Actions

Install Kicksecure ™ inside Debian

From Whonix

< Kicksecure



Introduction[edit]

warning Note:

  • Do not use these instructions inside Whonix ™ [archive].
  • These instructions are only for use outside of Whonix; for example, browsing the internet non-anonymously.

An existing Debian bullseye installation can be converted into Kicksecure ™ by installing the Kicksecure ™ deb package. This procedure is also called distro-morphing [archive].

There is no downloadable iso yet but it will be available in the future. In the meantime install Debian on the host or inside a VM, then install Kicksecure ™ on top.

To increase the chances of success, it is best to start with a minimal installation without GUI (or Xfce if there must be a GUI) and then install a meta package (cli or xfce). [1] It is easiest to set the Linux user account name to user during the installation of Debian bullseye.

Prerequisites[edit]

1. Confirm prerequisites are met.

  • Debian bullseye is installed.
  • User account user exists.

2. Become root. [2]

su

3. Install sudo and adduser packages.

1. Update the package lists.

apt-get update

2. Upgrade the system.

apt-get dist-upgrade

3. Install sudo and adduser packages.

apt-get install --no-install-recommends sudo adduser

4. Set user rights.

The following commands must be run either by root or using sudo. [3]

Create group console.

/usr/sbin/addgroup --system console

Add user user to group console.

/usr/sbin/adduser user console

Add user user to group sudo.

/usr/sbin/adduser user sudo

5. Reboot.

/sbin/reboot

Installation[edit]

Add the Whonix ™ Signing Key[edit]

Complete the following steps to add the Whonix ™ Signing Key to the system's APT keyring.

Open a terminal.

Package curl needs to be installed.

Install curl.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the curl package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends curl

The procedure of installing curl is complete.

Download Whonix ™ Signing Key. [4]

If you are using Debian, run.

curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc

If you are using a Qubes Debian TemplateVM, run.

curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc

Users can check Whonix ™ Signing Key for better security.

Add Whonix ™ signing key to APT trusted keys.

sudo cp derivative.asc /usr/share/keyrings/derivative.asc

The procedure of adding Whonix ™ signing key is now complete.

Add the Whonix ™ Repository[edit]

Add Whonix ™ Repository.

Choose either: Option A, Option B OR Option C.

Option A: Add Whonix ™ Onion Repository.

To add Whonix ™ Repository over Onion please press on expand on the right.

Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was bullseye.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Option B: Add Whonix ™ Clearnet Repository over Tor.

To add Whonix ™ Repository over torified clearnet please press on expand on the right.

Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was bullseye.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Option C: Add Whonix Clearnet Repository over clearnet.

To add Whonix ™ Repository over clearnet please press on expand on the right.

Add Whonix's APT repository for default Whonix using Debian stable. At the time of writing this was bullseye.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Install the Kicksecure ™ Package[edit]

1. Pick a Kicksecure ™ package.

  • kicksecure-cli: command line interface (CLI) version only. This does not modify the graphical desktop environment. This package provides better kernel hardening, improved entropy, and other security features.
  • kicksecure-xfce: this is the same as kicksecure-cli but it installs the Xfce graphical desktop environment and default applications. This is useful if Debian was installed without a graphical desktop environment and the Kicksecure ™ graphical desktop environment (Xfce) is desired.
  • Qubes users:
    • kicksecure-qubes-cli
    • kicksecure-qubes-gui

2. Install a Kicksecure ™ package such as kicksecure-cli.

Install kicksecure-cli.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the kicksecure-cli package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends kicksecure-cli

The procedure of installing kicksecure-cli is complete.

3. Finalize configuration file settings.

When asked about Configuration file '/etc/machine-id', type:

  • y (yes) → Enterinstall

4. Check APT sources.

Check if some APT sources in /etc/apt/sources.list should be kept.

Move the original /etc/apt/sources.list file out of the way (or delete it) because it is replaced by Kicksecure ™'s /etc/apt/sources.list.d/debian.list.

sudo mv /etc/apt/sources.list ~/

5. Create an empty /etc/apt/sources.list file. [5]

sudo touch /etc/apt/sources.list

The Kicksecure ™ installation is complete.

Footnotes[edit]

  1. http://forums.whonix.org/t/sudo-apt-get-install-whonix-part-i-distro-morphing/2346/8 [archive]
  2. Other methods are possible.
  3. It is necessary to use the full path to addgroup, adduser and reboot because when using su the PATH environment variable is not adjusted for use with root rights. See echo "$PATH". user rights PATH:
    /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    

    root rights PATH:

    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    

    When using sudo using /full/path/to/application is not required.

  4. See Secure Downloads to understand why curl and the parameters --tlsv1.3 --proto =https are used instead of wget.
  5. https://forums.whonix.org/t/command-not-found-warningcould-not-open-file-etc-apt-sources-list/7903 [archive] This can be avoided once package whonix-legacy is renamed and ported to Kicksecure ™ because it automates this process.


Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

Did you know that Whonix ™ could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.