Easy[edit]

Introduction[edit]

Qubes-Whonix ™ users need to install and update persistant software in the Whonix-Workstation ™ TemplateVM(s) (whonix-ws-14). Using apt-get in the a TemplateBased AppVM (anon-whonix) will only install software for the current session, with changes being lost when the VM is shut down; see Install Software in a TemplateBasedVM.

A primary Whonix ™ goal is to greatly reduce the risk posed by (additional) software installations that are not exclusively designed to work with Tor.

Users can install any software inside Whonix-Workstation ™ using apt-get, since it is based on Debian. However, this is not a recommendation for installing additional software.

Whonix ™ is currently the most secure platform for running Tor-unsafe applications like Adobe Flash; see the operating system comparison.

The Whonix ™ software page lists:

• Pre-installed Whonix ™ applications which are available for different tasks.
• Recommended software for different user activities.
• Safety advice.
• Installation instructions.

Install from Debian stable[edit]

To install a package from Debian stable, follow the steps below. Replace package-name with the name of the software you want to install.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the package-name package.

sudo apt-get install package-name

The procedure of installing package-name is now complete.

There are numerous examples of this procedure in the Software chapter and throughout the wiki.

Best Practices[edit]

Table: Best Software Installation Practices

More Security[edit]

General Advice[edit]

Whonix ™ users are free to install their favorite software packages, but should be aware that additional software increases the attack surface of the platform. Almost any application can be installed, with a few exceptions for programs that are impossible to torify. In addition, Whonix ™ provides:

• Protection from IP and DNS leaks (see above for details).
• Partial protection against protocol leaks and fingerprinting, but this is far from perfect.

Users are responsible for trying to prevent any other protocol leaks using the "Torify: How-to" guide, but most of those are mitigated by Whonix ™.

apt-get Meta-data[edit]

When updating with apt-get, information will leak about which software packages and versions have been installed, unless Tor onion repositories have been configured. ^[9] This meta-data cannot be directly linked to any other activity like web browsing, because the Whonix ™ apt-get uwt wrapper forces it to pass through its own circuit. Despite this isolation, it is still possible for updates to be correlated with the same pseudonym. ^{[10] [11]}

Recommendations[edit]

For greater security when updating:

• Follow the guidelines below.
• Be especially careful when adding custom repositories, particularly Personal Package Archives (PPAs). Single developers are more easily pressured and/or likely to have malicious intent than the main distribution repositories.
• Read the protocol leak and fingerprinting protection entry first. It highlights useful information, like the fact that DNS and IP-related leaks do not apply to Whonix ™.
• Refer to the Tor Project's Torify: How-to which discusses various protocol leaks and how to mitigate them.
• Review the Tor Project's Transparent Proxy Leaks documentation, which is particularly relevant for Microsoft Windows.

How-to: Install or Update with Utmost Caution[edit]

1. Stop all activities and shutdown any open applications like Tor Browser.
2. Change the Tor circuit (this step may not apply if the user is running an onion service). ^[12]
3. Update using apt-get after a random delay. By default, a new Tor circuit is generated after 10 seconds.
4. Change the Tor circuit again.
5. Continue user activities after another random period has elapsed.

Whonix-Workstation ™ is Firewalled[edit]

Note: This section is for users interested in server software or other advanced / uncommon applications.

The Whonix-Gateway ™ firewall ^[13] has several effects upon the Whonix-Workstation ™:

• Incoming connections are not supported.
  • If programs make outgoing connections, then incoming connections are accepted for web browsing, IRC, or other relevant applications.
  • Server ports ("open ports") are blocked.
  • The Ident Protocol / web server listening port is not reachable, unless it is explicitly configured.
• Onion Services can be hosted.
• Standard DNS requests on UDP port 53 are redirected to Tor's DnsPort. ^[14]

Also note:

• Tor does not support UDP. This is not a Whonix ™-specific issue.
• Tor only partially supports IPv6, although full implementation is likely in the near term. ^[15] This is not a Whonix ™-specific issue. ^[16]
• All traffic from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. ^{[17] [18] [19] [20]} Users should read the footnotes on the left-hand side.

The firewall on the Whonix-Gateway ™ is very restrictive. It can be made even more restrictive by activating #OptionalFeatureNr.3# within the firewall script. It is possible to limit which outgoing ports are redirected to Tor's TransPort. Depending on what the user is trying to achieve, it could also be useful to remove all SocksPorts.

