Non-Qubes-Whonix Build Configuration. APT Repository, Onion Sources, APT Cache, VM Settings, Skip Steps, Source Code Changes

url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Usually the build configuration does not need to be changed. Whonix built from source code comes with safe defaults. The Derivative APT Repository will not be used.

The most interesting build configurations are documented in the following chapters.

If build configurations were used earlier, it might be better to delete the build configuration folder. A few example filenames may have changed since the last build.

Click = Copy Copied to clipboard! sudo rm -r /etc/buildconfig-dist.d

/etc/buildconfig-dist.d is a modular flexible .d style configuration folder.

Less popular build configurations are documented in the derivative-maker buildconfig.d folder and on the Dev/Source_Code_Intro#Build_Configuration page, but it is less user-friendly.

To avoid typos, it is best to copy and paste text when creating build configuration files. Take care that editors do not capitalize variable names which are supposed to be lower case during copy and paste procedures.

Note: All of the following build configuration steps are optional.

Platforms Choice[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.whonix.org/wiki/Build_Configuration#Platforms_Choice Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Build_Configuration#Platforms_Choice|Platforms Choice]]
Copy as Wikitext Click = Copy Copied to clipboard! [Platforms Choice](https://www.whonix.org/wiki/Build_Configuration#Platforms_Choice)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Platforms Choice](https://www.whonix.org/wiki/Build_Configuration#Platforms_Choice)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.whonix.org/wiki/Build_Configuration#Platforms_Choice]Platforms Choice[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Advanced users can create 32-bit instead of 64-bit builds.

If you are interested, click on Expand on the right.

Whonix is 64-bit by default. ^[1] ^[2]

To build Whonix 32-bit, add the following build parameter.

--arch i386

kFreeBSD is entirely untested and most likely needs additional work (see footnotes). ^[3]

Whonix for arm64 development discussion (working and tested with QEMU on Mac M1):

--arch arm64

- https://forums.whonix.org/t/whonix-for-arm64-raspberry-pi-rpi/723
- https://forums.whonix.org/t/whonix-on-mac-with-arm-m1/11310

Generally speaking, 64-bit builds cannot be created if running a 32-bit host kernel. See footnotes. ^[4] ^[5]

Derivative APT Repository[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.whonix.org/wiki/Build_Configuration#Derivative_APT_Repository Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Build_Configuration#Derivative_APT_Repository|Derivative APT Repository]]
Copy as Wikitext Click = Copy Copied to clipboard! [Derivative APT Repository](https://www.whonix.org/wiki/Build_Configuration#Derivative_APT_Repository)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Derivative APT Repository](https://www.whonix.org/wiki/Build_Configuration#Derivative_APT_Repository)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.whonix.org/wiki/Build_Configuration#Derivative_APT_Repository]Derivative APT Repository[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Non-Qubes-Whonix:
Whonix APT Repository is disabled by default ^[6] for builds from source code for reasons of Trust. Users can decide to update Whonix Debian packages by building them from source code (greater security). Alternatively, Whonix APT repository can be enabled right after building or after booting the build for the first time (greater convenience) using Whonix repository tool. To use the latter method which sacrifices security for convenience, click on Expand on the right side.

APT Onion Build Sources[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.whonix.org/wiki/Build_Configuration#APT_Onion_Build_Sources Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Build_Configuration#APT_Onion_Build_Sources|APT Onion Build Sources]]
Copy as Wikitext Click = Copy Copied to clipboard! [APT Onion Build Sources](https://www.whonix.org/wiki/Build_Configuration#APT_Onion_Build_Sources)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [APT Onion Build Sources](https://www.whonix.org/wiki/Build_Configuration#APT_Onion_Build_Sources)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.whonix.org/wiki/Build_Configuration#APT_Onion_Build_Sources]APT Onion Build Sources[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

For better build security, you can also use onions apt sources for building Whonix.

If you are interested, click on Expand on the right.

This does not ensure all of Whonix's build process will be torified! See Build Anonymity.

--connection onion

Torified or Host APT Cache[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.whonix.org/wiki/Build_Configuration#Torified_or_Host_APT_Cache Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Build_Configuration#Torified_or_Host_APT_Cache|Torified or Host APT Cache]]
Copy as Wikitext Click = Copy Copied to clipboard! [Torified or Host APT Cache](https://www.whonix.org/wiki/Build_Configuration#Torified_or_Host_APT_Cache)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Torified or Host APT Cache](https://www.whonix.org/wiki/Build_Configuration#Torified_or_Host_APT_Cache)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.whonix.org/wiki/Build_Configuration#Torified_or_Host_APT_Cache]Torified or Host APT Cache[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Using an apt cache will greatly improve build speed when building several times in a row (e.g. when debugging, during development). Whonix build script sets up an apt cache by default.

