Install Kicksecure ™ inside a folder (chroot)
From Whonix
< Kicksecure
Note:
You can install Kicksecure ™ on top of your existing Debian (based) Linux installation inside a chroot.
chroot Creation[edit]
Qubes Notes[edit]
Only users of Qubes need to consider these notes in this chapter.
Users that don't use Qubes or don't know what Qubes is should skip this chapter.
TODO: elaborate
- nosuid / nodev can cause issues?
- default private image size (/home folder) is too small for Kicksecure ™ XFCE
Install Required Tools[edit]
Install mmdebstrap apt-transport-https apt-transport-tor tor curl.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the mmdebstrap apt-transport-https apt-transport-tor tor curl package.
Using apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends mmdebstrap apt-transport-https apt-transport-tor tor curl
The procedure of installing mmdebstrap apt-transport-https apt-transport-tor tor curl is complete.
Add Signing Key[edit]
It is required to add the signing key on the host because mmdebstrap will need it.
(Users of Whonix ™ and Kicksecure ™ could skip this step since the signing key is there by default.)
Key could be removed at the end. (Except Whonix ™ and Kicksecure ™ should not do this unless they upgrade from source code.)
Download Whonix ™ Signing Key. [2]
If you are using Debian, run.
curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc
If you are using a Qubes Debian TemplateVM, run.
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc
Users can check Whonix ™ Signing Key for better security.
Add Whonix ™ signing key to APT trusted keys.
sudo cp derivative.asc /usr/share/keyrings/derivative.asc
The procedure of adding Whonix ™ signing key is now complete.
Set Variables[edit]
File /etc/hostname must exist. [3]
sudo touch /etc/hostname
Set Variables[edit]
Note: You could also replace kicksecure-xfce with kicksecure-cli.
package=kicksecure-xfce repo=bullseye path_to_chroot=~/kicksecure-xfce-chroot path_to_temp_sources_list=~/temp-sources.list
APT Sources List[edit]
Create temporary APT sources list for mmdebstrap.
echo " deb https://deb.debian.org/debian-security/ bullseye/updates main contrib non-free deb https://deb.debian.org/debian bullseye main contrib non-free deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org $repo main contrib non-free " > "$path_to_temp_sources_list"
APT Cache[edit]
Optional. If you are interested, please press Expand on the right side.
This shouldn't be done unless you are behind a firewall since apt-cacher-ng will by default listen on all network interfaces.
Install apt-cacher-ng.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the apt-cacher-ng package.
Using apt-get command line parameter --no-install-recommends is in most cases optional.
sudo apt-get install --no-install-recommends apt-cacher-ng
The procedure of installing apt-cacher-ng is complete.
Set apt_cacher_ng_maybe variable.
apt_cacher_ng_maybe="\
--aptopt='Acquire::http { Proxy \"http://127.0.0.1:3142\"; }' \
--aptopt='Acquire::https { Proxy \"http://127.0.0.1:3142\"; }' \
--aptopt='Acquire::tor { Proxy \"http://127.0.0.1:3142\"; }' \
"
Create apt-cacher-ng https compatible sources.list file.
echo " deb http://HTTPS///deb.debian.org/debian-security/ buster/updates main contrib non-free deb http://HTTPS///deb.debian.org/debian buster main contrib non-free deb http://HTTPS///deb.whonix.org $repo main contrib non-free " > "$path_to_temp_sources_list"
Run mmdebstrap[edit]
Run mmdebstrap. [4]
sudo \ SECURITY_MISC_INSTALL=force \ DERIVATIVE_APT_REPOSITORY_OPTS=stable \ anon_shared_inst_tb=open \ mmdebstrap \ --verbose \ --variant=required \ $apt_cacher_ng_maybe \ --include $package \ buster \ "$path_to_chroot" \ "$path_to_temp_sources_list"
Chroot Post Processing[edit]
Delete the chroot's temporary /etc/apt/sources.list. [5]
sudo rm "$path_to_chroot/etc/apt/sources.list"
Host Cleanup[edit]
Optional: You can delete the signing key from the host.
sudo rm /etc/apt/trusted.gpg.d/derivative.gpg
Usage[edit]
Simple Classic Chroot Method[edit]
sudo chroot ~/kicksecure-xfce-chroot bash
systemd-nspawn Method[edit]
Install systemd-nspawn[edit]
sudo apt install systemd-container
systemd-nspawn Simple Chroot[edit]
sudo systemd-nspawn -D ~/kicksecure-xfce-chroot
systemd-nspawn Boot Chroot CLI Only[edit]
sudo systemd-nspawn -D ~/kicksecure-xfce-chroot /sbin/init
systemd-nspawn Boot Chroot with GUI Support[edit]
This is unfinished. Unspecific to Kicksecure ™. Could be resolved as per Free Support Principle.
