Debian Host Operating System Tips

From Whonix

Debian Logo


This chapter describes how to:

  1. securely download and verify Debian;
  2. install Debian as a host operating system; and
  3. configure it to minimize the attack surface.

Readers who are interested in running Whonix ™ for Debian inside VirtualBox should refer to this page.

Prerequisite Knowledge[edit]

Info Everything mention on this wiki page and Debian is completely free in price as well as in freedom. No payment required. No credit card required. No submission of real name or other private information required.

The meaning of "non-free" might be confusing at first. When the Debian website or other Open Source / Free Software related websites write "non-free" they mean actually "non-freedom" (no software freedom or software freedom limitations). Downloads marked "non-free" on the Debian website are always free to download, zero price, free of charge. This also applies generally to most other Debian, Linux and Freedom Software related websites.

Similarly, the meaning of "free" is actually "freedom" which isn't as confusing. It's getting more confusing when negating the meaning with "non-free" as explained above.

This is for historic reasons etc. See footnote for details. [1] See also reasons to avoid non-freedom software.

info amd64 might imply AMD only. This is wrong.

amd64 means Intel and AMD.

For technical reasons, in Debian (and in many other Linux / Freedom Software related places) both, Intel and AMD, is called amd64. This is common knowledge without controversy among technical people, in doubt see Wikipedia X86-64 [archive].

Download and Verification[edit]

This chapter documents how to securely download and perform digital software verification of a Debian installation iso image. The recommended way to verify the Debian Signing key is to use the web of trust. This is more secure, but not available to everyone. This chapter documents an alternative and supplementary way to verify the Debian Signing key. It utilizes an existing installation such as for example Debian, Qubes Debian Template, or Ubuntu, which is already considered trusted by the user; for example one bought from a reseller or provided by a friend who verified it.

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

Info The following method should work for Debian and any Debian derivative including Qubes Debian Template based App Qube.

Qubes users note: It is recommended to use a dedicated App Qubes, perhaps named iso-download.

1. Open a terminal.

2. Open the Debian Stable (bullseye) amd64 download page in a web browser.


Other choices are possible such as the network installation (netinst) CD or other architectures (x86-64) can be substituted if necessary.

This examples uses the following example the non-freedom iso DVD.

If using Whonix ™ or Kicksecure ™ at time of writing to securely download the the command line the following command could be used.

3. Download necessary files.

At the time of writing, Debian 11.1.0 was the latest available ISO image. Change the version to below to reflect any later release:

  • SHA512SUMS
  • SHA512SUMS.sign
  • the .iso, either
    • debian-11.1.0-amd64-DVD-1.iso (freedom version), OR
    • firmware-11.1.0-amd64-DVD-1.iso (non-freedom version)

Note: Either adjust the link if later needed or download using a web browser. (Perhaps wiki Template:stable project version based on Debian version iso needs to be updated.)

Download .iso image.


Download hash sum digital software signature.


Download hash sum file.


4. Install the debian-keyring package, which contains the Debian signing key. [2]

sudo apt-get install debian-keyring

5. Change directory.

Navigate to the folder where the files SHA512SUMS, SHA512SUMS.sign and the ISO were downloaded.

6. Digital software signature verification of the SHA512SUMS file.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

7. Confirm the signature is valid.

The output must show.

gpg: Good signature

Otherwise something went wrong.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The above "gpg: WARNING" can be ignored since it does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the developers signing key and the web of trust. To remove this warning, the developers signing key must be personally signed with your own key.

8. Hash sum check

Verify that the .iso matches the signed SHA512SUMS file.

sha512sum --check --ignore-missing SHA512SUMS

The output must show.


9. Done.

The procedure of downloading and digital software signature verification of the Debian .iso is complete.


Writing the iso image to USB[edit]

Qubes users:

These instructions are for users of Qubes only.

It is recommended to use a dedicated App Qubes, perhaps named iso-download.

1. Physically detach all removable USB hard drives, if any.

In dom0.

As per the usual process.

2. Have a look at the Qubes systray area in dom0.

3. However over with the mouse to the yellow symbol which should show "Qubes Devices" in dom0.

4. Left click on Qubes Devices in dom0.

5. Remember the currently available devices.

Consider making a photo or notes.

6. Attach the USB hard drive using Qubes Devices which the ISO should be written in dom0.

7. Recognize the hopefully recognized newly attached USB hard drive in Qubes Devices in dom0.

Should show something like sys-usb:sda.

If there is also sys-usb:sda1 then that is ok. It's a partition. And can be safely ignored for this procedure.

8. Attach the newly added USB hard drive to the VM where the ISO has been downloaded.

In dom0. Using Qubes Devices.

