Template:Torify apt-get traffic

It is recommended to torify APT's traffic on the host for many reasons:

  • Each machine has its own unique selection of packages that can be used to fingerprint a system across physical networks as system updates are performed, allowing location tracking.
  • System updates leak sensitive security information like package versions and the patch levels for a system. This information aids targeted attacks.


Install apt-transport-tor from Debian repos:

sudo apt-get install apt-transport-tor

Edit the sources.list to include only tor:// URLs for every entry:

Open /etc/apt/sources.list in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list



Alternatively, the tor+http:// URL scheme can be used. It also allows combining apt-transport-tor with apt-transport-https by writing tor+https://.[2]
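To check the result of the edit described above, the following added example (not part of the original template) lists every deb/deb-src entry whose URI does not use tor://, tor+http:// or tor+https://. The function names and the sample entries are constructed for illustration, and only the one-line sources.list format is handled.

```shell
#!/bin/sh
# Audit APT source lists: report each deb/deb-src entry whose URI does not
# use a Tor transport scheme (tor://, tor+http://, tor+https://).

# non_tor_entries FILE...   (hypothetical helper name)
# Prints "file:line: entry" for every non-torified entry.
# Returns 0 if all entries are torified, 1 otherwise.
non_tor_entries() {
    awk '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }  # one-line-style entries only
        {
            uri = ""; in_opts = 0
            for (i = 2; i <= NF; i++) {
                # skip an optional [ option=value ... ] block before the URI
                if (!in_opts && $i ~ /^\[/) in_opts = 1
                if (in_opts) { if ($i ~ /\]$/) in_opts = 0; continue }
                uri = $i; break
            }
            if (uri !~ /^tor(\+https?)?:\/\//) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: two torified entries, two that still leak.
sample_sources() {
    cat <<'EOF'
# constructed example sources.list
deb tor+http://ftp.us.debian.org/debian stable main
deb http://ftp.us.debian.org/debian stable main
deb-src [arch=amd64] https://ftp.us.debian.org/debian stable main
deb tor://ftp.us.debian.org/debian stable main
EOF
}

# When called with file arguments, audit them and exit non-zero on any finding.
if [ "$#" -gt 0 ]; then
    non_tor_entries "$@"
fi
```

Run it against /etc/apt/sources.list and any files under /etc/apt/sources.list.d/ after editing; no output and exit status 0 mean every entry uses a Tor scheme.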

Note that changing ftp.us.debian.org to http.debian.net picks a mirror near to whichever Tor exit node you are using. Throughput is surprisingly good.[3]

Changing Debian URLs to point to the onion addresses http://vwakviie2ienjx6t.onion or http://earthqfvaeuv5bla.onion is the most secure option as no package metadata ever leaves Tor.[4][5][6] This protects your system from compromise even in the event of APT having a critical security bug.
  1. https://packages.debian.org/apt-transport-tor
  2. https://lwn.net/Articles/672350/
  3. https://retout.co.uk/blog/2014/07/21/apt-transport-tor
  4. http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/
  5. https://onion.debian.org
  6. https://onion.torproject.org