Onionizing Repositories
From Whonix
Introduction[edit]
When software packages from Debian, Whonix ™, Fedora, Qubes (and others) are downloaded prior to the installation of new packages or upgrades, the package repository sources default to the http / https transport protocol, which is non-ideal for security. Instead, experimental Tor onion services can be configured for a number of platforms, which provides several security and privacy benefits: [1]
- The user cannot be uniquely targeted for malicious updates -- attackers are forced to attack everyone requesting the update.
- The package repository, or observers watching it, cannot track what programs are installed.
- The ISP cannot easily learn what packages are fetched.
- End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.
Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability [archive]. If this becomes an issue, it is encouraged to Re-enable Clearnet Repositories so packages can be updated.
If the term "comment" is unfamiliar, please follow this link [archive] to learn how to comment / uncomment lines in a configuration file.
In this chapter, instructions are provided for onionizing sources on the Debian, Non-Qubes-Whonix ™ and Qubes platforms.
Qubes[edit]
Qubes dom0 and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. [2]
Complete the following steps in dom0 and for each template -- not all templates can be completely onionized. The instructions below consider Debian Templates, Whonix TM Templates, and the Fedora Template.
dom0[edit]
dom0 can be updated exclusively over onion services.
1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.
sudo nano /etc/yum.repos.d/qubes-dom0.repo
- comment the lines that contain
metalink - uncomment the lines that contain
qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25 baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25 #metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink
Save and exit.
2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.
sudo nano /etc/yum.repos.d/qubes-templates.repo
- comment the lines that contain
metalink - uncomment the lines that contain
qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl #metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
Save and exit.
3. In dom0 terminal, confirm both onion repositories are functional.
sudo qubes-dom0-update
Debian Templates[edit]
Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.
Note: to use the tor+http configuration below, apt-transport-tor must be installed. [3] Remove tor+ from the code block if updates over Tor are unwanted.
Onionize qubes-r4.list[edit]
1. In Debian TempateVM, open the qubes-r4.list file in a text editor.
sudo nano /etc/apt/sources.list.d/qubes-r*.list
2. Comment the first line underneath "Main qubes updates repository".
The first code block should look similar to this.
# Main qubes updates repository #deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm buster main #deb-src http://deb.qubes-os.org/r4.0/vm buster main
3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".
The first code block should look similar to this.
# Qubes Tor updates repositories # Main qubes updates repository deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main #deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main
Save and exit.
4. Confirm the onionized repositories are functional.
sudo apt-get update && sudo apt-get dist-upgrade
Onionize Debian sources.list[edit]
The sources.list file can be edited so it points to the Debian onion mirror. [4] This is a more secure method than clearnet for updates and software installation.
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://deb.debian.org/debian buster main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster main contrib non-free #deb http://security.debian.org buster/updates main contrib non-free deb tor+http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free #Optional Backports #deb http://deb.debian.org/debian buster-backports main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt-get update && sudo apt-get dist-upgrade
Whonix ™ Templates[edit]
Whonix templates can be updated exclusively over onion services by editing the Qubes, Debian [4] and Whonix sources.list files so they point to the respective onion repositories.
Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.
Onionize qubes-r4.list[edit]
1. In Whonix ™ TempateVM, open qubes-r4.list in a text editor.
sudo nano /etc/apt/sources.list.d/qubes-r*.list
2. Comment the first line underneath "Main qubes updates repository".
The first code block should look similar to this.
# Main qubes updates repository #deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster main #deb-src https://deb.qubes-os.org/r4.0/vm buster main
3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".
The first code block should look similar to this.
# Qubes Tor updates repositories # Main qubes updates repository deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main #deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main
Save and exit.
4. Confirm the onionized repositories are functional.
upgrade-nonroot
Onionize debian.list[edit]
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/debian.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://deb.debian.org/debian buster main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster main contrib non-free #deb http://security.debian.org buster/updates main contrib non-free deb tor+http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free #Optional Backports #deb http://deb.debian.org/debian buster-backports main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt-get update && sudo apt-get dist-upgrade
Onionize whonix.list[edit]
Follow these steps to point the Whonix sources.list file to the v3 onion mirror. [5] [6] See Whonix APT Repository overview for details on the four repository choices.
1. Open the Whonix sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/derivative.list
2. Reference the onionized Whonix repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb https://deb.whonix.org buster main contrib non-free deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free #deb-src https://deb.whonix.org buster main contrib non-free #deb-src tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
upgrade-nonroot
Fedora Template[edit]
Note: Updating Fedora templates exclusively over Onion Services is not possible -- only related Qubes repositories can be onionized. The reason is Fedora does not maintain onion service repositories.
1. In Fedora TemplateVM, open the qubes-r4.repo file in a text editor.[7]
sudo gedit /etc/yum.repos.d/qubes-r*.repo
- uncomment the lines that contain
qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever
Save and exit.
2. In Fedora TemplateVM, confirm the onion service repositories are functional.
sudo dnf update
Debian[edit]
Debian hosts and VMs can be onionized by editing the Debian [4] [8] repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.
Note: to use the tor+http configuration below, apt-transport-tor must be installed. [3] Remove "tor+" from the code block if updates over Tor are unwanted.
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/debian.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://deb.debian.org/debian buster main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster main contrib non-free #deb http://security.debian.org buster/updates main contrib non-free deb tor+http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free #Optional Backports #deb http://deb.debian.org/debian buster-backports main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt-get update && sudo apt-get dist-upgrade
Non-Qubes-Whonix ™[edit]
Non-Qubes-Whonix ™ VMs can be onionized by editing both the Debian [4] and Whonix repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.
Debian sources.list[edit]
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/debian.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://deb.debian.org/debian buster main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster main contrib non-free #deb http://security.debian.org buster/updates main contrib non-free deb tor+http://sgvtcaew4bxjd7ln.onion buster/updates main contrib non-free #Optional Backports #deb http://deb.debian.org/debian buster-backports main contrib non-free deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt-get update && sudo apt-get dist-upgrade
Whonix ™ sources.list[edit]
Follow these steps to point the Whonix sources.list file to the v3 onion mirror. [5] See Whonix APT Repository overview for details on the four repository choices.
1. Open the Whonix sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/derivative.list
2. Reference the onionized Whonix repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb https://deb.whonix.org buster main contrib non-free deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free #deb-src https://deb.whonix.org buster main contrib non-free #deb-src tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
upgrade-nonroot
Onionize Tor Project Updates[edit]
For enhanced security, advanced users and testers can onionize Tor Project updates; see Tor Versioning for further details.
Footnotes[edit]
- ↑ https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions [archive]
- ↑ At present, the available Qubes onion service URLs [archive] are:
Website: www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
- ↑ 3.0 3.1 For support in downloading APT packages anonymously via the Tor network. To install it:
sudo apt-get install apt-transport-tor
- ↑ 4.0 4.1 4.2 4.3 https://onion.debian.org/ [archive]
- ↑ 5.0 5.1 While Whonix ™ maintains both v2 and v3 onion addresses, v3 connections should be preferred because they provide additional improvements and security benefits over the v2 legacy system which will soon be deprecated; see here [archive] for further information.
- ↑ The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.
- ↑ At the time of writing Qubes-R4 was the current stable release.
- ↑ Also edit Whonix sources.list if you are using Whonix ™ Packages for Debian Hosts.
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
.svg.png&filetimestamp=20200623163525&){kind=small}
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.