xhost +local:
sudo systemd-nspawn --setenv=DISPLAY=$DISPLAY -D ~/kicksecure-xfce-chroot /sbin/init
Exit systemd-nspawn Chroot[edit]
To leave the chroot press keep holding key CTRL and press key 5 quickly 3 times within 1 second. [6]
Limitations of systemd-nspawn based Chroot[edit]
Despite these limitations, systemd-nspawn should probably preferred over classic chroot. Depends on what you are trying to accomplish.
- sdwdate (and Boot Clock Randomization) cannot work inside
systemd-nspawn. - Tor will fail to start inside
systemd-nspawnchrootif Tor is already running on the host in default config (local listen post9050). But that shouldn't matter. Thesystemd-nspawnchrootwill use the host's Tor in this case.systemd-nspawnhas also option to run private networking but these have not been researched for Kicksecure ™ yet.
Footnotes[edit]
- ↑
apt-transport-httpsis required for some older Debian based Linux distributions that have not integrated https support into APT yet. If not available in your distribution, can be safely ignored.apt-transport-toris required because /etc/apt/sources.list.d/debian.list [archive] is usingtor+https. Otherwise we would see the following error.
I: cleaning package lists and apt cache... Reading package lists... E: The method driver /usr/lib/apt/methods/tor+https could not be found. E: The method driver /usr/lib/apt/methods/tor+https could not be found. E: The method driver /usr/lib/apt/methods/tor+https could not be found. E: Failed to fetch tor+https://deb.debian.org/debian-security/dists/{{Stable project version based on Debian codename}}/updates/InRelease E: Failed to fetch tor+https://deb.debian.org/debian/dists/{{Stable project version based on Debian codename}}/InRelease E: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease E: Some index files failed to download. They have been ignored, or old ones used instead. E: apt-get --option Dir::Etc::SourceList=/dev/null update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failedtoris required soapt-transport-torcan use Tor. Otherwise we would see the following error.
I: cleaning package lists and apt cache... Err:1 tor+https://deb.debian.org/debian-security buster/updates InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) Err:2 tor+https://deb.debian.org/debian buster InRelease Unable to connect to 127.0.0.1:9050: Err:3 tor+https://deb.whonix.org buster-developers InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) Reading package lists... W: Failed to fetch tor+https://deb.debian.org/debian-security/dists/{{Stable project version based on Debian codename}}/updates/InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) W: Failed to fetch tor+https://deb.debian.org/debian/dists/{{Stable project version based on Debian codename}}/InRelease Unable to connect to 127.0.0.1:9050: W: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) W: Some index files failed to download. They have been ignored, or old ones used instead.- Actually package
apt-transport-torrecommends packagetorbut listing it here anyhow for those using APT with parameter--no-install-recommends. apt-transport-httpsis suggested below to download the signing key.
- ↑
See Secure Downloads to understand why
curland the parameters--tlsv1.3 --proto =httpsare used instead ofwget. - ↑
Fixed in
mmdebstrap0.5.0. Quote changelog [archive]:do not copy /etc/resolv.conf or /etc/hostname if the host system doesn't have them
Therefore no longer required in Debian
bullseye. - ↑
debootstrapcannot be used since it is a single-mirror Debian chroot creation tool. I.e. it cannot use multiple APT repositories at the same time. And Kicksecure ™ APT repository does not ships no packages available from packages.debian.org. Therefore usingmmdebstrapwhich is a multi-mirror Debian chroot creation. If you cannot usemmdebstrapeither (cross platform builds?), you could first create a Debian chroot usingdebootstrap(or anything) and then install a Kicksecure ™ meta package manually inside the chroot. - ↑
During chroot build process the following files were already created.
/etc/apt/sources.list.d/debian.list/etc/apt/sources.list.d/derivative.list
- ↑ https://unix.stackexchange.com/questions/577065/connected-to-container-mycontainer-press-three-times-within-1s-to-exit-sessi [archive]
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
|
|
| Fosshost | About Advertisements |
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Love Whonix ™ and want to help spread the word? You can start by telling your friends or posting news about Whonix ™ on your website, blog or social media.
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | 
Freedom Software / 
Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.