Torify apt-get traffic

From Whonix

It is recommended to torrify APT's traffic on the host for several reasons:

  • Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
  • System updates leak sensitive security information like package versions and the varying patch levels. This information aids targeted attacks.

Follow the instructions below to torify APT traffic in Debian. [1]

1. Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

2.Edit the sources.list to include only tor:// URLs for every entry.

Open file /etc/apt/sources.list in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples. Other tools could archive the same goal too. If these example tools do not work for you or if you are not using Whonix, please see this link.

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /etc/apt/sources.list

If you are using a terminal-only Whonix, run.

sudo nano /etc/apt/sources.list

3. Save and exit.

Other URL Configurations

Alternatively, the tor+http:// URL scheme is possible. apt-transport-tor can also be combined with apt-transport-https, leading to the tor+https:// URL scheme. [2]

Note that changing to picks a mirror near to whichever Tor exit node is being used. Throughput is surprisingly fast. [3] Also be aware that all public-facing FTP services were shut down on November 1, 2017. [4]

Debian URLs can also be pointed to the available onion services http://vwakviie2ienjx6t.onion and http://sgvtcaew4bxjd7ln.onion. This is the most secure option, as no package metadata ever leaves Tor. [5] [6] [7] This URL scheme also protects from system compromise in the event APT has a critical security bug. The following entries should work in the sources list:

deb  tor+http://vwakviie2ienjx6t.onion/debian          stretch            main
deb  tor+http://vwakviie2ienjx6t.onion/debian          stretch-updates    main
deb  tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates    main

#deb tor+http://vwakviie2ienjx6t.onion/debian          stretch-backports  main