Install Kicksecure ™ inside a folder (chroot)

From Whonix

Note:

  • Do not use these instructions inside Whonix ™.
  • These instructions are only for use outside of Whonix ™; for example, on a system used for browsing the internet non-anonymously.

You can install Kicksecure ™ on top of your existing Debian (based) Linux installation inside a chroot.

chroot Creation

Qubes Notes

Only Qubes users need to consider the notes in this chapter.

Users who do not use Qubes, or do not know what Qubes is, should skip this chapter.

TODO: elaborate

  • nosuid / nodev can cause issues?
  • The default private image size (/home folder) is too small for Kicksecure ™ XFCE.

Install Required Tools

Install mmdebstrap, apt-transport-https, apt-transport-tor, tor and curl. [1]

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the packages.

Using the apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends mmdebstrap apt-transport-https apt-transport-tor tor curl

The procedure of installing the required tools is complete.

Add Signing Key

The signing key must be added on the host, because mmdebstrap verifies the Kicksecure ™ repository against the host's APT trusted keys while it builds the chroot.

(Users of Whonix ™ and Kicksecure ™ can skip this step, since the signing key is present by default.)

The key can be removed from the host at the end. (Whonix ™ and Kicksecure ™ users should not remove it, unless they upgrade from source code.)

Download Whonix Signing Key. [2]

If you are using a Qubes TemplateVM, run.

curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

If you are using Debian, run.

curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

Verify the downloaded key against the fingerprint published on the Whonix Signing Key page before trusting it; a key fetched over the network is only as trustworthy as that check.

Add the Whonix signing key to the APT trusted keys.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

Note: apt-key is deprecated since Debian 11 (bullseye). On hosts where it is no longer available, place a dearmored (binary) copy of the key at /etc/apt/trusted.gpg.d/whonix.gpg instead; APT reads that directory directly.

The procedure of adding the Whonix signing key is now complete.
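The download and key-adding steps above, as an added example script that is not code from the Whonix ™ wiki or project. It refuses the downloaded key unless its primary fingerprint matches one pinned in the script, and only then installs it for APT. Assumptions: GnuPG 2 is installed on the host; EXPECTED_FINGERPRINT is a placeholder that the operator must replace with the fingerprint from the Whonix Signing Key page (with the placeholder left in, installation fails closed); KEY_FILE, KEYRING and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Whonix wiki or project: fetch the Whonix
# signing key as the page does, refuse it unless its primary fingerprint
# matches a fingerprint pinned here, and only then install it for APT.
# Assumptions: gpg (GnuPG 2) is installed; EXPECTED_FINGERPRINT is filled in
# by the operator from the Whonix Signing Key page (the value below is a
# placeholder, so "install" fails closed until it is replaced).
set -eu

KEY_URL="https://www.whonix.org/patrick.asc"
KEY_FILE="${KEY_FILE:-$HOME/patrick.asc}"
KEYRING="/etc/apt/trusted.gpg.d/whonix.gpg"
EXPECTED_FINGERPRINT="${EXPECTED_FINGERPRINT:-FILL-IN-FROM-WHONIX-SIGNING-KEY-PAGE}"

# Download with the same curl restrictions the page uses (TLS 1.2 or newer,
# https only, no redirects to other schemes); $1 = "qubes" adds the Qubes
# updates proxy used inside a TemplateVM.
download_key() {
    if [ "${1:-}" = qubes ]; then
        curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https \
             --max-time 180 --output "$KEY_FILE" "$KEY_URL"
    else
        curl --tlsv1.2 --proto =https --max-time 180 --output "$KEY_FILE" "$KEY_URL"
    fi
}

# Fingerprints are published in grouped upper-case form; compare without
# spaces and case so a pasted value still matches.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary key fingerprint of an ASCII-armoured key file, without importing it
# into any keyring (show-only), taken from gpg's colon-separated output
# (field 10 of the first "fpr" record is the primary key's fingerprint).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Install the key into APT's trusted directory only after the pin check.
install_verified_key() {
    key="$1" expected="$2" dest="$3"
    actual="$(key_fingerprint "$key")"
    if ! fingerprint_matches "$actual" "$expected"; then
        echo "REFUSING $key: fingerprint $actual does not match pinned $expected" >&2
        return 1
    fi
    # Dearmored (binary) keyring; APT reads trusted.gpg.d without apt-key.
    gpg --dearmor < "$key" | sudo tee "$dest" > /dev/null
    echo "installed $dest (fingerprint $actual)"
}

case "${1:-}" in
    fetch)   download_key "${2:-}" ;;
    install) install_verified_key "$KEY_FILE" "$EXPECTED_FINGERPRINT" "$KEYRING" ;;
esac
```

Usage: `sh add-key.sh fetch` (or `fetch qubes` in a TemplateVM), then `EXPECTED_FINGERPRINT='...' sh add-key.sh install`. The check is done with show-only so that a wrong or tampered key never enters a keyring, and the resulting file is a binary keyring, which works on hosts where apt-key has been removed.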

Create /etc/hostname

File /etc/hostname must exist on the host. [3]

sudo touch /etc/hostname

Set Variables

Note: You could also replace kicksecure-xfce with kicksecure-cli.

package=kicksecure-xfce
repo=buster-developers
path_to_chroot=~/kicksecure-xfce-chroot
path_to_temp_sources_list=~/temp-sources.list

APT Sources List

Create temporary APT sources list for mmdebstrap.

echo "
deb https://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb https://deb.debian.org/debian buster main contrib non-free
deb https://deb.whonix.org $repo main contrib non-free
" > "$path_to_temp_sources_list"

APT Cache

Optional.

This should only be done behind a firewall, since apt-cacher-ng by default listens on all network interfaces.

Install apt-cacher-ng.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the apt-cacher-ng package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends apt-cacher-ng

The procedure of installing apt-cacher-ng is complete.

Define the proxy options as a shell array, so that the spaces and quotes inside each --aptopt value survive expansion and reach mmdebstrap as whole arguments. (If you skip the APT cache, leave apt_cacher_ng_maybe unset; its expansion in the mmdebstrap command then adds nothing.)

apt_cacher_ng_maybe=(
--aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }'
--aptopt='Acquire::https { Proxy "http://127.0.0.1:3142"; }'
--aptopt='Acquire::tor { Proxy "http://127.0.0.1:3142"; }'
)

Point the temporary APT sources list at apt-cacher-ng; the http://HTTPS/// form tells apt-cacher-ng to fetch from the origin over HTTPS.

echo "
deb http://HTTPS///deb.debian.org/debian-security/ buster/updates main contrib non-free
deb http://HTTPS///deb.debian.org/debian buster main contrib non-free
deb http://HTTPS///deb.whonix.org $repo main contrib non-free
" > "$path_to_temp_sources_list"

Run mmdebstrap

Run mmdebstrap. [4]

sudo \
SECURITY_MISC_INSTALL=force \
DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \
anon_shared_inst_tb=open \
mmdebstrap \
--verbose \
--variant=required \
--include "$package" \
"${apt_cacher_ng_maybe[@]}" \
buster \
"$path_to_chroot" \
"$path_to_temp_sources_list"

Chroot Post Processing

Delete the chroot's temporary /etc/apt/sources.list. [5]

sudo rm "$path_to_chroot/etc/apt/sources.list"
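The chroot creation steps above (variables, temporary sources list, optional apt-cacher-ng, mmdebstrap, post processing) collected into one script with pre-flight checks, as an added example that is not code from the Whonix ™ wiki or project. It assumes the signing key is already in /etc/apt/trusted.gpg.d/whonix.gpg, uses the same repository entries, environment variables and proxy options the page shows, and builds the mmdebstrap argument list in the positional parameters so that each --aptopt value, which contains spaces and quotes, travels as a single word. The function names, the use_apt_cacher_ng switch and the dry-run mode are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Whonix wiki or project: the chroot build
# steps of the page as one script with pre-flight checks.
# Assumptions: the Whonix signing key is already in APT's trusted keys; the
# repository entries, environment variables and proxy options are the ones
# the page shows; use_apt_cacher_ng and dry-run are this example's own.
set -eu

package="${package:-kicksecure-xfce}"           # or kicksecure-cli
repo="${repo:-buster-developers}"
codename="${codename:-buster}"
path_to_chroot="${path_to_chroot:-$HOME/kicksecure-xfce-chroot}"
path_to_temp_sources_list="${path_to_temp_sources_list:-$HOME/temp-sources.list}"
use_apt_cacher_ng="${use_apt_cacher_ng:-no}"    # yes: fetch through localhost:3142

# Temporary sources list for mmdebstrap ($1 = path, $2 = yes|no for the cache).
# With apt-cacher-ng, http://HTTPS///host tells the cacher to use HTTPS upstream.
write_sources_list() {
    out="$1"
    if [ "$2" = yes ]; then scheme="http://HTTPS///"; else scheme="https://"; fi
    {
        printf 'deb %sdeb.debian.org/debian-security/ %s/updates main contrib non-free\n' "$scheme" "$codename"
        printf 'deb %sdeb.debian.org/debian %s main contrib non-free\n' "$scheme" "$codename"
        printf 'deb %sdeb.whonix.org %s main contrib non-free\n' "$scheme" "$repo"
    } > "$out"
}

# Build the mmdebstrap argument list in the positional parameters and hand it
# to the command named in $1 unchanged.  Each --aptopt value contains spaces
# and quotes, so it must stay one word; an unquoted string variable holding
# all of them would be split apart by the shell.
with_mmdebstrap_args() {
    cmd="$1"
    set -- --verbose --variant=required --include "$package"
    if [ "$use_apt_cacher_ng" = yes ]; then
        set -- "$@" \
            --aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }' \
            --aptopt='Acquire::https { Proxy "http://127.0.0.1:3142"; }' \
            --aptopt='Acquire::tor { Proxy "http://127.0.0.1:3142"; }'
    fi
    set -- "$@" "$codename" "$path_to_chroot" "$path_to_temp_sources_list"
    "$cmd" "$@"
}

print_argv() { printf '%s\n' "$@"; }

run_mmdebstrap() {
    # Environment variables the Kicksecure packages read during installation,
    # exactly as on the page; sudo passes them through on the command line.
    sudo SECURITY_MISC_INSTALL=force \
         DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \
         anon_shared_inst_tb=open \
         mmdebstrap "$@"
}

preflight() {
    command -v mmdebstrap >/dev/null || { echo "mmdebstrap not installed" >&2; return 1; }
    [ -r /etc/apt/trusted.gpg.d/whonix.gpg ] || { echo "Whonix signing key not in APT trusted keys" >&2; return 1; }
    [ ! -e "$path_to_chroot" ] || { echo "$path_to_chroot already exists; refusing to build over it" >&2; return 1; }
    # Older mmdebstrap copies /etc/hostname from the host and fails if it is missing.
    [ -e /etc/hostname ] || sudo touch /etc/hostname
}

build() {
    preflight
    write_sources_list "$path_to_temp_sources_list" "$use_apt_cacher_ng"
    with_mmdebstrap_args run_mmdebstrap
    # The chroot has its own lists in sources.list.d; drop the temporary one
    # mmdebstrap left behind, on both sides.
    sudo rm "$path_to_chroot/etc/apt/sources.list"
    rm -f "$path_to_temp_sources_list"
}

case "${1:-}" in
    build)   build ;;
    dry-run) with_mmdebstrap_args print_argv ;;
esac
```

`sh build-chroot.sh dry-run` prints the exact argument list mmdebstrap would receive, one per line, which is the quickest way to confirm the --aptopt values arrive intact; `use_apt_cacher_ng=yes sh build-chroot.sh build` runs the real build through the cache.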

Host Cleanup

Optional: You can delete the signing key from the host.

sudo rm /etc/apt/trusted.gpg.d/whonix.gpg

Usage

Simple Classic Chroot Method

sudo chroot ~/kicksecure-xfce-chroot bash

Note: a classic chroot only changes the root directory. It provides no /proc, /sys or /dev of its own and starts no services; systemd-nspawn sets these up and can boot the chroot's init.

systemd-nspawn Method

Install systemd-nspawn

sudo apt install systemd-container

systemd-nspawn Simple Chroot

sudo systemd-nspawn -D ~/kicksecure-xfce-chroot

systemd-nspawn Boot Chroot CLI Only

sudo systemd-nspawn -D ~/kicksecure-xfce-chroot /sbin/init

systemd-nspawn Boot Chroot with GUI Support

This is unfinished and not specific to Kicksecure ™. It could be resolved as per the Free Support Principle.

Note: xhost +local: grants every local user and process access to the X server, not only the chroot. Revoke it with xhost -local: when done.

xhost +local:

sudo systemd-nspawn --setenv=DISPLAY=$DISPLAY -D ~/kicksecure-xfce-chroot /sbin/init

Exit systemd-nspawn Chroot

To leave the chroot, hold CTRL and press ] three times within one second (on many terminals CTRL+5 sends the same control character). [6]

Limitations of systemd-nspawn based Chroot

Despite these limitations, systemd-nspawn should probably be preferred over a classic chroot. It depends on what you are trying to accomplish.

  • sdwdate (and Boot Clock Randomization) cannot work inside systemd-nspawn.
  • Tor will fail to start inside the systemd-nspawn chroot if Tor is already running on the host in the default configuration (local listen port 9050), because the container shares the host's network namespace. That should not matter: the chroot will use the host's Tor in this case. systemd-nspawn also has options for private networking, but these have not been researched for Kicksecure ™ yet.
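A wrapper for the systemd-nspawn commands in this Usage section, as an added example that is not code from the Whonix ™ wiki or project. Beyond the page's commands it adds the checks a practitioner wants before handing a directory to nspawn, and two assumptions of its own for GUI mode that the page does not make: the host's X socket directory is bound read-only into the container, and X access is granted to the local root user only (container processes run as host root when nspawn is used without --private-users) instead of xhost +local:. The mode names, chroot_dir and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Whonix wiki or project: a wrapper around the
# systemd-nspawn commands of the page (shell = enter the tree, boot = run
# /sbin/init, gui = boot with X access) with pre-flight checks.
# Assumptions not from the page: gui mode binds the host's X socket directory
# read-only into the container and grants X access only to the local root user
# (container root is host root without --private-users), not to every local
# user as `xhost +local:` would.
set -eu

chroot_dir="${chroot_dir:-$HOME/kicksecure-xfce-chroot}"

# $1 = directory, $2 = mode.  Boot modes need an init inside the tree; -L is
# checked as well because /sbin/init is normally an absolute symlink, which
# -e would resolve against the host's root instead of the chroot's.
check_chroot() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    case "$2" in
        boot|gui) [ -e "$1/sbin/init" ] || [ -L "$1/sbin/init" ] \
                      || { echo "$1: no /sbin/init, cannot boot" >&2; return 1; } ;;
    esac
}

# Build the nspawn argument list for $1 = shell|boot|gui and $2 = directory in
# the positional parameters, then hand it to the command named in $3.
with_nspawn_args() {
    mode="$1" dir="$2" cmd="$3"
    set -- -D "$dir"
    case "$mode" in
        shell) ;;
        boot)  set -- "$@" /sbin/init ;;
        gui)   [ -n "${DISPLAY:-}" ] || { echo "gui mode needs DISPLAY" >&2; return 1; }
               set -- "$@" --bind-ro=/tmp/.X11-unix "--setenv=DISPLAY=$DISPLAY" /sbin/init ;;
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    "$cmd" "$@"
}

print_argv() { printf '%s\n' "$@"; }
run_nspawn()  { sudo systemd-nspawn "$@"; }

# Narrow X grant for the container's root (server-interpreted local user
# entry), revoked again when the wrapper exits.
grant_x()  { xhost +SI:localuser:root >/dev/null; }
revoke_x() { xhost -SI:localuser:root >/dev/null; }

main() {
    mode="${1:-shell}"
    check_chroot "$chroot_dir" "$mode"
    if [ "$mode" = gui ]; then
        grant_x
        trap revoke_x EXIT
    fi
    with_nspawn_args "$mode" "$chroot_dir" run_nspawn
}

case "${1:-}" in
    shell|boot|gui) main "$1" ;;
    dry-run)        with_nspawn_args "${2:-shell}" "$chroot_dir" print_argv ;;
esac
```

`sh nspawn-kicksecure.sh dry-run gui` prints the argument list without starting anything; `sh nspawn-kicksecure.sh gui` boots the chroot with X access. The Tor port conflict from the limitations above still applies: with the host's network namespace shared, the chroot's Tor will not bind 9050 while the host's Tor holds it.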

Footnotes

1. Why each package is needed:
    • apt-transport-https is required for some older Debian based Linux distributions that have not integrated https support into APT yet. If it is not available in your distribution, it can be safely ignored.
    • apt-transport-tor is required because the chroot's /etc/apt/sources.list.d/debian.list uses tor+https. Otherwise the following error is seen.
    I: cleaning package lists and apt cache...
    Reading package lists...
    E: The method driver /usr/lib/apt/methods/tor+https could not be found.
    E: The method driver /usr/lib/apt/methods/tor+https could not be found.
    E: The method driver /usr/lib/apt/methods/tor+https could not be found.
    E: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease  
    E: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease  
    E: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease  
    E: Some index files failed to download. They have been ignored, or old ones used instead.
    E: apt-get --option Dir::Etc::SourceList=/dev/null update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
    
    • tor is required so apt-transport-tor can use Tor. Otherwise the following error is seen.
    I: cleaning package lists and apt cache...
    Err:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
      Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    Err:2 tor+https://deb.debian.org/debian buster InRelease
      Unable to connect to 127.0.0.1:9050:
    Err:3 tor+https://deb.whonix.org buster-developers InRelease
      Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    Reading package lists...
    W: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    W: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease  Unable to connect to 127.0.0.1:9050:
    W: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    
    • Package apt-transport-tor actually recommends package tor, but it is listed here anyhow for those using APT with parameter --no-install-recommends.
    • curl is used below to download the signing key.
2. See Secure Downloads to understand why curl and the parameters --tlsv1.2 --proto =https are used instead of wget.
3. Fixed in mmdebstrap 0.5.0. Quote changelog:

    do not copy /etc/resolv.conf or /etc/hostname if the host system doesn't have them

    Therefore this is no longer required in Debian bullseye.

4. debootstrap cannot be used, since it is a single-mirror Debian chroot creation tool, i.e. it cannot use multiple APT repositories at the same time, and the Kicksecure ™ APT repository does not ship the packages that are available from packages.debian.org. Therefore mmdebstrap, a multi-mirror Debian chroot creation tool, is used. If you cannot use mmdebstrap either (cross platform builds?), you could first create a Debian chroot using debootstrap (or anything else) and then install a Kicksecure ™ meta package manually inside the chroot.
5. During the chroot build process the following files were already created.
    • /etc/apt/sources.list.d/debian.list
    • /etc/apt/sources.list.d/whonix.list
6. https://unix.stackexchange.com/questions/577065/connected-to-container-mycontainer-press-three-times-within-1s-to-exit-sessi


Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.