If you are interested in a torified apt-cacher-ng or host apt-cacher-ng, click on Expand on the right.

torified apt-cacher-ng

Notes:

The following torified apt-cacher-ng setup only has to be applied, if you are building using onion apt sources using --connection onion.
When building inside Whonix-Workstation^™, this is not required.

Note, this neither torifies all of the build script's connections nor hides Tor from your ISP! See Build Anonymity.

The goal of this is to torify apt-cacher-ng using torsocks so it will be able to connect to onions.

Note: This is currently broken. No fix available. Undocumented.

1. Install apt-cacher-ng, torsocks and tor.

sudo apt install apt-cacher-ng torsocks tor

2. Create folder apt-cacher-ng systemd drop-in folder /lib/systemd/system/apt-cacher-ng.service.d.

sudo mkdir -p /lib/systemd/system/apt-cacher-ng.service.d

3. Open file /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf in an editor with root rights.

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

NOTES:

When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

After applying this change, shutdown the Template.
All App Qubes based on the Template need to be restarted if they were already running.
This is a general procedure required for Qubes and unspecific to Qubes-Whonix^™.

This is just an example. Other tools could achieve the same goal.
If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /lib/systemd/system/apt-cacher-ng.service.d/50_user.conf

4. Add. ^[7]

[Service] ExecStart= ExecStart=torsocks /usr/sbin/apt-cacher-ng SocketPath=/run/apt-cacher-ng/socket -c /etc/apt-cacher-ng ForeGround=1

5. Save.

6. Reload systemd.

sudo systemctl daemon-reload

7. Restart apt-cacher-ng.

sudo systemctl restart apt-cacher-ng

8. Done.

The process of torification of apt-cacher-ng has been completed.

9. Broken!

/etc/tor/torsocks.conf add:

AllowInbound 1 AllowOutboundLocalhost 1

But this is also insufficient.

sudo journalctl -f -u apt-cacher-ng

shows errors:

WARNING torsocks[17645]: Config file not found: /etc/tor/torsocks.conf. Using default for Tor (in config_file_read() at config-file.c:583)
Couldn't listen on socket: Operation not permitted
Error creating socket: Function not implemented

No fix available. Help welcome.

host apt-cacher-ng

This is probably only useful for developers. Most users will not need the complexity of an apt-cacher-ng running outside of the VM which runs derivative-maker or on another computer.

Be sure to have a firewall, so the whole internet cannot use the apt-cacher-ng service.

When building inside a non-Whonix VM, an apt cache can be used on the host. In that case, adjust the IP accordingly and manually test that it is reachable. When building inside a (Whonix) VM, just install the apt cache inside the VM and point to a localhost apt cache.

Prepend REPO_PROXY=http://127.0.0.1:3142 before the build command.

Replace the IP 127.0.0.1 with the IP address of your host. For security reasons, this should only be done over LAN and not over the internet.

sudo REPO_PROXY=http://127.0.0.1:3142 ./derivative-maker ...

VM Settings[edit] Copy or share this direct link! Click = Copy Copied to clipboard! https://www.whonix.org/wiki/Build_Configuration#VM_Settings Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Build_Configuration#VM_Settings|VM Settings]]
Copy as Wikitext [VM Settings](https://www.whonix.org/wiki/Build_Configuration#VM_Settings)
for Discourse, reddit, GitHub [VM Settings](https://www.whonix.org/wiki/Build_Configuration#VM_Settings)
Copy as Markdown [url=https://www.whonix.org/wiki/Build_Configuration#VM_Settings]VM Settings[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Various VM settings can optionally be changed.

tested: Virtual RAM, virtual video RAM, hard drive size

untested: filesystem, hostname, password This is only relevant for VM builds.

Several examples are below. Values can be changed to suit user preferences.

VirtualBox's --vmsize option (virtual RAM).

--vmram 128

VirtualBox's --vram option (virtual video RAM).

--vram 128

grml-debootstrap's --vmsize option.

--vmsize 200G

grml-debootstrap's --filesystem option.

