Onionizing Repositories: Difference between revisions

From Whonix
m (Text replacement - "#Whonix" to "#{{project_name}}")
(Remove extra space)
 
(176 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{Header}}
{{Header}}
{{title|title=
Onionizing Repositories
}}
{{#seo:
{{#seo:
|description=The guide explains how to configure Tor onion services for APT repositories to enhance security and privacy, but it may cause system updates to fail due to unreliability. The configuration provides protection against targeted and man-in-the-middle attacks and prevents tracking of installed programs.
|description=Onionizing Repositories Guide
|image=https://www.whonix.org/w/images/f/f9/Onionrepository23234.jpg
|image=Onionrepository23234.jpg
}}
}}
[[image:Onionrepository23234.jpg|thumb]]
{{Maintainer|
{{intro|
|status=stable
The guide explains how to configure experimental Tor onion services for APT repositories. The configuration provides additional security and privacy benefits, such as protection against targeted attacks, man-in-the-middle attacks and preventing tracking of installed programs, but it may cause system updates to fail due to unreliability.
|about=About this {{Code2|{{PAGENAME}}}} Page
|difficulty=easy
|maintainer=[https://forums.whonix.org/users/0brand 0brand]
|support=[[Support]]
}}
}}
= Introduction =
= Introduction =


When software packages from Debian, {{project_name_long}}, Fedora, Qubes (and others) are downloaded prior to the installation of new packages or upgrades, the package repository sources default to the http / https transport protocol, which is non-ideal for security. Instead, experimental Tor onion services can be configured for a number of platforms, which provides several security and privacy benefits: <ref>https://blog.torproject.org/tor-heart-apt-transport-tor-and-debian-onions</ref>
When {{project name}} and Debian packages are installed or updated, default settings point to repositories with a http:// URI. However, experimental Tor onion services are already available for both {{project name}} and Debian packages.


* The user cannot be uniquely targeted for malicious updates -- attackers are forced to attack everyone requesting the update.
There are several security and privacy benefits of using Tor onion services: <ref>https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions</ref>

* The user cannot be uniquely targeted for malicious updates - attackers are forced to attack everyone requesting the update.
* The package repository, or observers watching it, cannot track what programs are installed.
* The package repository, or observers watching it, cannot track what programs are installed.
* The ISP cannot easily learn what packages are fetched.
* The ISP cannot easily learn what packages are fetched.
* End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.
* End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.


Be aware that enabling onion repositories may cause system updates to periodically fail due to their [https://forums.whonix.org/t/disable-onions-by-default-due-to-unreliability/6650 unreliability]. If this becomes an issue, it is encouraged to [[Operating_System_Software_and_Updates#Non-functional_Onion_Services|Re-enable Clearnet Repositories]] so packages can be updated.
{{mbox

| type = notice
If the term "comment" is unfamiliar, please follow [https://www.howtogeek.com/118389/how-to-comment-out-and-uncomment-lines-in-a-configuration-file/ this link] to learn how to comment / uncomment lines in a configuration file.
| image = [[File:Ambox_notice.png|40px|alt=Info]]

| text = While {{project name}} maintains both v2 and v3 onion addresses, users are strongly encouraged to prefer v3 <i>.onion</i> connections which provide additional improvements and security benefits over the v2 legacy system. <ref>https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions</ref>
In this chapter, instructions are provided for onionizing sources on the [[#Debian|Debian]], [[#{{non_q_project_name_long}}|{{non_q_project_name_long}}]] and [[#Qubes|Qubes]] platforms.
}}

= Qubes =


Qubes <code>dom0</code> and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. <ref>At present, the [https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/ available Qubes onion service URLs] are:
= Qubes Packages =
<blockquote>
Website: www.{{qubes_onion}} <br />
Yum repo: yum.{{qubes_onion}} <br />
Deb repo: deb.{{qubes_onion}} <br />
ISOs: iso.{{qubes_onion}}
</blockquote></ref>


Complete the following steps in [[#dom0|<code>dom0</code>]] and for each template -- not all templates can be completely onionized. The instructions below consider [[#Debian Templates|Debian Templates]], [[#{{project_name_short}} Templates|Whonix <sup>TM</sup> Templates]], and the [[#Fedora Template|Fedora Template]].
If the term "comment" is unfamiliar, please follow [https://www.howtogeek.com/118389/how-to-comment-out-and-uncomment-lines-in-a-configuration-file/ this link] to learn how to comment / uncomment lines in a configuration file.


== dom0 ==
== dom0 ==


<code>dom0</code> can be updated exclusively over onion services.
'''1.''' In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.
{{Box|text=
'''1.''' In a <code>dom0</code> terminal, open the <code>qubes-dom0.repo</code> configuration file in a text editor.


{{CodeSelect|code=
{{CodeSelect|code=
sudo nano /etc/yum.repos.d/qubes-dom0.repo
sudoedit /etc/yum.repos.d/qubes-dom0.repo
}}
}}


* comment the lines that contain <code>metalink</code>
* comment the lines that contain <code>metalink</code>
* uncomment the lines that contain <code>{{Qubes onion}}</code>
* uncomment the lines that contain <code>{{Qubes_onion}}</code>


Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.
Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.


{{CodeSelect|code=
{{CodeSelect|code=
#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
#baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc37
baseurl = http://yum.{{Qubes onion}}/r$releasever/current/dom0/fc25
baseurl = http://yum.{{Qubes_onion}}/r$releasever/current/host/fc37
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink
#metalink = https://yum.qubes-os.org/r$releasever/current/host/fc37/repodata/repomd.xml.metalink
}}
}}


Save and exit.
Save and exit.


'''2.''' In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.
'''2.''' In a <code>dom0</code> terminal, open the <code>qubes-templates.repo</code> configuration file in a text editor.


{{CodeSelect|code=
{{CodeSelect|code=
sudo nano /etc/yum.repos.d/qubes-templates.repo
sudoedit /etc/qubes/repo-templates/qubes-templates.repo
}}
}}


* comment the lines that contain <code>metalink</code>
* comment the lines that contain <code>metalink</code>
* uncomment the lines that contain <code>{{Qubes onion}}</code>
* uncomment the lines that contain <code>{{Qubes_onion}}</code>


Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.
Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.


{{CodeSelect|code=
{{CodeSelect|code=
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.{{Qubes onion}}/r$releasever/templates-itl
baseurl = http://yum.{{Qubes_onion}}/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
}}
}}
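Review bot: the Qubes intro paragraph in this hunk hardcodes the project name in the link text <code>[[#{{project_name_short}} Templates|Whonix <sup>TM</sup> Templates]]</code> while its own link target and the neighbouring <code>[[#Debian Templates|...]]</code> / <code>[[#Fedora Template|...]]</code> links rely on page-wide naming templates; given that the most recent edit summary is a text replacement of hardcoded "Whonix" with <code>{{project_name}}</code>, consider <code>[[#{{project_name_short}} Templates|{{project_name_short}} Templates]]</code> so the display text follows future renames as well.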
Line 72: Line 80:
Save and exit.
Save and exit.


'''3.''' In dom0 terminal, confirm both http:// URI repositories are functional.
'''3.''' In <code>dom0</code> terminal, confirm both onion repositories are functional.


Using <code>--show-output --console</code> is optional but recommended because of a Qubes upstream bug. <ref>[https://github.com/QubesOS/qubes-issues/issues/7254 <code>qubes-dom0-update</code> shows <code>No updates available</code> in case of network is down / <code>qubes-dom0-update</code> fails to notice if repositories are unreachable / network is down]</ref><br />
{{CodeSelect|code=
{{CodeSelect|code=
sudo qubes-dom0-update
sudo qubes-dom0-update --show-output --console
}}
}}

== Fedora Template ==

'''1.''' In Fedora TemplateVM, open the qubes-r4.repo configuration file in a text editor.

{{CodeSelect|code=
sudo gedit /etc/yum.repos.d/qubes-r4.repo
}}
}}


== Debian Templates ==
* comment the lines that contain <code>metalink</code>
* uncomment the lines that contain <code>{{Qubes onion}}</code>


Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.
Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.


Note: to use the <code>tor+http</code> configuration below, {{kicksecure_wiki|wikipage=Advanced_Host_Security#apt-transport-tor|text=apt-transport-tor}} must be installed. <ref name=tor+http>For support in downloading APT packages anonymously via the Tor network. To install it:
{{CodeSelect|code=
{{CodeSelect|code=
sudo apt install apt-transport-tor
#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
}}</ref> Remove <code>tor+</code> from the code block if updates over Tor are unwanted.
baseurl = http://yum.{{Qubes onion}}/r4.0/current/vm/fc$releasever
}}


==== Onionize qubes-r4.list ====
Save and exit.


{{Box|text=
'''2.''' In Fedora terminal, confirm the http:// URI repositories are functional.
'''1.''' In Debian TempateVM, open the <code>qubes-r4.list</code> file in a text editor.


{{CodeSelect|code=
{{CodeSelect|code=
sudoedit /etc/apt/sources.list.d/qubes-r*.list
sudo dnf update
}}
}}


'''2.''' Comment the first line underneath "Main qubes updates repository".
== Debian and {{project name}} Templates ==


The first code block should look similar to this.
'''1.''' In Debian and {{project name}} TempateVMs, open the sources.list file in a text editor.


{{CodeSelect|code=
{{CodeSelect|code=
# Main qubes updates repository
sudo nano /etc/apt/sources.list.d/qubes-r*.list
#deb [arch=amd64] https://deb.qubes-os.org/r4.2/vm {{Stable project version based on Debian codename}} main
#deb-src https://deb.qubes-os.org/r4.2/vm {{Stable project version based on Debian codename}} main
}}
}}

'''2.''' Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

<pre> # Main qubes updates repository
#deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
#deb-src http://deb.qubes-os.org/r4.0/vm stretch main</pre>


'''3.''' Uncomment the corresponding line underneath "Qubes Tor updates repositories".
'''3.''' Uncomment the corresponding line underneath "Qubes Tor updates repositories".
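Review bot: typo in the new step 1 of "Onionize qubes-r4.list": <code>In Debian TempateVM</code> should read <code>TemplateVM</code>. In the same hunk, the new dom0 step 3 line <code>In <code>dom0</code> terminal, confirm both onion repositories are functional</code> drops the article that steps 1 and 2 use (<code>In a <code>dom0</code> terminal</code>); align the wording.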
Line 127: Line 123:
# Qubes Tor updates repositories
# Qubes Tor updates repositories
# Main qubes updates repository
# Main qubes updates repository
deb [arch=amd64] http://deb.{{Qubes onion}}/r4.0/vm stretch main
deb [arch=amd64] tor+http://deb.{{Qubes_onion}}/r4.2/vm {{Stable project version based on Debian codename}} main
#deb-src http://deb.{{Qubes onion}}/r4.0/vm stretch main
#deb-src http://deb.{{Qubes_onion}}/r4.2/vm {{Stable project version based on Debian codename}} main
}}
}}


Save and exit.
Save and exit.


'''4.''' Confirm the onionized repositories are functional.
= Fedora Packages =
It is not currently possible to update Fedora packages in Qubes' Fedora TemplateVM exclusively over [[Onion_Services|Onion Services]], since Fedora does not provide this update option.


{{CodeSelect|code=
= {{project name}} and Debian Packages =
sudo apt update && sudo apt full-upgrade

}}
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Due to issues with [https://forums.whonix.org/t/disable-onions-by-default-due-to-unreliability/6650 onion unreliability], clearnet repositories are now preferred in {{project name}} 14 by default.
}}
}}


==== Onionize Debian sources.list ====


The <code>sources.list</code> file can be edited so it points to the Debian onion mirror. <ref name=Debian_onions>https://onion.debian.org/</ref> This is a more secure method than clearnet for updates and software installation.
If users enable v2 or v3 onion repositories it is possible that system updates will periodically fail due to their unreliability. If this becomes an issue, it is recommended to [[Operating_System_Software_and_Updates#Non-functional_Onion_Services|Re-enable Clearnet Repositories]] so the {{project name}} VMs can be updated.

== Debian ==


{{Box|text=
{{mbox
{{Onionize Debian Sources.list
| type = notice
|filename=/etc/apt/sources.list
| image = [[File:Ambox_notice.png|40px|alt=Info]]
}}
| text = [[{{q project name short}}|{{q project name}}]] and [[{{non q project name short}}|{{non q project name}}]].
}}
}}


== {{project_name_short}} Templates ==


{{project_name_short}} templates can be updated exclusively over onion services by editing the Qubes, Debian <ref name=Debian_onions /> and {{project_name_short}} <code>sources.list</code> files so they point to the respective onion repositories.
Advanced users can edit the sources.list files so it points to the Debian .onion mirrors. This is a more secure method for updates and software installation. Complete the following steps in both {{gateway_product_name}} (<code>whonix-gw-14</code>) and {{workstation_product_name}} (<code>whonix-ws-14</code>).


Complete the following steps in <u>both</u> {{project_name_gateway_long}} and {{project_name_workstation_long}}.
'''1.''' Edit sources.list


==== Onionize qubes-r4.list ====
Edit the debian.list file using an editor with root rights.

{{Box|text=
'''1.''' In {{project_name_short}} TempateVM, open <code>qubes-r4.list</code> in a text editor.


{{CodeSelect|code=
{{CodeSelect|code=
sudo nano /etc/apt/sources.list.d/debian.list
sudoedit /etc/apt/sources.list.d/qubes-r*.list
}}
}}


'''2.''' Reference the onionized Debian repositories.
'''2.''' Comment the first line underneath "Main qubes updates repository".


The first code block should look similar to this.
Note: The settings below are for Debian stretch. Modify it accordingly if Debian buster is in use.

Cut and paste the following <i>.onion</i> mirrors and comment out (#) the corresponding http repositories.


{{CodeSelect|code=
{{CodeSelect|code=
# Main qubes updates repository
#deb http://ftp.debian.org/debian stretch main contrib non-free
#deb [arch=amd64] https://deb.qubes-os.org/r4.2/vm {{Stable project version based on Debian codename}} main
deb http://{{Debian_onion}}/debian stretch main contrib non-free
#deb-src https://deb.qubes-os.org/r4.2/vm {{Stable project version based on Debian codename}} main
}}


'''3.''' Uncomment the corresponding line underneath "Qubes Tor updates repositories".
#deb http://security.debian.org stretch/updates main contrib non-free
deb http://{{security.debian.org_onion}} stretch/updates main contrib non-free


The first code block should look similar to this.
#Optional Backports

#deb http://ftp.debian.org/debian stretch-backports main contrib non-free
{{CodeSelect|code=
deb http://{{Debian_onion}}/debian stretch-backports main contrib non-free
# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.{{Qubes_onion}}/r4.2/vm {{Stable project version based on Debian codename}} main
#deb-src tor+http://deb.{{Qubes_onion}}/r4.2/vm {{Stable project version based on Debian codename}} main
}}
}}


Save and exit.
Save and exit.


'''3.''' Confirm the onionized repositories are functional.
'''4.''' Confirm the onionized repositories are functional.


{{CodeSelect|code=
{{CodeSelect|code=
upgrade-nonroot
sudo apt-get update && sudo apt-get dist-upgrade
}}
}}
}}


==== Onionize debian.list ====
Optionally, repeat steps 1-3 for any other Debian templates in use.


{{Box|text=
== {{project name}} ==
'''1.''' Open the Debian <code>sources.list</code> file using an editor with root rights.


{{CodeSelect|code=
{{mbox
sudoedit /etc/apt/sources.list.d/debian.list
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = '''Tip:''' {{project name}} users have four package preferences available: stable, stable-proposed-updates, testers and developers. Change the entry below to reflect this preference.<ref>https://www.whonix.org/wiki/{{project_name_short}}-APT-Repository#{{project_name}}_APT_Repository_Overview</ref>
}}
}}


'''2.''' Uncomment the onionized Debian repositories.


Uncomment the following .onion mirrors and comment out (#) the corresponding https repositories (except the fasttrack repository).
{{project_name}} packages can be updated/installed via onion services using a single command.


{{CodeSelect|code=
To use the v3 onion, run.
#deb tor+https://deb.debian.org/debian bullseye main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
#deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free


deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
{{CodeSelect|code=
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
sudo whonix_repository --baseuri http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion --enable --repository stable
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
## No onion for fasttrack yet:
## https://salsa.debian.org/fasttrack-team/support/-/issues/27
}}
}}


Save and exit.
Next, confirm onion repositories are functional

'''3.''' Confirm the onionized repositories are functional.


{{CodeSelect|code=
{{CodeSelect|code=
sudo apt-get update && sudo apt-get dist-upgrade
sudo apt update && sudo apt full-upgrade
}}
}}

= Onionize Tor Project Updates =

Only complete this step if [[Tor_Versioning|Newer Tor versions from The Tor Project Repository]] are in use. The Tor Project deb apt signing key must be added first (see the prior link), or error messages will appear when completing these steps.

== {{non_q_project_name_short}} and [[{{q_project_name_short}}|{{q_project_name}}]] R3.2 ==

{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = Qubes R3.2 reached [https://www.qubes-os.org/news/2019/03/28/qubes-3-2-has-reached-eol/ EOL] on 28 March, 2019. It is strongly recommended to [https://www.qubes-os.org/downloads/ upgrade to Qubes R4.0] to stay safe.
}}
}}


==== Onionize derivative.list ====
Follow these steps to point the {{project_name_short}} <code>sources.list</code> file to the onion mirror. See [[Project-APT-Repository|{{project name short}} APT Repository overview]] for details on the four repository choices.


This can be done using <code>repository-dist</code> {{cli}} tool with the <code>--transport onion</code> option.
The following commands are run in either the {{gateway_product_name}} or <code>{{whonix-gw}}</code> TemplateVM.


{{Box|text=
To onionize Tor Project updates, first create a torproject.list file using an editor with root rights.
'''1.''' Open the {{project_name_short}} <code>sources.list</code> file using an editor with root rights.


{{CodeSelect|code=
If you are using a graphical {{project name}} or [[{{q_project_name_short}}|{{q_project_name}}]], run.
sudo repository-dist --enable --transport onion

{{Open with root rights|filename=
/etc/apt/sources.list.d/torproject.list
}}
}}


'''2.''' Confirm the onionized repository is functional.
Next, cut and paste the following text and comment out (#) the corresponding http repository.


{{CodeSelect|code=
{{CodeSelect|code=
upgrade-nonroot
#Tor Project Mirror
#deb http://deb.torproject.org/torproject.org {{Stable_project_version_based_on_Debian_codename}} main
deb http://{{Torproject_onion}}/torproject.org {{Stable_project_version_based_on_Debian_codename}} main
}}
}}

Save and exit.

== Qubes R4 ==

{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = In Qubes R4.0 and above, TemplateVMs are non-network connected by default. This means any attempt to download the apt key in <code>{{whonix-gw}}</code> will fail. <ref>https://github.com/QubesOS/qubes-issues/issues/1854</ref>
}}
}}


== Fedora Template ==
=== Add the Tor Signing Key ===


<u>Note:</u> Updating Fedora templates exclusively over [[Onion_Services|Onion Services]] is not possible -- only related Qubes repositories can be onionized. The reason is Fedora does not maintain onion service repositories.
As a workaround, the Tor apt singing key can be fetched from a (networked) <code>anon-whonix</code> AppVM, then copied over to <code>{{whonix-gw}}</code> in a text file.


{{Box|text=
To add the Tor Project deb apt signing key, run the following in <code>anon-whonix</code>:
'''1.''' In Fedora Template, open the <code>qubes-r4.repo</code> file in a text editor. <ref>At the time of writing Qubes-R4 was the current stable release.</ref>


{{CodeSelect|code=
{{CodeSelect|code=
sudoedit /etc/yum.repos.d/qubes-r*.repo
sudo apt-key adv --keyserver jirk5u4osbsr34t5.onion --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
}}
}}


* comment the lines that contain <code>yum.qubes-os.org</code>
To display the key's fingerprint, run.
* uncomment the lines that contain <code>{{Qubes_onion}}</code>

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.


{{CodeSelect|code=
{{CodeSelect|code=
#baseurl = https://yum.qubes-os.org/r4.2/current/vm/fc$releasever
sudo apt-key adv --fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
baseurl = http://yum.{{Qubes_onion}}/r4.2/current/vm/fc$releasever
}}
}}


Save and exit.
Compare the fingerprint displayed in the terminal with the one listed on this website https://www.torproject.org/docs/signing-keys.html ([http://expyuzz4wqqyqhjn.onion/docs/signing-keys.html v2 onion]).


'''2.''' In Fedora Template, confirm the onion service repositories are functional.
In <code>anon-whonix</code>, copy the Tor singing key to a new text file named tor.key


{{CodeSelect|code=
{{CodeSelect|code=
sudo dnf update
sudo apt-key export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 > /tmp/tor.key
}}
}}


'''3.''' Import the Qubes OS signing key if prompted.
In <code>anon-whonix</code>, copy the tor.key text file over to <code>{{whonix-gw}}</code>.

Sometimes the following message may appear. Press <code>y</code> and then <code>Enter</code>. <ref>See: [https://www.qubes-os.org/security/verifying-signatures/ Verifying signatures] for further information on signing keys.</ref> <ref>All Qubes OS signing keys can be found [https://keys.qubes-os.org/keys/ here].</ref>


{{CodeSelect|code=
{{CodeSelect|code=
Importing GPG key 0x8E34D89F:
qvm-copy /tmp/tor.key {{whonix-gw}}
Userid : "Qubes OS Release 4.2 Signing Key"
Fingerprint: 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
Is this ok [y/N]:
}}
}}
}}


= Debian =
If the following error appears, it can be safely ignored (hit "OK" when prompted).
<i>qfile-agent: Fatal error: stat {{whonix-gw}}-version (error type: No such file or directory)</i>


Debian hosts and VMs can be onionized by editing the Debian <ref name=Debian_onions /> <ref>Also edit {{project_name_short}} <code>sources.list</code> if you are using [[Packages for Debian Hosts|{{project_name_short}} Packages for Debian Hosts]].</ref> repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.
In <code>{{whonix-gw}}</code>, add the Tor signing key to the list of trusted keys.


Note: to use the <code>tor+http</code> configuration below, {{kicksecure_wiki|wikipage=Advanced_Host_Security#apt-transport-tor|text=apt-transport-tor}} must be installed. <ref name=tor+http /> Remove "tor+" from the code block if updates over Tor are unwanted.
{{CodeSelect|code=

sudo apt-key add ~/QubesIncoming/anon-whonix/tor.key
{{Box|text=
{{Onionize Debian Sources.list
|filename=/etc/apt/sources.list
}}
}}
}}


= {{non_q_project_name_short}} =
=== Onionize the Sources File ===


{{non_q_project_name_short}} VMs can be onionized by editing both the Debian <ref name=Debian_onions /> and {{project_name_short}} repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in <u>both</u> {{project_name_gateway_short}} and {{project_name_workstation_short}}.
To onionize Tor Project updates, first create a torproject.list file using an editor with root rights.


=== Debian sources.list ===
If you are using a graphical {{project name}} or [[{{q_project_name_short}}|{{q_project_name}}]], run.


{{Box|text=
{{Open with root rights|filename=
{{Onionize Debian Sources.list
/etc/apt/sources.list.d/torproject.list
|filename=/etc/apt/sources.list.d/debian.list
}}
}}
}}

=== {{project_name_short}} sources.list ===

Follow these steps to point the {{project_name_short}} <code>sources.list</code> file to the v3 onion mirror. <ref name=v2_v3>{{project_name_short}} no longer maintains v2 legacy onion addresses which were deprecated by The Tor Project in October 2021; see [https://support.torproject.org/onionservices/v2-deprecation/#topic_v2-deprecation here].</ref> <ref>The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.</ref> See [[Project-APT-Repository#Whonix_APT_Repository_Overview|Whonix APT Repository overview]] for details on the four repository choices.


{{Box|text=
If you are using a terminal-only {{project_name}}, run.
'''1.''' Open the {{project_name_short}} <code>sources.list</code> file using an editor with root rights.


{{CodeSelect|code=
{{CodeSelect|code=
sudo nano /etc/apt/sources.list.d/torproject.list
sudoedit /etc/apt/sources.list.d/derivative.list
}}
}}


'''2.''' Uncomment the onionized {{project_name_short}} repository.
Next, cut and paste the following text and comment out (#) the corresponding http repository.

Uncomment the following .onion mirror and comment out (#) the corresponding https repository.


{{CodeSelect|code=
{{CodeSelect|code=
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.{{project_onion}} {{Stable project version based on Debian codename}} main contrib non-free
#Tor Project Mirror
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.{{project_onion}} {{Stable project version based on Debian codename}} main contrib non-free
#deb http://deb.torproject.org/torproject.org {{Stable_project_version_based_on_Debian_codename}} main

deb http://{{Torproject_onion}}/torproject.org {{Stable_project_version_based_on_Debian_codename}} main
#deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org {{Stable project version based on Debian codename}} main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org {{Stable project version based on Debian codename}} main contrib non-free
}}
}}


Save and exit.
Save and exit.

'''3.''' Confirm the onionized repository is functional.

{{CodeSelect|code=
upgrade-nonroot
}}
}}

= Onionize Tor Project Updates =

For enhanced security, advanced users and testers can onionize Tor Project updates; see [[Tor_Versioning|Tor Versioning]] for further details.


= Footnotes =
= Footnotes =

{{reflist|close=1}}
{{reflist|close=1}}
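Review bot: the Debian Templates "Qubes Tor updates repositories" example is internally inconsistent: the active line is <code>deb [arch=amd64] tor+http://deb.{{Qubes_onion}}/r4.2/vm {{Stable project version based on Debian codename}} main</code> but the commented line beneath it is plain <code>#deb-src http://deb.{{Qubes_onion}}/r4.2/vm ...</code>, whereas the equivalent block for {{project_name_short}} Templates later in this hunk uses <code>tor+http://</code> on both the deb and deb-src lines. A reader who uncomments deb-src in a Debian template gets the clearnet transport the note on apt-transport-tor is meant to avoid; suggest <code>#deb-src tor+http://deb.{{Qubes_onion}}/r4.2/vm {{Stable project version based on Debian codename}} main</code>. The <code>TempateVM</code> typo also recurs in step 1 of the {{project_name_short}} Templates section.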



Latest revision as of 10:41, 15 March 2024

The guide explains how to configure experimental Tor onion services for APT repositories. The configuration provides additional security and privacy benefits, such as protection against targeted attacks, man-in-the-middle attacks and preventing tracking of installed programs, but it may cause system updates to fail due to unreliability.

Introduction

When software packages from Debian, Whonix, Fedora, Qubes (and others) are downloaded prior to the installation of new packages or upgrades, the package repository sources default to the http / https transport protocol, which is non-ideal for security. Instead, experimental Tor onion services can be configured for a number of platforms, which provides several security and privacy benefits: [1]

  • The user cannot be uniquely targeted for malicious updates -- attackers are forced to attack everyone requesting the update.
  • The package repository, or observers watching it, cannot track what programs are installed.
  • The ISP cannot easily learn what packages are fetched.
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.

Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability. If this becomes an issue, it is encouraged to Re-enable Clearnet Repositories so packages can be updated.

If the term "comment" is unfamiliar, please follow this link to learn how to comment / uncomment lines in a configuration file.

In this chapter, instructions are provided for onionizing sources on the Debian, Non-Qubes-Whonix and Qubes platforms.

Qubes

Qubes dom0 and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. [2]

Complete the following steps in dom0 and for each template -- not all templates can be completely onionized. The instructions below consider Debian Templates, Whonix TM Templates, and the Fedora Template.

dom0

dom0 can be updated exclusively over onion services.

1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.

sudoedit /etc/yum.repos.d/qubes-dom0.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc37
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/host/fc37
#metalink = https://yum.qubes-os.org/r$releasever/current/host/fc37/repodata/repomd.xml.metalink

Save and exit.

2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.

sudoedit /etc/qubes/repo-templates/qubes-templates.repo

  • comment the lines that contain metalink
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink

Save and exit.

3. In dom0 terminal, confirm both onion repositories are functional.

Using --show-output --console is optional but recommended because of a Qubes upstream bug. [3] Without these options, qubes-dom0-update can report that no updates are available when the repositories are actually unreachable, so a broken onion configuration would go unnoticed.

sudo qubes-dom0-update --show-output --console

Debian Templates

Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.

Note: to use the tor+http configuration below, apt-transport-tor must be installed. [4] Remove tor+ from the code block if updates over Tor are unwanted.

Onionize qubes-r4.list

1. In the Debian TemplateVM, open the qubes-r4.list file in a text editor.

sudoedit /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.2/vm bookworm main
#deb-src https://deb.qubes-os.org/r4.2/vm bookworm main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main

Save and exit.

4. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Onionize Debian sources.list

The sources.list file can be edited so it points to the Debian onion mirror. [5] This is a more secure method than clearnet for updates and software installation.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bookworm main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free
#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free
#Optional Backports
#deb https://deb.debian.org/debian bookworm-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Whonix Templates

Whonix templates can be updated exclusively over onion services by editing the Qubes, Debian [5] and Whonix sources.list files so they point to the respective onion repositories.

Complete the following steps in both Whonix-Gateway and Whonix-Workstation.

Onionize qubes-r4.list

1. In the Whonix TemplateVM, open qubes-r4.list in a text editor.

sudoedit /etc/apt/sources.list.d/qubes-r*.list

2. Comment the first line underneath "Main qubes updates repository".

The first code block should look similar to this.

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.2/vm bookworm main
#deb-src https://deb.qubes-os.org/r4.2/vm bookworm main

3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".

The first code block should look similar to this.

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/vm bookworm main

Save and exit.

4. Confirm the onionized repositories are functional.

upgrade-nonroot

Onionize debian.list

1. Open the Debian sources.list file using an editor with root rights.

sudoedit /etc/apt/sources.list.d/debian.list

2. Uncomment the onionized Debian repositories.

Uncomment the following .onion mirrors and comment out (#) the corresponding https repositories (except the fasttrack repository).

#deb tor+https://deb.debian.org/debian bullseye main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
#deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
## No onion for fasttrack yet:
## https://salsa.debian.org/fasttrack-team/support/-/issues/27

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Onionize derivative.list

Follow these steps to point the Whonix sources.list file to the onion mirror. See Whonix APT Repository overview for details on the four repository choices.

The onion transport is enabled with the repository-dist command line interface (CLI) tool and its --transport onion option; there is no need to edit derivative.list by hand.

1. Enable the onion transport for the Whonix repository.

sudo repository-dist --enable --transport onion

2. Confirm the onionized repository is functional.

upgrade-nonroot

Fedora Template

Note: Updating Fedora templates exclusively over onion services is not possible; only the Qubes repositories in the template can be onionized, because Fedora does not maintain onion service repositories. Fedora packages therefore still reach the template over the clearnet mirrors.

1. In Fedora Template, open the qubes-r4.repo file in a text editor. [6]

sudoedit /etc/yum.repos.d/qubes-r*.repo

  • comment the lines that contain yum.qubes-os.org
  • uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.

#baseurl = https://yum.qubes-os.org/r4.2/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.2/current/vm/fc$releasever

Save and exit.

2. In Fedora Template, confirm the onion service repositories are functional.

sudo dnf update

3. Import the Qubes OS signing key if prompted.

Sometimes the following message may appear. Press y and then Enter. [7] [8]

Importing GPG key 0x8E34D89F:
 Userid     : "Qubes OS Release 4.2 Signing Key"
 Fingerprint: 9C88 4DF3 F810 64A5 69A4 A9FA E022 E58F 8E34 D89F
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.2-primary
Is this ok [y/N]:
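The dom0 and Fedora Template steps above are the same edit applied to different .repo files: comment every active line that reaches yum.qubes-os.org (baseurl or metalink) and uncomment the lines carrying the Qubes onion address. The following POSIX shell script is an added example, not code from Qubes OS or Whonix, that performs that edit on a .repo file, keeps a .bak copy, and counts active clearnet and onion lines so the result can be checked before running qubes-dom0-update or dnf. It assumes sed, grep and mktemp (present in dom0 and Fedora); the onion address is the one quoted on this page, and the sample .repo file it writes is constructed for the demonstration and only modelled on the page's example.

```shell
#!/bin/sh
# Added example, not Qubes OS or Whonix code: automate the dom0 / Fedora
# Template edit of a Qubes yum .repo file. Active lines that reach
# yum.qubes-os.org (baseurl or metalink) are commented; commented lines that
# carry the Qubes onion address are uncommented. Assumes POSIX sh, sed, grep
# and mktemp. The onion address is the one quoted on the page; the sample
# .repo file written below is constructed for the demonstration.

QUBES_ONION='qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion'

# onionize_yum_repo FILE: rewrite FILE in place, keeping FILE.bak.
onionize_yum_repo() {
    f="$1"
    cp "$f" "$f.bak"
    sed \
        -e '/^[[:space:]]*#/!{' \
        -e '/yum\.qubes-os\.org/s/^/#/' \
        -e '}' \
        -e "/$QUBES_ONION/s/^[[:space:]]*#[[:space:]]*//" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# active_clearnet_count FILE: active baseurl/metalink lines still on yum.qubes-os.org.
active_clearnet_count() {
    grep -c -E '^[[:space:]]*(baseurl|metalink)[[:space:]]*=.*yum\.qubes-os\.org' "$1" || true
}

# active_onion_count FILE: active baseurl lines on the Qubes onion service.
active_onion_count() {
    grep -c -E "^[[:space:]]*baseurl[[:space:]]*=.*$QUBES_ONION" "$1" || true
}

# write_sample_repo FILE: constructed stand-in for /etc/yum.repos.d/qubes-dom0.repo.
write_sample_repo() {
    cat > "$1" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
#baseurl = https://yum.qubes-os.org/r$releasever/current/host/fc37
#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/host/fc37
metalink = https://yum.qubes-os.org/r$releasever/current/host/fc37/repodata/repomd.xml.metalink
enabled = 1
gpgcheck = 1

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
#baseurl = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37
#baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current-testing/host/fc37
metalink = https://yum.qubes-os.org/r$releasever/current-testing/host/fc37/repodata/repomd.xml.metalink
enabled = 0
gpgcheck = 1
EOF
}

# Usage: sh onionize-yum.sh --demo                          (rewrites a temporary sample and prints it)
#        sh onionize-yum.sh /etc/yum.repos.d/qubes-dom0.repo (as root, edits the real file)
case "${1-}" in
    --demo)
        f=$(mktemp)
        write_sample_repo "$f"
        onionize_yum_repo "$f"
        cat "$f"
        echo "active clearnet lines: $(active_clearnet_count "$f"), active onion lines: $(active_onion_count "$f")"
        rm -f "$f" "$f.bak"
        ;;
    "") ;;
    *)
        onionize_yum_repo "$1"
        echo "active clearnet lines: $(active_clearnet_count "$1"), active onion lines: $(active_onion_count "$1")"
        ;;
esac
```

After running it on a real file, a non-zero clearnet count means a line was missed and the update would still touch yum.qubes-os.org; restore from the .bak copy and inspect the file by hand.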

Debian

Debian hosts and VMs can be onionized by editing the Debian [5] [9] repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.

Note: to use the tor+http configuration below, apt-transport-tor must be installed. [4] Remove "tor+" from the code block if updates over Tor are unwanted.

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bookworm main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free
#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free
#Optional Backports
#deb https://deb.debian.org/debian bookworm-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade

Non-Qubes-Whonix

Non-Qubes-Whonix VMs can be onionized by editing both the Debian [5] and Whonix repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in both Whonix-Gateway and Whonix-Workstation.

Debian sources.list

1. Open the Debian sources.list file using an editor with root rights.

sudo nano /etc/apt/sources.list.d/debian.list

2. Reference the onionized Debian repositories.

Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.

#deb https://deb.debian.org/debian bookworm main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free
#deb https://deb.debian.org/debian-security bookworm-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bookworm-security main contrib non-free
#Optional Backports
#deb https://deb.debian.org/debian bookworm-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free

Save and exit.

3. Confirm the onionized repositories are functional.

sudo apt update && sudo apt full-upgrade
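The Debian Templates, Debian and Non-Qubes-Whonix sections above all perform the same hand edit on APT sources: keep the clearnet deb line as a comment and add the tor+http onion line next to it. The following POSIX shell script is an added example, not code from Debian, Qubes OS or Whonix, that applies that edit as a filter and then lists any active line that still points at a clearnet host, which is the check a practitioner wants before trusting that apt update no longer leaves the onion network. It goes slightly beyond the manual steps in that it also rewrites deb.qubes-os.org lines from qubes-r4.list. Assumptions: sed -E and grep are available; the onion addresses are the ones quoted on this page; security.debian.org is mapped with the /debian-security path, in the form used by the debian.list example above; the sample sources list embedded in the script is constructed for the demonstration; and the resulting tor+http lines need apt-transport-tor installed, otherwise apt fails because the tor method driver is missing.

```shell
#!/bin/sh
# Added example, not Debian, Qubes OS or Whonix code: rewrite APT sources so
# that every active deb/deb-src line for deb.debian.org, security.debian.org
# or deb.qubes-os.org is kept as a comment and followed by its tor+http onion
# equivalent. Assumes POSIX sh with sed -E and grep. Onion addresses are the
# ones quoted on the page; the sample sources below are constructed.

DEBIAN_ONION='2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion'
SECURITY_ONION='5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion'
QUBES_ONION='qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion'

# onionize_apt_sources: stdin -> stdout. Commented lines and lines for hosts
# without an onion mirror (e.g. fasttrack.debian.net) pass through unchanged.
# For a matching line: save it (h), print it commented, restore it (g) and
# rewrite the URI; the rewritten line is printed by sed's default output.
onionize_apt_sources() {
    sed -E \
        -e '/^[[:space:]]*(deb|deb-src)[[:space:]].*(deb\.debian\.org|security\.debian\.org|deb\.qubes-os\.org)/{' \
        -e 'h' \
        -e 's/^/#/' \
        -e 'p' \
        -e 'g' \
        -e 's#(tor[+])?https?://(deb|security)\.debian\.org/debian-security#tor+http://'"$SECURITY_ONION"'/debian-security#' \
        -e 's#(tor[+])?https?://deb\.debian\.org/debian([[:space:]])#tor+http://'"$DEBIAN_ONION"'/debian\2#' \
        -e 's#(tor[+])?https?://deb\.qubes-os\.org/#tor+http://deb.'"$QUBES_ONION"'/#' \
        -e '}'
}

# clearnet_apt_lines: stdin -> stdout, active deb/deb-src lines whose URI is
# not a .onion address. Anything printed here is still fetched from a clearnet
# host (through Tor exits when tor+ is used, but without the onion benefits).
clearnet_apt_lines() {
    grep -E '^[[:space:]]*(deb|deb-src)[[:space:]]' | grep -v '\.onion' || true
}

# sample_sources_list: constructed stand-in for /etc/apt/sources.list plus one
# qubes-r4.list line and the fasttrack repository, which has no onion mirror.
sample_sources_list() {
    cat <<'EOF'
deb https://deb.debian.org/debian bookworm main contrib non-free
deb https://deb.debian.org/debian-security bookworm-security main contrib non-free
#deb https://deb.debian.org/debian bookworm-backports main contrib non-free
deb [arch=amd64] https://deb.qubes-os.org/r4.2/vm bookworm main
deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
EOF
}

# Usage: sh onionize-apt.sh --demo
#        sh onionize-apt.sh /etc/apt/sources.list > sources.list.onion
#        (review the output, then install it as root and run apt update)
case "${1-}" in
    --demo)
        sample_sources_list | onionize_apt_sources
        echo '--- lines still on clearnet hosts:'
        sample_sources_list | onionize_apt_sources | clearnet_apt_lines
        ;;
    "") ;;
    *)
        onionize_apt_sources < "$1"
        echo '--- lines still on clearnet hosts:' >&2
        onionize_apt_sources < "$1" | clearnet_apt_lines >&2
        ;;
esac
```

On the sample input the only line reported as still clearnet is the fasttrack repository, which matches the page's note that fasttrack has no onion mirror yet; on a real system every reported line is a repository that will keep contacting a clearnet host after the change.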

Whonix sources.list

Follow these steps to point the Whonix sources.list file to the v3 onion mirror. [10] [11] See Whonix APT Repository overview for details on the four repository choices.

1. Open the Whonix sources.list file using an editor with root rights.

sudoedit /etc/apt/sources.list.d/derivative.list

2. Uncomment the onionized Whonix repository.

Uncomment the following .onion mirror and comment out (#) the corresponding https repository.

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main contrib non-free
#deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bookworm main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bookworm main contrib non-free

Save and exit.

3. Confirm the onionized repository is functional.

upgrade-nonroot

Onionize Tor Project Updates

For enhanced security, advanced users and testers can onionize Tor Project updates; see Tor Versioning for further details.

Footnotes

  1. https://blog.torproject.org/tor-heart-apt-transport-tor-and-debian-onions
  2. At present, the available Qubes onion service URLs are:

     Website: www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
     Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
     Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
     ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

  3. Qubes upstream bug report: qubes-dom0-update shows "No updates available" when the network is down; qubes-dom0-update fails to notice if repositories are unreachable or the network is down.
  4. apt-transport-tor adds support for downloading APT packages anonymously via the Tor network. To install it: sudo apt install apt-transport-tor
  5. https://onion.debian.org/
  6. At the time of writing, Qubes R4 was the current stable release.
  7. See the Qubes OS documentation on verifying signatures for further information on signing keys.
  8. All Qubes OS signing keys can be found in the Qubes OS documentation.
  9. Also edit the Whonix sources.list if you are using Whonix Packages for Debian Hosts.
  10. Whonix no longer maintains v2 legacy onion addresses, which were deprecated by The Tor Project in October 2021.
  11. The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.
