Warning: Do Not! Use this method inside Debian-Qubes because it will destroy and stop the Template/Appvm from starting again.
This article describes how to 1) securely download and verify Debian, 2) install it, and 3) configure it to minimize attack surface. In the future, it will also describe how to route its traffic through the Whonix-Gateway. A related description of how to configure Ubuntu through the Whonix-Gateway is also available.
Download and Verification
The recommended way to verify the Debian Signing key is to use the web of trust, which is more secure, but not available to everyone.
This chapter documents an alternative and supplementary way to verify the Debian Signing key using an existing installation such as Ubuntu, which is already trusted, for example because you bought it from a reseller or got it from a friend who verified it.
We'll be using a 32-bit network installation (netinst) CD for the following examples but you can use other forms (CD, DVD) and architectures (x86-64) if desired.
Should work for Debian and any Debian derivative.
IMPORTANT: For compatibility with laptops download the install images containing the non-free device firmware. This is usually necessary for WiFi, suspend and 3D graphics to work.
(3) Install the debian-keyring package, which contains the signing key. This is because the Debian Verify instructions are not accessible over SSL, neither the debian-keyring package can be downloaded over SSL. Downloading the debian-keyring package from the repository, let's apt-get verify its integrity.
sudo apt-get install debian-keyring
(4) Open a terminal and get into the folder where you downloaded SHA512SUMS and SHA512SUMS.sign (and debian-7.6.0-i386-netinst.iso ).
(5) Verify the SHA512SUMS file.
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign
(6) Must show.
gpg: Good signature
Otherwise something is wrong.
This might be followed by a warning saying:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in key.
(7) Verify that the .iso matches the signed SHA512SUMS file:
sha512sum -c SHA512SUMS
From usability perspective, you should always have a network connection when installing Debian.
From security perspective, you should not plug to the Internet until ready.
You may have noticed, the default desktop environment for Whonix's Virtual Machines is KDE. (You could change that.) It doesn't matter, which desktop environment you are going to use. The default desktop environment of Debian is GNOME. If you are already accustomed to Whonix (KDE), you could also use KDE for your Debian host as well (not a must).
## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images) Debian boot menu -> Advanced Options -> Alternative Desktop Environments -> Feel free to choose: - KDE - LXDE - Xfce
It is also possible to install another desktop environment after installing or to switch from one to another.
If you are wondering what the "default", "notebook" or "standard" packages are about, see tasksel.
UNFINISHED! Check open ports.
Must should be none, i.e no reply.
Remove services, which open ports. 
apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*
apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin avahi*
Check open ports again.
Must should be none, i.e no reply.
Connect to Whonix-Gateway
NOT YET DOCUMENTED!
Is Debian more secure than X?
A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default.
Are they referring to running services after installing them or having no services running (open ports) after a default installation with default settings? Debian doesn't do the latter, which is a pity.
Don't participate in popularity contest.
Some useful links. Parts of it are outdated (old Debian versions). Some stuff doesn't apply to Whonix hosts.
- Securing Debian Manual
- Securing Debian Manual Chapter 12 - Frequently asked Questions (FAQ)
- Towards a moderately paranoid Debian laptop setup (not only useful for laptops)
Setup sudoers. Add the operating system user name to sudoers.
VirtualBox Guest Additions
Install linux headers. Example for amd64.
apt-get install linux-headers-amd64
Install dependencies. 
apt-get install make patch dkms libnotify4 libnotify-bin libgsoap10 libvncserver1
Temporarily enable Debian sid repository, contrib only. 
echo "deb http://http.debian.net/debian sid contrib" > /etc/apt/sources.list.d/temp.list
Update the package lists.
Install guest additions. 
apt-get install virtualbox-guest-utils virtualbox-guest-dkms virtualbox-guest-x11 virtualbox
Disable the temporary repository.
- For documentation purposes a Debian installation has been installed with as much services as possible using taksel, while having a network connection. (Simulating user misunderstanding.) A Debian default installation with default settings does not install all those packages.
- If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.
- We install them from stretch before installing guest additions so we do not run into dependency issues by having installed a newer gcc package from sid. libgsoap10 libvncserver1 are required for virtualbox only, not for guest additions.
- contrib only to lower the chances of upgrading any packages we better not upgrade to avoid dependency issues.
- You could drop the virtualbox if you don't want it installed.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.