--filesystem ext4

grml-debootstrap's --hostname option. ^[8]

--hostname host

grml-debootstrap's --password option.

--os-password changeme

grml-debootstrap's --debopt option.

--debopt "--verbose"

Build Variables Changes[edit] Copy or share this direct link! https://www.whonix.org/wiki/Build_Configuration#Build_Variables_Changes Click below ↴ = Copy to Clipboard [[Build_Configuration#Build_Variables_Changes|Build Variables Changes]]
Copy as Wikitext [Build Variables Changes](https://www.whonix.org/wiki/Build_Configuration#Build_Variables_Changes)
for Discourse, reddit, GitHub [Build Variables Changes](https://www.whonix.org/wiki/Build_Configuration#Build_Variables_Changes)
Copy as Markdown [url=https://www.whonix.org/wiki/Build_Configuration#Build_Variables_Changes]Build Variables Changes[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

It is possible to add build configuration files snippets which can change build variables.

Build Variables[edit] Copy or share this direct link! https://www.whonix.org/wiki/Build_Configuration#Build_Variables Click below ↴ = Copy to Clipboard [[Build_Configuration#Build_Variables|Build Variables]]
Copy as Wikitext [Build Variables](https://www.whonix.org/wiki/Build_Configuration#Build_Variables)
for Discourse, reddit, GitHub [Build Variables](https://www.whonix.org/wiki/Build_Configuration#Build_Variables)
Copy as Markdown [url=https://www.whonix.org/wiki/Build_Configuration#Build_Variables]Build Variables[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

build results binary folder (derivative-binary) | Click = Copy Copied to clipboard! binary_build_folder_dist | default: $HOMEVAR/derivative-binary

See #Build Variables Changes on how to set build variables.

Skip Steps[edit] Copy or share this direct link! https://www.whonix.org/wiki/Build_Configuration#Skip_Steps Click below ↴ = Copy to Clipboard [[Build_Configuration#Skip_Steps|Skip Steps]]
Copy as Wikitext [Skip Steps](https://www.whonix.org/wiki/Build_Configuration#Skip_Steps)
for Discourse, reddit, GitHub [Skip Steps](https://www.whonix.org/wiki/Build_Configuration#Skip_Steps)
Copy as Markdown [url=https://www.whonix.org/wiki/Build_Configuration#Skip_Steps]Skip Steps[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Advanced users can opt-in to skip certain build steps and/or Debian maintenance scripts (postinst, preinst, ...).

Skip Sanity Tests

Useful to speed up the build.

--sanity-tests false

Skipping Build Steps

export SKIP_SCRIPTS+=" 1300_create-raw-image "

Skipping Chroot and/or Postinst Scripts

export SKIP_SCRIPTS+=" dist-base-files.postinst "

Look at the file names and add them. export SKIP_SCRIPTS+=" another_file_name ". Do not forget empty spaces before and after ". ^[11]

Source Code Changes[edit] Copy or share this direct link! https://www.whonix.org/wiki/Build_Configuration#Source_Code_Changes Click below ↴ = Copy to Clipboard [[Build_Configuration#Source_Code_Changes|Source Code Changes]]
Copy as Wikitext [Source Code Changes](https://www.whonix.org/wiki/Build_Configuration#Source_Code_Changes)
for Discourse, reddit, GitHub [Source Code Changes](https://www.whonix.org/wiki/Build_Configuration#Source_Code_Changes)
Copy as Markdown [url=https://www.whonix.org/wiki/Build_Configuration#Source_Code_Changes]Source Code Changes[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

If changes were made to the derivative-maker source code folder, it is the easiest to use the following build parameter.

Notes:

This is only required if changes were made to the derivative-maker source folder.
This is not required if only a customized build configuration was added to the /etc/buildconfig-dist.d folder.

--allow-uncommitted true

Or if not building from a git tag, it is the easiest to use the following build parameter.

--allow-untagged true

Otherwise, changes must be committed to git first, before creating a git tag.

Footnotes[edit] Copy or share this direct link! https://www.whonix.org/wiki/Build_Configuration#Footnotes Click below ↴ = Copy to Clipboard [[Build_Configuration#Footnotes|Footnotes]]
Copy as Wikitext [Footnotes](https://www.whonix.org/wiki/Build_Configuration#Footnotes)
for Discourse, reddit, GitHub [Footnotes](https://www.whonix.org/wiki/Build_Configuration#Footnotes)
Copy as Markdown [url=https://www.whonix.org/wiki/Build_Configuration#Footnotes]Footnotes[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

↑ State of official 64-bit builds.
↑ Don't get confused by the term amd64. It runs on both, Intel and AMD. amd64 is only how Debian names the kernel. It works equally well on Intel and AMD.

