Template:Torify APT traffic

From Whonix
Revision as of 16:50, 24 December 2025 by ArrayBolt3 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

It is recommended to torify APT traffic on the host for several reasons:

  • Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
  • System updates leak sensitive security information such as package versions and differing patch levels. This information can aid targeted attacks.

Follow the instructions below to torify APT traffic in Debian. [1]

1 Install the apt-transport-tor package from the Debian repository so APT can route traffic through Tor.

sudo apt install apt-transport-tor

2 Edit the APT sources file so that all repository entries use only tor:// URLs.

Open file /etc/apt/sources.list in an editor with administrative ("root") rights.

1 Select your platform.

Non-Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Kicksecure logo Open File with Root RightsOnion network Logo for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

3 Open the file with root rights.

sudoedit /etc/apt/sources.list

Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Kicksecure logo Open File with Root RightsOnion network Logo for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
  • Template requirement: When using Qubes-Whonix, this must be done inside the Template.

3 Open the file with root rights.

sudoedit /etc/apt/sources.list

4 Notes.

  • Shut down Template: After applying this change, shut down the Template.
  • Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
  • Qubes persistence: See also Kicksecure logo Qubes PersistenceOnion network Logo
  • General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.

Others and Alternatives

2 Notes.

  • Example only: This is just an example. Other tools could achieve the same goal.
  • Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.

3 Open the file with root rights.

sudoedit /etc/apt/sources.list

3 Save the file and exit the editor to apply the changes.

Other URL Configurations

Alternatively, the tor+http:// URL scheme can be used.

apt-transport-tor can also be combined with apt-transport-https if a repository supports it, resulting in the tor+https:// URL scheme. [2]

Note that changing ftp.us.debian.org to http.debian.net selects a mirror close to the Tor exit node in use. Throughput is often surprisingly fast. [3] Also note that all public-facing debian.org FTP services were shut down on November 1, 2017archive.org iconarchive.today icon. [4]

Debian repositories can also be accessed via onion services at http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.oniononion icon. This is the most secure option, since no package metadata ever leaves Tor. [5] [6] [7] This URL scheme also provides protection in the event APT has a critical security vulnerability.

The following entries should work in the APT sources list:

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie main deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie-updates main deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security trixie/updates main #deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie-backports main