Onionizing Repositories
Contents
Introduction[edit]
Starting with Whonix 14, Debian and Whonix packages are preferably updated using available onion services. Clearnet is used as a fallback. [1] However, users can opt to manually configure Debian and Whonix updates to take place exclusively via a Tor onion service for better security. This is currently undocumented.
Qubes package updates still point to repositories with a http:// URI. However, users can opt to manually configure Qubes package updates to take place via a Tor onion service.
There are several security and privacy benefits of using Tor onion services: [2]
- The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update).
- The package repository, or observers watching it, can't track what programs are installed.
- The ISP cannot easily learn what packages are fetched.
- End-to-end authentication and encryption provides protection against man-in-the-middle attacks (like version downgrade attacks).
 | While Qubes and Whonix maintain both v2 and v3 onion addresses, users are strongly encouraged to prefer v3 .onion connections which provide additional improvements and security benefits over the v2 legacy system. [3] |
Qubes Packages[edit]
The following commands must be run in dom0 in order to use Qubes’ Tor onion service repositories for each type of VM. [4]
The downside of this approach is that repository definitions are managed by a Qubes package, meaning manual updates are needed if the the definitions change in the future.
| Users that are currently enforcing v2 .onion connections can update their system to v3 .onion connections by replacing all instances of the http/URI address (qubes-os.org) below with sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion |
dom0[edit]
In dom0, run.
sudo sed -i 's/yum.qubes-os.org/yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo
sudo sed -i 's/yum.qubes-os.org/yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/' /etc/yum.repos.d/qubes-templates.repo && cat /etc/yum.repos.d/qubes-templates.repo
Fedora Template[edit]
To update Qubes packages in Qubes Fedora Template exclusively over onions.
In dom0, run.
qvm-run -a --nogui -p -u root <your_fedora_template> 'sed -i "s/yum.qubes-os.org/yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/" /etc/yum.repos.d/qubes-r* && cat /etc/yum.repos.d/qubes-r*'
Debian and Whonix Templates[edit]
To update Qubes packages in Qubes Debian and Whonix Template exclusively over onions.
In dom0, run.
qvm-run -a --nogui -p -u root <your_debian_template> 'sed -i "s/deb.qubes-os.org/deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/" /etc/apt/sources.list.d/qubes-r* && cat /etc/apt/sources.list.d/qubes-r*'
Fedora Packages[edit]
Updating Fedora packages in Qubes Fedora Template exclusively over onions is unavailable since Fedora does not provide updates over onions.
Whonix and Debian Packages[edit]
Whonix Templates[edit]
| Tip: From Whonix 14, the v3 onion service is preferred for Whonix package updates, while Debian's v2 onion service is also preferred for updates. Clearnet is enabled by default as well as backup. It is no longer necessary to manually configure this setting, unless you like to try onion-only. |
Debian Templates[edit]
Advanced Qubes-Whonix users may want to edit the sources.list of their Debian TemplateVM, so that it points to the Debian .onion mirrors. This is a more secure method for updates or general software installation.
1. Edit sources.list
Edit the debian.list file using an editor with root rights.
2. Reference the Onionized Debian Repositories
Note: This setting below is for Debian stretch. Modify it accordingly if Debian buster is in use.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://ftp.debian.org/debian stretch main contrib non-free deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free #deb http://security.debian.org stretch/updates main contrib non-free deb http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free #Optional Backports #deb http://ftp.debian.org/debian stretch-backports main contrib non-free deb http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free
Save and exit.
3. Confirm the Onionized Repositories are Functional
Optionally repeat steps 1 to 3 for any other Debian templates in use.
Onionize Tor Project Updates[edit]
Only complete this step if the Newer Tor versions from The Tor Project Repository are being used. The Tor Project deb apt signing key must be added first (see the link above), or the user will receive error messages when completing these steps.
Non-Qubes-Whonix and Qubes-Whonix R3.2[edit]
The following commands are run in either the Whonix-Gateway or whonix-gw-14 TemplateVM.
To onionize Tor Project updates first create a torproject.list file using an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
If you are using a terminal-only Whonix, run.
Next, cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror #deb http://deb.torproject.org/torproject.org stretch main deb http://sdscoq7snqtznauu.onion/torproject.org stretch main
Save and exit.
Qubes R4[edit]
| Qubes R4.0 and above TemplateVMs are non-network connected by default which will cause attempts to download the apt key in whonix-gw-14 to fail. [5] |
Add the Tor Signing Key[edit]
To work around this issue, users can fetch the Tor apt singing key from a (networked) anon-whonix AppVM, then copy the key over to whonix-gw-14 in a text file.
To add the Tor Project deb apt signing key, run the following in anon-whonix:
sudo apt-key adv --keyserver jirk5u4osbsr34t5.onion --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
To display the keys fingerprint, run.
Compare the fingerprint displayed in the terminal with the one listed on this website https://www.torproject.org/docs/signing-keys.html (v2 onion).
In anon-whonix, copy the Tor singing key to a new text file named tor.key
In anon-whonix, copy the tor.key text file over to whonix-gw-14.
If the following error appears, it can be safely ignored (hit "OK" when prompted).
qfile-agent: Fatal error: stat whonix-gw-14-version (error type: No such file or directory)
In whonix-gw-14, add the Tor signing key to the list of trusted keys.
Onionize the Sources File[edit]
To onionize Tor Project updates first create a torproject.list file using an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
If you are using a terminal-only Whonix, run.
Next, cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror #deb http://deb.torproject.org/torproject.org stretch main deb http://sdscoq7snqtznauu.onion/torproject.org stretch main
Save and exit.
Footnotes[edit]
- ↑ https://forums.whonix.org/t/onionizing-qubes-whonix-repositories
- ↑ https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions
- ↑ https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions
- ↑ The cat commands are optional and for confirmation only.
- ↑ https://github.com/QubesOS/qubes-issues/issues/1854
We are looking for video production specialists to help create demonstration, promotional and conceptual videos or tutorials.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)