Onionizing Repositories
Contents
Introduction[edit]
When Whonix, Debian and Qubes packages are installed or updated, default settings point to repositories with a http:// URI. However, experimental Tor onion services are already available for the Whonix, Debian and Qubes packages.
There are several security and privacy benefits of using Tor onion services: [1]
- The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update).
- The package repository, or observers watching it, can't track what programs are installed.
- The ISP cannot easily learn what packages are fetched.
- End-to-end authentication and encryption provides protection against man-in-the-middle attacks (like version downgrade attacks).
 | While Qubes and Whonix maintain both v2 and v3 onion addresses, users are strongly encouraged to enforce v3 .onion connections which provide additional improvements and security benefits over the v2 legacy system.[2] [3] |
Qubes Packages[edit]
The following commands must be run in dom0 in order to use Qubes’ Tor onion service repositories for each type of VM. [4]
The downside of this approach is that repository definitions are managed by a Qubes package, meaning manual updates are needed if the the definitions change in the future.
| Users that are currently enforcing v2 .onion connections can update their system to v3 .onion connections by replacing all instances of the http/URI address (qubes-os.org) below with qubesos4rrrrz6n4.onion |
dom0[edit]
In dom0, run.
sudo sed -i 's/yum.qubes-os.org/yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo
sudo sed -i 's/yum.qubes-os.org/yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/' /etc/yum.repos.d/qubes-templates.repo && cat /etc/yum.repos.d/qubes-templates.repo
Fedora Template[edit]
In dom0, run.
qvm-run -a --nogui -p -u root <your_fedora_template> 'sed -i "s/yum.qubes-os.org/yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/" /etc/yum.repos.d/qubes-r* && cat /etc/yum.repos.d/qubes-r*'
Debian and Whonix Templates[edit]
In dom0, run.
qvm-run -a --nogui -p -u root <your_debian_template> 'sed -i "s/deb.qubes-os.org/deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/" /etc/apt/sources.list.d/qubes-r* && cat /etc/apt/sources.list.d/qubes-r*'
Whonix and Debian Packages[edit]
| Tip: Whonix 14 will prefer v3 Tor onion services (.onion repositories) by default, even when adding third-party resources. |
Until Whonix 14 is released, users may consider manually editing their sources.list to point to the Whonix and Debian .onion mirrors in order to install or update more securely.
The whonix.list and debian.list files in the /etc/apt/sources.list.d directory should be changed in both the Whonix-Workstation and Whonix-Gateway. Qubes-Whonix users note: Complete these steps in the whonix-gw and whonix-ws TemplateVMs.
1. Edit sources.list
In the Whonix-Gateway, edit the debian.list file using an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
kdesudo kwrite /etc/apt/sources.list.d/debian.list
If you are using a terminal-only Whonix, run.
sudo nano /etc/apt/sources.list.d/debian.list
2. Reference the Onionized Debian Repositories
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://ftp.debian.org/debian jessie main contrib non-free deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free #deb http://security.debian.org jessie/updates main contrib non-free deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free #Optional Backports #deb http://ftp.debian.org/debian jessie-backports main contrib non-free deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free
Save and exit.
3. Reference the Onionized Whonix APT Repository
| Tip: Whonix users have four package preferences available: stable, stable-proposed-updates, testers and developers. Change the entry below to reflect this preference. [5] |
To use the v3 onion, run. [6]
sudo whonix_repository --baseuri http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion --enable --repository stable
4. Confirm the Onionized Repositories are Functional
sudo apt-get update && sudo apt-get dist-upgrade
5. Repeat Steps 1 to 4 for the Whonix-Workstation
| Tip: Qubes users can repeat these steps in the Debian TemplateVM to onionize future installations and updates. |
6. Optional: Onionize Tor Project Updates
Only complete this step if the Tor versions from The Tor Project repository are being used. The Tor Project deb apt signing key must be added first (see the link above), or the user will receive error messages when completing these steps.
The following commands are run in either the Whonix-Gateway or whonix-gw TemplateVM (for Qubes R3.2 users).
Note: Qubes-R4.0 TemplateVMs are non-network connected by default which will cause attempts to download the apt key in whonix-gw to fail.[7] To work around this issue users can fetch the Tor apt singing key from a (networked) anon-whonix AppVM. Then copy the key over to whonix-gw in a text file.
To add the Tor Project deb apt signing key, run. (In anon-whonix VM for Qubes-R4.0)
| Note: Whonix 14 users must replace the address keys.gnupg.net with .onion address jirk5u4osbsr34t5.onion |
sudo apt-key adv --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
To display the keys fingerprint, run.
sudo apt-key adv --fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
Compare the fingerprint displayed in terminal with the one listed on this website https://www.torproject.org/docs/signing-keys.html
(Qubes-R4.0 only!) In anon-whonix, copy the Tor singing key to a new text file named tor.key
sudo apt-key export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 > /tmp/tor.key
(Qubes-R4.0 only!) In anon-whonix, copy the tor.key text file over to whonix-gw.
qvm-copy /tmp/tor.key whonix-gw
If the following error appears, it can be safely ignored (hit "OK" when prompted).
qfile-agent: Fatal error: stat whonix-gw-version (error type: No such file or directory)
(Qubes-R4.0 only!) In whonix-gw, add the Tor signing key to the list of trusted keys.
sudo apt-key add ~/QubesIncoming/anon-whonix/tor.key
To onionize Tor Project updates first create a torproject.list file using an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
kdesudo kwrite /etc/apt/sources.list.d/torproject.list
If you are using a terminal-only Whonix, run.
sudo nano /etc/apt/sources.list.d/torproject.list
Next, cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror #deb http://deb.torproject.org/torproject.org jessie main deb http://sdscoq7snqtznauu.onion/torproject.org jessie main
Save and exit.
Footnotes[edit]
- ↑ https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions
- ↑ https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions
- ↑ Tor v3.2 or higher must be running in Whonix-Gateway (
sys-whonix). - ↑ The cat commands are optional and for confirmation only.
- ↑ https://www.whonix.org/wiki/Whonix-APT-Repository#Whonix_APT_Repository_Overview
- ↑ Requires Tor v3.2 or above running in Whonix-Gateway (
sys-whonix). - ↑ https://github.com/QubesOS/qubes-issues/issues/1854
Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)