Onionizing Repositories
| About this Onionizing Repositories Page | |
|---|---|
| Support Status | stable |
| Difficulty | easy |
| Maintainer | 0brand |
| Support | Support |
Contents
Introduction[edit]
When Whonix, Debian and Qubes packages are installed or updated, default settings point to repositories with a http:// URI. However, experimental Tor onion services are already available for the Whonix, Debian and Qubes packages.
There are several security and privacy benefits of using Tor onion services: [1]
- The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update).
- The package repository, or observers watching it, can't track what programs are installed.
- The ISP cannot easily learn what packages are fetched.
- End-to-end authentication and encryption provides protection against man-in-the-middle attacks (like version downgrade attacks).
 | While Qubes and Whonix maintain both v2 and v3 onion addresses, users are strongly encouraged to prefer v3 .onion connections which provide additional improvements and security benefits over the v2 legacy system. [2] |
Qubes Packages[edit]
Configuring Qubes to use Tor onion service repositories for updates is a simple process. Since Qubes .onion repositories definitions are installed by default, users only need to comment out the http:// URI repository definitions and uncomment the Tor .onion repositories definitions.
If the term "comment" is unfamiliar, please follow this link to learn how to comment / uncomment lines in a configuration file.
dom0[edit]
1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.
sudo nano /etc/yum.repos.d/qubes-dom0.repo
Next, comment out (#) the 4 lines that contain 'metalink'
Then, uncomment the 4 lines that contain sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
When completed each of the 4 code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25 baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/current/dom0/fc25 #metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink
Save and exit.
2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.
sudo nano /etc/yum.repos.d/qubes-templates.repo
Next, comment out (#) all lines that contain 'metalink'
Then, uncomment all lines that contain sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
When completed each of the 2 code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/templates-itl #metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
Save and exit.
3. In dom0 terminal, confirm both onionized repositories are functional.
sudo qubes-dom0-update
Fedora Template[edit]
1. In Fedora TemplateVM, open the qubes-r4.repo configuration file in a text editor.
sudo gedit /etc/yum.repos.d/qubes-r4.repo
Next, comment out (#) all lines that contain qubes-os.org
Then, uncomment all lines that contain an sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
When completed each of the 4 code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever baseurl = http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current/vm/fc$releasever
Save and exit.
2. In Fedora terminal, confirm the onionized repositories are functional.
sudo dnf update
Debian and Whonix Templates[edit]
1. In Debian and Whonix TempateVMs, open the sources.list file in a text editor.
sudo nano /etc/apt/sources.list.d/qubes-r*.list
2. Comment out (#) the first line under Main qubes updates repository.
The first code block should look similar to this.
# Main qubes updates repository #deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main #deb-src http://deb.qubes-os.org/r4.0/vm stretch main
3. Uncomment the corresponding line under Qubes Tor updates repositories.
The first code block should look similar to this.
# Qubes Tor updates repositories # Main qubes updates repository deb [arch=amd64] http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm stretch main #deb-src http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/vm stretch main
Save and exit.
Fedora Packages[edit]
Updating Fedora packages in Qubes Fedora Template exclusively over onions is unavailable since Fedora does not provide updates over onions.
Whonix and Debian Packages[edit]
| Due to issues with onion unreliability, clearnet repositories are now preferred in Whonix 14 by default. If users wish to enable v2 or v3 onion repositories it is possible that system updates will periodically fail due to the aforementioned unreliability. If this becomes an issue, it is recommended that users Re-enable Clearnet Repositories so the Whonix VMs can be updated. |
Debian[edit]
Qubes-Whonix and Non-Qubes-Whonix.
Advanced users may wish to edit their sources.list so they point to the Debian .onion mirrors. This is a more secure method for updates or general software installation. Complete the following steps in both Whonix-Gateway (whonix-gw-14) and Whonix-Workstation (whonix-ws-14).
1. Edit sources.list
Edit the debian.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/debian.list
2. Reference the onionized Debian repositories.
Note: This setting below is for Debian stretch. Modify it accordingly if Debian buster is in use.
Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories.
#deb http://ftp.debian.org/debian stretch main contrib non-free deb http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free #deb http://security.debian.org stretch/updates main contrib non-free deb http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free #Optional Backports #deb http://ftp.debian.org/debian stretch-backports main contrib non-free deb http://vwakviie2ienjx6t.onion/debian stretch-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt-get update && sudo apt-get dist-upgrade
Optionally, repeat steps 1 to 3 for any other Debian templates in use.
Whonix[edit]
| Tip: Whonix users have four package preferences available: stable, stable-proposed-updates, testers and developers. Change the entry below to reflect this preference.[3] |
Whonix packages can be updated/installed via onion services using a single command.
To use the v3 onion, run.
sudo whonix_repository --baseuri http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion --enable --repository stable
Next, confirm onion repositories are functional
sudo apt-get update && sudo apt-get dist-upgrade
Onionize Tor Project Updates[edit]
Only complete this step if the Newer Tor versions from The Tor Project Repository are being used. The Tor Project deb apt signing key must be added first (see the link above), or the user will receive error messages when completing these steps.
Non-Qubes-Whonix and Qubes-Whonix R3.2[edit]
The following commands are run in either the Whonix-Gateway or whonix-gw-14 TemplateVM.
To onionize Tor Project updates first create a torproject.list file using an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
Open /etc/apt/sources.list.d/torproject.list in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix with KDE, run.
kdesudo kwrite /etc/apt/sources.list.d/torproject.list
If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.
kdesudo mousepad /etc/apt/sources.list.d/torproject.list
If you are using a terminal-only Whonix, run.
sudo nano /etc/apt/sources.list.d/torproject.list
Next, cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror #deb http://deb.torproject.org/torproject.org stretch main deb http://sdscoq7snqtznauu.onion/torproject.org stretch main
Save and exit.
Qubes R4[edit]
| Qubes R4.0 and above TemplateVMs are non-network connected by default which will cause attempts to download the apt key in whonix-gw-14 to fail. [4] |
Add the Tor Signing Key[edit]
To work around this issue, users can fetch the Tor apt singing key from a (networked) anon-whonix AppVM, then copy the key over to whonix-gw-14 in a text file.
To add the Tor Project deb apt signing key, run the following in anon-whonix:
sudo apt-key adv --keyserver jirk5u4osbsr34t5.onion --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
To display the keys fingerprint, run.
sudo apt-key adv --fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
Compare the fingerprint displayed in the terminal with the one listed on this website https://www.torproject.org/docs/signing-keys.html (v2 onion).
In anon-whonix, copy the Tor singing key to a new text file named tor.key
sudo apt-key export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 > /tmp/tor.key
In anon-whonix, copy the tor.key text file over to whonix-gw-14.
qvm-copy /tmp/tor.key whonix-gw-14
If the following error appears, it can be safely ignored (hit "OK" when prompted).
qfile-agent: Fatal error: stat whonix-gw-14-version (error type: No such file or directory)
In whonix-gw-14, add the Tor signing key to the list of trusted keys.
sudo apt-key add ~/QubesIncoming/anon-whonix/tor.key
Onionize the Sources File[edit]
To onionize Tor Project updates first create a torproject.list file using an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix, run.
Open /etc/apt/sources.list.d/torproject.list in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix with KDE, run.
kdesudo kwrite /etc/apt/sources.list.d/torproject.list
If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.
kdesudo mousepad /etc/apt/sources.list.d/torproject.list
If you are using a terminal-only Whonix, run.
sudo nano /etc/apt/sources.list.d/torproject.list
If you are using a terminal-only Whonix, run.
sudo nano /etc/apt/sources.list.d/torproject.list
Next, cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror #deb http://deb.torproject.org/torproject.org stretch main deb http://sdscoq7snqtznauu.onion/torproject.org stretch main
Save and exit.
Footnotes[edit]
No user support in comments. See Support.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
Please contribute by helping to answer Whonix questions.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.
Enable comment auto-refresher