Onionizing Repositories
From Whonix
Introduction
When software packages for Debian, Whonix ™, Fedora, Qubes (and others) are downloaded before new packages are installed or upgrades are applied, the package repository sources default to the http / https transport, which is not ideal for security. Instead, experimental Tor onion services can be configured for a number of platforms, which provides several security and privacy benefits: [1]
- The user cannot be uniquely targeted for malicious updates -- attackers are forced to attack everyone requesting the update.
- The package repository, or observers watching it, cannot track what programs are installed.
- The ISP cannot easily learn what packages are fetched.
- End-to-end authentication and encryption provides protection against man-in-the-middle attacks, like version downgrade attacks.
Be aware that enabling onion repositories may cause system updates to periodically fail due to their unreliability [archive]. If this becomes an issue, it is encouraged to Re-enable Clearnet Repositories so packages can be updated.
If the term "comment" is unfamiliar, please follow this link [archive] to learn how to comment / uncomment lines in a configuration file.
In this chapter, instructions are provided for onionizing sources on the Debian, Non-Qubes-Whonix ™ and Qubes platforms.
Qubes
Qubes dom0 and VMs can be onionized by editing the repository configuration files so they point to the corresponding onion mirrors. [2]
Complete the following steps in dom0 and for each template -- not all templates can be completely onionized. The instructions below consider Debian Templates, Whonix ™ Templates, and the Fedora Template.
dom0
dom0 can be updated exclusively over onion services.
1. In a dom0 terminal, open the qubes-dom0.repo configuration file in a text editor.
sudo nano /etc/yum.repos.d/qubes-dom0.repo
- comment the lines that contain metalink
- uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%/repodata/repomd.xml.metalink
Save and exit.
2. In a dom0 terminal, open the qubes-templates.repo configuration file in a text editor.
sudo nano /etc/yum.repos.d/qubes-templates.repo
- comment the lines that contain metalink
- uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Once completed, each of the two code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r$releasever/templates-itl
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/templates-itl
#metalink = https://yum.qubes-os.org/r$releasever/templates-itl/repodata/repomd.xml.metalink
Save and exit.
3. In a dom0 terminal, confirm both onion repositories are functional.
sudo qubes-dom0-update
Debian Templates
Debian templates can be updated exclusively over onion services. Simply edit both Qubes and Debian sources.list files so they point to the respective onion repositories.
Note: to use the tor+http configuration below, apt-transport-tor must be installed. [3] Remove tor+ from the code block if updates over Tor are unwanted.
Onionize qubes-r4.list
1. In the Debian TemplateVM, open the qubes-r4.list file in a text editor.
sudo nano /etc/apt/sources.list.d/qubes-r*.list
2. Comment the first line underneath "Main qubes updates repository".
The first code block should look similar to this.
# Main qubes updates repository
#deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm bullseye main
#deb-src http://deb.qubes-os.org/r4.0/vm bullseye main
3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".
The first code block should look similar to this.
# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main
Save and exit.
4. Confirm the onionized repositories are functional.
sudo apt update && sudo apt full-upgrade
Onionize Debian sources.list
The sources.list file can be edited so it points to the Debian onion mirror. [4] This is a more secure method than clearnet for updates and software installation.
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.
#deb https://deb.debian.org/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#Optional Backports
#deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt update && sudo apt full-upgrade
Whonix ™ Templates
Whonix ™ templates can be updated exclusively over onion services by editing the Qubes, Debian [4] and Whonix ™ sources.list files so they point to the respective onion repositories.
Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.
Onionize qubes-r4.list
1. In the Whonix ™ TemplateVM, open qubes-r4.list in a text editor.
sudo nano /etc/apt/sources.list.d/qubes-r*.list
2. Comment the first line underneath "Main qubes updates repository".
The first code block should look similar to this.
# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye main
#deb-src https://deb.qubes-os.org/r4.0/vm bullseye main
3. Uncomment the corresponding line underneath "Qubes Tor updates repositories".
The first code block should look similar to this.
# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm bullseye main
Save and exit.
4. Confirm the onionized repositories are functional.
upgrade-nonroot
Onionize debian.list
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/debian.list
2. Uncomment the onionized Debian repositories.
Uncomment the following .onion mirrors and comment out (#) the corresponding https repositories (except the fasttrack repository).
#deb tor+https://deb.debian.org/debian bullseye main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
#deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
#deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
## No onion for fasttrack yet:
## https://salsa.debian.org/fasttrack-team/support/-/issues/27
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt update && sudo apt full-upgrade
Onionize derivative.list
Follow these steps to point the Whonix ™ sources.list file to the v3 onion mirror. [5] [6] See Whonix APT Repository overview for details on the four repository choices.
1. Open the Whonix ™ sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/derivative.list
2. Uncomment the onionized Whonix ™ repository.
Uncomment the following .onion mirror and comment out (#) the corresponding https repository.
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
#deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free
Save and exit.
3. Confirm the onionized repository is functional.
upgrade-nonroot
Fedora Template
Note: Updating Fedora templates exclusively over Onion Services is not possible -- only related Qubes repositories can be onionized. The reason is Fedora does not maintain onion service repositories.
1. In the Fedora TemplateVM, open the qubes-r4.repo file in a text editor. [7]
sudo gedit /etc/yum.repos.d/qubes-r*.repo
- uncomment the lines that contain qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Once completed, each of the four code blocks will have http(s) repository lines similar to the following example.
#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever
Save and exit.
2. In Fedora TemplateVM, confirm the onion service repositories are functional.
sudo dnf update
Debian
Debian hosts and VMs can be onionized by editing the Debian [4] [8] repository configuration files so they point to the corresponding onion mirrors. Complete the following steps on Debian hosts or in Debian VMs.
Note: to use the tor+http configuration below, apt-transport-tor must be installed. [3] Remove "tor+" from the code block if updates over Tor are unwanted.
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.
#deb https://deb.debian.org/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#Optional Backports
#deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt update && sudo apt full-upgrade
Non-Qubes-Whonix ™
Non-Qubes-Whonix ™ VMs can be onionized by editing both the Debian [4] and Whonix ™ repository configuration files so they point to the corresponding onion mirrors. Complete the following steps in both Whonix-Gateway ™ and Whonix-Workstation ™.
Debian sources.list
1. Open the Debian sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/debian.list
2. Reference the onionized Debian repositories.
Cut and paste the following .onion mirrors and comment out (#) the corresponding https repositories.
#deb https://deb.debian.org/debian bullseye main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#Optional Backports
#deb https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
Save and exit.
3. Confirm the onionized repositories are functional.
sudo apt update && sudo apt full-upgrade
Whonix ™ sources.list
Follow these steps to point the Whonix ™ sources.list file to the v3 onion mirror. [5] [9] See Whonix APT Repository overview for details on the four repository choices.
1. Open the Whonix ™ sources.list file using an editor with root rights.
sudo nano /etc/apt/sources.list.d/derivative.list
2. Uncomment the onionized Whonix ™ repository.
Uncomment the following .onion mirror and comment out (#) the corresponding https repository.
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
#deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free
#deb-src [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.whonix.org bullseye main contrib non-free
Save and exit.
3. Confirm the onionized repository is functional.
upgrade-nonroot
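After editing any of the APT files above (the Qubes, Debian and Whonix ™ lists in the Debian and Whonix ™ templates, on Debian hosts, and in Non-Qubes-Whonix ™), it is easy to leave one active line on clearnet. The following is an added example, not code from the Whonix wiki: a small POSIX sh audit that lists every uncommented deb / deb-src line whose URI is not tor+http to a .onion host. It assumes only sh and awk; the sample sources file it writes is constructed to resemble debian.list after the edits, with the fasttrack entry deliberately left on clearnet over Tor as the page notes.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki: audit an APT sources file and list
# every active (uncommented) deb/deb-src line whose URI is not tor+http://<host>.onion.
# Such a line still exposes the package list to the ISP and lets the mirror
# single out this client, which is what onionizing is meant to prevent.
# Assumes POSIX sh plus awk; the sample sources file below is constructed.

# Prints offending lines and returns 1 if any exist, 0 if all are onionized.
audit_apt_sources() {
    _bad=$(awk '
        BEGIN { re = "^tor\\+http://[^/[:space:]]*\\.onion(/|$)" }
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }   # only source lines carry a URI
        {
            uri = $2
            if (uri ~ /^\[/) uri = $3             # skip an [options] field such as [signed-by=...]
            if (uri !~ re) print $0
        }' "$1")
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad"
    return 1
}

# Constructed sample resembling debian.list after the edits above: the
# fasttrack entry deliberately stays on clearnet over Tor, as the page notes.
write_sample() {
    cat > "$1" <<'EOF'
#deb tor+https://deb.debian.org/debian bullseye main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main contrib non-free
EOF
}

# Stand-alone run: write the sample, audit it, clean up.
sample=$(mktemp)
write_sample "$sample"
if audit_apt_sources "$sample"; then
    echo "every active source is onionized"
else
    echo "the lines above still fetch from a non-onion mirror"
fi
rm -f "$sample"
```

Run it against the real files with, for example, `audit_apt_sources /etc/apt/sources.list.d/debian.list`; a non-zero exit with the fasttrack line printed is the expected result on a Whonix ™ template, since that repository has no onion mirror yet.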
Onionize Tor Project Updates
For enhanced security, advanced users and testers can onionize Tor Project updates; see Tor Versioning for further details.
Footnotes
- ↑ https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian-onions [archive]
- ↑ At present, the available Qubes onion service URLs [archive] are:
Website: www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
- ↑ For support in downloading APT packages anonymously via the Tor network. To install it:
sudo apt install apt-transport-tor
- ↑ https://onion.debian.org/ [archive]
- ↑ While Whonix ™ maintains both v2 and v3 onion addresses, v3 connections should be preferred because they provide additional improvements and security benefits over the v2 legacy system, which will soon be deprecated; see here [archive] for further information.
- ↑ The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.
- ↑ At the time of writing Qubes-R4 was the current stable release.
- ↑ Also edit the Whonix ™ sources.list if you are using Whonix ™ Packages for Debian Hosts.
- ↑ The v3 onion protocol has been supported for clients and servers since Tor v0.3.2.1-alpha.
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why?)