Related:

• Whonix-Workstation ™ Firewall
• Ports

Advanced[edit]

Backports[edit]

Replace package-name below with the package you actually want to install.

sudo su -c "echo -e 'deb https://deb.debian.org/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"

sudo apt-get update

sudo apt-get -t stretch-backports install package-name

sudo rm /etc/apt/sources.list.d/backports.list

Install from Debian Testing[edit]

Mixing packages from Debian stable with those from a later release like testing can destabilize the system due to associated software dependencies required for full functionality.

Before completing steps in this section, first read Prefer Packages from Debian Stable Repository. Carefully check how packages will change before proceeding -- a host of upgrades is usually safe, but no Whonix ™ packages should be removed as part of the process; see Whonix Debian Packages. Be aware that problems are still possible - see here for an example.

It is recommended to complete this process in a separate Whonix-Workstation ™ (whonix-ws-14-debian-testing-mix) due to the risks. Ask for advice in the forums on a case-by-case basis.

sudo su -c "echo -e 'deb http://http.debian.net/debian buster main' > /etc/apt/sources.list.d/testing.list"

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster main' > /etc/apt/sources.list.d/testing.list"

sudo apt-get update

sudo apt-get -t buster install packagename

sudo rm /etc/apt/sources.list.d/testing.list

Install from Debian Unstable[edit]

Managing security updates for the "stable" distribution remains the hightest priority for the Debian security team. This means security-fixes for Debian "unstable" are managed by the maintainers themselves and not not by the Debian security team. Therefore, "unstable" does not receive security updates in a timely manner.[24] [25]

Before completing steps in this section, first read Prefer Packages from Debian Stable Repository.

Mixing packages from Debian stable with those from a later release like unstable can destabilize the system due to associated software dependencies required for full functionality. First carefully check how packages will change before proceeding ^[26] -- a host of upgrades is usually safe, but no Whonix ™ packages should be removed as part of the process; see Whonix Debian Packages. It is recommended to complete this process in a separate Whonix-Workstation ™ (whonix-ws-14-debian-unstable-mix) due to the risks. Ask for advice in the forums on a case-by-case basis.

Prior to installing package-name from Debian unstable read Install software from Debian unstable to understand the risks involved and circumvention options. Mixing packages from Debian stable with later release packages like Debian unstable can lead to instability. [27]

kdesudo kwrite /etc/apt/apt.conf.d/70defaultrelease

kdesudo mousepad /etc/apt/apt.conf.d/70defaultrelease

sudo nano /etc/apt/apt.conf.d/70defaultrelease

APT::Default-Release "stretch";

sudo su -c "echo -e 'deb http://http.debian.net/debian sid main' > /etc/apt/sources.list.d/unstable.list"

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian sid main' > /etc/apt/sources.list.d/unstable.list"

sudo apt-get update

sudo apt-get install package-name/sid

sudo rm /etc/apt/sources.list.d/unstable.list

sudo rm /etc/apt/apt.conf.d/70defaultrelease

Package Reinstallation[edit]

As per the free support principle, package reinstallation utilizes normal Debian processes.

The example below shows how the thunderbird package would be reinstalled. It is possible to substitute thunderbird with many other packages, so long as they do not have too many dependencies. These instructions are not suitable for any packages needed for connectivity such as tor, because the reinstallation would be very difficult and is currently unsupported.

Even in the thunderbird package example, dependency complications emerge. The anon-workstation-packages-recommended package also depends on thunderbird. Further, the whonix-workstation package depends on anon-workstation-packages-recommended.

sudo apt-get purge thunderbird

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  anon-workstation-packages-recommended* thunderbird* whonix-workstation*
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 90.8 MB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 100681 files and directories currently installed.)
Removing whonix-workstation (3:2.9-1) ...
Removing anon-workstation-packages-recommended (3:2.9-1) ...
Removing thunderbird (38.4.0esr-1~deb8u1) ...
Purging configuration files for thunderbird (38.4.0esr-1~deb8u1) ...
Processing triggers for hicolor-icon-theme (0.13-1) ...
Processing triggers for menu (2.1.47) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for qubes-core-agent (3.0.20-1+deb8u1) ...
Processing triggers for mime-support (3.58) ...

rm -r ~/.thunderbird

sudo apt-get install --no-install-recommends thunderbird anon-workstation-packages-recommended whonix-workstation

Install Software in a TemplateBasedVM[edit]

Qubes-Whonix ™ only! Custom scripting is recommended, which is beyond the scope of this entry. Numerous free articles and instructions can be easily found with a search engine.

There is no reason to avoid installing software in TemplateBasedVMs, although software installed this way will not persist across reboots. Users can opt to use a custom script to automate this process, thereby minimizing time spent re-installing packages.

