Kicksecure and Whonix
Kicksecure (clearnet link) and Whonix (clearnet link) can be installed on POWER (KVM or bare metal). These instructions were tested with Kicksecure 17 and Whonix 17.
Distro Morphing (Kicksecure and Whonix)
If installing Kicksecure, perform this section once (in either the host or a VM, as desired). If installing Whonix, perform this section once in the Gateway and again in the Workstation.
First, install Debian Bookworm, Trixie, Forky, or Sid for ppc64el or ppc64. If installing in a VM, set the Video Model to Virtio and the Display Type to Spice (source 1) (source 2) (source 3). When installing Debian:
- Do not create a separate root password.
- Name the user "user".
- For desktop environment, pick LXQt (only available for Trixie or higher), XFCE (only available for Bookworm), or do not install one.
Launch a shell.
Import the Kicksecure/Whonix signing key (source) (clearnet):
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends curl gpg gpg-agent
curl --tlsv1.3 --output ~/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
Initialize the console group (source) (clearnet):
sudo addgroup --system console
sudo adduser user console
Add the Kicksecure package repository (source) (clearnet):
sudo apt-get install apt-transport-tor
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update
On Trixie or higher, use trixie-developers instead of bookworm for the Kicksecure suite.
If installing Whonix, add the Whonix package repository (source) (clearnet):
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bookworm main" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update
On Trixie or higher, use trixie-developers instead of bookworm for the Whonix suite.
Then, run one of the following, depending on whether you want to use LXQt, XFCE, or CLI-only, whether you are installing in a VM or on the host, and whether you are installing Kicksecure, Whonix-Gateway, or Whonix-Workstation:
sudo apt-get install --no-install-recommends kicksecure-baremetal-gui-lxqt
sudo apt-get install --no-install-recommends kicksecure-vm-gui-lxqt
sudo apt-get install --no-install-recommends kicksecure-xfce-host
sudo apt-get install --no-install-recommends kicksecure-xfce-vm
sudo apt-get install --no-install-recommends kicksecure-baremetal-server
sudo apt-get install --no-install-recommends kicksecure-vm-server
sudo apt-get install --no-install-recommends kicksecure-cli-host
sudo apt-get install --no-install-recommends kicksecure-cli-vm
sudo apt-get install --no-install-recommends whonix-gateway-baremetal-gui-lxqt
sudo apt-get install --no-install-recommends whonix-gateway-vm-gui-lxqt
sudo apt-get install --no-install-recommends whonix-workstation-baremetal-gui-lxqt
sudo apt-get install --no-install-recommends whonix-workstation-vm-gui-lxqt
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-xfce
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-xfce
sudo apt-get install --no-install-recommends whonix-gateway-baremetal-server
sudo apt-get install --no-install-recommends whonix-workstation-baremetal-server
sudo apt-get install --no-install-recommends whonix-gateway-vm-server
sudo apt-get install --no-install-recommends whonix-workstation-vm-server
sudo apt-get install --no-install-recommends non-qubes-whonix-gateway-cli
sudo apt-get install --no-install-recommends non-qubes-whonix-workstation-cli
If you get a package conflict error that mentions console-common, run the following and then try again:
sudo apt-get install --no-install-recommends console-common
If you get prompted about choosing the default display manager during package installation, choose gdm3 (source) (clearnet).
If you get prompted with other questions during package installation, you can choose the defaults.
The Kicksecure/Whonix packages will install their own sources.list data in /etc/apt/sources.list.d/debian.list. If you're using Bookworm or Trixie, that means you should clear the sources.list that Debian came with (in order to avoid warnings from apt-get about duplicated repos):
sudo rm /etc/apt/sources.list
sudo touch /etc/apt/sources.list
sudo rm /etc/apt/sources.list.d/backports.list
On Forky or higher, the Kicksecure/Whonix sources.list is nonfunctional, so you should clear it instead:
sudo rm /etc/apt/sources.list.d/debian.sources
sudo touch /etc/apt/sources.list.d/debian.sources
Run the following to work around a bug that breaks subsequent package updates (source) (clearnet):
sudo mkdir -p /etc/dist-base-files.d/
echo "set +e" | sudo tee /etc/dist-base-files.d/50_user.conf
Shut off the machine. If you're installing Kicksecure, you're done: start up the machine again and Kicksecure should be running.
If you're using LXQt and, after booting again, the GUI doesn't come up, run the following to fix it:
sudo systemctl disable sddm
sudo systemctl enable greetd
Reboot and the GUI should come up.
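An added example, not part of the original page or the Kicksecure/Whonix project: a POSIX shell function that audits one-line-style APT entries for the three properties the steps above depend on (keyring pinning with signed-by, the tor+ transport, and duplicated repositories). The function name, flag names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Kicksecure/Whonix project code.
# audit_sources FILE...: for each active one-line-style APT entry, print
#   FLAGS<TAB>FILE<TAB>URI<TAB>SUITE
# FLAGS is "ok" or a comma-separated list of:
#   no-signed-by  entry is not pinned to a keyring with [signed-by=...]
#   not-tor       URI does not use apt-transport-tor (tor+http / tor+https)
#   duplicate     same type, URI and suite already seen (heuristic: components ignored)
audit_sources() {
    awk '
    $1 == "deb" || $1 == "deb-src" {
        opts = ""; i = 2
        if ($i ~ /^\[/) {                 # bracketed option list follows the type
            while (i <= NF) {
                opts = opts " " $i
                last = ($i ~ /\]$/); i++
                if (last) break
            }
        }
        uri = $i; suite = $(i + 1); flags = ""
        if (opts !~ /signed-by=/)         flags = flags ",no-signed-by"
        if (uri !~ /^tor\+/)              flags = flags ",not-tor"
        if (seen[$1 " " uri " " suite]++) flags = flags ",duplicate"
        if (flags == "") flags = ",ok"
        n = split(FILENAME, path, "/")
        printf "%s\t%s\t%s\t%s\n", substr(flags, 2), path[n], uri, suite
    }' "$@"
}

# Constructed sample: the Kicksecure entry from this page, plus one Debian
# repository listed in two files (the duplicate the cleanup step avoids).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
ks=tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion
cat > "$sample_dir/derivative.list" <<EOF
deb [signed-by=/usr/share/keyrings/derivative.asc] $ks bookworm main
EOF
echo "deb http://deb.debian.org/debian bookworm main" > "$sample_dir/sources.list"
cat > "$sample_dir/debian.list" <<EOF
# comment lines and disabled entries are skipped
#deb-src http://deb.debian.org/debian bookworm main
deb http://deb.debian.org/debian bookworm main contrib
EOF

audit_sources "$sample_dir/derivative.list" "$sample_dir/sources.list" \
    "$sample_dir/debian.list"
```

On a morphed system, run it as audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list; deb822-style .sources files are not parsed.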
Network Setup (Whonix Only)
Download Whonix from the Whonix KVM download page (clearnet link).
Extract it:
tar -xvf Whonix*.libvirt.xz
Install the Whonix virtual networks:
sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml
sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
Set the Whonix-Gateway VM's NIC to use the Whonix-External Network source.
Add a 2nd NIC to the Whonix-Gateway VM, and set it to use the Whonix-Internal Network source.
Set the Whonix-Workstation VM's NIC to use the Whonix-Internal Network source.
Launch both Whonix VMs; Whonix should be running.
If you get errors in Whonix-Gateway about the Tor service failing to start, this is probably an AppArmor issue. You can fix it by running the following:
sudo touch /etc/apparmor.d/local/system_tor.anondist
Restart Whonix-Gateway again and Tor should work.
Known Issues
On Kicksecure ppc64 (morphed from Sid), the following services fail to start:
- sdwdate, looks like a seccomp issue. Also affects Whonix-Workstation ppc64le Forky.
- swap-file-creator, error unclear.
- systemd-sysctl, might be an issue with having kernels with multiple page sizes installed.
On Whonix ppc64 (morphed from Sid), the following services fail to start:
- greetd, no problems in ppc64le Forky. Probably affects Kicksecure too but didn't check. Also affects plain Debian Sid ppc64 (without Kicksecure/Whonix) and doesn't affect plain Debian Forky ppc64le. So it's not a Kicksecure/Whonix bug. Probably should file a bug with either Debian or upstream.
On Whonix ppc64 (morphed from Sid), sudo apt update fails with DNS errors. Probably also affects Kicksecure, probably also affects ppc64le, probably also affects Forky. Probably can be fixed by replacing http:// in sources.list with tor+https://.
On Kicksecure ppc64 (morphed from Sid), Electrum fails to launch with Could not initialize GLX; this might be unrelated to Kicksecure/Whonix (might be a generic BE bug in Electrum and/or Qt).