Debian Host Operating System Tips
This chapter describes how to:
- securely download and verify Debian;
- install Debian as a host operating system; and
- configure it to minimize the attack surface.
A related description is also available regarding how to configure Ubuntu through the Whonix-Gateway ™.
Readers who are interested in running Whonix ™ for Debian inside VirtualBox should refer to this page.
Download and Verification
The recommended way to verify the Debian Signing key is to use the web of trust. This is more secure, but not available to everyone.
This chapter documents an alternative and supplementary way to verify the Debian Signing key. It utilizes an existing installation such as Ubuntu, which is already trusted; for example one bought from a reseller or provided by a friend who verified it.
In the following example the 64-bit network installation (netinst) CD is used, but other forms (CD, DVD) and architectures (x86-64) can be substituted if necessary.
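The verification flow this section describes, run from the already trusted system, as an added example that is not part of the original page. It assumes the debian-keyring package is installed from that system's own repositories (the keyring path is an assumption), and the script and ISO file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes SHA512SUMS, SHA512SUMS.sign
# and the ISO were downloaded into the current directory.

# Keyring path as shipped by debian-keyring (assumption; override if it differs).
KEYRING="${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}"

# Step 1: check the detached signature on the checksum list.
# gpgv trusts exactly the keys in the given keyring and nothing else.
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpgv --keyring "$KEYRING" "$sig" "$sums"
}

# Step 2: compare the image's SHA-512 with the entry for its exact file name.
# Fails if the name is not listed, so a missing entry can never pass silently.
verify_iso_checksum() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    echo "OK: $name matches $sums"
}

# Only trust the checksum list after its signature has verified.
verify_debian_image() {
    verify_sums_signature "$1" "$2" && verify_iso_checksum "$1" "$3"
}

# Usage (hypothetical names): sh verify-debian.sh SHA512SUMS SHA512SUMS.sign debian-netinst.iso
if [ "$#" -eq 3 ]; then
    verify_debian_image "$1" "$2" "$3"
fi
```

gpgv accepts a signature from any key in the keyring it is given, so confirm that the signer it reports is the Debian CD signing key.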
For more detailed information on every step in the installation process, consult the Debian manual available in HTML [archive] and PDF [archive], preferably on a device other than the one that will be formatted.
To successfully and safely complete the installation, note the following:
- In Linux, the dd utility is utilized to create install media [archive].
- In Windows, the Debian install USB/DVD can be created with the rufus utility as described here [archive].
- From a usability perspective, it is recommended to always have a network connection when installing Debian; see here [archive].
- From a security perspective, it is safest to avoid Internet connections until ready; see here [archive].
Default Desktop Environment
Readers may have noticed the default desktop environment for Whonix ™ Virtual Machines is XFCE (although that can be changed). The preferred desktop environment is of little consequence; for example the default Debian desktop environment is GNOME. Users who are already accustomed to Whonix ™ (XFCE) can utilize the same environment for the Debian host as well, but this is not compulsory.
## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)
Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- KDE
- LXDE
- Xfce
It is also possible to install another desktop environment later on or configure a switch from one to another.
Connect to Whonix-Gateway ™
Is Debian more secure than X?
A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default. In any case, the system administrator needs to adapt the security of the system to the local security policy.
It is unclear if Debian is referring to running services after installing them or having no services running (no open ports) after an installation with default settings. Debian does not do the latter, which is a pity. Despite Debian's preference for running services after installation, this issue should not distract from the relative strength of the platform when properly configured.
Some useful security links are listed below. Some content in the references is outdated because it only applies to older Debian versions. Similarly, some content does not apply to Whonix ™ hosts.
- Securing Debian Manual [archive]
- Securing Debian Manual Chapter 12: Frequently asked Questions (FAQ) [archive]
- Towards a moderately paranoid Debian laptop setup [archive] (this is also useful for non-laptops)
Set up sudoers. Add the operating system user name to sudoers.
- Verifying authenticity of Debian CDs [archive]
- For documentation purposes a Debian installation has been completed with as many services as possible using tasksel, while having a network connection (simulating user misunderstanding). A normal Debian installation with default settings does not install all those packages.
- If this action is taken, sudo can be used as outlined below and elsewhere. Otherwise, it is necessary to manually switch to root and/or use su as per About#Based_on_Debian.