Advantages[edit]

This software installation method means a single VM assumes many of the positive characteristics found in both TemplateBasedVMs and StandaloneVMs.

• Centralized Updates: AppVMs are based on a TemplateVM. This means the AppVM's root filesystem is based on the corresponding template's root filesystem. Users need only update the TemplateVM and those updates will be reflected in the TemplateBasedVM's root filesystem upon restart.^[30]
• Minimal Disk Usage: TemplateBasedVMs require much less disk space than StandaloneVMs, since the AppVM's root filesystem is based the corresponding template. The AppVM only requires enough disk space to hold user files in the /home directory.
• Semi-persistent Storage: User data stored in /home , /rw and /usr/local survives reboot. Many applications like Signal and Wire store user data in the /home folder. Since the custom script installs the software seamlessly with little or no user interaction, the AppVM has "quasi-full persistence", not unlike a StandaloneVM's full persistence.

AppVM Preparation[edit]

AppVM Use[edit]

The AppVM's root filesystem does not provide a strong non-persistent security feature. The persistence of the /home, /rw, and /usr/local filesystem means malware can be specifically written to target Qubes-based AppVMs, inserting hooks inside these directory's files. [31] [32]

Once user preparation is complete and the AppVM is started, it will automatically start the script to begin installing software. When the process finishes, the AppVM can be used like any other TemplateBasedVM. However when the AppVM is shutdown, all data outside of the persistent /home folder will be lost, including the newly installed software packages. Following reboot, the VM will again install the software packages automatically.

Using bind-dirs Selective Persistence[edit]

Using selective bind-dirs persistence is currently a difficult problem and undocumented. Further research is required to ascertain which files require persistence across VM reboots.

Add Application Launcher to Start Menu[edit]

Create folder ~/.local/share/applications.

mkdir -p ~/.local/share/applications

Create a new file ~/.local/share/applications/program-name.desktop using an editor.

mousepad ~/.local/share/applications/program-name.desktop

Paste the following contents.

[Desktop Entry]
Type=Application
Exec=/path/to/program
Name=program-name
Categories=Other

Save.

The procedure is now complete.

You can find the launcher here:

Start Menu -> Other -> program-name

Foreign Sources[edit]

In most cases, the extensive software range available from the official Debian repositories should be enough to satisfy the user's needs. A selection of more than 50,000 programs can be installed within a couple of steps. These packages are constantly maintained for bug/security fixes and tightly integrated to provide a stable distribution.

To guarantee stability, no new versions are uploaded to Debian stable archives to avoid breaking the system. This makes Debian stable a dependable distribution and an excellent base for downstream distributions. However, the Linux software scene is very dynamic and sometimes the user will want software that is not yet packaged in Debian. In this instance, it may be necessary to install software from separate sources; either from third party repositories, as a stand-alone precompiled .deb binary, or directly compiled source packages. ^[33]

Risks[edit]

The use of foreign sources should be kept to a minimum, as it may cause problems. Note this is simply a warning about the worst case scenario and not a predetermined outcome of installing third party software.

Security Issues[edit]

Keep in mind that foreign sources pose important security implications for the user's system. Installing software is tantamount to granting root privileges to the developers. Software originating from dubious sources could replace important system components with malicious versions that allow backdoors or Trojan horses to be installed on the system.

In general, the installation of software is a matter of trust. The fact is that users have to trust every software source they install. This trust is two-fold: firstly that the developers have integrity, and secondly that the community will notice any suspicious code, which might indicate compromise of the developers' machines. ^[34]

Dependency Hell[edit]

Manually installed packages can contain library versions not available in the standard repositories. This causes problems with dependency resolution when installing additional software from the official repository. Individual applications are less critical in this context, but when important system libraries in the third-party software are considered, complications are inevitable.

Depending on the severity of the complications, upgrades to the next version of the operating system might fail, or the system may become unbootable or generally unstable.

Mitigation[edit]

Users can reduce security risks and eliminate the risk of making the workstation unusable by using Multiple Whonix-Workstation ™s.

Footnotes[edit]

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Sort by date Sort by score

Enable comment auto-refresher

You are ignoring the author of this comment

Show comment | Manage ignore list

Anonymous user #1

2 months ago

Score 0 You

apt-get and then what? you kinda leave me hanging here.

how does one actually get to the program that they want to install?

Permalink | Reply

You are ignoring the author of this comment

Show comment | Manage ignore list

Patrick

2 months ago

Score 0

Thanks. Mention this here fits the subject. Wiki has now been updated to add your suggestion. Can be found in this new chapter:

https://www....ebian_stable

Permalink

Add your comment

Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.