HowTo: Install the Testers-Only Version of Qubes-Whonix ™
From Whonix
< Qubes | Install
Introduction[edit]
To install the stable version instead, see HowTo: Install the Stable Version of Qubes-Whonix ™.
Let's test these templates!
- todo
- todo
Installation[edit]
Qubes Version[edit]
Remove Old Versions[edit]
If you are already running any version of Qubes-Whonix ™, it must be uninstalled before a complete (re-)installation is performed. This applies to those who:
- Selected Qubes-Whonix ™ auto-configuration when Qubes was installed.
- Installed Qubes-Whonix ™ after installing the Qubes platform.
Before re-installation, back up any existing data stored in Whonix VMs.
In summary, three options are available (listed in order of preference):
- Uninstall Qubes-Whonix ™ and then Install Qubes-Whonix ™; OR
- Reinstall the Whonix TemplateVM; OR
- Upgrade Whonix 14 to 15
Update dom0[edit]
Launch a dom0
terminal.
Click the Qubes App Launcher (blue/grey "Q")
→ Open the Terminal Emulator (Xfce Terminal)
Upgrade Qubes dom0
. This step is mandatory. [1]
sudo qubes-dom0-update
Configure salt using Qubes dom0 Community Testing Repository[edit]
If you are a tester interested, click on Expand on the right.
The following command will configure Qubes dom0
salt to use qubes-templates-community-testing
for downloading Whonix ™. [2]
sudo qubesctl top.enable qvm.whonix-testing pillar=true
The following steps to enable the qubes-templates-community-testing
repository should no longer be required. Please report if these steps were necessary for you.
If you are a interested tester, click on Expand on the right.
1. Enable qubes-templates-community-testing
repository.
View the Qubes Templates .repo
[archive] file.
cat /etc/yum.repos.d/qubes-templates.repo
2. Ensure the file contains [qubes-templates-community-testing]
.
The following text should be included.
[qubes-templates-community-testing] name = Qubes Community Templates repository #baseurl = https://yum.qubes-os.org/r$releasever/templates-community-testing metalink = https://yum.qubes-os.org/r$releasever/templates-community-testing/repodata/repomd.xml.metalink enabled = 0 fastestmirror = 1 gpgcheck = 1 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-templates-community
3. Fix any missing sections.
If the [qubes-templates-community-testing]
section is missing, then the user has probably already modified the file. In this case dnf
[3] preserves user changes by saving updates to /etc/yum.repos.d/qubes-templates.repo.rpmnew
[4] instead of overwriting the file. Since the .repo.rpmnew
file is ignored by qubes-dom0-update
, the .repo
file must be manually updated.
Either:
- Manually add the changes from
.repo.rpmnew
to the.repo
file; or - Overwrite the
.repo
file with the.repo.rpmnew
file:-
sudo cp /etc/yum.repos.d/qubes-templates.repo.rpmnew /etc/yum.repos.d/qubes-templates.repo
- And then manually add back necessary changes. If the command fails because
/etc/yum.repos.d/qubes-templates.repo.rpmnew
does not exist, then the user probably has[qubes-templates-community-testing]
already.
-
Adjust Whonix Version Number[edit]
This step can be skipped on Qubes 4.0.2
and above when installing Whonix ™ 15.
1. In dom0
open file whonix.jinja
with root rights. [5]
sudo nano /srv/formulas/base/virtual-machines-formula/qvm/whonix.jinja
2. Change 14
to 15
.
3. Save the file.
Please report if this step was necessary for you!
Download Whonix ™ Templates and Configure sys-whonix and anon-whonix[edit]
Before executing the call in this section, note it can take a long time to finish. Fast Internet connections take only a few minutes, while slow connections can take twenty minutes or more (it is far slower over Tor). No progress indicator is shown, so do not interrupt the salt process once it has started or this can lead to an unstable system [archive]. [6]
The following qubesctl
command [7] will:
- Download both Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.
