dual Whonix VMs, be very careful in the Appliance Settings section for both VMs to modify the base folder to set the location of the installed VM files to your mounted VeraCrypt volume (e.g /media/veracrypt1), and not the default location that VirtualBox chooses like /home/<username>/VirtualBox VMs.

Tip: Keep a copy of the OVA Whonix file in case you ever need to start again or you ruined your current Whonix for some reason.

3.5. Turn off VM 'Preview' in VirtualBox

To permanently prevent some of Whonix's images leaking into the host OS, before you power Whonix on, do the following: Single-click on any single VM in VirtualBox, right-click anywhere inside the main pane on the right-hand area of the program (underneath New, Settings, Discard, Start), and make sure the Preview menu item is unticked.



Whonix Is Now Ready to Power On

Tip: If you are comfortable enough with the terminal, you can put Gateway-XFCE in CLI mode to free up extra memory for Workstation.

Gateway only provides Workstation's Internet, so just a few simple commands are ever needed to maintain it. When you turn on Gateway, you don't even need to log into its terminal window for Gateway's Tor to connect in the background. (If you want to log in, the username is user and password changeme.)

You will still have to periodically apply updates or check Gateway's Tor status when troubleshooting, so FYI the most common commands are: whonixcheck (and you read its output), sudo apt update && sudo apt full-upgrade if whonixcheck instructs you to, and if the Tor connection is not working just close off Gateway by doing sudo poweroff then start the VM again, no need to turn off Whonix-Workstation during this process.

To set Gateway-XFCE to CLI mode, in VirtualBox right-click on the Whonix-Gateway-XFCE VM and select Settings... and go to System. Change the Base memory down to 256 MB, then click OK.

Before you power on Whonix, try the next section to optimize the performance of your VMs before using them.

Once ready, you can turn on Whonix-Gateway and Whonix-Workstation by double-clicking each one in VirtualBox and letting them load up at the same time. Follow the two Whonix first-run wizards that show up and choose all defaults. As you will briefly need to use the Terminal to apply system updates in both VMs, refer to the How to Use the Terminal section if you need help.

Tip: To speed up loading of any Whonix VM, press or Enter during each of the two logo screens at the VM startup. The first is the VirtualBox logo splash, and the second is Debian's 5-second delay for alternative bootup options.



Recommended Settings to Optimize Your VM

Note: Power down Whonix-Workstation before performing the steps under this entire 'Optimize Your VM' section.

Warning: Do not change VM settings for your Whonix VMs apart from anything instructed in this guide, unless you know what you're doing! It could change settings in ways to completely deanonymize you!

Hardware Virtualization

To ensure good VM performance on your hardware, make sure hardware virtualization is enabled in your BIOS or Mac Firmware. For Macs, it is enabled by default and re-enabled by doing a NVRAM/PRAM reset. For PCs, it depends on your manufacturer so we cannot give a one-size-fits-all instruction here for every model and make. Research, or explore your BIOS.

Note: For Mac hardware, if you have a firmware password turned on you must temporarily turn it off in order to reset the NVRAM.



Performance Optimizations

Right-click on Whonix-Workstation in VirtualBox and select Settings... for the below steps:

- System > Motherboard > Base memory: Assign as much as you can from your computer's available memory (even up to half but always leaving at least 1 GB of RAM for the host). This allocation is used for both normal RAM and Video RAM in Whonix.

- System > Processor: Here you can choose how many CPU cores Whonix can access when doing CPU-intensive tasks. Set to the maximum level for optimum performance, especially if you will be doing multi-thread tasks in Whonix like compressing archives or compliling code.

Tip: Ignore any warning messages if you set it past the orange levels. For top performance, set to full orange maxed out.

- Increase video memory from the default 128 MB to 256 (the maximum possible). In your Linux host OS, in Terminal do: VBoxManage modifyvm "Whonix-Workstation-XFCE" --vram 256 then confirm it's changed under Display > Screen > Video memory.



Security Optimizations

Right-click on both Whonix-Gateway and Whonix-Workstation in VirtualBox and select Settings... for the below steps:

- General > Advanced > Set both Shared Clipboard: and Drag'n'Drop: to Disabled.

