Install Kicksecure ™ inside a folder (chroot)
From Whonix
You can install Kicksecure ™ on top of your existing Debian (based) Linux installation inside a chroot.
chroot Creation
Qubes Notes
Only users of Qubes need to consider the notes in this chapter.
Users who don't use Qubes or don't know what Qubes is should skip this chapter.
TODO: elaborate
- nosuid / nodev mount options can cause issues?
- the default private image size (/home folder) is too small for Kicksecure ™ XFCE
Install Required Tools
Install mmdebstrap apt-transport-https apt-transport-tor tor curl. [1]
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the mmdebstrap apt-transport-https apt-transport-tor tor curl packages.
The apt-get command line parameter --no-install-recommends is optional in most cases. (tor is listed explicitly because it is only a Recommends of apt-transport-tor and would otherwise be skipped with that parameter.)
sudo apt-get install --no-install-recommends mmdebstrap apt-transport-https apt-transport-tor tor curl
The procedure of installing mmdebstrap apt-transport-https apt-transport-tor tor curl is complete.
Add Signing Key
The signing key must be added on the host because mmdebstrap runs APT on the host and needs it to verify the Kicksecure ™ repository.
(Users of Whonix ™ and Kicksecure ™ can skip this step since the signing key is present by default.)
The key can be removed from the host again at the end. (Whonix ™ and Kicksecure ™ users should not do this unless they upgrade from source code.)
Download the Whonix Signing Key. [2]
If you are using a Qubes TemplateVM, run:
curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
If you are using Debian, run:
curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
For better security, compare the fingerprint of the downloaded key with the one published on the Whonix Signing Key page before adding it. Whatever sits on the download path (the TLS endpoint, or the update proxy in the Qubes case) could otherwise hand you a different key, and every package the chroot later installs is trusted on the strength of this key.
Add the Whonix signing key to the APT trusted keys. (apt-key is deprecated since Debian 11; the keyring file it writes under /etc/apt/trusted.gpg.d/ is still read by newer APT versions.)
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
The procedure of adding the Whonix signing key is now complete.
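The download, fingerprint check and keyring installation above as one script. This is an added example, not code from the Whonix or Kicksecure wiki. It assumes the key URL and the Qubes update proxy address from the page, takes the expected fingerprint as a command line argument (copy it from the Whonix Signing Key page; nothing is hard-coded here), and writes the keyring with gpg --dearmor instead of the deprecated apt-key.

```shell
#!/bin/sh
# Added example, not code from the Whonix/Kicksecure wiki. It fetches the
# signing key as above, refuses to install it unless its primary fingerprint
# matches the one the caller passes in (take that value from the Whonix Signing
# Key page; nothing is hard-coded here), and writes the keyring with
# gpg --dearmor instead of the deprecated apt-key.
set -eu

KEY_URL="https://www.whonix.org/patrick.asc"
KEYRING="/etc/apt/trusted.gpg.d/whonix.gpg"

# Download with the same curl hardening as the page (TLS 1.2+, https only,
# timeout). QUBES=1 routes the download through the Qubes update proxy.
fetch_key() {   # $1 = output path
  if [ "${QUBES-}" = 1 ]; then
    curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 --output "$1" "$KEY_URL"
  else
    curl --tlsv1.2 --proto =https --max-time 180 --output "$1" "$KEY_URL"
  fi
}

# Primary key fingerprint of an ASCII-armored key file, read without importing
# it into any keyring (show-only is a dry-run import). Prints the hex digits.
primary_fingerprint() {   # $1 = .asc file
  gpg --batch --quiet --with-colons --import-options show-only --import "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Accept "AAAA BBBB ..." as printed on web pages as well as the bare form.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# Returns 0 if the file's primary fingerprint equals the expected one, else 1.
verify_fingerprint() {   # $1 = .asc file, $2 = expected fingerprint
  actual="$(primary_fingerprint "$1")"
  [ -n "$actual" ] && [ "$actual" = "$(normalize_fpr "$2")" ]
}

# Binary keyring under trusted.gpg.d, which APT reads without apt-key.
# Only call this with a verified file.
install_keyring() {   # $1 = verified .asc file
  gpg --batch --dearmor < "$1" | sudo tee "$KEYRING" > /dev/null
  sudo chmod 0644 "$KEYRING"
}

main() {   # usage: add-whonix-key.sh EXPECTED_FINGERPRINT
  asc="$HOME/patrick.asc"
  fetch_key "$asc"
  if verify_fingerprint "$asc" "$1"; then
    install_keyring "$asc"
    echo "installed $KEYRING"
  else
    echo "fingerprint of $asc does not match, key NOT installed" >&2
    exit 1
  fi
}

if [ $# -eq 1 ]; then main "$1"; fi
```

Run it as `sh add-whonix-key.sh <fingerprint>`; a mismatch leaves nothing under /etc/apt/trusted.gpg.d/ and exits non-zero, so a scripted build cannot silently continue with a substituted key.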
/etc/hostname
The file /etc/hostname must exist on the host. [3]
sudo touch /etc/hostname
Set Variables
Note: You could also replace kicksecure-xfce with kicksecure-cli.
package=kicksecure-xfce
repo=buster-developers
path_to_chroot=~/kicksecure-xfce-chroot
path_to_temp_sources_list=~/temp-sources.list
APT Sources List
Create a temporary APT sources list for mmdebstrap.
echo "
deb https://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb https://deb.debian.org/debian buster main contrib non-free
deb https://deb.whonix.org $repo main contrib non-free
" > "$path_to_temp_sources_list"
APT Cache
Optional.
This should not be done unless you are behind a firewall, because apt-cacher-ng by default listens on all network interfaces (TCP port 3142), exposing the cache to anyone who can reach the host. Its BindAddress setting in /etc/apt-cacher-ng/acng.conf can restrict it to localhost.
Install apt-cacher-ng.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the apt-cacher-ng package.
The apt-get command line parameter --no-install-recommends is optional in most cases.
sudo apt-get install --no-install-recommends apt-cacher-ng
The procedure of installing apt-cacher-ng is complete.
Put the apt-cacher-ng options into a shell array. Each --aptopt value contains spaces and quotes and must reach mmdebstrap as a single argument; a plain string variable expanded unquoted would be split into pieces.
apt_cacher_ng_maybe=(
  --aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }'
  --aptopt='Acquire::https { Proxy "http://127.0.0.1:3142"; }'
  --aptopt='Acquire::tor { Proxy "http://127.0.0.1:3142"; }'
)
Rewrite the temporary sources list so that the https mirrors are fetched through apt-cacher-ng (its http://HTTPS/// passthrough syntax).
echo "
deb http://HTTPS///deb.debian.org/debian-security/ buster/updates main contrib non-free
deb http://HTTPS///deb.debian.org/debian buster main contrib non-free
deb http://HTTPS///deb.whonix.org $repo main contrib non-free
" > "$path_to_temp_sources_list"
Run mmdebstrap
Run mmdebstrap. [4] If the APT cache is not used, leave apt_cacher_ng_maybe unset; the array expansion below then adds nothing.
sudo \
  SECURITY_MISC_INSTALL=force \
  DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \
  anon_shared_inst_tb=open \
  mmdebstrap \
  --verbose \
  --variant=required \
  --include "$package" \
  "${apt_cacher_ng_maybe[@]}" \
  buster \
  "$path_to_chroot" \
  "$path_to_temp_sources_list"
Chroot Post Processing
Delete the chroot's temporary /etc/apt/sources.list. [5]
sudo rm "$path_to_chroot/etc/apt/sources.list"
Host Cleanup
Optional: You can delete the signing key from the host. (Whonix ™ and Kicksecure ™ users should keep it, as noted above.)
sudo rm /etc/apt/trusted.gpg.d/whonix.gpg
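The chroot creation steps (variables, temporary sources list, optional apt-cacher-ng, mmdebstrap run, post-processing) as one script. This is an added example, not code from the Kicksecure or Whonix wiki. It assumes a Debian buster host on which the required tools are installed and the signing key is already in /etc/apt/trusted.gpg.d/, and uses the codename, package names, environment variables and proxy address exactly as they appear on this page; `dry-run` and `build` as command line arguments are this script's own convention.

```shell
#!/bin/sh
# Added example, not code from the Kicksecure/Whonix wiki: the chroot creation
# steps of this page as one script. Assumed: a Debian buster host with
# mmdebstrap, tor and apt-transport-tor installed, the Whonix signing key
# already in /etc/apt/trusted.gpg.d/, and the codename/package names used above.
set -eu

package="${package:-kicksecure-xfce}"                  # or kicksecure-cli
repo="${repo:-buster-developers}"
path_to_chroot="${path_to_chroot:-$HOME/kicksecure-xfce-chroot}"
path_to_temp_sources_list="${path_to_temp_sources_list:-$HOME/temp-sources.list}"
use_apt_cacher_ng="${use_apt_cacher_ng:-no}"           # yes only with apt-cacher-ng on 127.0.0.1:3142

# Temporary sources list for mmdebstrap. With apt-cacher-ng the https mirrors
# are rewritten into apt-cacher-ng's http://HTTPS/// passthrough form.
sources_list() {   # $1 = Kicksecure repo codename, $2 = yes|no (apt-cacher-ng)
  scheme="https://"
  if [ "$2" = yes ]; then scheme="http://HTTPS///"; fi
  printf '%s\n' \
    "deb ${scheme}deb.debian.org/debian-security/ buster/updates main contrib non-free" \
    "deb ${scheme}deb.debian.org/debian buster main contrib non-free" \
    "deb ${scheme}deb.whonix.org $1 main contrib non-free"
}

# mmdebstrap argument vector, one argument per line. The proxy options carry
# embedded quotes and spaces, so each must stay one argument; an unquoted
# string expansion would split them into fragments that mmdebstrap rejects.
mmdebstrap_args() {   # $1 package, $2 repo, $3 chroot dir, $4 sources list, $5 yes|no
  printf '%s\n' --verbose --variant=required --include "$1"
  if [ "$5" = yes ]; then
    printf '%s\n' \
      '--aptopt=Acquire::http { Proxy "http://127.0.0.1:3142"; }' \
      '--aptopt=Acquire::https { Proxy "http://127.0.0.1:3142"; }' \
      '--aptopt=Acquire::tor { Proxy "http://127.0.0.1:3142"; }'
  fi
  printf '%s\n' buster "$3" "$4"
}

build_chroot() {
  sources_list "$repo" "$use_apt_cacher_ng" > "$path_to_temp_sources_list"
  sudo touch /etc/hostname   # mmdebstrap < 0.5.0 fails without it (footnote 3)
  # Load the argument vector into "$@" so that every line stays one argument.
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(mmdebstrap_args "$package" "$repo" "$path_to_chroot" "$path_to_temp_sources_list" "$use_apt_cacher_ng")
EOF
  sudo \
    SECURITY_MISC_INSTALL=force \
    DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \
    anon_shared_inst_tb=open \
    mmdebstrap "$@"
  # Post-processing: the build already wrote sources.list.d/debian.list and
  # whonix.list inside the chroot (footnote 5), so the temporary list goes.
  sudo rm -f "$path_to_chroot/etc/apt/sources.list"
  rm -f "$path_to_temp_sources_list"
}

case "${1-}" in
  build)   build_chroot ;;
  dry-run) mmdebstrap_args "$package" "$repo" "$path_to_chroot" \
             "$path_to_temp_sources_list" "$use_apt_cacher_ng" ;;
esac
```

`sh build-chroot.sh dry-run` prints the exact argument vector mmdebstrap would receive, which is the quickest way to see that the --aptopt values survive as whole arguments; `use_apt_cacher_ng=yes sh build-chroot.sh build` performs the build through the cache.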
Usage
Simple Classic Chroot Method
sudo chroot ~/kicksecure-xfce-chroot bash
A plain chroot does not mount /proc, /sys or /dev inside the chroot, so anything beyond basic package management will fail until they are bind-mounted. Note also that chroot is not a security boundary: a root process inside it can leave it.
systemd-nspawn Method
Install systemd-nspawn
sudo apt install systemd-container
systemd-nspawn Simple Chroot
sudo systemd-nspawn -D ~/kicksecure-xfce-chroot
systemd-nspawn Boot Chroot CLI Only
sudo systemd-nspawn -D ~/kicksecure-xfce-chroot /sbin/init
systemd-nspawn Boot Chroot with GUI Support
This is unfinished and not specific to Kicksecure ™; it could be resolved as per the Free Support Principle.
xhost +local: grants every local user, and therefore every process inside the container, access to your X server, which includes reading keystrokes and screen contents of the host session. Revoke it as soon as the container is stopped.
xhost +local:
sudo systemd-nspawn --setenv=DISPLAY=$DISPLAY -D ~/kicksecure-xfce-chroot /sbin/init
Exit systemd-nspawn Chroot
To leave the chroot, send the escape character ^] three times within one second: keep holding CTRL and press ] (on many terminals CTRL+5 sends the same character) quickly three times. [6]
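Helpers for the two usage methods above, as an added example that is not code from the Kicksecure or Whonix wiki. The classic chroot variant bind-mounts /proc, /sys, /dev and /dev/pts and unmounts them again on exit; the systemd-nspawn GUI variant checks for the host Tor port conflict described under Limitations, binds the host X socket into the container (an assumption beyond the page, whose GUI section is unfinished) and revokes the xhost grant when nspawn returns. CHROOT, the `chroot` and `gui` arguments and the checks in is_debian_root and is_bootable are this script's own conventions.

```shell
#!/bin/sh
# Added example, not code from the Kicksecure/Whonix wiki: helpers around the
# two usage methods above. The classic chroot gets /proc, /sys, /dev and
# /dev/pts bind-mounted and unmounted again on exit; the nspawn GUI variant
# binds the host X socket into the container (an assumption beyond the page,
# whose GUI section is unfinished) and revokes the xhost grant when it ends.
set -eu

CHROOT="${CHROOT:-$HOME/kicksecure-xfce-chroot}"
PSEUDO_FS="proc sys dev dev/pts"   # mount order; unmounted in reverse

# Refuse to operate on a directory that is not a Debian root filesystem.
is_debian_root() {   # $1 = directory
  [ -d "$1" ] && [ -f "$1/etc/os-release" ] && [ -x "$1/bin/sh" ]
}

# systemd-nspawn --boot needs an init in the tree (the page passes /sbin/init).
is_bootable() {   # $1 = directory
  [ -e "$1/sbin/init" ] || [ -e "$1/lib/systemd/systemd" ]
}

reverse_words() {   # "a b c" -> "c b a"
  out=""
  for w in $1; do out="$w${out:+ $out}"; done
  printf '%s' "$out"
}

mount_pseudo_fs() {   # $1 = chroot dir
  for m in $PSEUDO_FS; do sudo mount --bind "/$m" "$1/$m"; done
}

unmount_pseudo_fs() {   # $1 = chroot dir; reverse order so dev/pts goes before dev
  for m in $(reverse_words "$PSEUDO_FS"); do sudo umount "$1/$m" || true; done
}

# Classic chroot. chroot is not a security boundary: root inside can leave it,
# and with /dev bind-mounted the host's devices are visible in full.
enter_chroot() {   # $1 = chroot dir, remaining arguments = command (default bash)
  dir="$1"; shift
  is_debian_root "$dir" || { echo "$dir is not a Debian root filesystem" >&2; return 1; }
  [ $# -gt 0 ] || set -- /bin/bash
  mount_pseudo_fs "$dir"
  trap 'unmount_pseudo_fs "$dir"' EXIT   # cleanup on normal exit and on error
  sudo chroot "$dir" "$@"
}

# The limitation noted on this page: nspawn shares the host network namespace
# unless told otherwise, so a host Tor on 9050 blocks the container's Tor.
warn_if_host_tor_listening() {
  if command -v ss >/dev/null 2>&1 && ss -ltn 2>/dev/null | grep -q ':9050 '; then
    echo "note: host Tor listens on 9050; the container will use the host's Tor" >&2
  fi
}

# Boot the chroot under systemd-nspawn with the host X display reachable.
nspawn_boot_gui() {   # $1 = chroot dir
  is_bootable "$1" || { echo "$1 has no init, cannot --boot" >&2; return 1; }
  warn_if_host_tor_listening
  xhost +local:                 # every local user may now use the X server ...
  trap 'xhost -local:' EXIT     # ... so take that back when nspawn returns
  sudo systemd-nspawn --boot -D "$1" \
    --setenv=DISPLAY="${DISPLAY:?DISPLAY is not set}" \
    --bind=/tmp/.X11-unix       # assumption: the X socket must be visible inside
}

case "${1-}" in
  chroot) shift; enter_chroot "$CHROOT" "$@" ;;
  gui)    nspawn_boot_gui "$CHROOT" ;;
esac
```

`sh use-chroot.sh chroot` enters the classic chroot with the pseudo filesystems mounted and removes them when the inner shell exits; `sh use-chroot.sh gui` boots it under systemd-nspawn with the display forwarded. The unmount order matters: /dev/pts is mounted on top of /dev, so it must be unmounted first, which is why the list is reversed rather than repeated by hand.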
Limitations of systemd-nspawn based Chroot
Despite these limitations, systemd-nspawn should probably be preferred over classic chroot; it depends on what you are trying to accomplish.
- sdwdate (and Boot Clock Randomization) cannot work inside systemd-nspawn.
- Tor will fail to start inside the systemd-nspawn chroot if Tor is already running on the host in the default configuration (local listening port 9050), because the container shares the host's network namespace by default. That shouldn't matter: the systemd-nspawn chroot will use the host's Tor in this case. systemd-nspawn also has options for private networking, but these have not been researched for Kicksecure ™ yet.
Footnotes
1. apt-transport-https is required for some older Debian based Linux distributions that have not integrated https support into APT yet. If it is not available in your distribution, it can be safely ignored. apt-transport-tor is required because /etc/apt/sources.list.d/debian.list uses tor+https. Otherwise we would see the following error.
I: cleaning package lists and apt cache...
Reading package lists...
E: The method driver /usr/lib/apt/methods/tor+https could not be found.
E: The method driver /usr/lib/apt/methods/tor+https could not be found.
E: The method driver /usr/lib/apt/methods/tor+https could not be found.
E: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease
E: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease
E: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease
E: Some index files failed to download. They have been ignored, or old ones used instead.
E: apt-get --option Dir::Etc::SourceList=/dev/null update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
tor is required so that apt-transport-tor can use Tor. Otherwise we would see the following error.
I: cleaning package lists and apt cache...
Err:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
Err:2 tor+https://deb.debian.org/debian buster InRelease
  Unable to connect to 127.0.0.1:9050:
Err:3 tor+https://deb.whonix.org buster-developers InRelease
  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
Reading package lists...
W: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
W: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease  Unable to connect to 127.0.0.1:9050:
W: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
W: Some index files failed to download. They have been ignored, or old ones used instead.
Actually, package apt-transport-tor recommends package tor, but it is listed here anyhow for those using APT with parameter --no-install-recommends. curl is used below to download the signing key.
2. See Secure Downloads to understand why curl and the parameters --tlsv1.2 --proto =https are used instead of wget.
3. Fixed in mmdebstrap 0.5.0. Quote changelog: do not copy /etc/resolv.conf or /etc/hostname if the host system doesn't have them. Therefore no longer required in Debian bullseye.
4. debootstrap cannot be used since it is a single-mirror Debian chroot creation tool, i.e. it cannot use multiple APT repositories at the same time, and the Kicksecure ™ APT repository does not ship the packages that are available from packages.debian.org. Therefore mmdebstrap, a multi-mirror Debian chroot creation tool, is used. If you cannot use mmdebstrap either (cross platform builds?), you could first create a Debian chroot using debootstrap (or anything else) and then install a Kicksecure ™ meta package manually inside the chroot.
5. During the chroot build process the following files were already created.
/etc/apt/sources.list.d/debian.list
/etc/apt/sources.list.d/whonix.list
6. https://unix.stackexchange.com/questions/577065/connected-to-container-mycontainer-press-three-times-within-1s-to-exit-sessi
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)