Debian Host Operating System Tips

From Whonix

Debian Logo


Ambox warning pn.svg.png Warning: do not use this method inside Debian-Qubes because it will destroy and stop the TemplateVM/AppVM from starting again.

This chapter describes how to:

  1. securely download and verify Debian;
  2. install Debian as a host operating system; and
  3. configure it to minimize the attack surface.

A related description is also available regarding how to configure Ubuntu through the Whonix-Gateway ™.

Readers who are interested in running Whonix ™ for Debian inside VirtualBox should refer to this page.

Download and Verification[edit]

Info The following method should work for Debian and any Debian derivative.

The recommended way to verify the Debian Signing key is to use the web of trust. This is more secure, but not available to everyone.

This chapter documents an alternative and supplementary way to verify the Debian Signing key. It utilizes an existing installation such as Ubuntu, which is already trusted; for example one bought from a reseller or provided by a friend who verified it.

In the following example the 64-bit network installation (netinst) CD is used, but other forms (CD, DVD) and architectures (x86-64) can be substituted if necessary.

1. Navigate to the Debian Stable (buster) amd64 folder [archive].

Info Important: For compatibility with laptops download the install images [archive] containing the non-free device firmware. This is usually necessary for WiFi, suspend and 3D graphics functionality.

2. Download necessary files.

At the time of writing, Debian 10.10 was the latest available ISO image. Change the version to below to reflect any later release:

  • SHA512SUMS
  • SHA512SUMS.sign
  • debian-10.10.0-amd64-netinst.iso

3. Install the debian-keyring package, which contains the signing key. [1]

Downloading the debian-keyring package from the repository will allow apt-get to verify its integrity.

sudo apt-get install debian-keyring

4. Open a terminal.

Navigate to the folder where the SHA512SUMS, SHA512SUMS.sign and debian-10.10.0-amd64-netinst.iso files were downloaded.

5. Verify the SHA512SUMS file.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

6. Confirm the signature is valid.

The output must show.

gpg: Good signature

Otherwise something went wrong.

This output might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This warning does not alter the validity of the signature according to the key you downloaded. Instead, this warning relates to the trust that you place in the key.

7. Verify that the .iso matches the signed SHA512SUMS file.

sha512sum -c SHA512SUMS | grep debian-10.10.0-amd64-netinst.iso

The output must show.


The procedure is complete.


For more detailed information on every step in the installation process consult the Debian manual available in HTML [archive] and PDF [archive], preferably on another device than the one that will be formatted.


To successfully and safely complete the installation, note the following:

  • In Linux, the dd utility is utilized to create install media [archive].
  • In Windows, the Debian install USB/DVD can be created with the rufus utility as described here [archive].
  • From a usability perspective, it is recommended to always have a network connection when installing Debian; see here [archive].
  • From a security perspective, it is safest to avoid Internet connections until ready; see here [archive].

Default Desktop Environment[edit]

Readers may have noticed the default desktop environment for Whonix ™ Virtual Machines is XFCE (although that can be changed). The preferred desktop environment is of little consequence; for example the default Debian desktop environment is GNOME. Users who are already accustomed to Whonix ™ (XFCE) can utilize the same environment for the Debian host as well, but this is not compulsory.

## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)

Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- Xfce

It is also possible to install another desktop environment later on or configure a switch from one to another.

Other Packages[edit]

To learn more about the "default", "notebook" or "standard" packages see: tasksel [archive].

Post-installation Steps[edit]

Open Ports[edit]

Ambox warning pn.svg.png This section is incomplete.

1. Check open ports.


netstat -anltp

A safe configuration must show no ports are open (no reply).

2. Remove any services which open ports. [2]


apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*

apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin avahi*

apt-get autoremove

3. Check open ports again.


netstat -anltp

A safe configuration must show no ports are open (no reply).

Connect to Whonix-Gateway ™[edit]

Info This procedure is not yet documented - contributions are most welcome.


Quote [archive]:

Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default. In any case, the system administrator needs to adapt the security of the system to the local security policy.

It is unclear if Debian is referring to running services after installing them or having no services running (no open ports) after an installation with default settings. Debian does not do the latter, which is a pity. Despite Debian's preference for running services after installation, this issue should not distract from the relative strength of the platform when properly configured.

Some useful security links are listed below. Some content in the references are outdated because they only apply to older Debian versions. Similarly, some content does not apply to Whonix ™ hosts.


Setup sudoers. Add the operating system user name to sudoers.

Info This procedure is optional. Before proceeding, first consider whether this change is desirable. [3]

Become root.


Add the user account to the sudoer's group. Replace user with the actual operating system user name.

sudo adduser user sudo

Reboot so group changes take effect.



  1. Verifying authenticity of Debian CDs [archive]
  2. For documentation purposes a Debian installation has been completed with as many services as possible using tasksel, while having a network connection (simulating user misunderstanding). A normal Debian installation with default settings does not install all those packages.
  3. If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.

Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Debian Tips&body= link= Tips link= Tips link= Tips%20 Tips

Did you know that anyone can edit the Whonix ™ wiki to improve it?

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.