RetroShare
Donate
Introduction[edit]
RetroShare
is not an anonymizing network, it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model.
RetroShare is in active development. Users can operate servers for themselves, but the architecture doesn't depend on them. Communications are encrypted end-to-end and provide for messaging, mail, forums, pubsub, file exchange and even telephony. The problems with RetroShare are the confused user interface, the necessity to have it run most of the time and contribute to the distributed hashtable (DHT, causing continuous CPU usage) and three relevant privacy aspects: You expose your social graph to a global passive adversary because friends connect to friends directly. Your public IP is available in the DHT, allowing to track your physical locations. And your visible user name is exposed in the TLS certificate when somebody connects to your RetroShare node.
Several of these problems can be solved by disabling the built-in DHT and hiding RetroShare behind a Tor onion service. People who scan Tor onion services will however still be able to connect the service and see the RetroShare user name in the self-signed certificate. This can be prevented by setting up Authenticated Onion Services and limiting connections only to trusted people.
On November 4, 2014, RetroShare scored 6 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It lost a point because there has not been an independent code audit. [1] A recent audit by the pen-testing group Elttam uncovered many bugs in the code (some remotely exploitable) that were promptly fixed. The auditor's opinion was that RetroShare's codebase lacked secure coding practice. [2]
Running RetroShare through Tor enables you, to do things, which are normally potentially dangerous, such as adding random people (from a forum), while staying anonymous. (For example, to join a RetroShare forum.) This is not a recommendation, just stating a possibility.
After adding tons of random "friends" from a public forum, connection to a very few people over TCP. [3] [4] Approximately only 5% were online. Although probably only a very small portion of the network could be seen, the content of the network looked pretty interesting.
RetroShare reports Right click → DHT Details: NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD
There still may be some privacy caveats left with RetroShare trying to communicate outside of Tor, but that doesn't matter if Whonix makes any non-Tor traffic impossible.
Installation[edit]
WARNING: RetroShare packages are signed with weak 1024 bit keys. Until this is fixed we recommend using Ricochet IM with OnionShare instead.
Security warning: Adding a third-party repository and/or installing third-party software allows the vendor to replace any software on your system, including but not limited to the installation of malware, file deletion, and data harvesting. Proceed at your own risk! See also Foreign Sources for further information. For greater safety, users adding third-party repositories should always use Multiple Whonix-Workstation™ to compartmentalize VMs with additional software.
Documentation in the Whonix wiki provides guidance on adding third-party software from various upstream repositories. This is especially useful since upstream often includes generic instructions for different Linux distributions, which may be complex for users to follow. Additionally, documentation in Whonix usually places a higher emphasis on security and verifying digital software signatures.
The instructions provided here serve as a "translation layer" from upstream documentation to Whonix, offering assistance in most scenarios. Nevertheless, it's important to recognize that upstream repositories and software may change over time. Consequently, the documentation on this wiki might require occasional updates, such as revised signing key fingerprints, to remain current and accurate.
Please note, this is a general wiki template and may not apply to all upstream documentation scenarios.
Users encountering issues, such as signing key problems, are advised to follow the Self Support First Policy and engage in Generic Bug Reproduction. This involves attempting to replicate the issue on Debian bookworm, and contacting upstream directly if the issue can be reproduced, as such problems are likely unspecific to Whonix. In most cases, Whonix is not responsible for, nor capable of resolving, issues stemming from third-party software.
For further information, refer to Introduction, User Expectations - What Documentation Is and What It Is Not.
Should the user encounter bugs related to third-party software, it is advisable to report these issues to the respective upstream projects. Additionally, users are encouraged to share links to upstream bug reports in the Whonix forums and/or make edits to this wiki page. For example, if there are outdated links or key fingerprints that need updating, please feel free to make the necessary changes. Contributions aimed at maintaining the accuracy and currency of information are highly valued. These updates not only improve the quality of the wiki but also serve as a useful resource for other users.
The Whonix wiki is an open platform where everyone is welcome to contribute improvements and edits, with or without an account. Edits to this wiki are subject to moderation, so contributors should not worry about making mistakes. Your edits will be reviewed before being made public, ensuring the integrity and accuracy of the information provided.
RetroShare is currently available on Debian 7.0 Wheezy and 6.0 Squeeze for armel, armhf, i386 and amd64 architectures and for 8.0 Jessie.
