Install Kicksecure ™ inside a folder (chroot)

From Whonix

Note:

  • Do not use these instructions inside Whonix ™.
  • These instructions are only for use outside of Whonix ™, for example on a system that browses the internet non-anonymously.

You can install Kicksecure ™ on top of your existing Debian (based) Linux installation inside a chroot.

chroot Creation

Qubes Notes

Only users of Qubes need to consider these notes in this chapter.

Users that don't use Qubes or don't know what Qubes is should skip this chapter.

TODO: elaborate

  • The nosuid / nodev mount options may cause issues (unverified).
  • The default private image size (the /home folder) is too small for Kicksecure ™ XFCE.

Install Required Tools

Install mmdebstrap apt-transport-https apt-transport-tor tor curl. [1]

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the mmdebstrap, apt-transport-https, apt-transport-tor, tor and curl packages.

sudo apt-get install mmdebstrap apt-transport-https apt-transport-tor tor curl

The installation of the required tools is complete.

Add Signing Key

The signing key must be added on the host because mmdebstrap needs it to verify the Kicksecure ™ repository.

(Users of Whonix ™ and Kicksecure ™ can skip this step since the signing key is already present by default.)

The key can be removed from the host at the end (see Host Cleanup below). Users of Whonix ™ and Kicksecure ™ should not remove it, unless they upgrade from source code.

Download Whonix Signing Key. [2]

If you are using a Qubes TemplateVM, run.

curl --proxy http://127.0.0.1:8082/ --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

If you are using Debian, run.

curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc

Before adding the key, verify its fingerprint against the Whonix Signing Key page; a TLS download alone does not prove that the key is the genuine one.

Add the Whonix signing key to APT's trusted keys. Note that apt-key is deprecated in Debian bullseye and later; on such systems convert the key with gpg into a binary keyring at the same path instead.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

The procedure of adding the Whonix signing key is now complete.

Create /etc/hostname

File /etc/hostname must exist. [3]

sudo touch /etc/hostname

Set Variables

Note: You could also replace kicksecure-xfce with kicksecure-cli. Set these variables in the same shell session in which you run the remaining commands, since the later steps expand them.

package=kicksecure-xfce
repo=buster-developers
path_to_chroot=~/kicksecure-xfce-chroot
path_to_temp_sources_list=~/temp-sources.list

APT Sources List

Create temporary APT sources list for mmdebstrap.

echo "
deb https://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb https://deb.debian.org/debian buster main contrib non-free
deb https://deb.whonix.org $repo main contrib non-free
" > "$path_to_temp_sources_list"

APT Cache

Optional.

This should not be done unless you are behind a firewall, since apt-cacher-ng by default listens on all network interfaces; alternatively, restrict it to localhost with the BindAddress setting in /etc/apt-cacher-ng/acng.conf.

Install apt-cacher-ng.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the apt-cacher-ng package.

sudo apt-get install apt-cacher-ng

The procedure of installing apt-cacher-ng is complete.

Store the extra mmdebstrap options in a bash array rather than in a string: the option values contain spaces and double quotes, so a plain string would either break the quoting or be split into separate words when expanded.

apt_cacher_ng_maybe=(
--aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }'
--aptopt='Acquire::https { Proxy "http://127.0.0.1:3142"; }'
--aptopt='Acquire::tor { Proxy "http://127.0.0.1:3142"; }'
)

echo "
deb http://HTTPS///deb.debian.org/debian-security/ buster/updates main contrib non-free
deb http://HTTPS///deb.debian.org/debian buster main contrib non-free
deb http://HTTPS///deb.whonix.org $repo main contrib non-free
" > "$path_to_temp_sources_list"

Run mmdebstrap

Run mmdebstrap. [4] (If you skipped the optional APT Cache step, the array is unset and "${apt_cacher_ng_maybe[@]}" expands to nothing.)

sudo \
SECURITY_MISC_INSTALL=force \
WHONIX_APT_REPOSITORY_OPTS="--enable --codename $repo" \
anon_shared_inst_tb=open \
mmdebstrap \
--verbose \
--variant=required \
--include "$package" \
"${apt_cacher_ng_maybe[@]}" \
buster \
"$path_to_chroot" \
"$path_to_temp_sources_list"

Chroot Post Processing

Delete the chroot's temporary /etc/apt/sources.list. [5]

sudo rm "$path_to_chroot/etc/apt/sources.list"
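The chroot creation steps above (variables, temporary sources list, /etc/hostname, mmdebstrap, post-processing) collected into one script, as an added example that is not the wiki's own code. It adds a check the page only implies: every deb line of the temporary sources list must use an encrypted transport (https, tor+https, or the apt-cacher-ng http://HTTPS/// form) so the bootstrap never fetches index files over plain http. The variable defaults mirror the page; the function names and the "build" argument are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not code from the Kicksecure wiki: the chroot creation steps
# above as one script. Defaults mirror the page's variables; function names and
# the "build" argument are this example's own.
set -eu

package="${package:-kicksecure-xfce}"
repo="${repo:-buster-developers}"
path_to_chroot="${path_to_chroot:-$HOME/kicksecure-xfce-chroot}"
path_to_temp_sources_list="${path_to_temp_sources_list:-$HOME/temp-sources.list}"

# Write the temporary sources list mmdebstrap bootstraps from.
# $1 = Whonix repository codename, $2 = output file.
write_temp_sources_list() {
  cat > "$2" <<EOF
deb https://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb https://deb.debian.org/debian buster main contrib non-free
deb https://deb.whonix.org $1 main contrib non-free
EOF
}

# Reject any 'deb' line that does not use an encrypted transport.
# Accepted: https://, tor+https:// and the apt-cacher-ng form http://HTTPS///
# (the local proxy terminates TLS). Returns 1 if any line is rejected and
# names it, so a typo such as "http://" cannot slip through.
check_sources_transport() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      ''|\#*) ;;                                   # blank or comment
      deb\ https://*|deb\ tor+https://*|deb\ http://HTTPS///*) ;;
      deb\ \[*\]\ https://*|deb\ \[*\]\ tor+https://*) ;;   # with [options]
      *) echo "insecure or unexpected line: $line" >&2; bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# The privileged part, exactly the page's commands; only runs with "build".
build_chroot() {
  write_temp_sources_list "$repo" "$path_to_temp_sources_list"
  check_sources_transport "$path_to_temp_sources_list"
  sudo touch /etc/hostname                          # footnote 3
  sudo \
    SECURITY_MISC_INSTALL=force \
    WHONIX_APT_REPOSITORY_OPTS="--enable --codename $repo" \
    anon_shared_inst_tb=open \
    mmdebstrap --verbose --variant=required --include "$package" \
    buster "$path_to_chroot" "$path_to_temp_sources_list"
  sudo rm "$path_to_chroot/etc/apt/sources.list"    # footnote 5
  rm "$path_to_temp_sources_list"
}

if [ "${1:-}" = build ]; then
  build_chroot
fi
```

Run it as ./build-chroot.sh build (the file name is an assumption). The transport check runs before sudo is invoked, so a bad sources list is caught without any privileged action; the apt-cacher-ng variant from the optional step is not wired in here.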

Host Cleanup

Optional: You can delete the signing key from the host.

sudo rm /etc/apt/trusted.gpg.d/whonix.gpg

Usage

Simple Classic Chroot Method

sudo chroot ~/kicksecure-xfce-chroot bash

systemd-nspawn Method

Install systemd-nspawn

sudo apt install systemd-container

systemd-nspawn Simple Chroot

sudo systemd-nspawn -D ~/kicksecure-xfce-chroot

systemd-nspawn Boot Chroot CLI Only

sudo systemd-nspawn -D ~/kicksecure-xfce-chroot /sbin/init
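Preflight checks for the chroot before handing it to chroot(8) or systemd-nspawn, plus a classic-chroot entry helper that supplies the /proc, /sys and /dev mounts which chroot(8) does not set up and which systemd-nspawn provides on its own. This is an added example, not code from the wiki or the Kicksecure project; it assumes the layout the page describes (the two .list files named in footnote 5, the post-processing removal of sources.list, and /sbin/init for the boot variants). Function names and the "check"/"enter" arguments are this example's own.

```shell
#!/bin/bash
# Added example, not code from the Kicksecure wiki: preflight checks for a
# chroot built by the steps above, plus a classic-chroot entry helper that
# supplies the /proc, /sys and /dev mounts chroot(8) itself does not.
# Assumed layout: the two .list files footnote 5 names, and /sbin/init.
set -eu

# Returns 0 when $1 looks like a finished Kicksecure chroot, 1 otherwise.
# Every finding is printed so the user sees why the tree was rejected.
check_chroot() {
  root="$1"; ok=0
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Post-processing step: the bootstrap-only sources.list must be gone,
  # otherwise APT inside the chroot would keep using that mirror list.
  if [ -e "$root/etc/apt/sources.list" ]; then
    echo "leftover $root/etc/apt/sources.list (run the post-processing rm)" >&2; ok=1
  fi
  for f in etc/apt/sources.list.d/debian.list etc/apt/sources.list.d/whonix.list; do
    [ -f "$root/$f" ] || { echo "missing $root/$f" >&2; ok=1; }
  done
  # Needed by the "Boot Chroot" systemd-nspawn variants. /sbin/init is usually
  # an absolute symlink, which -e would resolve against the HOST root, so also
  # accept a symlink that merely exists inside the tree.
  [ -e "$root/sbin/init" ] || [ -L "$root/sbin/init" ] \
    || { echo "missing $root/sbin/init" >&2; ok=1; }
  return "$ok"
}

# Classic chroot with the kernel pseudo-filesystems mounted for the session and
# unmounted again on exit. Must run as root; refuses a tree that fails check_chroot.
enter_classic_chroot() {
  root="$1"; shift
  check_chroot "$root"
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  mount --bind /dev "$root/dev"
  mount --bind /dev/pts "$root/dev/pts"
  mount -t proc proc "$root/proc"
  mount -t sysfs sysfs "$root/sys"
  trap "umount '$root/sys' '$root/proc' '$root/dev/pts' '$root/dev'" EXIT
  chroot "$root" "${@:-/bin/bash}"
}

case "${1:-}" in
  check) check_chroot "$2" ;;
  enter) shift; enter_classic_chroot "$@" ;;
esac
```

Usage: ./chroot-helper.sh check ~/kicksecure-xfce-chroot as a normal user, and sudo ./chroot-helper.sh enter ~/kicksecure-xfce-chroot for the classic method (the script name is an assumption). The EXIT trap unmounts the pseudo-filesystems even if the shell inside the chroot is killed, which avoids leaving the host's /dev bind-mounted under a directory you may later delete.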

systemd-nspawn Boot Chroot with GUI Support

This is unfinished. Unspecific to Kicksecure ™. Could be resolved as per Free Support Principle.

Note that xhost +local: grants every local user access to your X server; revoke it again when you are done.

xhost +local:

sudo systemd-nspawn --setenv=DISPLAY=$DISPLAY -D ~/kicksecure-xfce-chroot /sbin/init

Exit systemd-nspawn Chroot

To leave the chroot, hold CTRL and press ] three times within one second. [6]

Limitations of systemd-nspawn based Chroot

Despite these limitations, systemd-nspawn should probably be preferred over a classic chroot; it depends on what you are trying to accomplish.

  • sdwdate (and Boot Clock Randomization) cannot work inside systemd-nspawn.
  • Tor will fail to start inside a systemd-nspawn chroot if Tor is already running on the host in its default configuration (listening locally on port 9050). That should not matter: in this case the systemd-nspawn chroot will use the host's Tor. systemd-nspawn also has options for private networking, but these have not been researched for Kicksecure ™ yet.

Footnotes

  1. Why these packages are required:
    • apt-transport-https is required for some older Debian based Linux distributions that have not yet integrated https support into APT. If it is not available in your distribution, this can be safely ignored.
    • apt-transport-tor is required because the chroot's /etc/apt/sources.list.d/debian.list uses tor+https. Otherwise mmdebstrap fails with the following error.
    I: cleaning package lists and apt cache...
    Reading package lists...
    E: The method driver /usr/lib/apt/methods/tor+https could not be found.
    E: The method driver /usr/lib/apt/methods/tor+https could not be found.
    E: The method driver /usr/lib/apt/methods/tor+https could not be found.
    E: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease
    E: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease
    E: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease
    E: Some index files failed to download. They have been ignored, or old ones used instead.
    E: apt-get --option Dir::Etc::SourceList=/dev/null update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed

    • tor is required so that apt-transport-tor can use Tor. Otherwise mmdebstrap fails with the following error.
    I: cleaning package lists and apt cache...
    Err:1 tor+https://deb.debian.org/debian-security buster/updates InRelease
      Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    Err:2 tor+https://deb.debian.org/debian buster InRelease
      Unable to connect to 127.0.0.1:9050:
    Err:3 tor+https://deb.whonix.org buster-developers InRelease
      Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    Reading package lists...
    W: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    W: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease  Unable to connect to 127.0.0.1:9050:
    W: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease  Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused)
    W: Some index files failed to download. They have been ignored, or old ones used instead.

    • Package apt-transport-tor actually recommends package tor, but it is listed here anyhow for those who run APT with the parameter --no-install-recommends.
    • curl is required below to download the signing key.
  2. For the reasoning why curl rather than wget is used, and why the parameters --tlsv1.2 --proto =https are used, see Secure Downloads.
  3. Fixed in mmdebstrap 0.5.0. Quote changelog:

    do not copy /etc/resolv.conf or /etc/hostname if the host system doesn't have them

    Therefore no longer required in Debian bullseye.

  4. debootstrap cannot be used since it is a single-mirror Debian chroot creation tool, i.e. it cannot use multiple APT repositories at the same time, and the Kicksecure ™ APT repository does not mirror the packages available from packages.debian.org. Therefore mmdebstrap, a multi-mirror Debian chroot creation tool, is used. If you cannot use mmdebstrap either (cross platform builds?), you could first create a Debian chroot using debootstrap (or anything else) and then install a Kicksecure ™ meta package manually inside the chroot.
  5. During the chroot build process the following files were already created, so the temporary sources.list is no longer needed.
    • /etc/apt/sources.list.d/debian.list
    • /etc/apt/sources.list.d/whonix.list
  6. https://unix.stackexchange.com/questions/577065/connected-to-container-mycontainer-press-three-times-within-1s-to-exit-sessi



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
