Debian Tips

From Whonix

Warning:

Do not use this method inside Debian-Qubes, because it will destroy the Template/AppVM and stop it from starting again.

This article describes how to 1) securely download and verify Debian, 2) install it as a host operating system, and 3) configure it to minimize attack surface.

A related description of how to configure Ubuntu through the Whonix-Gateway ™ is also available.

If you are interested in Whonix ™ for Debian, then switch over to the Debian page.

Download and Verification

The recommended way to verify the Debian Signing key is to use the web of trust, which is more secure, but not available to everyone.

This chapter documents an alternative and supplementary way to verify the Debian Signing key using an existing installation such as Ubuntu, which is already trusted, for example because you bought it from a reseller or got it from a friend who verified it.

We'll be using a 64-bit network installation (netinst) CD for the following examples but you can use other forms (CD, DVD) and architectures (x86-64) if desired.

This should work for Debian and any Debian derivative.

(1) Debian Stable (buster) amd64 folder

IMPORTANT: For compatibility with laptops, download the install images containing the non-free device firmware. This is usually necessary for WiFi, suspend and 3D graphics to work.

(2) Download:

  • SHA512SUMS
  • SHA512SUMS.sign
  • debian-10.2.0-amd64-netinst.iso

(3) Install the debian-keyring package, which contains the signing key. [1] Because the debian-keyring package is downloaded from the repository, apt-get verifies its integrity.

sudo apt-get install debian-keyring

(4) Open a terminal and change into the folder where you downloaded SHA512SUMS and SHA512SUMS.sign (and TODO ).

(5) Verify the SHA512SUMS file.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

(6) The output must show:

gpg: Good signature

Otherwise something is wrong.

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This doesn't alter the validity of the signature according to the key you downloaded. Rather, this warning has to do with the trust that you put in the key.

(7) Verify that the .iso matches the signed SHA512SUMS file:

sha512sum -c SHA512SUMS | grep TODO

must show:


(8) Done.
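Steps (5) to (7) as a script, added here as an example and not part of the original Whonix page. The function names are hypothetical. It assumes GNU sha512sum, and it reads gpg's machine-readable --status-fd output instead of looking for the "Good signature" text.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Function names are hypothetical.
# Usage: sh verify-debian.sh <download-dir> <iso-file-name>
KEYRING=/usr/share/keyrings/debian-role-keys.gpg

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line is present
# and no line reports a bad, unverifiable, expired or revoked signature/key.
status_ok() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(good && !bad) }
    '
}

# Step (5)/(6): verify SHA512SUMS against its detached signature using only
# the keyring shipped in the debian-keyring package.
verify_sums_signature() {   # $1 = directory holding both files
    gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
        --verify "$1/SHA512SUMS.sign" "$1/SHA512SUMS" 2>/dev/null | status_ok
}

# Step (7): check only the named image against the signed list.
# Fails closed when the image is not listed at all.
verify_iso_hash() {         # $1 = directory, $2 = image file name
    (
        cd "$1" || exit 1
        line=$(awk -v f="$2" '$2 == f || $2 == ("*" f)' SHA512SUMS)
        [ -n "$line" ] || exit 1
        printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1
    )
}

if [ "$#" -eq 2 ]; then
    verify_sums_signature "$1" || { echo "signature check FAILED" >&2; exit 1; }
    verify_iso_hash "$1" "$2"  || { echo "hash check FAILED" >&2; exit 1; }
    echo "OK: $2 matches the signed SHA512SUMS"
fi
```

The hash check is only meaningful after the signature check has passed, which is why the script runs them in that order and stops at the first failure.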


For more detailed information on every step in the install process, consult the Debian manual available in HTML and PDF, preferably on a device other than the one you will be formatting.

On Linux, the dd utility is used to create install media. To create the Debian install USB/DVD on Windows, use the rufus utility as described here.

From a usability perspective, you should always have a network connection when installing Debian.

From a security perspective, you should not connect to the Internet until ready.

You may have noticed that the default desktop environment for Whonix ™ Virtual Machines is XFCE. (You could change that.) It doesn't matter which desktop environment you are going to use. The default desktop environment of Debian is GNOME. If you are already accustomed to Whonix ™ (XFCE), you could use XFCE for your Debian host as well (not a must).

## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)

Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- Xfce

It is also possible to install another desktop environment after installing or to switch from one to another.

If you are wondering what the "default", "notebook" or "standard" packages are about, see tasksel.

Open Ports

UNFINISHED! Check open ports.


netstat -anltp

There should be none, i.e. no reply.

Remove services, which open ports. [2]


apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 'postgres*'

apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin 'avahi*'

apt-get autoremove

Check open ports again.


netstat -anltp

There should be none, i.e. no reply.

Connect to Whonix-Gateway ™



Quote:

Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default.

Are they referring to running services after installing them or having no services running (open ports) after a default installation with default settings? Debian doesn't do the latter, which is a pity.

Don't participate in the popularity contest.

Some useful links. Parts of it are outdated (old Debian versions). Some stuff doesn't apply to Whonix ™ hosts.


Set up sudoers. Add the operating system user name to sudoers.

Optional! First consider whether this change is desirable. [3]

Become root.


Add the user account to the sudo group. Replace user with the actual operating system user name.

sudo adduser user sudo

Reboot so group changes take effect.



  1. Debian Verify
  2. For documentation purposes, a Debian installation has been installed with as many services as possible using tasksel, while having a network connection. (Simulating user misunderstanding.) A Debian default installation with default settings does not install all those packages.
  3. If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