9. Write the iso the the USB hard drive.

Inside the iso-download App Qubes.


  • Do not proceed if other devices are connected to that VM!
  • All data on the device will be lost!

NOTE: Replace debian-11.1.0-amd64-DVD-1.iso with the file name / path to another ISO file if another ISO was downloaded or downloaded in a different location.

  • freedom version:
    sudo dd bs=64K conv=noerror,sync status=progress if=debian-11.1.0-amd64-DVD-1.iso of=/dev/xvdi

  • non-freedom version:
    sudo dd bs=64K conv=noerror,sync status=progress if=firmware-11.1.0-amd64-DVD-1.iso of=/dev/xvdi

10. Check exit code.

Inside the iso-download App Qubes.

echo $?

Expected output if success.


11. Shutdown the VM.

Inside the iso-download App Qube.

sudo poweroff

11. Use Qubes Devices in dom0 to detach the USB hard drive from the iso-download App Qube.

12. Done.

The process of writing the ISO image to the USB drive has been completed.

Debian users: Undocumented!

Upstream Documentation[edit]

For more detailed information on every step in the installation process consult the Debian manual available in HTML [archive] and PDF [archive], preferably on another device than the one that will be formatted.


To successfully and safely complete the installation, note the following:

  • In Linux, the dd utility is utilized to create install media [archive].
  • In Windows, the Debian install USB/DVD can be created with the rufus utility as described here [archive].
  • From a usability perspective, it is recommended to always have a network connection when installing Debian; see here [archive].
  • From a security perspective, it is safest to avoid Internet connections until ready; see here [archive].

Default Desktop Environment[edit]

Readers may have noticed the default desktop environment for Whonix ™ Virtual Machines is Xfce (although that can be changed). The preferred desktop environment is of little consequence; for example the default Debian desktop environment is GNOME. Users who are already accustomed to Whonix ™ (Xfce) can utilize the same environment for the Debian host as well, but this is not compulsory.

## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)

Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- Xfce

It is also possible to install another desktop environment later on or configure a switch from one to another.

Other Packages[edit]

To learn more about the "default", "notebook" or "standard" packages see: tasksel [archive].

Post-installation Steps[edit]

Open Ports[edit]

Ambox warning pn.svg.png This section is incomplete.

Ambox warning pn.svg.png Qubes Users Warning: This is a notice for users who already have a Debian Template in Qubes. Other users can ignore this warning.

Do not use this method inside Debian-Qubes because it will destroy and stop the Template / App Qube from starting again.

The commands in this chapter should only be considered on a real Debian system.

1. Check open ports.

su -

netstat -anltp

A safe configuration must show no ports are open (no reply).

2. Remove any services which open ports. [3]

su -

apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*

apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin avahi*

apt-get autoremove

3. Check open ports again.

su -

netstat -anltp

A safe configuration must show no ports are open (no reply).

Connect to Whonix-Gateway ™[edit]

Info This procedure is not yet documented - contributions are most welcome.


Quote [archive]:

Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default. In any case, the system administrator needs to adapt the security of the system to the local security policy.

It is unclear if Debian is referring to running services after installing them or having no services running (no open ports) after an installation with default settings. Debian does not do the latter, which is a pity. Despite Debian's preference for running services after installation, this issue should not distract from the relative strength of the platform when properly configured.

Some useful security links are listed below. Some content in the references are outdated because they only apply to older Debian versions. Similarly, some content does not apply to Whonix ™ hosts.


Setup sudoers. Add the operating system user account to sudoers.

Info This procedure is optional. Before proceeding, first consider whether this change is desirable. [4]

1. Become root.

su -

2. Add the user account to the sudoer's group. Replace user with the actual operating system user name.

sudo adduser user sudo

3. Reboot so group changes take effect.



  1. Similarly, the meaning of "free" means actually non-freedom". Except in rare cases, the download and use of Freedom Software ("Free Software") in most cases is free in price. This is a very old issue. The founders of the Free Software movement and the Free Software Foundation are adamant about calling it "Free Software" rather than "Freedom Software" what it really is about. The user would have to learn the essentials what Free Software is. Related: Let's call it Freedom Software rather than Free Software or Open Source! [archive] / Why Whonix ™ will always be Free as in Price as well as in Freedom / Whonix ™ Policy On Non-Freedom Software / Dev/nonfree
  2. Verifying authenticity of Debian CDs [archive]
  3. For documentation purposes a Debian installation has been completed with as many services as possible using tasksel, while having a network connection (simulating user misunderstanding). A normal Debian installation with default settings does not install all those packages.
  4. If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Debian Tips&body= link= Tips link= Tips link= Tips%20 Tips

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.