Debian Tips

From Whonix

Warning:

Do not use this method inside Debian-Qubes, because it will destroy the Template/AppVM and stop it from starting again.

This article describes how to 1) securely download and verify Debian, 2) install it as a host operating system, and 3) configure it to minimize attack surface.

A related description of how to configure Ubuntu through the Whonix-Gateway ™ is also available.

If you are interested in Whonix ™ for Debian, then switch over to the Debian page.

Download and Verification

The recommended way to verify the Debian Signing key is to use the web of trust, which is more secure, but not available to everyone.

This chapter documents an alternative and supplementary way to verify the Debian Signing key using an existing installation such as Ubuntu, which is already trusted, for example because you bought it from a reseller or got it from a friend who verified it.

We'll be using a 32-bit network installation (netinst) CD for the following examples but you can use other forms (CD, DVD) and architectures (x86-64) if desired.

This should work for Debian and any Debian derivative.

(1) Go to the Debian Download Page. For example, the Debian Stable (buster) amd64 folder.

IMPORTANT: For compatibility with laptops, download the install images containing the non-free device firmware. This is usually necessary for WiFi, suspend and 3D graphics to work.

(2) Download the following files:

  • SHA512SUMS
  • SHA512SUMS.sign
  • debian-7.6.0-i386-netinst.iso

(3) Install the debian-keyring package, which contains the signing key. This is because neither the Debian Verify instructions nor the debian-keyring package can be accessed over SSL. Downloading the debian-keyring package from the repository lets apt-get verify its integrity.

sudo apt-get install debian-keyring

(4) Open a terminal and change into the folder where you downloaded SHA512SUMS and SHA512SUMS.sign (and debian-7.6.0-i386-netinst.iso).

(5) Verify the SHA512SUMS file.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign

(6) The output must show:

gpg: Good signature

Otherwise something is wrong.

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This doesn't alter the validity of the signature according to the key you downloaded. The warning instead concerns the trust that you place in the key.

(7) Verify that the .iso matches the signed SHA512SUMS file:

sha512sum -c SHA512SUMS
The output must show:

debian-7.6.0-i386-netinst.iso: OK

(8) Done.
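
Steps (5) to (7) combined into one fail-closed check, as an added example that is not part of the original Whonix page; the function names are hypothetical. It checks only the line for the named image, because sha512sum -c SHA512SUMS reports a failure for every listed image that was not downloaded.

```sh
#!/bin/sh
# Added example: steps (5)-(7) as one fail-closed check. Function names are
# hypothetical; the keyring path is the one used in step (5).
KEYRING=/usr/share/keyrings/debian-role-keys.gpg

# verify_sums DIR: succeed only if SHA512SUMS.sign is a good signature on
# SHA512SUMS made by a key in $KEYRING.
verify_sums() {
    # --status-fd 1 prints machine-readable status lines. GOODSIG means the
    # signature is valid; an expired or revoked key yields EXPKEYSIG/REVKEYSIG.
    gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
        --verify "$1/SHA512SUMS.sign" "$1/SHA512SUMS" 2>/dev/null |
        grep -q '^\[GNUPG:\] GOODSIG '
}

# verify_image DIR ISO: succeed only if ISO is listed in SHA512SUMS and its
# SHA-512 digest matches. Returns 2 when the image is not listed at all.
verify_image() {
    dir=$1 iso=$2
    # Entries look like "<hash>  name" (text mode) or "<hash> *name" (binary).
    line=$(awk -v f="$iso" '$2 == f || $2 == ("*" f)' "$dir/SHA512SUMS")
    [ -n "$line" ] || { echo "$iso: not listed in SHA512SUMS" >&2; return 2; }
    (cd "$dir" && printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1)
}

# Signature first: the hashes are only meaningful once SHA512SUMS is trusted.
verify_debian_download() {
    verify_sums "$1" || { echo "SHA512SUMS: signature check failed" >&2; return 1; }
    verify_image "$1" "$2" || { echo "$2: checksum check failed" >&2; return 1; }
    echo "$2: signature and checksum OK"
}

# Usage: sh verify.sh DIR ISO
if [ "$#" -eq 2 ]; then
    verify_debian_download "$1" "$2"
fi
```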


For more detailed information on every step in the install process, consult the Debian manual available in HTML and PDF, preferably on a device other than the one you will be formatting.

On Linux the dd utility is used to create install media. To create the Debian install USB/DVD on Windows use the rufus utility as described here.

From a usability perspective, you should always have a network connection when installing Debian.

From a security perspective, you should not connect to the Internet until ready.

You may have noticed that the default desktop environment for Whonix ™ Virtual Machines is KDE. (You could change that.) It doesn't matter which desktop environment you use. The default desktop environment of Debian is GNOME. If you are already accustomed to Whonix ™ (KDE), you could use KDE for your Debian host as well (not a must).

Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images):

Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- Xfce

It is also possible to install another desktop environment after installing or to switch from one to another.

If you are wondering what the "default", "notebook" or "standard" packages are about, see tasksel.


UNFINISHED! Check open ports.


netstat -anltp

There should be none, i.e. no reply.

Remove services that open ports. [1]


apt-get remove dovecot-core openbsd-inetd bind9 samba cups cups-daemon apache2 postgres*

apt-get remove exim4 exim4-daemon-light rpcbind openssh-server apache2.2-bin avahi*

apt-get autoremove

Check open ports again.


netstat -anltp

There should be none, i.e. no reply.
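
A filter for the port check above, as an added example that is not part of the original page; the function names and the sample output are constructed for illustration. netstat -a also prints established connections and always prints header lines, so the filter keeps only TCP rows in LISTEN state and names the package that ships each listening binary.

```sh
#!/bin/sh
# Added example. SAMPLE is constructed output in the format of `netstat -anltp`.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*         LISTEN      612/sshd
tcp        0      0 127.0.0.1:25     0.0.0.0:*         LISTEN      845/exim4
tcp        0      0 10.0.2.15:43210  203.0.113.10:443  ESTABLISHED 1337/firefox-esr
tcp6       0      0 :::631           :::*              LISTEN      701/cupsd'

# listeners: read `netstat -anltp` output on stdin and print
# "scope address pid/program" for each TCP socket in LISTEN state.
# Returns 1 if any listener was found, 0 if the host is clean.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
             scope = ($4 ~ /^(127\.|::1:)/) ? "loopback" : "exposed"
             print scope, $4, $7
             found = 1
         }
         END { exit found + 0 }'
}

# owning_package PID: name the Debian package that ships the listening
# binary, i.e. the candidate for apt-get remove. Needs root to resolve
# processes owned by other users.
owning_package() {
    exe=$(readlink "/proc/$1/exe") || return 1
    dpkg -S "$exe" | cut -d: -f1
}

# Usage on a live system (as root): sh ports.sh --live
if [ "${1:-}" = "--live" ]; then
    netstat -anltp | listeners | while read -r scope addr prog; do
        echo "$scope $addr $prog package=$(owning_package "${prog%%/*}")"
    done
fi
```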

Connect to Whonix-Gateway ™




Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default.

Are they referring to running services after installing them or having no services running (open ports) after a default installation with default settings? Debian doesn't do the latter, which is a pity.

Don't participate in the popularity contest.

Some useful links. Parts of it are outdated (old Debian versions). Some stuff doesn't apply to Whonix ™ hosts.


Set up sudoers. Add the operating system user name to sudoers.

Optional! First consider whether this change is desirable. [2]

Become root.


Add the user account to the sudo group. Replace user with the actual operating system user name.

sudo adduser user sudo

Reboot so group changes take effect.


VirtualBox Guest Additions

These instructions are outdated! Using sid is no longer required. Stretch users can use stretch-backports and buster users don't need any extra repository.

Become root.


Install linux headers. Example for amd64.

apt-get install linux-headers-amd64

Install dependencies. [3]

apt-get install make patch dkms libnotify4 libnotify-bin libgsoap10 libvncserver1

Temporarily enable Debian sid repository, contrib only. [4]

echo "deb sid contrib" > /etc/apt/sources.list.d/temp.list

Update the package lists.

apt-get update

Install guest additions. [5]

apt-get install virtualbox-guest-utils virtualbox-guest-dkms virtualbox-guest-x11

Disable the temporary repository.

rm /etc/apt/sources.list.d/temp.list




  1. For documentation purposes, a Debian installation has been installed with as many services as possible using tasksel, while having a network connection. (Simulating user misunderstanding.) A Debian default installation with default settings does not install all those packages.
  2. If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.
  3. We install them from stretch before installing guest additions so we do not run into dependency issues by having installed a newer gcc package from sid. libgsoap10 libvncserver1 are required for virtualbox only, not for guest additions.
  4. Only contrib is enabled, to lower the chances of upgrading packages that are better left alone, which avoids dependency issues.
  5. You could drop the virtualbox if you don't want it installed.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)