Actions

Template

Build Configuration

From Whonix

Build Configuration (Optional)

Note: All of the following build configuration steps are optional.

Introduction

Usually the build configuration does not need to be changed. Whonix ™ built from source code comes with safe defaults. Whonix's APT Repository will not be used.

The most interesting build configurations (Terminal-Only, NoDefaultApps etc.) are documented in the following chapters.

If you are interested, click on Expand on the right.

If build configurations were used earlier, it might be better to delete the build configuration folder. A few example filenames may have changed since the last build.

sudo rm -r /etc/whonix_buildconfig.d

Alternatively, experts can manually examine the /etc/whonix_buildconfig.d folder and change its contents to suit their preferences.

/etc/whonix_buildconfig.d is a modular flexible .d style configuration folder.

Less popular build configurations are documented in the buildconfig.d folder and on the Dev/Source_Code_Intro#Build_Configuration page, but it is less user-friendly.

To avoid typos, it is best to copy and paste text when creating build configuration files. Take care that editors do not capitalize variable names which are supposed to be lower case during copy and paste procedures.

Platforms Choice

Advanced users can create 32-bit instead of 64-bit builds.

If you are interested, click on Expand on the right.

  • Whonix ™ 14 and above is 64-bit by default. [1] [2]

To build Whonix ™ 14 32-bit, add the following build parameter.

--arch i386
  • kFreeBSD is entirely untested and most likely needs additional work (see footnotes). [3]
  • Whonix ™ for arm64 development discussion:

https://forums.whonix.org/t/whonix-for-arm64

  • Generally speaking, 64-bit builds cannot be created if running a 32-bit host kernel. See footnotes. [4] [5]

Whonix ™ APT Repository

Non-Qubes-Whonix ™:
Whonix's APT Repository is disabled by default since Whonix 7.3.3 for reasons of Trust. Later on, users can decide to update Whonix Debian packages by building them from source code (greater security). Alternatively, Whonix's APT repository can be enabled right after building or after booting the build for the first time (greater convenience). To use the latter method which sacrifices security for convenience, click on Expand on the right side.

Do you want to opt-in for Whonix's APT Repository? This is set using an environment variable or build configuration. Below is an example using an environment variable.

WHONIX_APT_REPOSITORY_OPTS='--enable --repository stable'
WHONIX_APT_REPOSITORY_OPTS='--enable --repository testers'
WHONIX_APT_REPOSITORY_OPTS='--enable --repository developers'
WHONIX_APT_REPOSITORY_OPTS='--enable --codename buster'

Add an environment variable as one normally does on that specific Linux platform. For example, to enable the Whonix stable repository during build, you could set WHONIX_APT_REPOSITORY_OPTS by interjecting it between sudo and the ./whonix_build command. Below is an example. Do not use [...]. Replace it with other chosen build parameters (such as --build, --target etc.) after ./whonix_build.

sudo WHONIX_APT_REPOSITORY_OPTS='--enable --repository stable' ./whonix_build [...]

APT Onion Build Sources

For better build security, you can also use onions apt sources for building Whonix ™.

If you are interested, click on Expand on the right.

This does not ensure all of Whonix's build process will be torified!

Whonix ™ 14 and above only:

--connection onion

APT Cache


Using an apt cache will greatly improve build speed when building several times in a row (e.g. when debugging, during development).

If you are interested, click on Expand on the right.

torified apt-cacher-ng

The following torified apt-cacher-ng setup only has to be applied, if you are building using onion apt sources using --connection onion.

However, if you are building behind a Tor transparent proxy such as Whonix-Gateway ™, you can use the simpler clearnet apt-cacher-ng instructions below instead.

Ambox notice.png If you skip these steps of setting up a torified apt-cacher-ng, you must below drop and not use REPO_PROXY=http://127.0.0.1:3142.

Ambox warning pn.svg.png Note, this neither torifies all of the build script's connections nor hides Tor from your ISP!

Install apt-cacher-ng-, torsocks and tor.

sudo apt-get install apt-cacher-ng torsocks tor

Create folder apt-cacher-ng systemd drop-in folder /lib/systemd/system/apt-cacher-ng.service.d.

sudo mkdir -p /lib/systemd/system/apt-cacher-ng.service.d

Open file /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples. Other tools could archive the same goal too. If these example tools do not work for you or if you are not using Whonix, please see this link.

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

If you are using a terminal-only Whonix, run.

sudo nano /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

Add.

[Service]
ExecStart=torsocks /usr/sbin/apt-cacher-ng SocketPath=/run/apt-cacher-ng/socket -c /etc/apt-cacher-ng ForeGround=1

Save.

Reload systemd.

sudo systemctl daemon-reload

Restart apt-cacher-ng.

sudo systemctl apt-cacher-ng restart

clearnet apt-cacher-ng

sudo apt-get install apt-cacher-ng

Be sure to have a firewall, so the whole internet can not use the apt-cacher-ng service.

Prepend REPO_PROXY=http://127.0.0.1:3142 before the build command.

sudo REPO_PROXY=http://127.0.0.1:3142 ./whonix_build ...

When building inside a non-Whonix VM, an apt cache can be used on the host. In that case, adjust the IP accordingly and manually test that it is reachable. When building inside a (Whonix ™) VM, just install the apt cache inside the VM and point to a localhost apt cache.

From 14.0.1.0.7-developers-only and above Whonix automatically uses apt-cacher-ng.


VM Settings

This is only relevant for VM builds.

Several examples are below. Values can be changed to suit user preferences.

VirtualBox's --vmsize option (virtual RAM).

--vmram 128

VirtualBox's --vram option (virtual video RAM).

--vram 12

grml-debootstrap's --vmsize option.

--vmsize 200G

grml-debootstrap's --filesystem option.

--file-system ext4

grml-debootstrap's --hostname option. [6]

--hostname host

grml-debootstrap's --password option.

--os-password changeme

grml-debootstrap's --debopt option.

--debopt "--verbose"


Skip Steps

--sanity-tests false

Source Code Changes

This is only required if changes were made to the Whonix source folder! In that case click on Expand on the right.
This is not required if only a customized build configuration was added to the /etc/whonix_buildconfig.d folder.

If changes were made to the Whonix source code, it is the easiest to use the following build parameter.

--allow-uncommitted true

Or if not building from a git tag, it is the easiest to use the following build parameter.

--allow-untagged true

Otherwise, changes must be committed to git first, before creating a git tag.


No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

There are five different options for subscribing to Whonix source code changes.


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

  1. State of official 64-bit builds.
  2. Don't get confused by the term amd64. It runs on both, Intel and AMD. amd64 is only how Debian names the kernel. It works equally well on Intel and AMD.
  3. kFreeBSD (32-bit).
    --arch kfreebsd-i386 --kernel kfreebsd-image --headers kfreebsd-headers
    

    kFreeBSD (64-bit).

    --arch kfreebsd-amd64 --kernel kfreebsd-image --headers kfreebsd-headers
    
  4. https://github.com/grml/grml-debootstrap/pull/13
  5. In this case, try installing the packages linux-image-amd64 and linux-headers-amd64 on your host, then boot the amd64 kernel by choosing it in the boot menu. The whole system does not require re-installation; just be sure to boot with an amd64 kernel. Alternatively, consider to re-install your host using amd64.
  6. The anon-base-files package will change this later on.