Difference between revisions of "Whonix"
JeremyRand (talk | contribs) (systemcheck is fixed in buster-developers) |
JeremyRand (talk | contribs) (Upgrade to Whonix 16) |
||
Line 1: | Line 1: | ||
− | [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on | + | [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on POWER using KVM. These instructions were tested with Whonix 16. |
== Both Whonix-Gateway and Whonix-Workstation == | == Both Whonix-Gateway and Whonix-Workstation == | ||
Line 11: | Line 11: | ||
Install the Whonix virtual networks: | Install the Whonix virtual networks: | ||
− | virsh -c qemu:///system net-define Whonix_external*.xml | + | sudo virsh -c qemu:///system net-define Whonix_external*.xml |
− | virsh -c qemu:///system net-define Whonix_internal*.xml | + | sudo virsh -c qemu:///system net-define Whonix_internal*.xml |
− | virsh -c qemu:///system net-autostart | + | sudo virsh -c qemu:///system net-autostart Whonix-External |
− | virsh -c qemu:///system net-start | + | sudo virsh -c qemu:///system net-start Whonix-External |
− | virsh -c qemu:///system net-autostart | + | sudo virsh -c qemu:///system net-autostart Whonix-Internal |
− | virsh -c qemu:///system net-start | + | sudo virsh -c qemu:///system net-start Whonix-Internal |
− | Then, create two Debian | + | Then, create two Debian Bullseye ppc64el VM's. When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the below instructions for each VM. |
− | Import the Whonix signing key ([ | + | Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]): |
− | <nowiki> | + | sudo apt-get update |
− | sudo | + | sudo apt-get dist-upgrade |
+ | sudo apt-get install --no-install-recommends curl gpg gpg-agent | ||
+ | <nowiki>curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc</nowiki> | ||
+ | sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc | ||
− | Initialize the <code>console</code> group ([https://www.whonix.org/wiki/ | + | Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]): |
sudo addgroup --system console | sudo addgroup --system console | ||
sudo adduser user console | sudo adduser user console | ||
− | + | Add the Whonix/Kicksecure package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]): | |
+ | |||
+ | sudo apt-get install apt-transport-tor | ||
+ | <nowiki>echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki> | ||
+ | sudo apt-get update | ||
+ | |||
+ | Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Whonix <code>bullseye</code> suite, which break ppc64el support. These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>. Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above. | ||
− | + | Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Whonix. As of 2021 September 10, this means using the Debian Experimental suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]): | |
− | <nowiki>echo "deb | + | <nowiki>echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list</nowiki> |
sudo apt-get update | sudo apt-get update | ||
− | sudo apt-get -t | + | sudo apt-get -t experimental install linux-image-powerpc64le |
− | + | == Whonix-Gateway == | |
− | + | Run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only: | |
− | |||
− | + | sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce | |
− | + | sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli | |
− | + | If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again: | |
− | sudo apt-get install | + | sudo apt-get install --no-install-recommends console-common |
If you get prompted with questions during package installation, you can choose the defaults. | If you get prompted with questions during package installation, you can choose the defaults. | ||
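Review bot: In the signing-key step, ~/patrick.asc is copied to /etc/apt/trusted.gpg.d/derivative.asc immediately after the curl download, with no fingerprint check in between. Add a step before the "sudo cp" line that displays the downloaded key's fingerprint with gpg and tells the reader to compare it against the fingerprint published on the linked Whonix/Kicksecure page, so that a substituted key is caught before apt starts trusting it. It is also worth saying in the text that a key placed in trusted.gpg.d is trusted for every configured repository, not only the derivative.list entry added two steps later.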
Line 59: | Line 67: | ||
Shut off the VM. | Shut off the VM. | ||
− | Set the VM's NIC to use the <code> | + | Set the VM's NIC to use the <code>Whonix-External</code> Network source. |
− | Add a 2nd NIC to the VM, and set it to use the <code> | + | Add a 2nd NIC to the VM, and set it to use the <code>Whonix-Internal</code> Network source. |
Launch the VM again; Whonix-Gateway should be running. | Launch the VM again; Whonix-Gateway should be running. | ||
− | If you get errors about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running | + | If you get errors about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following: |
+ | |||
+ | sudo touch /etc/apparmor.d/local/system_tor.anondist | ||
+ | |||
+ | Restart the VM again and Tor should work. | ||
== Whonix-Workstation == | == Whonix-Workstation == | ||
− | + | Run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only: | |
− | |||
− | |||
− | |||
− | + | sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce | |
− | + | sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli | |
− | + | If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again: | |
− | sudo apt-get install | + | sudo apt-get install --no-install-recommends console-common |
If you get prompted with questions during package installation, you can choose the defaults. | If you get prompted with questions during package installation, you can choose the defaults. | ||
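Review bot: The AppArmor workaround ("sudo touch /etc/apparmor.d/local/system_tor.anondist") is introduced with "this is probably an AppArmor issue", but the text gives no way to confirm that diagnosis and does not say what the empty file does. Quote the error message the reader should expect to see from the Tor service, and add one sentence on why creating this file resolves it, so the command is not applied blindly to an unrelated Tor failure. Minor wording: "Restart the VM again" can be just "Restart the VM".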
Line 90: | Line 99: | ||
Shut off the VM. | Shut off the VM. | ||
− | Set the VM's NIC to use the <code> | + | Set the VM's NIC to use the <code>Whonix-Internal</code> Network source. |
Launch the VM again; Whonix-Workstation should be running. | Launch the VM again; Whonix-Workstation should be running. |
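Review bot: The Workstation NIC step says only to set the VM's NIC to Whonix-Internal; it should state that this must be the VM's sole NIC. The Gateway section has the reader add a second NIC, and a reader who repeats that here, or who leaves a NIC from the Debian install attached to another network, ends up with a Workstation that has a path to the network that does not go through the Gateway. Suggest wording such as "Make sure the VM has exactly one NIC, and set it to use the Whonix-Internal Network source."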
Revision as of 23:58, 10 September 2021
Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 16.
Both Whonix-Gateway and Whonix-Workstation
Download Whonix from the Whonix KVM download page (clearnet link).
Extract it:
tar -xvf Whonix*.libvirt.xz
Install the Whonix virtual networks:
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
Then, create two Debian Bullseye ppc64el VMs. When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the instructions below for each VM.
Import the Whonix/Kicksecure signing key (source) (clearnet):
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
Initialize the <code>console</code> group (source) (clearnet):
sudo addgroup --system console
sudo adduser user console
Add the Whonix/Kicksecure package repository (source) (clearnet):
sudo apt-get install apt-transport-tor
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update
Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Whonix <code>bullseye</code> suite, which break ppc64el support. These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>. Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above.
Upgrade Linux to 5.14 or higher; a bug that broke ppc64le support in Whonix was fixed between Linux 5.10 and Linux 5.14. As of 2021 September 10, this means using the Debian Experimental suite (source) (clearnet):
echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64le
Whonix-Gateway
Run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
sudo apt-get install --no-install-recommends console-common
If you get prompted with questions during package installation, you can choose the defaults.
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
sudo rm /etc/apt/sources.list
Shut off the VM.
Set the VM's NIC to use the <code>Whonix-External</code> Network source.
Add a 2nd NIC to the VM, and set it to use the <code>Whonix-Internal</code> Network source.
Launch the VM again; Whonix-Gateway should be running.
If you get errors about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:
sudo touch /etc/apparmor.d/local/system_tor.anondist
Restart the VM again and Tor should work.
Whonix-Workstation
Run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
sudo apt-get install --no-install-recommends console-common
If you get prompted with questions during package installation, you can choose the defaults.
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
sudo rm /etc/apt/sources.list
Shut off the VM.
Set the VM's NIC to use the <code>Whonix-Internal</code> Network source.
Launch the VM again; Whonix-Workstation should be running.
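One way to confirm the NIC assignments from the Whonix-Gateway and Whonix-Workstation sections, as an added example that is not part of the original page or the Whonix project: the script parses the table printed by virsh domiflist and fails unless the Gateway is on exactly Whonix-External plus Whonix-Internal and the Workstation is on Whonix-Internal only. VMNAME is a placeholder for whatever you named the VM, and the sample tables are constructed.

```shell
#!/bin/sh
# Added example (not from the Whonix project): check a VM's libvirt NICs.
# Feed it the table printed by:
#   sudo virsh -c qemu:///system domiflist VMNAME
# VMNAME is whatever you called the VM; the page does not fix a name.

# Print the sorted, comma-joined sources of every NIC in a domiflist table.
# NICs that are not of type "network" (bridge, direct, ...) are shown as
# TYPE:SOURCE so they can never match an expected Whonix network name.
nic_sources() {
    awk 'NF >= 3 && $1 != "Interface" {
             print ($2 == "network" ? $3 : ($2 ":" $3))
         }' | LC_ALL=C sort | paste -sd, -
}

# check_nics ROLE   (ROLE is gateway or workstation; table on stdin)
check_nics() {
    case "$1" in
        gateway)     want="Whonix-External,Whonix-Internal" ;;
        workstation) want="Whonix-Internal" ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
    got=$(nic_sources)
    if [ "$got" = "$want" ]; then
        echo "OK: $1 is attached to $want"
    else
        echo "FAIL: $1 is attached to '$got', expected '$want'"
        return 1
    fi
}

# Constructed sample tables, not captured from a real host.
GOOD_GW=' Interface   Type      Source            Model    MAC
-------------------------------------------------------------
 -           network   Whonix-External   virtio   52:54:00:00:00:01
 -           network   Whonix-Internal   virtio   52:54:00:00:00:02'
GOOD_WS=' Interface   Type      Source            Model    MAC
-------------------------------------------------------------
 -           network   Whonix-Internal   virtio   52:54:00:00:00:03'
# Workstation that still has a NIC on libvirt's "default" NAT network.
BAD_WS="$GOOD_WS
 -           network   default           virtio   52:54:00:00:00:04"

printf '%s\n' "$GOOD_GW" | check_nics gateway
printf '%s\n' "$GOOD_WS" | check_nics workstation
printf '%s\n' "$BAD_WS"  | check_nics workstation || true
```

Run the check on the host after the final NIC change for each VM; a FAIL on the Workstation means it has a network path that bypasses the Gateway.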
Known Issues
None.