Before adding the repo [5], fetch the key and verify [6] fingerprints. Always check the fingerprint for yourself. The output at the moment is:
pub 1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <home:AsamK@build.opensuse.org>
Key fingerprint = E2CE 3677 C801 5772 D097 B0AA 9418 A479 2169 1F91
Download key with curl to home folder.
curl -o retroshare-pubkey.asc https://download.opensuse.org/repositories/network:retroshare/Debian_11/Release.key
Check fingerprints/owners without importing anything.
gpg --keyid-format long --with-fingerprint retroshare-pubkey.asc
If it looks good import into trusted.gpg.d. [7]
sudo apt-key --keyring /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg add retroshare-pubkey.asc
For stable builds:
sudo su -c "echo -e 'deb https://download.opensuse.org/repositories/network:/retroshare/Debian_11/ /' > /etc/apt/sources.list.d/retroshare06.list"
For nightly builds:
sudo su -c "echo -e 'deb https://download.opensuse.org/repositories/network:/retroshare/Debian_11/ /' > /etc/apt/retroshare06-git.list"
Update the package lists.
sudo apt update
Install Retroshare.
sudo apt install retroshare06
For the latest nightly package name install retroshare06-git instead.
Setup[edit]
RetroShare setup:
- Pick a pseudonym and password. Don't use real name or location obviously. Move your mouse to generate enough entropy.
- Check Advanced Options → Create a hidden node
- Change key-length to 4096 bits for adequate security then generate the new profile.
Configuration[edit]
I2P[edit]
Follow the steps in this guide to connect to others over I2P.
Tor[edit]
INCOMPLETE - Depends on unimplemented features for Whonix[9] [10]
On your Whonix-Gateway™.
If you want to read an introduction about onion services and to learn about about onion service security, see Onion Services.
If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Onion Services basics), see Onion Services.
Open file /usr/local/etc/torrc.d/50_user.conf in a 
text editor
of your choice, with administrative rights.
Platform specific. Select your platform.
Non-Qubes
If you are using a graphical Whonix-Gateway, take the following step.
Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf
Qubes-Whonix
If you are using Qubes-Whonix™, take the following step.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)
CLI
If you are using Whonix-Gateway with command line interface (CLI), take the following step. sudoedit /usr/local/etc/torrc.d/50_user.conf
Add. [11]
HiddenServiceDir /var/lib/tor/retroshare/ HiddenServicePort 7812 10.152.152.11:<Local Address port> HiddenServiceVersion 3
Save.
Reload Tor.
After changing Tor configuration, Tor must be reloaded for changes to take effect.
Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.
If you are using Qubes-Whonix™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway™ ProxyVM (commonly named 'sys-whonix') → Reload Tor
If you are using a graphical Whonix-Gateway, complete the following steps.
Start Menu → Applications → Settings → Reload Tor
If you are using a terminal-only Whonix-Gateway, click
HERE for instructions.
Complete the following steps.
Reload Tor.
sudo service tor@default reload
Check Tor's daemon status.
sudo service tor@default status
It should include a a message saying.
Active: active (running) since ...
In case of issues, try the following debugging steps.
Check Tor's config.
sudo -u debian-tor tor --verify-config
The output should be similar to the following.
Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf". Configuration was valid
Reminder: To get your onion service url.
sudo cat /var/lib/tor/retroshare/hostname
Reminder: Always backup the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway™, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.
/var/lib/tor/retroshare/hs_ed25519_secret_key
The following example shows how to copy the /var/lib/tor/retroshare/hs_ed25519_secret_key from the sys-whonix VM to the vault VM (which should be started beforehand) using qvm-copy. A dialog will appear asking for the destination VM.
sudo qvm-copy /var/lib/tor/retroshare/hs_ed25519_secret_key
When the dialog appears asking to confirm, select vault. This copies the Tor onion service private key file to the QubesIncoming folder of the vault VM.
/home/user/QubesIncoming/sys-whonix/hs_ed25519_secret_key
Consider moving the file from the QubesIncoming folder to another preferred location.
Qubes VM Manager can be used to conveniently backup the vault and/or other VMs. Please refer to the Qubes backups documentation for necessary steps to accomplish that.
See also:
- file manager Thunar with Administrator Rights
- File Transfer
Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.
Footnotes[edit]
- ↑
https://www.eff.org/pages/secure-messaging-scorecard
- ↑
https://www.elttam.com/blog/a-review-of-the-eff-secure-messaging-scorecard-pt1/
- ↑ Chance of working better (untested): Tunnel UDP over Tor.
- ↑ Note, in case you are using the previous footnote, Other Anonymizing Networks over Tor UDP Tunnel applies.
- ↑
https://retroshare.cc/downloads.html
- ↑
https://download.opensuse.org/repositories/network:retroshare/Debian_11/Release.key
- ↑ T o import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
- ↑
RetroShare .deb Packages installation instructions from RetroShare's third party repository
- ↑
https://github.com/RetroShare/RetroShare/issues/356
- ↑
This task is up for grabs: https://phabricator.whonix.org/T560
- ↑ Arbitrary choice of port to avoid conflicts with custom RetroShare setups.
The most watertight privacy operating system in the world.
At
Whonix we value freedom and trust, supporting Open Source and Freedom Software
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!