Onionizing Repositories

From Whonix

Onionrepository23234.jpg

Introduction[edit]

When software packages from Debian, Whonix ™, Fedora, Qubes (and others) are downloaded prior to the installation of new packages or upgrades, the package repository sources default to the http / https transport protocol, which is non-ideal for security. Instead, experimental Tor onion services can be configured for a number of platforms, which provides several security and privacy benefits: [1]

  • The user cannot be uniquely targeted for malicious updates -- attackers are forced to attack everyone requesting the update.
  • The package repository, or observers watching it, cannot track what programs are installed.
  • The ISP cannot easily learn what packages are fetched.
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.

Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability. If this becomes an issue, it is encouraged to Re-enable Clearnet Repositories so packages can be updated.

If the term "comment" is unfamiliar, please follow this link to learn how to comment / uncomment lines in a configuration file.

In this chapter, instructions are provided for onionizing sources on the Debian, Non-Qubes-Whonix ™ and Qubes platforms.

Qubes[edit]

Qubes dom0 and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. [2]

Complete the following steps in dom0 and for each template -- not all templates can be completely onionized. The instructions below consider Debian Templates, Whonix TM Templates, and the Fedora Template.

dom0[edit]

dom0 can be updated exclusively over onion services.

1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.

sudo nano /etc/yum.repos.d/qubes-dom0.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25 baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25 #metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink

Save and exit.

2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.

sudo nano /etc/qubes/repo-templates/qubes-templates.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl #metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink

Save and exit.

3. In dom0 terminal, confirm both onion repositories are functional.

Using --show-output --console is optional but recommended because of a Qubes upstream bug. [3]

sudo qubes-dom0-update --show-output --console

Debian Templates[edit]

Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.

Note: to use the tor+http configuration below, apt-transport-tor must be installed. [4] Remove tor+ from the code block if updates over Tor are unwanted.

Onionize qubes-r4.list[edit]

1. In Debian TempateVM, open the qubes-r4.list file in a text editor.

sudo nano /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository #deb [arch=amd64] https://deb.qubes-os.org/r4.1/vm bullseye main #deb-src https://deb.qubes-os.org/r4.1/vm bullseye main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories # Main qubes updates repository deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/vm bullseye main #deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/vm bullseye main

Save and exit.

4. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Onionize Debian sources.list[edit]

The sources.list file can be edited so it points to the Debian onion mirror. [5] This is a more secure method than clearnet for updates and software installation.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bullseye main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free #deb https://deb.debian.org/debian-security bullseye-security main contrib non-free deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye-security main contrib non-free #Optional Backports #deb https://deb.debian.org/debian bullseye-backports main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Whonix ™ Templates[edit]

Whonix ™ templates can be updated exclusively over onion services by editing the Qubes, Debian [5] and Whonix ™ sources.list files so they point to the respective onion repositories.

Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.

Onionize qubes-r4.list[edit]

1. In Whonix ™ TempateVM, open qubes-r4.list in a text editor.

sudo nano /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository #deb [arch=amd64] https://deb.qubes-os.org/r4.1/vm bullseye main #deb-src https://deb.qubes-os.org/r4.1/vm bullseye main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories # Main qubes updates repository deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/vm bullseye main #deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/vm bullseye main

Save and exit.

4. Confirm the onionized repositories are functional.

upgrade-nonroot

Onionize debian.list[edit]

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Uncomment the onionized Debian repositories.

Uncomment the following .onion mirrors and comment out (#) the corresponding https repositories (except the fasttrack repository).

#deb tor+https://deb.debian.org/debian bullseye main contrib non-free #deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free #deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free #deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free ## No onion for fasttrack yet: ## https://salsa.debian.org/fasttrack-team/support/-/issues/27

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Onionize derivative.list[edit]

Follow these steps to point the Whonix ™ sources.list file to the v3 onion mirror. [6] [7] See Whonix APT Repository overview for details on the four repository choices.

1. Open the Whonix ™ sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/derivative.list

2. Uncomment the onionized Whonix ™ repository.

Uncomment the following .onion mirror and comment out (#) the corresponding https repository.

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free #deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free #deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free #deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free

Save and exit.

3. Confirm the onionized repository is functional.

upgrade-nonroot

Fedora Template[edit]

Note: Updating Fedora templates exclusively over Onion Services is not possible -- only related Qubes repositories can be onionized. The reason is Fedora does not maintain onion service repositories.

1. In Fedora Template, open the qubes-r4.repo file in a text editor. [8]

sudo gedit /etc/yum.repos.d/qubes-r*.repo

  • comment the lines that contain yum.qubes-os.org
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r4.1/current/vm/fc$releasever baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.1/current/vm/fc$releasever

Save and exit.

2. In Fedora Template, confirm the onion service repositories are functional.

sudo dnf update

3. Import the Qubes OS signing key if prompted.

Sometimes the following message may appear. Press y and then Enter. [9] [10]

Importing GPG key 0x9E2795E9: Userid : "Qubes OS Release 4 Signing Key" Fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-primary Is this ok [y/N]:

Debian[edit]

Debian hosts and VMs can be onionized by editing the Debian [5] [11] repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.

Note: to use the tor+http configuration below, apt-transport-tor must be installed. [4] Remove "tor+" from the code block if updates over Tor are unwanted.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bullseye main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free #deb https://deb.debian.org/debian-security bullseye-security main contrib non-free deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye-security main contrib non-free #Optional Backports #deb https://deb.debian.org/debian bullseye-backports main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Non-Qubes-Whonix ™[edit]

Non-Qubes-Whonix ™ VMs can be onionized by editing both the Debian [5] and Whonix ™ repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.

Debian sources.list[edit]

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bullseye main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free #deb https://deb.debian.org/debian-security bullseye-security main contrib non-free deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye-security main contrib non-free #Optional Backports #deb https://deb.debian.org/debian bullseye-backports main contrib non-free deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Whonix ™ sources.list[edit]

Follow these steps to point the Whonix ™ sources.list file to the v3 onion mirror. [6] [12] See Whonix APT Repository overview for details on the four repository choices.

1. Open the Whonix ™ sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/derivative.list

2. Uncomment the onionized Whonix ™ repository.

Uncomment the following .onion mirror and comment out (#) the corresponding https repository.

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free #deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free #deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free #deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free

Save and exit.

3. Confirm the onionized repository is functional.

upgrade-nonroot

Onionize Tor Project Updates[edit]

For enhanced security, advanced users and testers can onionize Tor Project updates; see Tor Versioning for further details.

Footnotes[edit]

  1. https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions
  2. At present, the available Qubes onion service URLs are:

    Website: www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
    Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
    Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
    ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

  3. qubes-dom0-update shows No updates available in case of network is down / qubes-dom0-update fails to notice if repositories are unreachable / network is down
  4. 4.0 4.1 For support in downloading APT packages anonymously via the Tor network. To install it:
    sudo apt install apt-transport-tor
  5. 5.0 5.1 5.2 5.3 https://onion.debian.org/
  6. 6.0 6.1 Whonix ™ no longer maintains v2 legacy onion addresses which were deprecated by The Tor Project in October 2021; see here.
  7. The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.
  8. At the time of writing Qubes-R4 was the current stable release.
  9. See: Verifying signatures for further information on signing keys.
  10. All Qubes OS signing keys can be found here.
  11. Also edit Whonix ™ sources.list if you are using Whonix ™ Packages for Debian Hosts.
  12. The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.