Difference between revisions of "Whonix"

From RCS Wiki
(Add some Whonix 15 instructions)
(→‎Known Issues: Link to Kicksecure.)
(31 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on the Talos using KVM.
+
[http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/ Whonix] ([https://www.whonix.org/ clearnet link]) can be installed on POWER using KVM.  These instructions were tested with Whonix 16.
  
 
== Both Whonix-Gateway and Whonix-Workstation ==
 
== Both Whonix-Gateway and Whonix-Workstation ==
 
=== For Whonix 14 ===
 
 
Download Whonix-Gateway from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
 
 
Extract it:
 
 
tar -xvf Whonix-Gateway*.libvirt.xz
 
 
=== For Whonix 15 ===
 
  
 
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
 
Download Whonix from the [http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/KVM#Download_Whonix_.E2.84.A2 Whonix KVM download page] ([https://www.whonix.org/wiki/KVM#Download_Whonix_.E2.84.A2 clearnet link]).
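Review bot: The download line at the end of this hunk gives no verification step for the archive. The reader is sent to the KVM download page and the next instruction is `tar -xvf Whonix*.libvirt.xz`, after which the extracted XML files are loaded with `sudo virsh ... net-define`. Suggest adding a line that tells the reader to verify the archive's signature before extracting it, or that points at the upstream verification instructions. The intro now says "tested with Whonix 16"; it would help to say here which version to download.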
Line 18: Line 8:
  
 
  tar -xvf Whonix*.libvirt.xz
 
  tar -xvf Whonix*.libvirt.xz
 
=== For Whonix 14 ===
 
  
 
Install the Whonix virtual networks:
 
Install the Whonix virtual networks:
  
  virsh -c qemu:///system net-define Whonix_external*.xml
+
  sudo virsh -c qemu:///system net-define Whonix_external*.xml
  virsh -c qemu:///system net-define Whonix_internal*.xml
+
  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
  virsh -c qemu:///system net-autostart external
+
  sudo virsh -c qemu:///system net-autostart Whonix-External
  virsh -c qemu:///system net-start external
+
  sudo virsh -c qemu:///system net-start Whonix-External
  virsh -c qemu:///system net-autostart internal
+
  sudo virsh -c qemu:///system net-autostart Whonix-Internal
  virsh -c qemu:///system net-start internal
+
  sudo virsh -c qemu:///system net-start Whonix-Internal
  
Then, create two Debian Stretch ppc64el VM's, launch a root shell in each, and follow the below instructions for each VM.
+
Then, create two Debian Bullseye ppc64el VM's.  When installing Debian, do not create a separate root password, name the user <code>user</code>, and for desktop environment either pick XFCE or do not install one.  Launch a shell in each VM, and follow the below instructions for each VM.
  
Install <code>dirmngr</code> (this is required in order to import the Whonix signing key):
+
Import the Whonix/Kicksecure signing key ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Signing_Key clearnet]):
  
  apt-get install dirmngr
+
  sudo apt-get update
 +
sudo apt-get dist-upgrade
 +
sudo apt-get install --no-install-recommends curl gpg gpg-agent
 +
<nowiki>curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc</nowiki>
 +
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
  
Import the Whonix signing key ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
Initialize the <code>console</code> group ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Prerequisites source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Prerequisites clearnet]):
  
  apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
+
  sudo addgroup --system console
 +
sudo adduser user console
  
Add the Whonix package repository ([https://github.com/Whonix/whonix-developer-meta-files/blob/master/README_generic.md#how-to-install-package-name-using-apt-get source]):
+
Add the Whonix/Kicksecure package repository ([http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository source]) ([https://www.whonix.org/wiki/Kicksecure/Debian#Add_the_Whonix_.E2.84.A2_Repository clearnet]):
  
  <nowiki>echo "deb http://deb.whonix.org stretch main" | tee /etc/apt/sources.list.d/whonix.list</nowiki>
+
sudo apt-get install apt-transport-tor
 +
  <nowiki>echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list</nowiki>
 +
sudo apt-get update
  
== Whonix-Gateway ==
+
Note: As of 2021 September 10, there are bugs in the <code>security-misc</code> package in the Whonix <code>bullseye</code> suite, which break ppc64el support.  These bugs were fixed by <code>security-misc</code> version <code>3:22.7-1</code>.  Until the fixes make their way to the <code>bullseye</code> suite, you can get the fixes early by substituting <code>bullseye-developers</code> for <code>bullseye</code> in the <code>derivative.list</code> line above.
  
Unfortunately, Whonix's <code>tor</code> package, which is a required dependency of Whonix-Gateway, is not available for ppc64el.  Debian's <code>stretch-backports</code> repo does have a <code>tor</code> package that works, we just need to edit its metadata to make the package manager happy. First, we download the <code>tor</code> package and extract it:
+
Upgrade Linux to 5.14 or higher; a bug was fixed between Linux 5.10 and Linux 5.14 that broke ppc64le support in Whonix.  As of 2021 September 10, this means using the Debian Experimental suite ([http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion/ source]) ([https://onion.debian.org/ clearnet]):
  
  <nowiki>echo "deb http://http.debian.net/debian stretch-backports main" | tee /etc/apt/sources.list.d/stretch-backports.list
+
  <nowiki>echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list</nowiki>
apt-get update
+
sudo apt-get update
apt-get download -t stretch-backports tor
+
sudo apt-get -t experimental install linux-image-powerpc64le
mkdir tor_extracted
 
dpkg-deb -R ./tor_*.deb ./tor_extracted</nowiki>
 
  
Then, run the following command.  It will fail with a dependency error, note the minimum <code>tor</code> version that it wants.
+
== Whonix-Gateway ==
 
 
apt-get install non-qubes-whonix-gateway-kde whonix-gateway-shared-packages-shared-meta whonix-gateway-packages-recommended-cli tor-geoipdb
 
 
 
Then, edit the metadata file:
 
  
nano tor_extracted/DEBIAN/control
+
Run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:
  
And replace the Version field with the minimum version you noted earlier. Then exit <code>nano</code>.
+
  sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
  
Rebuild the package and install it:
+
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
  
mkdir tor_rebuilt
+
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
dpkg-deb -b tor_extracted tor_rebuilt
 
apt-get install ./tor_rebuilt/tor*.deb
 
  
Now we can install the Whonix packages:
+
sudo apt-get install --no-install-recommends console-common
  
apt-get install non-qubes-whonix-gateway-kde
+
If you get prompted with questions during package installation, you can choose the defaults.
  
 
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
 
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
  rm /etc/apt/sources.list
+
  sudo rm /etc/apt/sources.list
  
 
Shut off the VM.
 
Shut off the VM.
  
Set the VM's NIC to use the <code>external</code> Network source.
+
Set the VM's NIC to use the <code>Whonix-External</code> Network source.
  
Add a 2nd NIC to the VM, and set it to use the <code>internal</code> Network source.
+
Add a 2nd NIC to the VM, and set it to use the <code>Whonix-Internal</code> Network source.
  
 
Launch the VM again; Whonix-Gateway should be running.
 
Launch the VM again; Whonix-Gateway should be running.
  
== Whonix-Workstation ==
+
If you get errors about the Tor service failing to start, this is probably an AppArmor issue.  You can fix it by running the following:
  
This one's a lot easier, since Whonix's <code>tor</code> package version isn't a requirement.
+
sudo touch /etc/apparmor.d/local/system_tor.anondist
  
Install the Whonix packages:
+
Restart the VM again and Tor should work.
  
apt-get update
+
== Whonix-Workstation ==
apt-get install non-qubes-whonix-workstation-kde
 
  
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
+
Run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:
  
  rm /etc/apt/sources.list
+
  sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
  
Shut off the VM.
+
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
  
Set the VM's NIC to use the <code>internal</code> Network source.
+
If you get a package conflict error that mentions <code>console-common</code>, run the following and then try again:
  
Launch the VM again; Whonix-Workstation should be running.
+
sudo apt-get install --no-install-recommends console-common
  
== Known Issues ==
+
If you get prompted with questions during package installation, you can choose the defaults.
  
=== Checking for virtualization ===
+
The Whonix packages will install their own <code>sources.list</code> data in <code>/etc/apt/sources.list.d/debian.list</code>, which means you should delete the <code>sources.list</code> that Debian came with (in order to avoid warnings from <code>apt-get</code> about duplicated repos):
  
<code>whonixcheck</code> in both VM's reports this error:
+
sudo rm /etc/apt/sources.list
  
<nowiki>[ERROR] [whonixcheck] Virtualizer Failed to check for virtualization: Permission denied unsupported by Whonix developers! Whonixcheck aborted! (qubes_detected: false)
+
Shut off the VM.
  
Using Virtualizer Failed to check for virtualization: Permission denied together with Whonix is recommended against, because it is rarely tested. [1] [2] [3] It could be made possible, but would require more Whonix contributors.
+
Set the VM's NIC to use the <code>Whonix-Internal</code> Network source.
It may already work, but is highly experimental.
 
  
 +
Launch the VM again; Whonix-Workstation should be running.
  
 +
== Known Issues ==
  
This might endanger your anonymity. Do not proceed unless you know what you are doing.
+
See [[Kicksecure#Known_Issues|Kicksecure known issues]].
 
 
If you wish to ignore this warning and to continue whonixcheck anyway, you can set
 
    WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"
 
in /etc/whonix.d/30_whonixcheck_default.conf.
 
 
 
Recommended action:
 
- Shut down.
 
- Read Whonix documentation [4].
 
- Use Whonix with a supported virtualizer or Physical Isolation [5].
 
 
 
Footnotes:
 
 
 
[1] https://www.whonix.org/wiki/LeakTests
 
[2] https://www.whonix.org/wiki/Test
 
[3] https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
 
[4] https://www.whonix.org/wiki/Documentation
 
[5] https://www.whonix.org/wiki/Physical_Isolation</nowiki>
 
  
It is not clear why this error shows up, or whether anything bad will happen if it's ignored.  The only mention of this error that I can find in upstream documentation is [http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/error-virtualizer-unsupported-by-whonix-developers/4471 this forum thread], which doesn't have any solution.
+
No Whonix-specific known issues.
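Review bot: The new key-import step (the added `curl ... --output ~/patrick.asc` and `sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc` lines) drops the fingerprint pin that the removed `apt-key ... --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA` line carried, so the key ends up in apt's trust store on the strength of the TLS download alone. Suggest adding a step between the two commands that shows the fingerprint of ~/patrick.asc and states the value the reader should compare it against before the copy. The key is also fetched from the clearnet www.whonix.org while the repository line that follows uses the onion address; say whether that is intentional. Finally, the added experimental.list entry is left in place after the kernel install; a sentence on whether to remove it once Linux 5.14 reaches the regular suite would help.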

Revision as of 07:52, 25 September 2021

Whonix (clearnet link) can be installed on POWER using KVM. These instructions were tested with Whonix 16.

Both Whonix-Gateway and Whonix-Workstation

Download Whonix from the Whonix KVM download page (clearnet link).

Extract it:

tar -xvf Whonix*.libvirt.xz

Install the Whonix virtual networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal

Then, create two Debian Bullseye ppc64el VMs. When installing Debian, do not create a separate root password, name the user "user", and for the desktop environment either pick XFCE or do not install one. Launch a shell in each VM, and follow the instructions below for each VM.

Import the Whonix/Kicksecure signing key (source) (clearnet):

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --proto =https --max-time 180 --output ~/patrick.asc https://www.whonix.org/patrick.asc
sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
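
A way to check the downloaded key before the cp step, as an added example (not part of the original page or of Whonix's own instructions): it compares the primary-key fingerprint in ~/patrick.asc with the fingerprint that the earlier revision of this page passed to apt-key. That patrick.asc carries that same key is an assumption to confirm against the Whonix documentation; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a downloaded key file against a pinned fingerprint
# before it is copied into /etc/apt/trusted.gpg.d/.

# Fingerprint taken from the apt-key command in this page's earlier revision.
# Assumption: patrick.asc carries that same key; confirm with Whonix docs.
EXPECTED_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key: the "fpr" record that follows a "pub" record. Fingerprints
# that follow "sub" records belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { armed = 1; next }
        $1 == "sub" { armed = 0; next }
        $1 == "fpr" && armed { print $10; armed = 0 }
    '
}

# Succeed only if the listing holds exactly one primary key and its
# fingerprint equals $1. A file that bundles a second key is rejected,
# because every key in trusted.gpg.d is trusted for every repository.
listing_matches() {
    awk -F: -v want="$1" '
        $1 == "pub" { armed = 1; next }
        $1 == "sub" { armed = 0; next }
        $1 == "fpr" && armed { n++; got = $10; armed = 0 }
        # Appending "" forces a string comparison; an all-digit fingerprint
        # would otherwise be compared as a floating-point number.
        END { exit !(n == 1 && (got "") == (want "")) }
    '
}

# Hypothetical wrapper: inspect the key file without importing it.
# Fails closed if gpg is missing or prints nothing.
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$2"
}

# Usage on the VM, between the curl and the cp commands:
#   verify_key_file ~/patrick.asc "$EXPECTED_FPR" \
#     && sudo cp ~/patrick.asc /etc/apt/trusted.gpg.d/derivative.asc
```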

Initialize the console group (source) (clearnet):

sudo addgroup --system console
sudo adduser user console

Add the Whonix/Kicksecure package repository (source) (clearnet):

sudo apt-get install apt-transport-tor
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update

Note: As of 2021 September 10, there are bugs in the security-misc package in the Whonix bullseye suite, which break ppc64el support. These bugs were fixed by security-misc version 3:22.7-1. Until the fixes make their way to the bullseye suite, you can get the fixes early by substituting bullseye-developers for bullseye in the derivative.list line above.

Upgrade Linux to 5.14 or higher; a bug that broke ppc64le support in Whonix was fixed between Linux 5.10 and Linux 5.14. As of 2021 September 10, this means using the Debian Experimental suite (source) (clearnet):

echo "deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian experimental main" | sudo tee /etc/apt/sources.list.d/experimental.list
sudo apt-get update
sudo apt-get -t experimental install linux-image-powerpc64le

Whonix-Gateway

Run one of the following, depending on whether you want the Whonix-Gateway to use XFCE or CLI-only:

sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the Whonix-External Network source.

Add a 2nd NIC to the VM, and set it to use the Whonix-Internal Network source.

Launch the VM again; Whonix-Gateway should be running.

If you get errors about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:

sudo touch /etc/apparmor.d/local/system_tor.anondist

Restart the VM again and Tor should work.

Whonix-Workstation

Run one of the following, depending on whether you want the Whonix-Workstation to use XFCE or CLI-only:

sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli

If you get a package conflict error that mentions console-common, run the following and then try again:

sudo apt-get install --no-install-recommends console-common

If you get prompted with questions during package installation, you can choose the defaults.

The Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list, which means you should delete the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):

sudo rm /etc/apt/sources.list

Shut off the VM.

Set the VM's NIC to use the Whonix-Internal Network source.

Launch the VM again; Whonix-Workstation should be running.
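
The NIC assignments given above for the Gateway and the Workstation can be checked from the host, as an added example that is not part of the original page: the functions read the table printed by `virsh domiflist` and accept only the layout these instructions describe. The function names and the domain names in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example: confirm each VM's NIC layout from the host.
# Input on stdin is the table printed by `virsh domiflist <domain>`.

# Print one "type/source" line per NIC, sorted. The header row is skipped by
# name and the dashed rule by its field count, so a shut-off VM (whose
# Interface column shows "-") is still parsed.
nic_sources() {
    awk 'NF >= 3 && $1 != "Interface" { print $2 "/" $3 }' | sort
}

# Workstation: exactly one NIC, attached to Whonix-Internal. Any other
# attachment (a second NIC, the default NAT network, a bridge) gives the
# Workstation a network path that does not pass through the Gateway.
workstation_isolated() {
    [ "$(nic_sources)" = "network/Whonix-Internal" ]
}

# Gateway: exactly two NICs, one on each Whonix network.
gateway_wired() {
    want=$(printf '%s\n' "network/Whonix-External" "network/Whonix-Internal")
    [ "$(nic_sources)" = "$want" ]
}

# Usage on the host (domain names are whatever you called the VMs):
#   virsh -c qemu:///system domiflist whonix-gw | gateway_wired        || echo "gateway NICs wrong"
#   virsh -c qemu:///system domiflist whonix-ws | workstation_isolated || echo "workstation not isolated"
```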

Known Issues

See Kicksecure known issues.

No Whonix-specific known issues.