Note: You can password-protect any VM at the VirtualBox level if you feel it is useful. To turn it on for Whonix-Workstation, power down the VM and select it with a single click in VirtualBox and go to Settings > General > Disk Encryption, tick Enable Disk Encryption, choose the AESXTS-256-PLAIN64 Cipher option, and type your password in the box. VirtualBox will now prompt for the password each time you power Workstation on. We don't recommend this however, as it may slow your VM down and it brings no benefit to most use cases if you already have the powerful protection of the hidden VeraCrypt volume.



Post-Install Steps

Your Whonix-Workstation is now ready to power on. Welcome to Whonix! At this point in the guide, you can open Tor Browser in your new Whonix-Workstation and continue the guide from there. Copy and paste all terminal commands from here in Tor Browser into Terminal to make life easy for yourself.

Essential Tools You Must Install to Follow This Guide

First, in Terminal (Terminal Emulator) do: sudo apt update && sudo apt full-upgrade

(This is your first time installing updates in the Whonix OS.)

Then in Terminal do:

sudo apt install xfce4-goodies eject file-roller rar unrar unar tar zip unzip unace arj p7zip p7zip-full p7zip-rar liblzma-dev libwxgtk3.0-dev bzip2 gzip pulseaudio git exfat-fuse exfat-utils jq netcat xterm xdotool firefox-esr gdebi -y

What these packages enable: basic Xfce extended functionality, ability to mount and eject external drives in Whonix, basic function for extracting and creating password-protected archives, audio playback in Firefox, functionality to easily install various programs in the guide, support for the exFAT file system in Whonix (e.g. to mount or create an exFAT VeraCrypt volume), 'jq' (just look it up), 'nc' (a package needed for PlayOnLinux needed for some programs), 'xterm' (a tiny but useful third-party terminal app for a couple things in the guide that you won't even notice), 'xdotool' (common tool for automation and keyboard shortcuts used by different apps) and 'firefox-esr' which is Firefox ESR, a vanilla version of Firefox which is useful for using a VPN IP with to bypass Tor blocking inside Whonix. Overall they're packages needed for many things in this Whonix guide which just won't work if you don't follow this step.

Then in Terminal do:

sudo mv /usr/bin/gdebi-gtk{,.bak} && echo -e '#!/bin/bash\npkexec /usr/share/gdebi/gdebi-gtk "$@"' | sudo tee /usr/bin/gdebi-gtk && sudo chmod +x /usr/bin/gdebi-gtk && sudo cp /usr/share/polkit-1/actions/com.ubuntu.pkexec.gdebi-gtk.policy{,.bak} && sudo sed -i -e 's#/usr/bin/gdebi-gtk#/usr/share/gdebi/gdebi-gtk#g' -e 's#_active>auth_admin#_active>yes#g' /usr/share/polkit-1/actions/com.ubuntu.pkexec.gdebi-gtk.policy

Then in Terminal do:

sudo cp /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy{,.bak} && sudo sed -i -e 's#_active>auth_admin_keep#_active>yes#g' -e 's#_active>auth_admin#_active>yes#g' /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy

Warning: The above Terminal commands are a current workaround for a GUI bug in Whonix. While we wait for the bug to be fixed, this is the smoothest fix for your Whonix. Please be aware that this step turns off password authorization for the installation of .deb files in your Whonix OS and the manual GUI mounting of external drives, which is a potential security hazard, but with low likelihood of happening. This is not ideal but for now it's the smoothest solution.

Note: If you do not follow these steps, many of the following mini-guides or instructions will not work. This post-install step is to make this guide's how-to's more streamlined. Advanced users may be able to avoid some of these packages, if they know what they're doing.



Improve Whonix Appearance

Depending on your hardware, Whonix's fonts and system text rendering may look unattractively blurry by default.

To make them clearer and sharper, open Appearance from the Whisker Menu > go to Fonts tab. Try setting Hinting: to Full. Also try changing the Sub-pixel order setting.

Tip: There are more improvements you can make to Xfce in the 'Further Tips, Tweaks, and How-To's' section, such as Make the Taskbar Better.

