Difference between revisions of "Kicksecure and Whonix"

From RCS Wiki
(Linux update is stable)
(→‎Known Issues: sdwdate, swap-file-creator, systemd-sysctl, Electrum)
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/ Kicksecure] ([https://www.kicksecure.com/ clearnet link]) can be installed on POWER.  These instructions were tested with Kicksecure 17.
+
[http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/ Kicksecure] ([https://www.kicksecure.com/ clearnet link]) and [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on POWER (KVM or host for Kicksecure, KVM for Whonix).  These instructions were tested with Kicksecure 17 and Whonix 17.
  
First, install Debian Bookworm or Sid for ppc64el or ppc64.  If installing in a VM, set the Video Model to Virtio and the Display Type to Spice ([https://github.com/Kicksecure/libvirt-dist/blob/master/usr/share/libvirt-dist/xml/Kicksecure.xml source]).  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell.
+
== Distro Morphing (Kicksecure and Whonix) ==
  
Import the Kicksecure signing key ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Signing_Key source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Signing_Key clearnet]):
+
'''If installing Kicksecure, perform this section once (in either the host or a VM, as desired). If installing Whonix, perform this section once in the Gateway VM and again in the Workstation VM.'''
 +
 
 +
First, install Debian Bookworm, Trixie, or Sid for ppc64el or ppc64.  If installing in a VM, set the Video Model to Virtio and the Display Type to Spice ([https://github.com/Kicksecure/libvirt-dist/blob/master/usr/share/libvirt-dist/xml/Kicksecure.xml source 1]) ([https://github.com/Kicksecure/libvirt-dist/blob/master/usr/share/libvirt-dist/xml/Whonix-Gateway.xml source 2]) ([https://github.com/Kicksecure/libvirt-dist/blob/master/usr/share/libvirt-dist/xml/Whonix-Workstation.xml source 3]).  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell.
 +
 
 +
Import the Kicksecure/Whonix signing key ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Signing_Key source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Signing_Key clearnet]):
  
 
  sudo apt-get update
 
  sudo apt-get update
Line 16: Line 20:
 
  sudo adduser user console
 
  sudo adduser user console
  
Add the Whonix/Kicksecure package repository ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository clearnet]):
+
Add the Kicksecure package repository ([http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository source]) ([https://www.kicksecure.com/wiki/Debian#Add_the_Kicksecure_%E2%84%A2_Repository clearnet]):
  
 
  sudo apt-get install apt-transport-tor
 
  sudo apt-get install apt-transport-tor
Line 22: Line 26:
 
  sudo apt-get update
 
  sudo apt-get update
  
Then, run one of the following, depending on whether you want Kicksecure to use XFCE or CLI-only, and whether you are installing Kicksecure in a VM or on the host:
+
On Trixie or higher, you need bugfixes from <code>legacy-dist</code> 15.9 and <code>setup-wizard-dist</code> 12.4, which means you should use <code>bookworm-developers</code> instead of <code>bookworm</code> for the Kicksecure suite. You also need <code>kicksecure-meta-packages</code> [https://github.com/Kicksecure/kicksecure-meta-packages/pull/3 PR 3] and [https://github.com/Kicksecure/kicksecure-meta-packages/pull/4 PR 4] applied.
 +
 
 +
If installing Whonix, add the Whonix package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
 +
 
 +
<nowiki>echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list</nowiki>
 +
sudo apt-get update
 +
 
 +
Then, run '''one''' of the following, depending on whether you want use XFCE or CLI-only, whether you are installing in a VM or on the host, and whether you are installing Kicksecure, Whonix-Gateway, or Whonix-Workstation:
  
 
  sudo apt-get install --no-install-recommends kicksecure-xfce-host
 
  sudo apt-get install --no-install-recommends kicksecure-xfce-host
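Review bot: the new Trixie paragraph says to use bookworm-developers instead of bookworm for the Kicksecure suite, but the Whonix repository line added directly below it hardcodes bookworm and nothing says whether Trixie users should change that one as well; state it either way. Minor: in the sentence added before the install commands, "whether you want use XFCE" is missing "to".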
Line 31: Line 42:
  
 
  sudo apt-get install --no-install-recommends kicksecure-cli-vm
 
  sudo apt-get install --no-install-recommends kicksecure-cli-vm
 +
 +
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
 +
 +
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
 +
 +
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
 +
 +
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
  
 
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
 
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
Line 40: Line 59:
 
If you get prompted with other questions during package installation, you can choose the defaults.
 
If you get prompted with other questions during package installation, you can choose the defaults.
  
The Kicksecure packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  If you're using Bullseye, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
The Kicksecure/Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>.  If you're using Bookworm, that means you should clear the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
 
  sudo rm /etc/apt/sources.list
 
  sudo rm /etc/apt/sources.list
Line 46: Line 65:
 
  sudo rm /etc/apt/sources.list.d/backports.list
 
  sudo rm /etc/apt/sources.list.d/backports.list
  
On Bookworm or higher, the Kicksecure <code>sources.list</code> is nonfunctional, so you should clear it instead:
+
On Trixie or higher, the Kicksecure/Whonix <code>sources.list</code> is nonfunctional, so you should clear it instead:
  
 
  sudo rm /etc/apt/sources.list.d/debian.list
 
  sudo rm /etc/apt/sources.list.d/debian.list
Line 56: Line 75:
 
  echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
 
  echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
  
Reboot the machine; Kicksecure installation is complete.
+
Shut off the machine. If you're installing Kicksecure, you're done, you can start up the machine again, and Kicksecure should be running.
 +
 
 +
== Network Setup (Whonix Only) ==
 +
 
 +
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
 +
 
 +
Extract it:
 +
 
 +
tar -xvf Whonix*.libvirt.xz
 +
 
 +
Install the Whonix virtual networks:
 +
 
 +
sudo virsh -c qemu:///system net-define Whonix_external*.xml
 +
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
 +
sudo virsh -c qemu:///system net-autostart Whonix-External
 +
sudo virsh -c qemu:///system net-start Whonix-External
 +
sudo virsh -c qemu:///system net-autostart Whonix-Internal
 +
sudo virsh -c qemu:///system net-start Whonix-Internal
 +
 
 +
Set the Whonix-Gateway VM's NIC to use the <code>Whonix-External</code> Network source.
 +
 
 +
Add a 2nd NIC to the Whonix-Gateway VM, and set it to use the <code>Whonix-Internal</code> Network source.
 +
 
 +
Set the Whonix-Workstation VM's NIC to use the <code>Whonix-Internal</code> Network source.
 +
 
 +
Launch both Whonix VM's; Whonix should be running.
 +
 
 +
If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue.  You can fix it by running the following:
 +
 
 +
sudo touch /etc/apparmor.d/local/system_tor.anondist
 +
 
 +
Restart Whonix-Gateway again and Tor should work.
  
 
== Known Issues ==
 
== Known Issues ==
  
None.
+
On Kicksecure ppc64 (morphed from Sid), the following services fail to start:
 +
 
 +
* <code>sdwdate</code>, looks like a seccomp issue.
 +
* <code>swap-file-creator</code>, error unclear.
 +
* <code>systemd-sysctl</code>, might be an issue with having kernels with multiple page sizes installed.
 +
 
 +
On Kicksecure ppc64 (morphed from Sid), Electrum fails to launch with <code>Could not initialize GLX</code>; this might be unrelated to Kicksecure/Whonix (might be a generic BE bug in Electrum and/or Qt).
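Review bot: in the new Network Setup section, the download step is followed directly by tar -xvf Whonix*.libvirt.xz with no verification of the archive in between; add a step (or a link to where that is documented) for checking the archive's signature before extracting it and defining networks from its XML files. Minor: "Whonix VM's" should be "Whonix VMs", and "Restart Whonix-Gateway again" can drop "again".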

Latest revision as of 12:04, 27 April 2025

Kicksecure (clearnet link) and Whonix (clearnet link) can be installed on POWER (KVM or host for Kicksecure, KVM for Whonix). These instructions were tested with Kicksecure 17 and Whonix 17.

Distro Morphing (Kicksecure and Whonix)

If installing Kicksecure, perform this section once (in either the host or a VM, as desired). If installing Whonix, perform this section once in the Gateway VM and again in the Workstation VM.

First, install Debian Bookworm, Trixie, or Sid for ppc64el or ppc64. If installing in a VM, set the Video Model to Virtio and the Display Type to Spice (source 1) (source 2) (source 3). When installing Debian, do not create a separate root password, name the user "user", and for desktop environment either pick XFCE or do not install one. Launch a shell.

Import the Kicksecure/Whonix signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
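
The curl step above relies on TLS alone to authenticate the key. As an added example (not from the original page or the Kicksecure project), the script below compares the key file's primary fingerprint against a value obtained out of band before the keyring is relied on; EXPECTED_FPR is a placeholder and the colon records are constructed.

```shell
#!/bin/sh
# Added example: check a downloaded key file's primary fingerprint against a
# value obtained out of band before APT is pointed at it with signed-by=.

# Placeholder, NOT a real fingerprint: substitute the 40-hex-digit value the
# project publishes, confirmed through a second channel.
EXPECTED_FPR="REPLACE_WITH_PUBLISHED_FINGERPRINT"

# Read `gpg --with-colons` records on stdin and print primary-key fingerprints.
# The "fpr" record directly after a "pub" record belongs to the primary key;
# fingerprints following "sub" records are subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Strip spaces and upper-case hex digits so pasted fingerprints compare cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if stdin holds exactly one primary key and it matches $1.
fpr_matches() {
    fprs=$(primary_fprs)
    [ -n "$fprs" ] && [ "$fprs" = "$(normalize_fpr "$1")" ]
}

# usage: verify_keyfile <key-file> <expected-fingerprint>
verify_keyfile() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$2"
}

# Constructed records in gpg's colon format (not a real key).
SAMPLE_RECORDS='pub:-:4096:1:89ABCDEF01234567:1388534400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1388534400::::Constructed Example <key@example.invalid>:
sub:-:4096:1:76543210FEDCBA98:1388534400::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
'

if printf '%s' "$SAMPLE_RECORDS" | fpr_matches "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"; then
    echo "sample: fingerprint matches"
fi
# Real use, fails closed while EXPECTED_FPR is still the placeholder:
#   verify_keyfile ~/derivative.asc "$EXPECTED_FPR" || echo "DO NOT install this key"
```
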

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

On Trixie or higher, you need bugfixes from legacy-dist 15.9 and setup-wizard-dist 12.4, which means you should use bookworm-developers instead of bookworm for the Kicksecure suite. You also need kicksecure-meta-packages PR 3 and PR 4 applied.

If installing Whonix, add the Whonix package repository (source) (clearnet):

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update

Then, run one of the following, depending on whether you want to use XFCE or CLI-only, whether you are installing in a VM or on the host, and whether you are installing Kicksecure, Whonix-Gateway, or Whonix-Workstation:

sudo apt-get install --no-install-recommends kicksecure-xfce-host
sudo apt-get install --no-install-recommends kicksecure-xfce-vm
sudo apt-get install --no-install-recommends kicksecure-cli-host
sudo apt-get install --no-install-recommends kicksecure-cli-vm
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).

If you get prompted with other questions during package installation, you can choose the defaults.

The Kicksecure/Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bookworm, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list

On Trixie or higher, the Kicksecure/Whonix sources.list is nonfunctional, so you should clear it instead:

sudo rm /etc/apt/sources.list.d/debian.list
sudo touch /etc/apt/sources.list.d/debian.list

Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):

sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf

Shut off the machine. If you're installing Kicksecure, you're done: start the machine again and Kicksecure should be running.

Network Setup (Whonix Only)

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Set the Whonix-Gateway VM's NIC to use the Whonix-External Network source.

Add a 2nd NIC to the Whonix-Gateway VM, and set it to use the Whonix-Internal Network source.

Set the Whonix-Workstation VM's NIC to use the Whonix-Internal Network source.

Launch both Whonix VMs; Whonix should be running.
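
The three NIC assignments above are what keep the Workstation's traffic behind the Gateway, so they are worth checking mechanically. The script below is an added example, not from the original wiki page or the Whonix project: it parses `virsh domiflist` output and fails if a VM is attached to anything other than the expected networks; the VM labels and sample tables are constructed.

```shell
#!/bin/sh
# Added example: audit Whonix NIC wiring from `virsh domiflist` output.
# The sample tables below are constructed; on a real host, pipe in e.g.
#   sudo virsh -c qemu:///system domiflist <your-vm-name>

# Print the sorted, comma-joined network sources of every NIC row on stdin.
# Header and separator lines are skipped; rows of any type are kept so that
# a bridge or NAT attachment is reported instead of silently ignored.
nic_sources() {
    awk 'NF >= 5 && $1 != "Interface" { print $3 }' | LC_ALL=C sort | paste -sd, -
}

# Succeed only if the NIC sources on stdin are exactly the expected set ($1).
check_wiring() {
    actual=$(nic_sources)
    [ "$actual" = "$1" ]
}

# usage: audit_vm <label> <expected-sources> < domiflist-output
audit_vm() {
    if check_wiring "$2"; then
        echo "OK   $1: $actual"
    else
        echo "FAIL $1: expected '$2', found '$actual'"
    fi
}

GATEWAY_SAMPLE=' Interface   Type      Source            Model    MAC
-------------------------------------------------------------------
 -           network   Whonix-External   virtio   52:54:00:00:00:01
 -           network   Whonix-Internal   virtio   52:54:00:00:00:02
'
WORKSTATION_SAMPLE=' Interface   Type      Source            Model    MAC
-------------------------------------------------------------------
 -           network   Whonix-Internal   virtio   52:54:00:00:00:03
'
# Mis-wired: a stray second NIC on libvirt's "default" NAT network.
MISWIRED_SAMPLE=' Interface   Type      Source            Model    MAC
-------------------------------------------------------------------
 -           network   Whonix-Internal   virtio   52:54:00:00:00:03
 -           network   default           virtio   52:54:00:00:00:04
'

printf '%s' "$GATEWAY_SAMPLE"     | audit_vm "gateway"     "Whonix-External,Whonix-Internal"
printf '%s' "$WORKSTATION_SAMPLE" | audit_vm "workstation" "Whonix-Internal"
printf '%s' "$MISWIRED_SAMPLE"    | audit_vm "workstation (mis-wired)" "Whonix-Internal"
```
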

If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:

sudo touch /etc/apparmor.d/local/system_tor.anondist

Restart Whonix-Gateway and Tor should work.

Known Issues

On Kicksecure ppc64 (morphed from Sid), the following services fail to start:

  • sdwdate, looks like a seccomp issue.
  • swap-file-creator, error unclear.
  • systemd-sysctl, might be an issue with having kernels with multiple page sizes installed.

On Kicksecure ppc64 (morphed from Sid), Electrum fails to launch with Could not initialize GLX; this might be unrelated to Kicksecure/Whonix (might be a generic BE bug in Electrum and/or Qt).