↑ kFreeBSD (32-bit).

--arch kfreebsd-i386 --kernel kfreebsd-image --headers kfreebsd-headers

kFreeBSD (64-bit).

--arch kfreebsd-amd64 --kernel kfreebsd-image --headers kfreebsd-headers

↑ https://github.com/grml/grml-debootstrap/pull/13
↑ In this case, try installing the packages linux-image-amd64 and linux-headers-amd64 on your host, then boot the amd64 kernel by choosing it in the boot menu. The whole system does not require re-installation; just be sure to boot with an amd64 kernel. Alternatively, consider to re-install your host using amd64.
↑ Since Whonix 7.3.3
↑
- The first Click = Copy Copied to clipboard! ExecStart= is to disable the default ExecStart in /lib/systemd/system/apt-cacher-ng.service.
- This is based on Click = Copy Copied to clipboard! /lib/systemd/system/apt-cacher-ng.service .
- Only Click = Copy Copied to clipboard! torsocks is prepended in front of Click = Copy Copied to clipboard! /usr/sbin/apt-cacher-ng
- No other changes.
↑ The anon-base-files package will change this later on.
↑
Since you would have to either:
- A) git commit your build config files, OR,
- B) See chapter source code changes below.
↑ This is because .. means "one level below this folder".
↑ We are expanding a bash array.

Whonix

The most watertight privacy operating system in the world.

Dark mode

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] State of official 64-bit builds.

[2] Don't get confused by the term amd64. It runs on both, Intel and AMD. amd64 is only how Debian names the kernel. It works equally well on Intel and AMD.

[3] FreeBSD (32-bit).
--arch kfreebsd-i386 --kernel kfreebsd-image --headers kfreebsd-headers

kFreeBSD (64-bit).

--arch kfreebsd-amd64 --kernel kfreebsd-image --headers kfreebsd-headers

[4] ttps://github.com/grml/grml-debootstrap/pull/13

[5] In this case, try installing the packages linux-image-amd64 and linux-headers-amd64 on your host, then boot the amd64 kernel by choosing it in the boot menu. The whole system does not require re-installation; just be sure to boot with an amd64 kernel. Alternatively, consider to re-install your host using amd64.

[6] Since Whonix 7.3.3

[7] 
The first Click = Copy Copied to clipboard! ExecStart= is to disable the default ExecStart in /lib/systemd/system/apt-cacher-ng.service.

This is based on Click = Copy Copied to clipboard! /lib/systemd/system/apt-cacher-ng.service .

Only Click = Copy Copied to clipboard! torsocks is prepended in front of Click = Copy Copied to clipboard! /usr/sbin/apt-cacher-ng

No other changes.

[8] The first Click = Copy Copied to clipboard! ExecStart= is to disable the default ExecStart in /lib/systemd/system/apt-cacher-ng.service.

[9] This is based on Click = Copy Copied to clipboard! /lib/systemd/system/apt-cacher-ng.service .

[10] Only Click = Copy Copied to clipboard! torsocks is prepended in front of Click = Copy Copied to clipboard! /usr/sbin/apt-cacher-ng

[11] No other changes.

[8] The anon-base-files package will change this later on.

[9] Since you would have to either:
A) git commit your build config files, OR,

B) See chapter source code changes below.

[14] A) git commit your build config files, OR,

[15] B) See chapter source code changes below.

[10] This is because .. means "one level below this folder".

[bash-array-11] We are expanding a bash array.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

Build Configuration

Contents

Non-Qubes-Whonix^™

Qubes-Whonix^™

Others and Alternatives

Non-Qubes-Whonix^™

Qubes-Whonix^™

Others and Alternatives

Navigation menu

Build Configuration

Non-Qubes-Whonix™

Qubes-Whonix™

Others and Alternatives

Non-Qubes-Whonix™

Qubes-Whonix™

Others and Alternatives

Navigation menu

Search

Disable server cache for this browser

Debug vis URL

Non-Qubes-Whonix^™

Qubes-Whonix^™

Non-Qubes-Whonix^™

Qubes-Whonix^™