

This article describes how to 1) securely download and verify Debian, 2) install it, and 3) configure it to minimize its attack surface. In the future, it will also describe how to route its traffic through the Whonix-Gateway. A related description of how to configure Ubuntu to connect through the Whonix-Gateway is also available.

Download and Verification

The recommended way to verify the Debian signing key is through the OpenPGP web of trust. That is more secure, but not available to everyone.

This chapter documents an alternative and supplementary way: verify the Debian signing key using an existing installation that you already trust, such as an Ubuntu system you bought preinstalled from a reseller or got from a friend who verified it.

We'll be using a 32-bit network installation (netinst) CD in the following examples, but you can use other image types (CD, DVD) and architectures (x86-64) if desired.

The existing installation used for the verification can be Debian or any Debian derivative.

(1) Go to the Debian download page, for example the Debian Stable (Wheezy) i386 folder.

(2) Download.

  • SHA512SUMS
  • SHA512SUMS.sign
  • debian-7.6.0-i386-netinst.iso

(3) Install the debian-keyring package, which contains the signing key. The reason: the Debian verification instructions are not reachable over SSL, and the debian-keyring package cannot be downloaded over SSL either, but when apt-get installs it from the repository it verifies the package against the repository signing key that your existing installation already trusts.

sudo apt-get install debian-keyring

(4) Open a terminal and get into the folder where you downloaded SHA512SUMS and SHA512SUMS.sign (and debian-7.6.0-i386-netinst.iso ).

(5) Verify the SHA512SUMS file.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

(6) The output must contain

gpg: Good signature

and gpg must exit with status 0. Otherwise something is wrong.

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This does not alter the validity of the signature with respect to the key in the keyring you used. The warning is about how much trust you have established in that key, which is exactly what the web of trust or the trusted existing installation described above provides.

(7) Verify that the .iso matches the signed SHA512SUMS file:

sha512sum -c SHA512SUMS

SHA512SUMS lists every image in the download folder, so sha512sum also reports the images you did not download as missing ("No such file or directory" / "FAILED open or read") and exits non-zero because of them. The line for the image you downloaded is what matters, and it must read:

debian-7.6.0-i386-netinst.iso: OK

(8) Done.
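The checks of steps (5) to (7), as an added shell example that is not part of this page or of Debian's own tooling: it reads gpg's machine-readable status lines (GOODSIG/VALIDSIG via --status-fd) instead of the translated "Good signature" text, and it compares only the SHA512SUMS entry for the image actually downloaded, so the missing-file noise for the other images in the folder cannot hide a real mismatch. File names and the keyring path are the ones used in the steps above; the demo at the end runs on constructed files and needs no network.

```shell
#!/bin/sh
# Added example, not code from the Whonix page or from Debian: steps (5) to (7)
# above as two shell functions that report results through exit codes and
# gpg's machine-readable status lines, instead of eyeballing "Good signature"
# and a screen of sha512sum output. File names and the keyring path are the
# ones the page uses; the demo at the end runs on constructed files only.
set -u

# verify_sums_signature KEYRING SUMS SIG
# gpg --status-fd prints stable "[GNUPG:] GOODSIG ..." / "[GNUPG:] VALIDSIG ..."
# lines that do not change with locale or gpg version. Returns 0 only for a
# good signature and prints the signing key fingerprint (first VALIDSIG field)
# so it can be compared with the fingerprint Debian publishes. The "not
# certified with a trusted signature" warning goes to stderr and is unaffected.
verify_sums_signature() {
    keyring=$1
    sums=$2
    sig=$3
    status=$(gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
                 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3 }'
}

# verify_iso_checksum SUMS ISO
# SHA512SUMS lists every image in the download folder, so a plain
# `sha512sum -c SHA512SUMS` also reports the images that were not downloaded
# as missing and exits non-zero. This compares only the entry for ISO.
# Exit status: 0 match, 1 mismatch, 2 ISO not listed in SUMS at all.
verify_iso_checksum() {
    sums=$1
    iso=$2
    name=$(basename -- "$iso")
    # Entry format: "<128 hex digits>  <file name>"; tolerate a "*name" binary marker.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi
    actual=$(sha512sum -- "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED" >&2
    return 1
}

# Demo on constructed files (no download, no network): a stand-in for the
# netinst image, a SHA512SUMS that also lists an image we did not fetch, a
# tampered copy, and a file that is not listed at all.
report() { "$@" && echo "  exit status 0" || echo "  exit status $?"; }
demo() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for the netinst image\n' > "$dir/debian-7.6.0-i386-netinst.iso"
    ( cd "$dir" && sha512sum debian-7.6.0-i386-netinst.iso ) > "$dir/SHA512SUMS"
    # Constructed checksum for an image that is not on disk.
    printf '%0128d  debian-7.6.0-i386-xfce-CD-1.iso\n' 0 >> "$dir/SHA512SUMS"
    mkdir "$dir/tampered"
    cp "$dir/debian-7.6.0-i386-netinst.iso" "$dir/tampered/"
    printf 'x' >> "$dir/tampered/debian-7.6.0-i386-netinst.iso"
    report verify_iso_checksum "$dir/SHA512SUMS" "$dir/debian-7.6.0-i386-netinst.iso"          # OK, 0
    report verify_iso_checksum "$dir/SHA512SUMS" "$dir/tampered/debian-7.6.0-i386-netinst.iso" # FAILED, 1
    report verify_iso_checksum "$dir/SHA512SUMS" "$dir/debian-7.6.0-amd64-netinst.iso"         # not listed, 2
    rm -rf "$dir"
}
demo
# Real run, in the download folder:
#   verify_sums_signature /usr/share/keyrings/debian-role-keys.gpg SHA512SUMS SHA512SUMS.sign &&
#   verify_iso_checksum SHA512SUMS debian-7.6.0-i386-netinst.iso
```

The fingerprint printed by verify_sums_signature is only useful if you compare it with the one Debian publishes for its CD signing key; a good signature by itself says no more than "signed by some key in this keyring", which is why the page insists on verifying the keyring through a trusted installation.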



From a usability perspective, you should have a network connection while installing Debian.

From a security perspective, you should not connect to the Internet until the system is ready, i.e. installed and hardened as described below.

You may have noticed that the default desktop environment of Whonix's virtual machines is KDE (this can be changed). It does not matter which desktop environment you use for Debian. Debian's default is GNOME; if you are already accustomed to Whonix (KDE), you could use KDE on your Debian host as well, but that is not a must.

Installing KDE, LXDE or Xfce this way works with a DVD image or the network installation image, but not with the CD images:

Debian boot menu -> Advanced Options -> Alternative Desktop Environments ->
then choose the one you want, for example:
- Xfce

It's also possible to install another desktop environment after installing or to switch from one to another.

If you are wondering what the "default", "notebook" or "standard" packages are about, see tasksel.


UNFINISHED! Check open ports. Run as root so that netstat can show the owning process for every socket:

netstat -lntup

There should be no listening sockets, i.e. nothing below the header lines. (-l restricts the output to listening sockets; -u includes UDP, which a TCP-only check would miss.)

Remove the services that open ports. The list below was obtained from an installation with as many services as possible (see footnote [1]); a default installation will not have all of them, and apt-get simply reports packages that are not installed. Run as root:

apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*

apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin

apt-get autoremove

Check open ports again:

netstat -lntup

Again, no listening sockets should be shown.
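The port check above, as an added shell example that is not part of this page: a filter over netstat output that keeps only listening sockets, drops header lines and established connections, and labels each socket "network" (wildcard or non-loopback bind, reachable from outside) or "loopback" (127.x or ::1, local attack surface only). The page's criterion is that nothing should be listening at all; this makes the exceptions easy to read and to match against the package list above. The sample netstat output is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the Whonix page: a filter for the netstat output
# used in the port check above. It keeps only listening sockets, drops header
# lines and established connections, and labels each socket "network"
# (wildcard or non-loopback bind, reachable from outside) or "loopback"
# (127.x / ::1, local attack surface only). The sample output below is
# constructed for the demo; it is not from a real host.
set -u

# listening_sockets < netstat-output
# One line per listening socket: "<scope> <proto> <address> <port> <PID/program>".
# netstat leaves the State column empty for UDP, so PID/Program is field 6
# there and field 7 for TCP. Only TCP sockets in state LISTEN count.
listening_sockets() {
    awk '
    {
        prog = ""
        if ($1 ~ /^tcp/ && $6 == "LISTEN")      prog = $7
        else if ($1 ~ /^udp/ && $4 ~ /:/)       prog = $6
        if (prog == "") next
        addr = $4
        port = addr;  sub(/.*:/, "", port)        # text after the last colon
        sub(/:[^:]*$/, "", addr)                  # strip ":port": "::1:631" -> "::1", ":::22" -> "::"
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "network"
        print scope, $1, addr, port, prog
    }'
}

# count_scope SCOPE < netstat-output : number of listening sockets with that scope
count_scope() {
    listening_sockets | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample of `netstat -lntup` run as root on a Debian host that still
# has several tasksel services installed (plus one established connection, as
# `-a` would also show it).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1044/exim4
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      698/cupsd
tcp        0      0 192.168.1.20:43122      91.189.94.40:80         ESTABLISHED 1580/wget
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      698/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           633/avahi-daemon
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient'

printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets | sort
printf 'network-reachable listeners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_scope network)"   # 4
# On a real host (as root): netstat -lntup | listening_sockets
```

In the sample, sshd and avahi-daemon are the network-reachable listeners the apt-get remove lines above take care of; exim4 and cupsd are bound to loopback only, so they are not reachable from the network but are still running code that the page removes. dhclient on UDP 68 is the DHCP client and will show up on any host that gets its address via DHCP.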



Set up sudo. Add your operating system user name to the sudo group.

Optional! Only if you want this. [2]

Become root (su -).

Add your user account to the sudo group. Replace user with your actual operating system user name.

adduser user sudo

Log out and back in (or reboot) so the group change takes effect.


Connect to Whonix-Gateway




Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default.

Are they referring to running services after installing them, or to having no services running (open ports) after a default installation with default settings? Debian does not do the latter, which is a pity.

Do not participate in the popularity contest (the popularity-contest package, which the installer offers to enable): it periodically reports the list of installed packages to Debian.

Some useful links follow. Parts of them are outdated (old Debian versions), and some of the material does not apply to Whonix hosts.


  1. For documentation purposes, a Debian installation was set up with as many services as possible using tasksel, with a network connection available (simulating a user misunderstanding). A Debian default installation with default settings does not install all those packages.
  2. If you don't do this, you cannot use sudo as outlined below and elsewhere. You would then have to switch to root manually and/or use su as per About#Based_on_Debian.