Note: A newer version of Xfce version (4.14) has now been released and it will finally bring proper display of fonts on HiDPI displays to make it as crisp as your host OS would be. But for now, it's not ready to be included in Whonix.



Turn off Private Browsing Mode

In the safe environment of Whonix, you can reasonably turn off private browsing mode in Tor Browser to turn it into 'normal' mode so it saves your browsing history, bookmarks and more for handy re-use each session. Go to Preferences > Privacy & Security and untick always use private browsing mode and restart Firefox. You can then go to Preferences and set When Tor Browser starts to Show your windows and tabs from last time. You can also go to Preferences > Privacy & Security and tick Remember logins and passwords for websites. Now you can save your sites with their unique and long passwords without compromising your security, making it both safer and easier for you to navigate the online world!



Disable JavaScript on Specific Sites

Even though it is generally extremely safe to browse the Internet in Whonix with JavaScript fully enabled, due to the targeted nature of some sites and our common knowledge that LEA secretly seizes them to plant malware in JavaScript to infect users' computers to deanonymize them, it is still recommended to disable JavaScript for some specific sites, even inside Whonix.

Remember - we're assuming you're here for nefarious purposes :)

It's very unlikely for LEA malware to be Linux malware (and thus affect Whonix users), and even if it is, it's even more unlikely for it to be able to penetrate the wall of virtualization between the Whonix VM and your non-Tor IP address outside VirtualBox.

But inside Whonix, JavaScript-planted malware could still spy on and deanonymize you in creative ways, such as a Linux keylogger which can reveal secret passwords or other information normally private to your Whonix which deanonymizes you in that way.

  • 2. While browsing a site, click on the uBlock Origin button and then the script blocking button in the bottom right-hand corner, to permanently block JS on any webpages on that domain. Refresh the page and you will no longer see the common JS warnings such as in the below screenshot.

Warning: If you are particularly concerned about browser fingerprinting, you will not only NOT want to install uBlock Origin but you will also want to disable JavaScript entirely in your Tor Browser by setting its Security Level to Safest. Visit to test your fingerprinting uniqueness if this is a metric that matters for your particular needs. To many users, due to Whonix's robust anti IP leakage design, fingerprinting won't matter so much. You may be a 100% unique Internet user to LEA, but still an anonymous one because your real IP is still extremely hard to determine.



Enable Win Key Shortcuts of Any Type

To enable the Whisker Menu to be invoked by the Win key and yet also use Win as a modifier for other system hotkeys, you must do the following:
  • 1. Download the latest ksuperkey .deb file from its repository such as this latest one.

    2. Open the file and click on Install Package, using password changeme when asked, and finally click close, then it's ready to use.

    3. Next, to turn on ksuperkey and also add it to Whonix startup, do the following command in Terminal:
    ksuperkey && echo -e "[Desktop Entry]\nName=ksuperkey\nExec=ksuperkey\nType=Application\nMimeType=text/plain;\n" | sudo tee /etc/xdg/autostart/ksuperkey.desktop
    4. Next, you can configure the Whisker Menu to be toggled by the single Win key. Open Keyboard from the Whisker Menu. In Application shortcuts tab, first remove the existing item called xfce4-popup-applicationsmenu, then add a new item with command xfce4-popup-whiskermenu and assigning it Alt-F1.

    5. Now you can configure other hotkeys in your Whonix to simultaneously be able to use the Win key. For system shortcuts open Window Manager from the Whisker Menu then Keyboard tab. For application shortcuts open Keyboard from the Whisker Menu then Application Shortcuts tab. Find examples in these five successive mini-guides.


Add Desktop Icons

Once you have a program installed (some of which are already there like Tor Browser), in the Whisker Menu you can right-click on any item and Add to Desktop for your convenience.



Add Support for Other Languages in Whonix

If you're an activist against large corporations for example, some classified files you might download are named in other languages using non-Latin characters. Chinese, Japanese and Russian work fine in the current Whonix Xfce, but others like Korean, Thai, and Hindi need extra packages to make them display properly.

To add support for languages like those ones above, in Terminal do: sudo apt install fonts-unfonts-core fonts-ipafont-mincho fonts-arphic-ukai fonts-thai-tlwg fonts-indic




How to Use the Terminal