Difference between revisions of "Whonix"
JeremyRand (talk | contribs) (→Whonix-Gateway: Update AppArmor troubleshooting)
JeremyRand (talk | contribs) (→Known Issues: systemcheck is fixed)
(24 intermediate revisions by the same user not shown)
Latest revision as of 21:01, 7 August 2024
Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 17.
Download Whonix from the Whonix KVM download page (clearnet link).
Extract it:
tar -xvf Whonix*.libvirt.xz
Install the Whonix virtual networks:
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
Then, create two Debian Bookworm ppc64el VMs. Set the Video Model in each VM to Virtio (source 1) (source 2). When installing Debian, do not create a separate root password, name the user "user", and for the desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the instructions below in each VM.
Import the Whonix/Kicksecure signing key (source) (clearnet):
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
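The steps above download derivative.asc over TLS and copy it straight into /usr/share/keyrings, where apt will trust it for every package it signs. The check a practitioner wants in between is to confirm the key's primary fingerprint against a value obtained out-of-band before copying it. The script below is an added example written for this page, not a Whonix or Kicksecure script: EXPECTED_FPR is a placeholder (fill in the fingerprint from the Whonix documentation), the colon-format listing in SAMPLE_COLON_OUTPUT is constructed so the script runs stand-alone, and verify_key_file assumes GnuPG 2.2 or later for the --show-keys option.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki page): confirm the fingerprint of a
# downloaded .asc key file before it is copied into /usr/share/keyrings.

# PLACEHOLDER: replace with the fingerprint from the Whonix documentation,
# obtained and compared out-of-band (not from the same download channel).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Constructed sample of `gpg --with-colons --show-keys` output; NOT a real key
# listing, the fingerprint in it is made up for the stand-alone demo.
SAMPLE_COLON_OUTPUT='pub:-:4096:1:0123456789ABCDEF:1600000000:::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1600000000::0::Example Key (constructed) <example@example.invalid>::::::::::0:'

# key_fingerprints: read gpg colon-format output on stdin and print the
# fingerprint (10th field) of every "fpr" record, one per line.
key_fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# fingerprint_matches EXPECTED: succeed only if EXPECTED (spaces ignored,
# case-insensitive) is one of the fingerprints in the listing read from stdin.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    key_fingerprints | tr 'a-f' 'A-F' | grep -qxF "$want"
}

# verify_key_file FILE EXPECTED: parse FILE with gpg without importing it
# (--show-keys only lists what is inside) and compare its fingerprint.
verify_key_file() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null | fingerprint_matches "$2"
}

# Stand-alone demo on the constructed listing (no gpg needed).
if printf '%s\n' "$SAMPLE_COLON_OUTPUT" | fingerprint_matches "$EXPECTED_FPR"; then
    echo "sample listing matches EXPECTED_FPR"
else
    echo "sample listing does NOT match EXPECTED_FPR (expected: it is a placeholder)"
fi

# Real use:  sh verify_key.sh ~/derivative.asc
if [ -n "${1:-}" ]; then
    if verify_key_file "$1" "$EXPECTED_FPR"; then
        echo "fingerprint OK: $1 can be copied to /usr/share/keyrings/"
    else
        echo "fingerprint MISMATCH: do not install $1" >&2
        exit 1
    fi
fi
```

Run it against ~/derivative.asc before the sudo cp step; only copy the file when it reports OK. The comparison is done on the full 40-hex-digit fingerprint rather than the short key ID, since short IDs are cheap to collide.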
Initialize the console group (source) (clearnet):
sudo addgroup --system console
sudo adduser user console
Add the Kicksecure package repository (source) (clearnet):
sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update
Add the Whonix package repository (source) (clearnet):
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update
If you're using Trixie (Bookworm is unaffected), run the following to work around a bug in the xserver-xorg-video-qxl package that breaks Whonix (source):
echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230801/ trixie main" | sudo tee /etc/apt/sources.list.d/qxl.list
sudo apt-get update
Then, run one of the following, depending on whether you want Whonix to use XFCE or CLI-only, and whether you are installing Whonix-Gateway or Whonix-Workstation:
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
If you get a package conflict error that mentions console-common, run the following and then try again:
sudo apt-get install --no-install-recommends console-common
If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).
If you get prompted with other questions during package installation, you can choose the defaults.
The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bookworm, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):
sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list
On Trixie or higher, the Whonix sources.list is nonfunctional, so you should clear it instead:
sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list
Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):
sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
Shut off the VM.
If you're installing Whonix-Gateway, set the VM's NIC to use the Whonix-External Network source. Then add a 2nd NIC to the VM, and set it to use the Whonix-Internal Network source.
If you're installing Whonix-Workstation, set the VM's NIC to use the Whonix-Internal Network source.
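The NIC assignment above is what gives Whonix its isolation: the Workstation must reach the outside world only through the Gateway, so a Workstation NIC left on Whonix-External or on libvirt's default NAT network would let traffic bypass Tor entirely. The script below is an added example written for this page, not part of Whonix or its libvirt files: it reads a libvirt domain XML (from virsh dumpxml in real use; the XML fragments embedded here are constructed) and checks that the set of networks the VM's NICs attach to is exactly what the role requires. Names check_nics, check_vm and the sample variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki page): verify a VM's NIC-to-network
# assignment from its libvirt domain XML before booting it.
#   Workstation: exactly one NIC, on Whonix-Internal.
#   Gateway:     one NIC on Whonix-External and one on Whonix-Internal, nothing else.

# nic_networks: read domain XML on stdin, print the network name of every
# <interface> <source network='...'/> element, one per line, sorted.
nic_networks() {
    sed -n "s/.*<source network=['\"]\([^'\"]*\)['\"].*/\1/p" | LC_ALL=C sort
}

# expected_networks ROLE: the sorted network list a correct VM of ROLE has.
expected_networks() {
    case "$1" in
        gateway)     printf 'Whonix-External\nWhonix-Internal\n' ;;
        workstation) printf 'Whonix-Internal\n' ;;
        *)           echo "unknown role: $1" >&2; return 2 ;;
    esac
}

# check_nics ROLE: compare the XML on stdin with the expected list.
# Returns 0 on an exact match, 1 on any extra, missing or wrong network.
check_nics() {
    actual=$(nic_networks)
    wanted=$(expected_networks "$1") || return 2
    actual_flat=$(printf '%s' "$actual" | tr '\n' ' ')
    wanted_flat=$(printf '%s' "$wanted" | tr '\n' ' ')
    if [ "$actual" = "$wanted" ]; then
        echo "$1: OK [$actual_flat]"
        return 0
    fi
    echo "$1: MISMATCH, have [$actual_flat] want [$wanted_flat]" >&2
    return 1
}

# check_vm ROLE VMNAME: real use against a defined libvirt domain.
check_vm() {
    sudo virsh -c qemu:///system dumpxml "$2" | check_nics "$1"
}

# Constructed sample XML fragments (not real dumpxml output) for a demo.
GOOD_WS="<domain><devices>
  <interface type='network'>
    <source network='Whonix-Internal'/>
    <model type='virtio'/>
  </interface>
</devices></domain>"
BAD_WS="<domain><devices>
  <interface type='network'><source network='Whonix-Internal'/></interface>
  <interface type='network'><source network='default'/></interface>
</devices></domain>"
GOOD_GW="<domain><devices>
  <interface type='network'><source network='Whonix-Internal'/></interface>
  <interface type='network'><source network='Whonix-External'/></interface>
</devices></domain>"

# Stand-alone demo: one good Workstation, one Workstation with a leaking
# second NIC, one good Gateway.
printf '%s\n' "$GOOD_WS" | check_nics workstation
printf '%s\n' "$BAD_WS"  | check_nics workstation || true
printf '%s\n' "$GOOD_GW" | check_nics gateway

# Real use:  sh check_nics.sh workstation Whonix-Workstation
if [ -n "${2:-}" ]; then
    check_vm "$1" "$2"
fi
```

Run it for both VMs after editing the NICs and before launching them; a MISMATCH on the Workstation is the case worth stopping for, since that is the VM whose only path out should be the Gateway.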
Launch the VM again; Whonix should be running.
If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:
sudo touch /etc/apparmor.d/local/system_tor.anondist
Restart Whonix-Gateway again and Tor should work.
Known Issues
No Whonix-specific known issues.