This article describes how to 1) securely download and verify Debian, 2) install it, and 3) configure it to minimize attack surface. In the future, it will also describe how to route its traffic through the Whonix-Gateway. A related description of how to configure Ubuntu through the Whonix-Gateway is also available.

Download and Verification[edit]

The recommended way to verify the Debian Signing key is to use the web of trust, which is more secure, but not available to everyone.

This chapter documents an alternative and supplementary way to verify the Debian Signing key using an existing installation such as Ubuntu, which is already trusted, for example because you bought it from a reseller or got it from a friend who verified it.

We'll be using a 32-bit network installation (netinst) CD for the following examples but you can use other forms (CD, DVD) and architectures (x86-64) if desired.

Should work for Debian and any Debian derivative.

(1) Go to the Debian Download Page. Example, the Debian Stable (stretch) amd64 folder.

IMPORTANT: For compatibility with laptops download the install images containing the non-free device firmware. This is usually necessary for WiFi, suspend and 3D graphics to work.

(2) Download.

  • SHA512SUMS
  • SHA512SUMS.sign
  • debian-7.6.0-i386-netinst.iso

(3) Install the debian-keyring package, which contains the signing key. This is because the Debian Verify instructions are not accessible over SSL, neither the debian-keyring package can be downloaded over SSL. Downloading the debian-keyring package from the repository, let's apt-get verify its integrity.

sudo apt-get install debian-keyring

(4) Open a terminal and get into the folder where you downloaded SHA512SUMS and SHA512SUMS.sign (and debian-7.6.0-i386-netinst.iso ).

(5) Verify the SHA512SUMS file.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

(6) Must show.

gpg: Good signature

Otherwise something is wrong.

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in key.

(7) Verify that the .iso matches the signed SHA512SUMS file:

sha512sum -c SHA512SUMS
must show:

debian-7.6.0-i386-netinst.iso: OK

(8) Done.


For more detailed information on every step in the install process consult the Debian manual available in HTML and PDF, preferably on another device than the one you will be formatting.

On Linux the dd utility is used to create install media. To create the Debian install USB/DVD on Windows use the rufus utility as described here.

From usability perspective, you should always have a network connection when installing Debian.

From security perspective, you should not plug to the Internet until ready.

You may have noticed, the default desktop environment for Whonix's Virtual Machines is KDE. (You could change that.) It doesn't matter, which desktop environment you are going to use. The default desktop environment of Debian is GNOME. If you are already accustomed to Whonix (KDE), you could also use KDE for your Debian host as well (not a must).

## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)

Debian boot menu -> Advanced Options -> Alternative Desktop Environments ->
Feel free to choose:
- Xfce

It is also possible to install another desktop environment after installing or to switch from one to another.

If you are wondering what the "default", "notebook" or "standard" packages are about, see tasksel.


UNFINISHED! Check open ports.


netstat -anltp

Must should be none, i.e no reply.

Remove services, which open ports. [1]


apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*

apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin avahi*

apt-get autoremove

Check open ports again.


netstat -anltp

Must should be none, i.e no reply.

Connect to Whonix-Gateway[edit]




Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default.

Are they referring to running services after installing them or having no services running (open ports) after a default installation with default settings? Debian doesn't do the latter, which is a pity.

Don't participate in popularity contest.

Some useful links. Parts of it are outdated (old Debian versions). Some stuff doesn't apply to Whonix hosts.


Setup sudoers. Add the operating system user name to sudoers.

Optional! First consider whether this change is desirable. [2]

Become root.


Add the user account to the sudoer's group. Replace user with the actual operating system user name.

sudo adduser user sudo

Reboot so group changes take effect.


VirtualBox Guest Additions[edit]

Become root.


Install linux headers. Example for amd64.

apt-get install linux-headers-amd64

Install dependencies. [3]

apt-get install make patch dkms libnotify4 libnotify-bin libgsoap10 libvncserver1

Temporarily enable Debian sid repository, contrib only. [4]

echo "deb sid contrib" > /etc/apt/sources.list.d/temp.list

Update the package lists.

apt-get update

Install guest additions. [5]

apt-get install virtualbox-guest-utils virtualbox-guest-dkms virtualbox-guest-x11 virtualbox

Disable the temporary repository.

rm /etc/apt/sources.list.d/temp.list




  1. For documentation purposes a Debian installation has been installed with as much services as possible using taksel, while having a network connection. (Simulating user misunderstanding.) A Debian default installation with default settings does not install all those packages.
  2. If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.
  3. We install them from stretch before installing guest additions so we do not run into dependency issues by having installed a newer gcc package from sid. libgsoap10 libvncserver1 are required for virtualbox only, not for guest additions.
  4. contrib only to lower the chances of upgrading any packages we better not upgrade to avoid dependency issues.
  5. You could drop the virtualbox if you don't want it installed.

Random News:

Did you know that anyone can edit the Whonix wiki to improve it?

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.