It is recommended to Torify APT's traffic on the host for many reasons:
- Each machine has its own unique selection of packages that can be used to fingerprint a system across physical networks as system updates are performed, allowing location tracking.
- System updates leak sensitive security information like package versions and the patch levels for a system. This information aids targeted attacks.
Install apt-transport-tor from Debian repos:
sudo apt-get install apt-transport-tor
Edit the sources.list to include only tor:// URLs for every entry:
Open /etc/apt/sources.list in an editor with root rights.
Alternatively, the tor+http:// URL scheme can be used. It allows combining apt-transport-tor with apt-transport-https by using tor+https://.
Note that changing
http.debian.net picks a mirror near to whichever Tor exit node you are using. Throughput is surprisingly good.
http://earthqfvaeuv5bla.onion is the most secure option as no package metadata ever leaves Tor. This protects your system from compromise even in the event of APT having a critical security bug.
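The sources.list edit described above can be checked and applied mechanically. The following is an added example, not part of the original page: the function names, the mirror.example.org host and the sample entries are constructed for illustration. It assumes the one-line `deb ...` format only; files under /etc/apt/sources.list.d/ need the same check.

```sh
#!/bin/sh
# Added example: audit and rewrite one-line-style APT source entries.

# Print every deb/deb-src entry on stdin whose URI is not tor://,
# tor+http:// or tor+https://. Exit status is 1 if any such entry exists.
non_tor_entries() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional [ option=value ... ] block (may contain spaces).
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            if ($i !~ /^tor(\+https?)?:\/\//) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Rewrite http:// and https:// URIs to tor+http:// and tor+https://,
# leaving comments and already-torified entries unchanged.
torify_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            if ($i ~ /^https?:\/\//) $i = "tor+" $i
        }
        { print }
    '
}

# Constructed sample input, not taken from a real system.
sample_sources() {
    cat <<'EOF'
# constructed sample sources.list
deb http://http.debian.net/debian stable main
deb-src [arch=amd64] https://mirror.example.org/debian stable main
deb tor+http://http.debian.net/debian stable main
EOF
}

# Show the rewritten sample; on a real host, feed /etc/apt/sources.list instead.
sample_sources | torify_sources
```

Running `non_tor_entries < /etc/apt/sources.list` after the edit should print nothing and return 0; any line it prints is an entry that would still be fetched outside Tor.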