Last update: March 17, 2019.


Onionizing Repositories

About this Onionizing Repositories Page
Support Status stable
Difficulty easy
Maintainer 0brand
Support Support

Introduction

When software packages from distributions such as Debian, Whonix ™, Fedora and Qubes are downloaded during installation of new packages or upgrades, the distribution's default package repository settings point to download sources that use the http or https transport protocol, which is non-ideal for security. Downloading over experimental Tor onion services is available for most platforms.

There are several security and privacy benefits of using Tor onion services: [1]

  • The user cannot be uniquely targeted for malicious updates - attackers are forced to attack everyone requesting the update.
  • The package repository, or observers watching it, cannot track what programs are installed.
  • The ISP cannot easily learn what packages are fetched.
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.

Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability. If this becomes an issue, users are encouraged to Re-enable Clearnet Repositories so packages can be updated.

If the term "comment" is unfamiliar, please follow this link to learn how to comment / uncomment lines in a configuration file.

Below are instructions for users of Debian, Non-Qubes-Whonix ™ and Qubes.


Qubes

Qubes dom0 and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in dom0 and for each template; note that not all templates can be completely onionized. The instructions below consider Debian Templates, Whonix ™ Templates, and the Fedora Template.

dom0

dom0 can be updated exclusively over onion services.

1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.

sudo nano /etc/yum.repos.d/qubes-dom0.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink

Save and exit.

2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.

sudo nano /etc/yum.repos.d/qubes-templates.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink

Save and exit.

3. In a dom0 terminal, confirm both onion repositories are functional.

sudo qubes-dom0-update

Debian Templates

Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.

Onionize qubes-r4.list

1. In Debian TemplateVM, open the qubes-r4.list file in a text editor.

sudo nano /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository
#deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
#deb-src http://deb.qubes-os.org/r4.0/vm stretch main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main

Save and exit.

4. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Onionize Debian sources.list

The sources.list file can be edited so it points to the Debian onion mirror. This is a more secure method than clearnet for updates and software installation.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Note: The settings below are for Debian stretch. Modify them accordingly if Debian buster is in use.

Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.

#deb http://ftp.debian.org/debian stretch main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free

#deb http://security.debian.org stretch/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free

#Optional Backports
#deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Whonix ™ Templates

Whonix templates can be updated exclusively over onion services by editing the Qubes, Debian and Whonix sources.list files so they point to the respective onion repositories.

Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™ VMs.

Onionize qubes-r4.list

1. In Whonix ™ TemplateVM, open qubes-r4.list in a text editor.

sudo nano /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository
#deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
#deb-src http://deb.qubes-os.org/r4.0/vm stretch main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main

Save and exit.

4. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Onionize debian.list

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Reference the onionized Debian repositories.

Note: The settings below are for Debian stretch. Modify them accordingly if Debian buster is in use.

Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.

#deb http://ftp.debian.org/debian stretch main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free

#deb http://security.debian.org stretch/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free

#Optional Backports
#deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Onionize whonix.list

The Whonix sources.list file can be pointed to its respective v3 onion mirror with a single command.[2] For further details on the four repository choices, see Whonix APT Repository overview.

In Whonix ™ konsole, run:

sudo whonix_repository --baseuri http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion --enable --repository stable

Next, confirm the onion repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Fedora Template

Note: Updating Fedora templates exclusively over onion services is not possible; only the related Qubes repositories can be onionized, because Fedora does not maintain onion service repositories.

1. In Fedora TemplateVM, open the qubes-r4.repo file in a text editor.[3]

sudo gedit /etc/yum.repos.d/qubes-r*.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever

Save and exit.

2. In Fedora TemplateVM, confirm the onion service repositories are functional.

sudo dnf update


Debian

Debian hosts and VMs can be onionized by editing the Debian [4] repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Reference the onionized Debian repositories.

Note: The settings below are for Debian stretch. Modify them accordingly if Debian buster is in use.

Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.

#deb http://ftp.debian.org/debian stretch main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free

#deb http://security.debian.org stretch/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free

#Optional Backports
#deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade


Non-Qubes-Whonix ™

Non-Qubes-Whonix ™ VMs can be onionized by editing both the Debian and Whonix repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in Whonix-Gateway ™ and Whonix-Workstation ™ VMs.

Debian sources.list

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Reference the onionized Debian repositories.

Note: The settings below are for Debian stretch. Modify them accordingly if Debian buster is in use.

Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.

#deb http://ftp.debian.org/debian stretch main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free

#deb http://security.debian.org stretch/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free

#Optional Backports
#deb http://ftp.debian.org/debian stretch-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade

Whonix ™ sources.list

It is possible to point the Whonix ™ sources.list to the onion mirror with a single command.[6]

To use the Whonix ™ v3 onion repository, run:

sudo whonix_repository --baseuri http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion --enable --repository stable

Confirm the onion repositories are functional.

sudo apt-get update && sudo apt-get dist-upgrade
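
A check to run after any of the procedures on this page (an added example, not part of the original wiki page or of Whonix or Qubes tooling): it lists repository lines that are still active but not served from a .onion host, for both APT sources and yum/dnf .repo files. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report repository lines that are active (not commented) and
# not served from a .onion host. Reads APT one-line sources (deb / deb-src)
# and yum/dnf .repo keys (baseurl, metalink, mirrorlist) on stdin.
clearnet_lines() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # commented out or blank
    {
        if ($1 == "deb" || $1 == "deb-src") {
            # APT layout: type [options] URI suite components
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
        } else if ($0 ~ /^[ \t]*(baseurl|metalink|mirrorlist)[ \t]*=/) {
            uri = $0
            sub("^[^=]*=[ \t]*", "", uri)
        } else next                            # section header, name=, etc.
        host = uri
        sub("^[a-z+]*://", "", host)           # drop scheme, incl. tor+http
        sub("[/:].*$", "", host)               # drop path and port
        if (host !~ /\.onion$/) print
    }'
}

# Number of active non-onion lines on stdin (0 means fully onionized).
count_clearnet() { clearnet_lines | wc -l | tr -d ' '; }

# Constructed sample: a half-finished edit mixing lines shown on this page.
SAMPLE='# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
#deb-src http://deb.qubes-os.org/r4.0/vm stretch main
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main
#deb http://ftp.debian.org/debian stretch main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb http://security.debian.org stretch/updates main contrib non-free
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever
metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink'

# Prints the three lines of the sample that still point at clearnet hosts.
printf '%s\n' "$SAMPLE" | clearnet_lines
# Real use (paths from this page):
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | clearnet_lines
#   cat /etc/yum.repos.d/*.repo | clearnet_lines
```

On a Fedora template, Fedora's own repositories will still be reported, since only the Qubes repositories have onion mirrors.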

Onionize Tor Project Updates

For enhanced security, advanced users and testers can onionize Tor Project Updates; see Tor Versioning for further details.


Footnotes

  1. https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions
  2. Take note that while Whonix ™ maintains both v2 and v3 onion addresses, it is strongly encouraged to prefer v3 .onion connections which provide additional improvements and security benefits over the v2 legacy system; see https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions.
  3. At the time of writing Qubes-R4 was the current stable release.
  4. Also edit Whonix sources.list if you are using Whonix ™ Packages for Debian Hosts
  5. Whonix APT Repository Overview
  6. Take note that while Whonix ™ maintains both v2 and v3 onion addresses, it is strongly encouraged to prefer v3 .onion connections which provide additional improvements and security benefits over the v2 legacy system. For more details, see https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
