Template:Torify apt traffic

From Kicksecure

It is recommended to torify APT's traffic on the host for several reasons:

  • Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
  • System updates leak sensitive security information like package versions and the varying patch levels. This information aids targeted attacks.

Follow the instructions below to torify APT traffic in Debian. [1]

1. Install apt-transport-tor from the Debian repository.

sudo apt install apt-transport-tor

2. Edit sources.list to include only tor:// URLs for every entry.

Open file /etc/apt/sources.list in an editor with root rights.

Kicksecure

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/apt/sources.list

Kicksecure for Qubes

NOTES:

sudoedit /etc/apt/sources.list

  • After applying this change, shut down the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and is not specific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/apt/sources.list

3. Save and exit.

Other URL Configurations

Alternatively, the tor+http:// URL scheme is possible.

In theory, apt-transport-tor can also be combined with apt-transport-https, leading to the tor+https:// URL scheme. [2] In practice, at the time of writing, no major repository (such as the Debian repository) supported tor+https://.

Note that changing ftp.us.debian.org to http.debian.net picks a mirror near to whichever Tor exit node is being used. Throughput is surprisingly fast. [3] Also be aware that all public-facing debian.org FTP services were shut down on November 1, 2017. [4]

The Debian URLs can also be pointed to the available onion services at http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion. This is the most secure option, as no package metadata ever leaves Tor. [5] [6] [7] This URL scheme also protects from system compromise in the event APT has a critical security bug. The following entries should work in the sources list:

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main
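
Step 2 requires that every entry uses a Tor URL scheme, and a single leftover clear-net line is enough to leak the package selection. The following check is an added example, not part of the Kicksecure wiki or of apt-transport-tor. It assumes the one-line sources.list format; the function name check_tor_sources and the sample entries are constructed for illustration.

```shell
# Added example: report active APT entries that would bypass Tor.
# Exit status: 0 = every entry is torified, 1 = at least one is not, 2 = unreadable file.
check_tor_sources() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 != "deb" && $1 != "deb-src" { next } # skip blanks and non-entries
        {
            i = 2
            # Skip an optional [ option=value ... ] block, which may span fields.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i
            # Accept tor://, tor+http:// and tor+https:// only.
            if (uri !~ /^tor(\+https?)?:\/\//) {
                printf "%s:%d: not torified: %s\n", FILENAME, FNR, uri
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: one clear-net entry hidden among torified ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main
deb [arch=amd64] https://deb.debian.org/debian bookworm-updates main
#deb http://deb.debian.org/debian bookworm-backports main
deb-src [ arch=amd64 ] tor+https://example.org/debian bookworm main
EOF
check_tor_sources "$sample" || echo "fix the entries listed above"
rm -f "$sample"
```

Run it against /etc/apt/sources.list after saving; files under /etc/apt/sources.list.d/ can carry their own entries and need the same check.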