- Configure
sys-whonix
andanon-whonix
safely. [8]
In dom0
, run.
sudo qubesctl state.sls qvm.anon-whonix
Refer to the footnotes for troubleshooting tips. [9] [10] [11]
Optional: Whonix ™ DisposableVM Template VM[edit]
In Qubes R4 and above a whonix-ws-15-dvm
DisposableVM Template can optionally be set up as a base for Disposable VMs. [12]
In dom0
, run.
sudo qubesctl state.sls qvm.whonix-ws-dvm
Optional: Updates over Tor[edit]
TemplateVMs[edit]
To force all TemplateVM updates over Tor, [13] use salt in dom0
.
sudo qubesctl state.sls qvm.updates-via-whonix
To undo this setting, modify /etc/qubes-rpc/policy/qubes.UpdatesProxy
in dom0
. [14] See also How-to: Fix dom0 Qubes-Whonix ™ UpdatesProxy Settings.
dom0[edit]
To force dom0
updates over Tor, set Qubes' dom0
UpdateVM to sys-whonix
. [15]
Qube Manager
→ System
→ Global Settings
→ Dom0 UpdateVM:
sys-whonix
→ OK
To revert this change, set Qubes' dom0
UpdateVM to sys-firewall
or another preferred VM. [16]
Qubes Manager
→ System
→ Global Settings
→ Dom0 UpdateVM:
sys-firewall
→ OK
Optional: Enable AppArmor[edit]
If you are interested, click on Expand on the right.
The following steps should be completed in dom0
for both whonix-gw-15
and whonix-ws-15
TemplateVMs. [17] After these settings are applied to the Whonix ™ templates, the sys-whonix
(ProxyVM) and anon-whonix
(AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix
and anon-whonix
TemplateBasedVMs to benefit from the new kernel parameters.[18] It is also important to verify AppArmor is active in the sys-whonix
and anon-whonix
VMs after making these changes.
Whonix-Gateway ™[edit]
1. Open a dom0
terminal.
Qubes App Launcher (blue/grey "Q")
→ System Tools
→ Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-gw-15 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor
.
For example.
qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-15 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the sys-whonix
ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation ™[edit]
1. Open a dom0
terminal.
Qubes App Launcher (blue/grey "Q")
→ System Tools
→ Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-ws-15 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor
.
For example.
qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-15 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the anon-whonix
AppVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Update and Launch Applications[edit]
Before starting applications in the Whonix-Workstation ™ AppVM, update both Whonix-Gateway ™ and Whonix-Workstation ™ TemplateVMs.
To launch an application like Tor Browser:
Qubes App Launcher (blue/grey "Q")
→ Domain: anon-whonix
→ Tor Browser (AnonDist)
Additional Information[edit]
It is recommended to refer to these additional references:
- Known Issues
- Read and apply the Post Installation Security Advice.
- Stay Tuned!
Footnotes[edit]
- ↑
- This is required to make sure a recent version of Qubes repository definition files, Qubes salt, qubes-core-admin-addon-whonix [archive] as well as qubes-mgmt-salt-dom0-virtual-machines [archive] are installed.
- ↑
- ↑ Which is invoked by
qubes-dom0-update
. - ↑ Note the file extension
.repo.rpmnew
. - ↑
- ↑ add salt download progress indicator [archive]
- ↑
- ↑
- ↑
If an error message appears stating that
qubesctl
does not exist or the command is not recognized, then it is necessary to enable the testing repository and installsalt
.sudo qubes-dom0-update --best --allowerasing --enablerepo=qubes-dom0-current-testing qubes-mgmt-salt-dom0-virtual-machines
Please report if this step was necessary for you!
- ↑
Sometimes the Qubes Community Templates repository must also be enabled by editing Qubes'
dom0
repository definition files.In
dom0
.1. Open file
/etc/yum.repos.d/qubes-templates.repo
with root rights.sudo nano /etc/yum.repos.d/qubes-templates.repo
2. In section
[qubes-templates-community]
setenabled = 1
3. Save.
Please report if step this was necessary for you!
- ↑
If
qubesctl
still does not work, try shutting down Qubes OS and rebooting the machine. Please report if this step was necessary for you! - ↑ https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/whonix-ws-15-dvm.sls [archive]
- ↑
- In Qubes-R4 and above, RPC/qrexec UpdatesProxy is used to update TemplateVMs
- doc/software-update-vm/#technical-details-r40
- salt [archive]
- https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/qvm/updates-via-whonix.sls [archive]
- ↑ https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/_jI2uWPPMMA#!topic/qubes-users/_jI2uWPPMMA [archive]
- ↑
Or manually set the torified UpdateVM in
dom0
terminal.qubes-prefs updatevm sys-whonix
- ↑
To revert this change in
dom0
terminal, run.qubes-prefs updatevm sys-firewall
- ↑
While Debian has enabled AppArmor by default since the
buster
release, Fedora has not. This matters since Qubes, which is Fedora based, by default uses thedom0
(not VM) kernel. Therefore this is still required even though Whonix ™ is based on a recent enough Debian version. - ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM [archive].
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.