Torify apt-get traffic

From Whonix

It is recommended to torrify APT's traffic on the host for several reasons:

  • Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
  • System updates leak sensitive security information like package versions and the varying patch levels. This information aids targeted attacks.

Follow the instructions below to torify APT traffic in Debian. [1]

1. Install apt-transport-tor from the Debian repository.

sudo apt-get install apt-transport-tor

2.Edit the sources.list to include only tor:// URLs for every entry.

Open file /etc/apt/sources.list in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/apt/sources.list

3. Save and exit.

Other URL Configurations

Alternatively, the tor+http:// URL scheme is possible. apt-transport-tor can also be combined with apt-transport-https, leading to the tor+https:// URL scheme. [2]

Note that changing to picks a mirror near to whichever Tor exit node is being used. Throughput is surprisingly fast. [3] Also be aware that all public-facing FTP services were shut down on November 1, 2017 [archive]. [4]

Debian URLs can also be pointed to the available onion services http://vwakviie2ienjx6t.onion [archive] and http://sgvtcaew4bxjd7ln.onion [archive]. This is the most secure option, as no package metadata ever leaves Tor. [5] [6] [7] This URL scheme also protects from system compromise in the event APT has a critical security bug. The following entries should work in the sources list:

deb  tor+http://vwakviie2ienjx6t.onion/debian          stretch            main
deb  tor+http://vwakviie2ienjx6t.onion/debian          stretch-updates    main
deb  tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates    main

#deb tor+http://vwakviie2ienjx6t.onion/debian          stretch-backports  main