Install Non-Whonix ™ Tor Browser using Tor Browser Downloader (by Whonix ™ developers)

From Whonix

About this Non-Whonix ™ Tor Browser Page
This wiki page is maintained by a contributor.
Support Status stable
Difficulty easy
Contributor torjunkie
Support Support
Tbboutside.jpg

Introduction[edit]

Community Support Only!:
Info

Community Support Only means Whonix ™ developers are unlikely to provide free support for wiki chapters or pages with this tag. See Community Support for further information, including implications and possible alternatives.

Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the Whonix ™ platform. This is useful in various cases:

  • Should Whonix ™ ever break, it is possible to search for a solution anonymously.
  • System-wide Tor problems can be easily detected by testing connectivity outside of Whonix ™.
  • Certain Tor / Tor Browser activities are difficult (or impossible) to configure in Whonix ™, but are much easier in the standard configuration. [1]

In Non-Qubes-Whonix ™, it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In Qubes-Whonix ™, it is recommended to install Tor Browser in a debian-11, debian-11-minimal or kicksecure App Qube (advanced users).

Note: If an expired key signature message like below appears, the steps in this chapter must be performed again due to an update of the Whonix ™ signing key; see Expired key signature.

The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer adrelanos@whonix.org

Easy[edit]

All Platforms: Manual Tor Browser Download[edit]

Follow these instructions to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless Qubes-Whonix ™ users temporarily set sys-whonix as the NetVM for the non-Whonix ™ App Qube.

Debian Linux Hosts[edit]

Tor Browser can optionally be downloaded utilizing the tb-updater software package by Whonix ™ developers. By default the download does not occur over Tor, meaning it is not anonymous.

1. Download the Signing Key.

wget https://www.whonix.org/derivative.asc

2. Optional: Check the Signing Key for better security.

3. Add Whonix ™ signing key.

sudo cp derivative.asc /usr/share/keyrings/derivative.asc

4. Whonix ™ APT repository choices.

Optional: See Whonix ™ Packages for Debian Hosts and Whonix ™ Host Enhancements instead of the next step for more secure and complex options.

5. Add Whonix ™ APT repository.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

5. Update the package lists.

sudo apt update

6. Install tb-updater.

sudo apt install tb-updater

Moderate: Qubes-Whonix ™[edit]

Ambox notice.png Qubes-Whonix ™ R4 only! This method is anonymous.

These instructions:

  1. Anonymously retrieve and verify the Whonix ™ signing key.
  2. Copy the Whonix ™ signing key to a debian-11 (debian-11-tor) or debian-11-minimal (debian-11-minimal-tor) Template clone.
  3. Add the Whonix ™ signing key to the list of trusted keys.
  4. Install apt-transport-tor in the debian-11-tor / debian-11-minimal-tor Template.
  5. Add the Whonix ™ stable APT repository.
  6. Install tb-updater from the Whonix ™ stable repository.
  7. Create a debian-tor-browser / debian-minimal-tor-browser App Qube based on the Template clone.

The debian-11-minimal template provides a smaller attack surface, but is recommended for advanced users. Several package prerequisites are required for full functionality; see footnote. [2] [3]

Clone the Template[edit]

Info Prerequisite: The debian-11 or debian-11-minimal Template must be manually installed first if it not already available. In dom0, run either.

sudo qvm-template install debian-11
Or.
sudo qvm-template install debian-11-minimal

In Qube Manager: Right-click debian-11 or debian-11-minimal templateClone qubeRename to debian-11-tor or debian-11-minimal-tor

anon-whonix Steps[edit]

Run the following commands in anon-whonix terminal. Advanced users can utilize a Whonix ™ DispVM instead in this section.

1. Download the Whonix ™ signing key.

curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc

2. Display the key fingerprint.

gpg --keyid-format long --import --import-options show-only --with-fingerprint derivative.asc

3. Verify the Whonix ™ signing key fingerprint.

Compare the fingerprint to the one found here. The most important check is confirming the fingerprint exactly matches the output below. [4]

      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA

The message gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys is related to the The OpenPGP Web of Trust. Advanced users can learn more about this here.

4. Rename the Whonix ™ signing key to a temporary derivative.asc file.

mv derivative.asc /tmp/derivative.asc

5. Copy the derivative.asc text file to the debian-11-tor or debian-11-minimal-tor Template.

qvm-copy /tmp/derivative.asc

When prompted, choose either the debian-11-tor or debian-11-minimal-tor Template.

Template Steps[edit]

Complete the following steps in debian-11-tor or debian-11-minimal-tor terminal.

1. Add the Whonix ™ signing key to the list of trusted keys.

sudo cp ~/QubesIncoming/anon-whonix/derivative.asc /usr/share/keyrings/derivative.asc

2. Add the Whonix ™ stable APT repository. [5] [6]

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

3. Update the package lists.

sudo apt update

4. Install tb-updater by Whonix ™.

sudo apt install tb-updater

Note: This step will correctly install tb-updater and should also automatically download Tor Browser. If that does not occur, complete steps 2 to 4 below after creating an App Qube.

App Qube Steps[edit]

1. Create an App Qube based on the debian-11-tor or debian-11-minimal-tor Template.

In Qube Manager: Left-click QubeCreate new qube

Use the following settings:

  • Name and label: debian-tor-browser or debian-minimal-tor-browser
  • Type: App Qube
  • Template: debian-11-tor or debian-11-minimal-tor
  • Networking: default (sys-firewall)

2. Optional: Temporarily set sys-whonix as the NetVM for the Debian App Qube.

If Tor Browser was not downloaded at step 5 in the previous section, complete steps 2 to 4.

In Qube Manager: Right-click debian-tor-browser or debian-minimal-tor-browserQube settingsNetworkingSelect sys-whonixOK

3. Optional: Download Tor Browser.

In terminal, run.

update-torbrowser --input gui

4. Optional: Revert the networking setting to sys-firewall in Qube Manager.

5. Launch Tor Browser from the App Qube menu and check it is functional.

Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the update-torbrowser command again.

Figure: Tor Browser in Qubes' debian-minimal-tor-browser App Qube

Debian10minimaltorbrowser.png

Footnotes[edit]

  1. For example, the Snowflake pluggable transport client is currently experimental in Whonix ™.
  2. At the time of writing the Qubes documentation and forums suggest the following essential packages for browsing purposes:
    • qubes-core-agent-passwordless-root
    • qubes-core-agent-networking
    • pulseaudio-qubes
    To utilize nautilus file manager so a GUI can be used to interact with downloaded files (optional):
    • qubes-core-agent-nautilus
    • nautilus
    • zenity
    If you plan on mounting encrypted drives (optional):
    • gnome-keyring
    • policykit-1
    • libblockdev-crypto2
  3. Also see automate debian-minimal based template creation
  4. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
  5. Alternatively use the stable onion APT repository:
    echo "deb [signed-by=/usr/share/keyrings/derivative.asc] http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
  6. Note: tor+http does not work in this configuration.