Actions

Onionizing Repositories

From Whonix


Onionrepository23234.jpg

Introduction[edit]

When software packages from Debian, Whonix ™, Fedora, Qubes (and others) are downloaded prior to the installation of new packages or upgrades, the package repository sources default to the http / https transport protocol, which is non-ideal for security. Instead, experimental Tor onion services can be configured for a number of platforms, which provides several security and privacy benefits: [1]

  • The user cannot be uniquely targeted for malicious updates -- attackers are forced to attack everyone requesting the update.
  • The package repository, or observers watching it, cannot track what programs are installed.
  • The ISP cannot easily learn what packages are fetched.
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.

Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability [archive]. If this becomes an issue, it is encouraged to Re-enable Clearnet Repositories so packages can be updated.

If the term "comment" is unfamiliar, please follow this link [archive] to learn how to comment / uncomment lines in a configuration file.

In this chapter, instructions are provided for onionizing sources on the Debian, Non-Qubes-Whonix ™ and Qubes platforms.

Qubes[edit]

Qubes dom0 and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. [2]

Complete the following steps in dom0 and for each template -- not all templates can be completely onionized. The instructions below consider Debian Templates, Whonix TM Templates, and the Fedora Template.

dom0[edit]

dom0 can be updated exclusively over onion services.

1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.

sudo nano /etc/yum.repos.d/qubes-dom0.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink

Save and exit.

2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.

sudo nano /etc/yum.repos.d/qubes-templates.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink

Save and exit.

3. In dom0 terminal, confirm both onion repositories are functional.

sudo qubes-dom0-update

Debian Templates[edit]

Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.

Note: to use the tor+http configuration below, apt-transport-tor must be installed. [3] Remove tor+ from the code block if updates over Tor are unwanted.

Onionize qubes-r4.list[edit]

1. In Debian TempateVM, open the qubes-r4.list file in a text editor.

sudo nano /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository
#deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm bullseye main
#deb-src http://deb.qubes-os.org/r4.0/vm bullseye main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main

Save and exit.

4. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Onionize Debian sources.list[edit]

The sources.list file can be edited so it points to the Debian onion mirror. [4] This is a more secure method than clearnet for updates and software installation.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free

#deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye-security main contrib non-free

#Optional Backports
#deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Whonix ™ Templates[edit]

Whonix ™ templates can be updated exclusively over onion services by editing the Qubes, Debian [4] and Whonix ™ sources.list files so they point to the respective onion repositories.

Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.

Onionize qubes-r4.list[edit]

1. In Whonix ™ TempateVM, open qubes-r4.list in a text editor.

sudo nano /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye main
#deb-src https://deb.qubes-os.org/r4.0/vm bullseye main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main

Save and exit.

4. Confirm the onionized repositories are functional.

upgrade-nonroot

Onionize debian.list[edit]

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Uncomment the onionized Debian repositories.

Uncomment the following .onion mirrors and comment out (#) the corresponding https repositories (except the fasttrack repository).

#deb tor+https://deb.debian.org/debian bullseye main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
#deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
## No onion for fasttrack yet:
## https://salsa.debian.org/fasttrack-team/support/-/issues/27

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Onionize derivative.list[edit]

Follow these steps to point the Whonix ™ sources.list file to the v3 onion mirror. [5] [6] See Whonix APT Repository overview for details on the four repository choices.

1. Open the Whonix ™ sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/derivative.list

2. Uncomment the onionized Whonix ™ repository.

Uncomment the following .onion mirror and comment out (#) the corresponding https repository.

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free

#deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free

Save and exit.

3. Confirm the onionized repository is functional.

upgrade-nonroot

Fedora Template[edit]

Note: Updating Fedora templates exclusively over Onion Services is not possible -- only related Qubes repositories can be onionized. The reason is Fedora does not maintain onion service repositories.

1. In Fedora TemplateVM, open the qubes-r4.repo file in a text editor. [7]

sudo gedit /etc/yum.repos.d/qubes-r*.repo

  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever

Save and exit.

2. In Fedora TemplateVM, confirm the onion service repositories are functional.

sudo dnf update

Debian[edit]

Debian hosts and VMs can be onionized by editing the Debian [4] [8] repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.

Note: to use the tor+http configuration below, apt-transport-tor must be installed. [3] Remove "tor+" from the code block if updates over Tor are unwanted.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free

#deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye-security main contrib non-free

#Optional Backports
#deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Non-Qubes-Whonix ™[edit]

Non-Qubes-Whonix ™ VMs can be onionized by editing both the Debian [4] and Whonix ™ repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.

Debian sources.list[edit]

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free

#deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye-security main contrib non-free

#Optional Backports
#deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Whonix ™ sources.list[edit]

Follow these steps to point the Whonix ™ sources.list file to the v3 onion mirror. [5] [9] See Whonix APT Repository overview for details on the four repository choices.

1. Open the Whonix ™ sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/derivative.list

2. Uncomment the onionized Whonix ™ repository.

Uncomment the following .onion mirror and comment out (#) the corresponding https repository.

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free

#deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free

Save and exit.

3. Confirm the onionized repository is functional.

upgrade-nonroot

Onionize Tor Project Updates[edit]

For enhanced security, advanced users and testers can onionize Tor Project updates; see Tor Versioning for further details.

Footnotes[edit]

  1. https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions [archive]
  2. At present, the available Qubes onion service URLs [archive] are:

    Website: www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

    Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

  3. 3.0 3.1 For support in downloading APT packages anonymously via the Tor network. To install it:
    sudo apt-get install apt-transport-tor

  4. 4.0 4.1 4.2 4.3 https://onion.debian.org/ [archive]
  5. 5.0 5.1 While Whonix ™ maintains both v2 and v3 onion addresses, v3 connections should be preferred because they provide additional improvements and security benefits over the v2 legacy system which will soon be deprecated; see here [archive] for further information.
  6. The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.
  7. At the time of writing Qubes-R4 was the current stable release.
  8. Also edit Whonix ™ sources.list if you are using Whonix ™ Packages for Debian Hosts.
  9. The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.


Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Onionizing Repositories&body=https://www.whonix.org/wiki/Onionizing_Repositories link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Onionizing_Repositories&title=Onionizing Repositories link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Onionizing_Repositories&t=Onionizing Repositories link=https://mastodon.technology/share?message=Onionizing Repositories%20https://www.whonix.org/wiki/Onionizing_Repositories&t=Onionizing Repositories

Check out the Whonix ™ News Blog. Rss.png

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.