With the greatest respect and thanks to The Debian Project, The Tor Project,
The Whonix Team, Anonymous and the numerous Open Source Software
Creators, all of which made this tutorial possible.
The most current stable version of this guide will always be available at
https://anonguide.cyberguerrilla.org or http://yuxv6qujajqvmypv.onion.
1. Added missing step 43 in Chapter 3 to disable Tor from automatically running when the host
operating system starts.
1. Changed host operating system from Debian 7.11.0 (Wheezy) to Debian 8.7.0 (Jessie).
2. Updated chapters 1A-1C to use SSL to download Debian ISO files and checksum files.
3. Added instructions starting at step 11 in Chapter 3 to set the timezone to UTC for the host
operating system.
4. Added instructions starting at step 20 in Chapter 3 to enable system updates and software
installations for the Debian host operating system over Tor's hidden services.
5. Added instructions starting at step 25 of Chapter 3 to disable TCP timestamps.
6. Updated steps 33-36 to include links to Whonix version 13.0.0.1.4
7. Added instructions starting at step 43 of Chapter 3 to create bash commands that update or
install the Debian host operating system over Tor's hidden services. The bash commands
allow Tor to be started selectively on the host operating system, rather than always running
by default on boot.
8. Added instructions starting at step 81 of Chapter 3 to modify the privacy settings in the
Debian host operating system.
9. Added instructions starting at step 104 in Chapter 3 to use Tor hidden services for upgrades
and software installations in the Whonix Gateway.
10. Added instructions starting at step 125 in Chapter 3 to use Tor hidden services for upgrades
and software installations in the Whonix Workstation.
11. Updated Chapter 5 to reference how funds can be provided to VFEmail.net.
12. Added Appendix A: Troubleshooting to address a situation where GRUB fails to install on
various USB devices.
1. Updated Chapters 1A and 1C to replace the Unetbootin program with Win32DiskImager and
dd.
2. Updated step 2 in Chapter 1C to specify a keyserver for GPG in Ubuntu.
3. Updated step 70 in Chapter 2B to use /dev/urandom rather than /dev/random to create an
8192 byte keyfile.
4. Resized various images in Chapters 1D and 2B to cut down on file size and page length.
5. Updated steps 16-19 in Chapter 3 to point to the new download locations for Whonix.
6. Updated steps 77 and 88 in Chapter 3 to manually change the Whonix repositories to the
new Whonix repositories in order to avoid a confusing, but harmless, error.
Change log since version 1.1.1, July 2016.
1. Updated steps 5-6 in Chapter 4f to import Sukhbir Singh's public GPG key for verification
of Torbirdy.
2. Updated step 67 in Chapter 4f to disable various unneeded web features in Icedove.
1. Updated links throughout Chapters 1A-1C to point to Debian 7.11.0 for download.
2. Updated links in Chapter 3 to point to Whonix 13.
3. Updated Chapter 4D to use Hexchat due to change from Xchat to Hexchat with Whonix 13.
4. Updated Chapter 5 with new Cyberguerrilla.org donation link.
1. Updated links throughout Chapters 1A-1C to point to Debian 7.10.0 for download.
2. Warning added to Chapter 1B regarding issues for Apple computers.
1. Whonix image download links in Chapter 3 updated to use newly available encrypted
locations.
2. Various typographical errors corrected.
1. Changed various steps throughout Chapter 1 to direct to the Debian 7.9.0 distribution server
directory.
2. Changed steps 5-6 in Chapter 1C to link to the proper verification files.
1. Modified various steps in Chapters 3 and 4a to reflect minor changes related to Whonix 11.
2. Simplified Step 15 in Chapter 3 to make verification of the Whonix Signing Key easier.
1. Additional important notices regarding the choice of an installation method for Debian
and UEFI secure boot added at the beginning of Chapter 1.
2. Steps 10-13, 17-18, 20, 26, 32-33 modified in Chapter 3 to link or reflect Whonix 9.6.
3. Chapter 4 updated with link to Whonix forums for troubleshooting.
4. Chapter 4b updated to reflect current Tor Browser functionality.
5. Official distribution sites for this guide modified on first and last page.
6. Contact information added to first page.
7. Public GPG key and contact information mentioned at beginning and end of guide.
8. Whonix Forum link added in conclusion.
1. Various steps and links updated to work with Whonix 9 due to the Whonix Project's
retirement of Whonix 8.
1. Added stream isolation to Pidgin in Chapter 4e, Step 24. Previous users should make this
change.
2. Added Malware Mitigation method in new Chapter 4g.
3. Fixed wget as root oversight in Chapter 3.
4. Added various warnings at steps regarding the use of sudo.
5. Added notes of optional stopping points after the Debian installs in Chapters 2a and 2b.
6. Added steps on disabling Mini Toolbar for Full Screen Mode in Whonix Workstation.
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 7
Chapter 2A. Installing an Operating System on an Encrypted USB Flash Drive. . . Page 65
Chapter 4a. Proper Start Up and Shut Down Procedures for Whonix . . . . . . . . . . . Page 212
Chapter 4f. Encrypted email with Icedove and Enigmail. . . . . . . . . . . . . . . . . . . . . . Page 293
Chapter 5. Supporting the Projects that Made this Tutorial Possible. . . . . . . . . . . . . Page 413
One of the hardest things for many users of networked computers to understand is
security, privacy and anonymity. Many of those who wish to have security, privacy and anonymity
do not realize or understand how easy it is to lose all three as a result of making common
mistakes. This guide will teach you how to build a secure encrypted system that uses Debian and
Whonix to help maintain your privacy and anonymity.
Now, before you possibly close this document under the mistaken notion that you will not
understand how to use or install the system mentioned above, remember that this guide is written to
be beginner friendly. The truth is that, if you can follow the numbered steps, most of which are
accompanied by screen shots, you will find this process relatively straightforward. It will just take
some time. Do not let the length of this tutorial overwhelm you either. The length is due to the fact
that there are screen shots for almost every instruction. In the end, the time you invest in
building this system for yourself will be worth it.
The benefits of this system for those who wish to have privacy, security and anonymity are
numerous.
Your system will be encrypted with a very strong encryption technology. Thus,
unless you give someone your encryption password, they will not be able to read
what you keep on this system in a timely manner, if at all. This will protect your
data from entities that are made up of anything from powerful governments to
common thieves.
The system consists of a USB flash drive as either your main operating system
disk or as your boot disk. Since the device is portable, you can keep it on you at
all times and never have to worry about someone tampering with it to get your
encryption password by modifying the controlling software. Additionally, you
can easily lose it or destroy it, if you so desire, which will make the encrypted
data irrecoverable.
The Debian Operating System (OS), which will be your host OS, is free, open
source and has a good track record for security.
The Whonix OS, which will be the main OS you use on top of Debian, is a
customized version of Debian to work with the Tor network. Tor is one of the
more powerful anonymizing free proxy systems available to the public. While
using Whonix, everything you do will be forced through the Tor network,
making it very difficult for you to make a mistake and accidentally reveal your
identity through either mistaken use of, or an attacker's exploitation of, software.
The use of the web, the Internet Relay Chat, and numerous other Internet
services can be done by novice users without having to worry about leaking any
damaging information that would reveal their IP address through their computer.
If you are new to private and anonymous communications, you have everything to gain by
using this system. Everyone makes mistakes while they learn. This system will provide you with
the tools you need to learn while protecting you from the repercussions of common mistakes that
people make by not understanding technology. As you learn the more advanced uses of software,
this system will provide a very secure and anonymous base platform from which to operate.
Before you get started, you will need to acquire a USB flash drive. The following is a break
down of the two types of systems, their advantages and disadvantages, and what you will need to
install them.
If you wish to install this entire system on a USB flash drive (which is detailed in Chapter
2A beginning on page 65), you will potentially need the following, based on the method you
choose:
1 USB flash drive of at least 512 megabytes or a blank writable CD for the Debian
Installation Media Drive.
1 USB 3.0 flash drive of at least 32 gigabytes.
Access to computers with at least 2 gigabytes of RAM or more.
There are many benefits to this method. One, you have a mobile operating system that can
be used on just about any computer that has enough RAM. So long as you have the option to boot
from a USB flash drive on a computer in front of you, you can likely take advantage of your own
secure, private and anonymous OS. Two, it will not leave any fingerprints on the computer you use
it on if used properly. Three, the small size of USB flash drive makes it very easy to hide or
physically destroy/lose.
There are also a few possible disadvantages to this method. The first is that most small USB
Flash Drives are not very fast. Thus, the install time to copy the software may be longer.
Additionally, the use of the system may feel sluggish at times due to the slower disk read/write
speeds. The faster your USB flash drive is, the less noticeable any lag will be. Finally, if you use
this system on a machine with less than 2 gigabytes of RAM, the amount of memory caching that
will be required will greatly slow down the use of the system, if not make it unusable, depending on
the possible read/write speeds you have.
Operating System on an Encrypted Internal Hard Drive Partition with a USB Flash Drive
Boot Key
If you wish to install the main operating system on free space existing on your internal hard
drive (which is detailed in Chapter 2B on page 80), you will need the following:
A computer with an internal hard drive that has at least 32 gigabytes of free space for
the root operating system.
1 USB flash drive of at least 512 megabytes or a blank writable CD for the Debian
Installation Media Drive.
1 USB flash drive of at least 512 megabytes for the System Boot Key. (Choose one
with the smallest shape possible. Flash drives are available that are about the size of
the finger nail on your thumb.)
A back up of the existing files on your hard drive.
There are a few advantages to this method. The first and foremost is the speed. You will
not notice any sluggishness when you use the system and the install time will likely be much shorter
due to the faster disk writes. Another advantage is that you have the option of more hard drive
space than you will find on a number of USB flash drives for your operating system. Finally, if you
only have access to computers with less than 2 gigabytes of RAM, the faster read and write speeds
on an internal hard drive will allow the system to take advantage of memory caching without
making the system unbearably slow.
There are a few disadvantages as well. One is that your set up will be tied to one computer.
Thus, if you want a mobile set up, you'll need to install this system on a laptop. The other is that, if
anyone else looks at your computer with forensic equipment, they will be able to determine that you
have an encrypted partition on your hard drive. In various jurisdictions, that may trigger suspicion
or possible repercussions. This is a concern for some. However, if you are to turn on your computer
for someone who is forcing you to do so, it will boot right into Microsoft Windows, OS X or
Ubuntu without even providing a hint that there is an encrypted operating system installed on the
computer. Furthermore, if you do not have access to your USB Flash Drive Boot Key, you won't be
able to give them access to the encrypted drive anyways. Additionally, it is much more difficult to
hide or lose a large computer than a USB flash drive. However, if you lose the USB flash drive that
serves as your System Boot Key in this method, the data on your internal hard drive will be safely
(or frustratingly) irrecoverable. Finally, if you opt to use this method, please back up your
important files. You will be resizing an existing partition if you use this method which, in a worst
case scenario, can lead to data loss. However, such data loss is unlikely. So, don't let this be a
concern that would prevent you from trying this method.
The choice you make when it comes to the type of system you use will largely come down
to personal comfort and preference. You'll likely find arguments on the Internet for why one of the
two methods mentioned above is better than the other. I broke those arguments down to their basic
points by explaining the basic advantages and disadvantages of both. If you have the time, try both
methods and see which one you like the best. Remember that no system is perfect. Both of the
methods mentioned above are solid secure methods that will provide you with a great deal of
security if you act appropriately. In addition, remember that if you forget the encryption
password you choose for your operating system or if you lose your USB boot key, you will never be
able to recover what is on your encrypted drive. That can be a disadvantage for you if you still
want to access your operating system. However, it is a great advantage if someone else gets their
hands on your computer or USB Flash Drive.
A Note on VPNs.
Over the course of development of this guide, a lot of feedback has been received over the
lack of instructions for using a VPN. How much anonymity, privacy and security a VPN can
provide is a matter for debate that will not be addressed here, largely due to the complexity of the
issues involved. The main reason using a VPN is not covered in this guide is simple: for a beginner
(or anyone), choosing or purchasing the proper VPN in a way that may work properly is a difficult
task with too many variables in play that, if done wrong, could lead to de-anonymization (payment
method, server redirecting/poisoning, etc.). It is not the intention of this guide to stress that there is
no merit in using a VPN. In fact, if you live in a region where Tor is banned, using a VPN in your
connection chain may be a necessity. However, remaining anonymous and private with a VPN is
simply too complex of a task to cover in this guide at the moment. When the core points of the
guide are more set in stone, the authors may have the chance of addressing how to securely and
anonymously use a VPN.
The first and most important step is ensuring that you have a clean and secure operating
system. Most beginners use either a variant of Windows or Apple's OS X. This guide will not
debate the merits of which particular OS is better or more secure than the other. Rather, for the
purposes of maintaining your privacy and anonymity, you should simply assume that your operating
system is compromised already. A compromised operating system will render everything done later
in this tutorial pointless. So, the best thing for you to do is install a new operating system.
First and foremost, you will probably be learning to use a new operating system. In this
tutorial, the OS you will be using is Debian, a well known and very good Linux distribution. Do
not be intimidated by this. It's much easier than you think and, by the time you've gotten used to it,
you will prefer it over anything else. Linux provides much greater privacy and anonymity than the
two other dominant operating systems ever will. Since the purpose of this tutorial is to teach you
how to use a system that protects both your privacy and anonymity, it is time to embrace Linux.
Thus, the first step you need to take is to install Debian onto the USB flash drive that you intend to
use as the Debian Install Disk.
For the purposes of this section of the tutorial, please use a plugged in wired connection for
your Internet connection. It will make things easier for you.
IMPORTANT NOTE: One thing that was not covered in this guide in the past are cameras that are
connected to computers. Many computers now have them built in as a sales feature. BEFORE
YOU DO ANYTHING ELSE, IT IS STRONGLY RECOMMENDED THAT YOU DISABLE
ANY CAMERA CONNECTED TO YOUR COMPUTER AND COVER THE LENS WITH A
STRONG OPAQUE PIECE OF TAPE!
IMPORTANT NOTE FOR BOOTING: The majority of computers in production now use UEFI
instead of BIOS. One feature of UEFI is known as Secure Boot, which is often enabled by
default. If you discover that you cannot boot into the Debian Installer from your installation disk,
you need to enter your computer's setup as it first boots up and disable Secure Boot.
Additionally, if you plan to install the entire operating system to an external USB disk, you may need
to enable a BIOS Compatibility Mode setting if your computer uses UEFI instead of BIOS.
Chapter 1A. Manual Download and Verification of Debian on Microsoft Windows
2. When the web page opens, click on $0 for the donation amount and then click on
Download.
Note: The version number in the download link for GPG4Win may be higher than what is
displayed in this guide. This is not important.
5. When asked if you wish to allow the program to make changes, click yes.
If you have a 32 bit CPU in your computer, right-click on the file entitled debian-7.11.0-
i386-netinst.iso and choose save target as in the context menu that appears.
If you have a 64 bit CPU in your computer, right-click on the file entitled debian-7.11.0-
amd64-netinst.iso and choose save target as in the context menu that appears.
17. In the next window that appears, click on the Downloads folder on the left side of the
window and then click the Save button.
18. Now, download the file that contains the hashes that will be used to verify the Debian ISO
image you just downloaded. Right-click on the file entitled SHA256SUMS and choose
Save target as in the context menu that appears.
19. In the next window that appears, click on the Downloads folder on the left side of the
window and then click the Save button.
20. Next, download the file that will be used by GPG to verify the authenticity of the
SHA256SUM file. Right-click on the file entitled SHA256SUMS.sign and choose Save
target as in the context menu that appears.
21. In the next window that appears, click on the Downloads folder on the left side of the
window and then click the Save button.
22. If you are using Windows 8 or above, click on your Windows start key in the lower left
corner of your Desktop.
If you are using a version of Windows that is older than Windows 8, press the Windows Key
(the one with the Microsoft logo) + R to open a Run dialogue window. Then type cmd
in the field next to Open and press enter or click OK.
23. Change to your Downloads folder. Type cd Downloads and press enter.
24. Now, you need to import the GPG public key to use in the verification process. Type
gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys
DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
If you have successfully imported the Debian GPG key, your screen will look similar to the
screen shot below. If you receive an error, make sure you entered the long string of
characters after --recv-keys above correctly and repeat the command.
25. Next, verify the fingerprint of the Debian CD signing key. Type
gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
If you imported the correct GPG key, your screen should look like the one below.
26. Now, verify that checksum file you downloaded. Type gpg -v SHA256SUMS.sign and
press enter.
The output should inform you that the file is verified by a Good signature from Debian
CD signing key <debian-cd@lists.debian.org>. However, if it says BAD signature, one
of the files may have been tampered with or is corrupted. If so, download
SHA256SUMS and SHA256SUMS.sign from debian.org again as described in steps 17-21
and restart from this step.
Note: You can ignore the warning that the key is not certified with a trusted signature.
This is not relevant for this process.
27. Next, type the command type SHA256SUMS |findstr netinst > sha256.sum and press enter.
Note: The symbol before findstr in the line to type above is the pipe character and looks
different than it will on your screen due to the font used. On your keyboard, it often looks
like a vertical line. It is generally accessed by holding the SHIFT key and typing \ which
is often located above the enter key. It looks as it should in the screenshot below.
28. Now, verify your Debian ISO image. Type
"C:\Program Files\GNU\GnuPG\sha256sum.exe" -c sha256.sum and press enter.
Note: You need to type the double quotation marks around the program path in this instance.
ADDITIONAL NOTE: This guide uses Windows 8.1. If you are using an older version of
Windows and the above command did not work, you may need to type
"C:\Program Files (x86)\GNU\GnuPG\sha256sum.exe" -c sha256.sum and press enter.
You should receive a message informing you that the Debian ISO image you downloaded is
OK.
If you receive a message that the verification FAILED, your Debian ISO image may
have been tampered with or is corrupted. Re-download the Debian ISO image as
described in step 16 and come back to this step.
NOTE: If you intend to use a CD/DVD as your install disk, burn the Debian ISO image to
the disk and continue on to Chapter 1D. The remaining steps only apply if you intend to use
a USB disk as your Debian Install disk.
30. You will be taken to a page where your download will start in a few seconds. When the
download dialogue appears, click the Save button.
31. When the download has completed, click on the Run button to open Win32 Disk Imager.
32. When asked if you want to allow the program to make changes to your computer, click the
Yes button.
33. When the Win32 Disk Imager installation window appears, click the Next button to
continue.
34. On the next screen, click the radio button next to I accept the agreement and then click the
Next button.
37. Next, click the check box next to Create a desktop icon and click the Next button.
38. When the next window appears, click on the Install button.
39. Next, remove the check marks next to View README.txt and Launch
Win32DiskImager. Then, click the Finish button.
40. Now, plug in the USB disk you wish to use as your Debian install disk and double click
on the Win32DiskImager icon on your desktop to run the program.
41. When the User Account Control window appears, click on the Yes button.
42. After the program opens, click on the folder icon pictured below.
43. Next, when the Select a disk image window appears, click on the arrow next to Disk
Images (*.img *.IMG) and select *.*.
44. Next, click on Downloads on the left hand side of the window. Then, select your Debian
installer ISO image. Finally, click the Open button.
45. Next, make sure the USB disk you wish to use as the Debian install disk is selected under
Device and then click the Write button. NOTE: ANY DATA CURRENTLY ON THE
USB DISK WILL BE ERASED. IF YOU HAVE IMPORTANT DATA ON THE DISK,
BACK UP THE DATA BEFORE COMPLETING THIS STEP!
46. When the Confirm overwrite window appears, click Yes to start the creation of the
Debian installer disk on your USB drive.
47. When the process is complete, a Write Successful window will appear. Click the OK
button. Then restart your computer and continue from Chapter 1D.
Chapter 1B. Manual Download and Verification of Debian on OS X.
IMPORTANT NOTE: This part of the guide is experimental. It may not work as expected
and, in the worst case scenario, may result in an unbootable system. Additionally, the method
described in Chapter 2A may not work if you intend to use the drive on other machines. If you
attempt to use this guide with an Apple computer, PLEASE BACK UP ALL OF YOUR
IMPORTANT FILES BEFORE DOING ANYTHING ELSE TO AN EXTERNAL DRIVE IN
CASE YOUR APPLE COMPUTER BECOMES UNUSABLE!
1. Open the Safari web browser in your dock bar and go to gpgtools.org.
2. When the page opens, scroll down until you see the Download GPG Suite link. Click on
the Download GPG Suite link. Your download will start automatically and you will be
taken to a donation page.
3. When the download completes, click on the downloads icon in your Safari web browser
located in the upper right section of the browser and double click on the GPG Suite
installer.
4. When the GPG Suite installer opens, double-click on the Install button.
5. On the next screen, click Continue.
6. In the next window, click the Install button.
7. Next, you will be prompted for your password. Type your password and click Install
Software.
8. When install finishes, click the Close button. You can then close the GPG Suite installer
window.
9. You can close any GPG program windows and Safari if you wish. Then, click on the
Launchpad icon in your dock bar, type terminal and click on the Terminal icon that
appears.
10. When the terminal window appears, you will next import the Debian CD signing key. In the
terminal, type gpg --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
If the key import was successful, your output will look like the output pictured below.
11. Next, verify the fingerprint of the Debian CD signing key. Type gpg --fingerprint
DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
Your output should mirror what is pictured below. If it does not, start over from step 10.
14. Next, download the GPG signature file to verify that the Debian checksums haven't been
tampered with.
If you selected the 32 bit processor (i386) related checksums in the last step, type
curl -L -O https://cdimage.debian.org/mirror/cdimage/archive/8.7.0/i386/iso-cd/SHA512SUMS.sign
and press enter.
If you selected the 64 bit processor (amd64) related checksums in the last step, type
curl -L -O https://cdimage.debian.org/mirror/cdimage/archive/8.7.0/amd64/iso-cd/SHA512SUMS.sign
and press enter.
15. Now, verify your downloads. This will help ensure that you have a legitimate version of
Debian that has not been tampered with. In this step, you will verify the legitimacy of the
checksum file. Type gpg --verify SHA512SUMS.sign SHA512SUMS.
The output from the command above should look like the screenshot below with a good
signature. However, if the output states bad signature, your download or keyfiles have
been corrupted or tampered with. If you get a bad result, restart from step 12.
NOTE: You can ignore the warning that the key is not certified. This is not relevant in
the context.
16. Next, verify that the Debian ISO image is not corrupt and has not been tampered with. Type
cat SHA512SUMS |egrep netinst |shasum -c -.
Note: The symbol in the line to type above that looks like a vertical line is known as the
pipe character. On an Apple keyboard, it is generally accessed by holding shift and
pressing the \ key that is often above your enter key.
You should get a result saying the version of Debian you downloaded is OK like the
screen shot below. If it says otherwise, start again from step 12.
NOTE: The next steps are for copying the image to a USB disk. If you intend to burn the
Debian Installer ISO to a bootable CD, do so now and continue to Chapter 1D.
17. Next, you need to convert the Debian ISO image to a format that can boot from your USB
disk for a Mac. Type for f in debian-*-netinst.iso; do hdiutil convert -format UDRW -o
debian.img $f; done and press enter.
This will show you the accessible disk drives on your system. It will look like the screen
shot below. Remember what it looks like.
19. Next, insert your USB disk drive that you intend to use as the install disk and type diskutil
list and press enter again.
Your USB disk will appear as the disk you didn't see in the last step. It will likely have the
device name of /dev/disk2. However, depending on the number of disks or disk partitions
you have for your system, it may be a different device name. The easiest way to determine
which device marks your USB disk is based on the total storage capacity of the disk. For
the remaining steps in Chapter 1B, /dev/disk2 will be used strictly for example
purposes. You should replace /dev/disk2 with whatever device name your USB drive
is using.
20. Now, unmount your usb disk. This is required in order for the next step to work. Type
diskutil unmountDisk /dev/disk2 and press enter. Again, /dev/disk2 is only used for an
example purpose. Please substitute /dev/disk2 with the device name of your USB disk
if applicable.
21. Next, create your bootable disk. Type sudo dd if=debian.img.dmg of=/dev/disk2
bs=1m and press enter. Again, /dev/disk2 is only used for an example purpose. Please
substitute /dev/disk2 with the device name of your USB disk if applicable. BE
WARNED THAT THIS WILL ERASE THE CONTENTS OF WHATEVER DISK
YOU CHOOSE! Thus, it is imperative that you select the correct disk.
22. Finally, when the task of creating the bootable USB installation disk is completed, you will
be returned to a command prompt. Type diskutil eject /dev/disk2 and restart your
computer. Continue from Chapter 1D. Again, /dev/disk2 is only used for an example
purpose. Please substitute /dev/disk2 for the device name of your USB disk if
applicable.
After you are returned to your command prompt, restart your computer and continue from
Chapter 1D.
Chapter 1C. Manual Download and Verification of Debian on Ubuntu.
1. First, open up a terminal shell. Click on the Ubuntu Dash button in the top left corner of
your dock bar. Then, type terminal and click on the Terminal icon.
2. When the terminal opens, import the Debian CD signing key. Type gpg --keyserver
hkp://hkps.pool.sks-keyservers.net --recv-keys
DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
If the key import was successful, your output will look like the output pictured below.
3. Next, verify the fingerprint of the Debian CD signing key. Type gpg --fingerprint
DF9B9C49EAA9298432589D76DA87E80D6294BE9B.
Your output should mirror what is pictured below. If it does not, start over from step 2.
4. Next, download the Debian Installation ISO image.
5. Now, download the hash checksum file for verifying that the Debian Installation ISO image
you downloaded has not been tampered with or corrupted.
If you have downloaded the version for a 32 bit processor, type wget
https://cdimage.debian.org/mirror/cdimage/archive/8.7.0/i386/iso-cd/SHA512SUMS
and press enter.
If you selected the 32 bit processor related checksums file in the last step, type
wget https://cdimage.debian.org/mirror/cdimage/archive/8.7.0/i386/iso-cd/SHA512SUMS.sign
and press enter.
If you selected the 64 bit related checksums file in the last step, type
wget https://cdimage.debian.org/mirror/cdimage/archive/8.7.0/amd64/iso-cd/SHA512SUMS.sign
and press enter.
7. Next, verify the hash checksum file that will be used to verify the Debian ISO image. Type
gpg -v SHA512SUMS.sign and press enter.
The output from the command above should look like the screenshot below with a good
signature. However, if the output states bad signature, your download or keyfiles have
been corrupted or tampered with. If you get a bad result, restart from step 5.
NOTE: You can ignore the warning that the key is not certified. This is not relevant in
the context.
8. Next, verify that the Debian ISO image is not corrupt and has not been tampered with. Make
sure the terminal is in the directory that contains the ISO image and SHA512SUMS, then type
cat SHA512SUMS |grep netinst |sha512sum -c - and press enter.
Note: The symbol in the line to type above that looks like a vertical line is the pipe
character. On your keyboard, it often looks like a vertical line and is accessed by holding
the shift key and pressing the \ key, often located above the enter key.
You should get a result saying the file is OK like the screen shot below. If it says FAILED,
your Debian ISO image has either been tampered with or is corrupt. If it says the file could
not be found, the ISO is not in the current directory or has a different name; only an OK for
the netinst image counts. If your Debian ISO image does not pass this check, download Debian
again as described in Step 4.
NOTE: If you plan on burning the Debian Installation ISO image to a CD/DVD, do so now
and continue from Chapter 1D. The remaining steps are only applicable if you wish to use a
bootable USB drive for the Debian Installation ISO.
9. Next, type df -h and press enter. Note the output of your screen. It will look similar to
the screen shot below.
10. Now, plug in the USB drive you wish to use as your installation disk and click on the new
disk icon that appears in your application launcher if the disk does not automatically open.
Then, to determine the device name of your USB drive, type df -h in the terminal and
press enter again. Your USB drive will now display as the one you did not see in the step
before. It will likely appear as /dev/sdb1. However, this may differ based on your system
configuration. Make a note of this information.
11. Next, unmount your USB drive. Type sudo umount /dev/sdX1 and press enter. You
will likely be prompted for your password.
NOTE: /dev/sdX1 represents the name of the device you took note of in the previous step.
In the image below, /dev/sdb1 represents the USB disk. Thus, replace /dev/sdX1 with
the name of the device you noted in the previous step. If the drive has more than one
partition mounted, unmount each of them.
12. Now, write the Debian Installation ISO image to your USB drive using the command shown
in the image below. NOTE: THIS STEP WILL ERASE ALL CONTENTS ON THE TARGET
DRIVE SPECIFIED! IF YOU HAVE IMPORTANT DATA ON YOUR USB DRIVE, BACK IT
UP BEFORE CONTINUING. ADDITIONALLY, MAKE SURE YOU SELECT YOUR USB DRIVE!
NOTE: /dev/sdX represents the name of the device you took note of in the previous step.
In the image below, /dev/sdb represents the USB disk. Thus, replace /dev/sdX with the
name of the device you noted in the previous step. Do not include the number after the
device name in this step. It should be /dev/sdX and not /dev/sdX1: the image is written to
the whole drive, not to one partition on it.
13. When the process above finishes, you will be returned to a command prompt. Restart your
computer and continue from Chapter 1D.
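The verification and write steps above (2 through 12), as an added example that is not part of the original guide: a small POSIX shell script that performs the fingerprint comparison, the signature check, the checksum check and the write to the USB drive in one run, and stops at the first failure. It assumes the key from step 2 has already been imported, that gpg, sha512sum, dd and sudo are present (all are on Ubuntu), and that the ISO, SHA512SUMS and SHA512SUMS.sign sit in one directory. The script name verify-debian-iso.sh and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: scripted, fail-closed version
# of Chapter 1C steps 3, 7, 8, 11 and 12. The fingerprint is compared byte for
# byte instead of by eye, the signature is checked against the checksum file by
# name, and the ISO is only written if every check passed.
# Assumptions: gpg, sha512sum, dd and sudo are installed and the key from
# step 2 is already in the keyring.
set -eu

# Fingerprint of the Debian CD signing key, exactly as given in step 2.
DEBIAN_CD_KEY="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# $1 = expected fingerprint, $2 = output of `gpg --with-colons --fingerprint KEY`.
# The machine-readable "fpr" record carries the 40 hex digits in field 10 and
# the first one belongs to the primary key. Return 0 only on an exact match.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    actual=$(printf '%s\n' "$2" | awk -F: '$1 == "fpr" { print $10; exit }' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# $1 = checksum file. Verify its detached signature (step 7). gpg exits non-zero
# on a bad signature. The "not certified" warning is expected: the key was
# authenticated by its fingerprint, not by a web-of-trust signature.
verify_sums_signature() {
    gpg --verify "$1.sign" "$1"
}

# $1 = checksum file, $2 = directory holding the ISO. Pick the netinst line out
# of SHA512SUMS (step 8) and let sha512sum check the file that line names.
verify_iso_checksum() {
    line=$(grep 'netinst' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no netinst entry in $1" >&2; return 1; }
    ( cd "$2" && printf '%s\n' "$line" | sha512sum -c - )
}

# $1 = ISO file, $2 = whole-disk device such as /dev/sdb (step 12). Everything
# on the target is destroyed, so refuse partition names, non-block devices and
# any device that still has a partition mounted (how the wrong disk gets hit).
write_installer_image() {
    case "$2" in
        /dev/sd[a-z]) ;;
        *) echo "refusing: $2 is not a whole /dev/sdX device" >&2; return 1 ;;
    esac
    [ -b "$2" ] || { echo "refusing: $2 is not a block device" >&2; return 1; }
    if grep -q "^$2" /proc/mounts; then
        echo "refusing: a partition of $2 is still mounted; unmount it first (step 11)" >&2
        return 1
    fi
    sudo dd if="$1" of="$2" bs=4M conv=fsync status=progress
}

# $1 = directory with SHA512SUMS, SHA512SUMS.sign and the ISO; $2 = optional target device.
verify_and_write() {
    fp=$(gpg --with-colons --fingerprint "$DEBIAN_CD_KEY" 2>/dev/null || true)
    fingerprint_matches "$DEBIAN_CD_KEY" "$fp" \
        || { echo "FAIL: key fingerprint does not match; do not continue" >&2; return 1; }
    verify_sums_signature "$1/SHA512SUMS" \
        || { echo "FAIL: bad or missing signature on SHA512SUMS" >&2; return 1; }
    verify_iso_checksum "$1/SHA512SUMS" "$1" \
        || { echo "FAIL: ISO checksum mismatch; download it again (step 4)" >&2; return 1; }
    echo "OK: fingerprint, signature and checksum all verified"
    if [ "$#" -ge 2 ]; then
        # Take the ISO file name from the checksum line rather than guessing it.
        iso=$(awk '/netinst/ { print $2; exit }' "$1/SHA512SUMS")
        write_installer_image "$1/$iso" "$2"
    fi
}

# Usage: sh verify-debian-iso.sh ~/Downloads            (verify only)
#        sh verify-debian-iso.sh ~/Downloads /dev/sdb   (verify, then write)
if [ "$#" -ge 1 ]; then
    verify_and_write "$@"
fi
```

The fingerprint comparison uses gpg's machine-readable --with-colons output so the match is exact rather than by eye; a single wrong digit fails. write_installer_image refuses a partition name such as /dev/sdb1 and any device that still has a mounted partition, which are the two usual ways the wrong disk gets overwritten.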
Chapter 1D. Installing the Debian Host Operating System.
1. When your computer is first starting up, you need to boot from either your CD/DVD or USB
Flash Drive that you used in the previous chapter to create your Debian Installation Disk.
Thus, you need to get to a boot menu. The method for doing this differs on various
computers. For example, on a Dell, the boot menu is usually activated by pressing the F12
key as the computer is first starting up. On others, it can be the ESC key. On an Apple, hold
the "Option" key while the computer is starting and release it when the Startup Manager
loads. On whatever platform you use, once you get to a boot menu, select the CD/DVD or USB
flash drive that you prepared in the previous chapters.
When you boot from your Debian Installer CD/DVD or USB disk, you should see a screen
like the one below. Choose Install.
2. On the next screen that appears, choose the default language you want to use and press
enter.
3. On the next screen, choose your default location and press enter.
4. On the following screen, choose the settings for your keyboard layout and press enter. Debian
will likely make a recommendation based on your earlier language choice which you should
accept.
5. The Install process will now perform a number of tasks and attempt to automatically configure
your network. If you are using a wired connection, everything will likely be configured
automatically and you can continue to the next step. If you also have a wireless network card,
you may be prompted by the installer to choose the network card to use. If prompted to choose a
primary network interface, select eth0 and press enter.
While not recommended, if you are going to use a wireless connection for the installation
process, choose wlan0, press enter and continue through the various prompts that will ask
for your wireless network name (SSID), password, etc. During this step, you may get a warning
stating that you need to install firmware from a disk in order to get the wireless card working
properly. If prompted to do that, choose no, and use a wired connection instead. You can
search for your corresponding wireless drivers, in addition to the instructions for installing
them, later.
6. Eventually you will be prompted to enter the hostname for this system. Leave this as the
default which is debian and press enter.
7. The next prompt will ask you for your domain name. Leave this blank and press enter.
8. The next screen is where you choose the password for your root account. Leave the password
blank so that the root account is disabled and press enter. The root account has the highest
access on a Debian system. It is not necessary to have the root account enabled; a usable root
password is one more credential that can be guessed or leaked. When the root password is left
blank, the Debian installer adds the first user you create to the sudo group, so you will be
able to execute any command with root privileges by using the sudo command later.
9. The next screen will prompt you to retype your root password. Simply press enter to continue
on to the next screen.
10. The next screen will ask you for the full name of the new user. Leave this blank and press
enter.
11. The next screen will prompt you to enter a Username for your account. Type user and press
enter.
12. The next screen will prompt you to choose a password for the new user. It is very important
for you to choose a strong password. An 8 character password is never a good password. Rather,
choose something that is easy to remember but is also long. Make use of upper case and lower
case letters, symbols and numbers.
There are numerous different mental tricks people use to create strong but memorable
passwords. Some people use a combination of random words that they can easily remember
padded with symbols in between like Horse-Atlant1c!Ocean-Cheese. Others use a
nonsensical phrase. Most of the strength of the example comes from its length and from the
four words being chosen independently of one another, not from the 1 in place of an i;
password crackers try such substitutions and word combinations routinely, so the words must
be your own random choice, not a well-known phrase. A password of this shape is long enough
that a brute force guess based attack is not practical. For any password you create and need
to remember, use such a method. Never reuse an example printed in a guide, including this
one. Just don't forget it. Create your strong password and press enter.
13. When prompted to retype the password, retype it and press enter.
14. Depending on your choice of region, you may be asked to select a time zone. If prompted for
such, select your corresponding time zone.
You have completed the pre-installation steps of this tutorial. Continue to Chapter 2.
Chapter 2. Choosing your Installation Method
Now you have reached the point where you need to decide how you want to install your new
system. As detailed in the introduction to this tutorial, one involves installing the entire operating
system on an encrypted USB flash drive. The other involves installing the majority of the operating
system on an encrypted internal hard drive partition and using a USB flash drive as a boot key with
an encrypted key file to unlock the encrypted internal hard drive.
If you wish to use a USB flash drive for the entire operating system, continue on to
Chapter 2A beginning on the next page.
If you wish to install the operating system on an encrypted internal hard drive partition and
access it with a USB flash drive boot key, continue this tutorial beginning at Chapter 2B on page 80.
Chapter 2A. Installing an Operating System on an Encrypted USB Flash Drive
1. When prompted to select a partitioning method. Choose Guided use entire disk and set
up encrypted LVM and press enter.
2. On the next screen that appears, choose your USB Flash Drive and press enter. You will
likely see other choices of disks that differ from the picture below. Make sure you choose
your USB Flash Drive since whichever disk you choose will be erased. The amount of disk
space available on each drive can be used to determine which is your USB Flash Drive.
Also, make note of your USB Flash Drive's device name and save it for later. You will
need to know it later in this tutorial. In the example below, the device name is sdc. It
may be different for you.
NOTE: If you are installing Debian from a bootable USB drive, you must use a USB
drive that is different than your Debian Installation media drive. Otherwise, if you
attempt to install Debian on your Debian Installation media drive, the installation process
will eventually fail.
3. On the next screen, select the entry that says All files in one partition (recommended for
new users) and press enter.
4. You will next be prompted to Write the changes to disks and configure LVM. Select Yes
and press enter.
5. Next, the installation wizard will eventually begin automatically erasing data from your
USB Flash Drive. This can take a very long time. If you've ever used the drive to store data
that is related to your personal identity, it is probably best to let this process finish. However,
if it is a new drive, or you don't have the patience, you can select cancel and continue to
the next step. All new data that is written to your USB Flash Drive will be encrypted.
However, old data on the disk left over from before you encrypted it may be discoverable
through digital forensics.
6. On the next screen, you will be prompted for your encryption passphrase. It is imperative
that you choose a very strong passphrase! Otherwise, encrypting your flash drive will
simply amount to a waste of time! As was discussed earlier in step 12 of chapter 1D, an 8
character password is never a good passphrase. This passphrase is the only thing standing
between someone who has physical possession of the drive and all of its contents, and
guessing against it offline is not slowed by any lockout or rate limit. Since the Debian
Installer is making use of the cryptsetup program and the LUKS encryption system, the
following breakdown of the importance of a strong passphrase comes from the cryptsetup
developer.
First, passphrase length is not really the right measure, passphrase entropy is. For example,
a random lowercase letter (a-z) gives you 4.7 bit of entropy, one element of a-z0-9 gives you
5.2 bits of entropy, an element of a-zA-Z0-9 gives you 5.9 bits and a-zA-Z0-9!@#$%^&:-+
gives you 6.2 bits. On the other hand, a random English word only gives you 0.6...1.3 bits of
entropy per character. Using sentences that make sense gives lower entropy, series of
random words gives higher entropy. Do not use sentences that can be tied to you or found on
your computer. This type of attack is done routinely today. To get reasonable security for the
next 10 years, it is a good idea to overestimate by a factor of at least 1000.
Then there is the question of how much the attacker is willing to spend. That is up to your
own security evaluation. For general use, I will assume the attacker is willing to spend up to
1 million EUR/USD. Then we get the following recommendations:
LUKS: Use > 65 bit. That is e.g. 14 random chars from a-z or a random English sentence
of > 108 characters length.
If paranoid, add at least 20 bit. That is roughly four additional characters for random
passphrases and roughly 32 characters for a random English sentence.
https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#5._Security_Aspects
Not in the mood to do math? The lesson to take away is that length, randomness and
nonsense matter. They will get you more entropy. There are many tricks people use to come
up with a nonsensical passphrase that they remember. For example, you could use a play on
a favorite line from a movie you enjoy combined with a date you would remember like If
My Calculations Are Proper, When This Baby Hits 88 Miles Per Hour, You're Going 2 See
Some Serious Business! January-1-2013?. Treat this as a template rather than as a
passphrase to copy: it is printed in this guide, and the quote it is built on appears in
cracking wordlists, so most of its strength comes from the words you changed, the date and
the punctuation. Per the numbers above, a sentence of this length that is altered in ways
only you would know, with a date that cannot be looked up about you, has plenty of entropy.
7. On the next screen, you will be prompted to confirm your encryption passphrase. Retype it
and press enter.
8. On the next screen, select Finish partitioning and write changes to disk and press enter.
9. The next screen will ask if you want to write the changes to disks. Select yes and press
enter.
10. In the next screen, you will see a progress bar indicating that it is installing the base
system. This could take awhile. When it finishes, it will prompt you to choose a Debian
archive mirror country. A selection will likely be chosen by default based on the location
you selected earlier. Select your region and press enter.
11. The next screen will ask you to choose a Debian archive mirror server. Again, you can
just choose what the system selected by default by pressing enter.
12. The next screen will ask you if you need to use a proxy to access the Internet. If you don't
know the answer to that one, you don't need to use a proxy to access the Internet. Press
enter to continue.
13. The installer will now begin retrieving files and installing the required packages for the
OS. At the next prompt, it will ask you if you want to participate in the package usage
survey. Select no and press enter.
14. The installer will again perform some tasks until it prompts you to choose software to
install. You only need to install the Debian Desktop Environment and Standard System
Utilities. Unselect the other chosen items by moving the arrow key until they are
highlighted and pressing the space bar. When the * disappears, the item is unselected.
When your screen looks like the screen shot below, press enter to continue.
NOTE: If you will need to print documents from the Debian Operating System you are
installing, you can leave the print server selected. However, if you will not be printing
documents, there is no need to enable it.
15. The installer will now begin retrieving files and will then install them. This will take a long
time. Eventually, the process of installing the GRUB boot loader will begin. If GRUB
detects other operating systems, you may be presented with a screen asking if you want to
install the GRUB boot loader to the master boot record. Choose no and press the
enter key. If you do not see this screen, continue to the next step.
16. Next, you will be asked if you want to Install the GRUB boot loader on a hard disk. In
step 2 of this chapter, you were instructed to make a note of the device name that was the
USB flash drive where you were installing Debian. The example used in this tutorial was
sdc. Scroll down to the name of the device where you installed Debian and press enter.
17. Now the installer will go through the process of finishing the installation. You may reach a
screen that asks if the system clock is set to UTC. Select no and press enter. If you
don't see this screen, skip to the next step.
18. Now the installer will go through the process of finishing the installation. You will
eventually be informed that the installation is complete. Select continue and press enter.
19. The installer will eventually reboot your computer. As your computer restarts, you need to
get into a boot menu again in the same manner that you did in step 1 of chapter 1D. When
you activate the boot menu, choose your USB flash drive on which you installed Debian.
Eventually, you will be prompted to choose a boot selection. It will default to Debian and,
thus, you can either press enter or wait for the timer to run out. The example screen below
may not look exactly the same as yours. But, it is essentially the same thing.
NOTE: If the installation process took long enough to make you run out of time, you can
power off your computer at this point. You can then continue from this step at a later time.
TROUBLESHOOTING NOTE: If you do not get to the GRUB menu pictured above
after trying to boot from your USB disk and are presented with a black screen or flashing
cursor, please refer to Appendix A of this guide at page 415. You have most likely encountered
a fairly common bug involving GRUB and Debian. The fix is fairly simple.
20. The next screen will prompt you to enter passphrase. This is the encryption passphrase
you created in step 6 of this chapter. You will not see any symbols on your screen when you
type your password. While this may seem odd, it is for security reasons. Someone watching
your screen won't be able to determine the length of your passphrase. Type your passphrase
and press enter.
21. Debian will now go through its boot process. Eventually you will reach the login window.
When you reach the login window, press enter or click on user.
22. On the next screen, you will be prompted for your password. Before typing your password,
click on the gear icon next to the Sign In button and select GNOME Classic. Then, type
the password you created for user in step 12 of chapter 1D and press enter. Debian will
use GNOME Classic for every other login until you choose something different.
Congratulations! You now have a fully functional encrypted USB flash drive running Debian. At
this point, continue the tutorial starting from Chapter 3 at page 130.
Chapter 2B. Installing the Operating System on an Encrypted Internal Hard Drive Partition
with a USB Flash Drive Boot Key
As was stated earlier, if you have any sensitive files you may be worried about losing,
please back them up before beginning this process if you haven't already. While it is unlikely
that anything bad will happen, since you will be resizing an existing partition on your hard drive,
there is a chance of data loss. With that out of the way, let's begin.
1. When prompted to select a partitioning method. Choose manual and press enter.
2. First, you need to prepare the USB Flash Drive to use as the Boot Key Disk, and make a note
of its device name. In the image below, the USB Flash Drive used as the Boot Key Disk as an
example is displayed as SCSI5 (0,0,0) (sdc) and the internal hard drive where the Debian
root system will be installed is SCSI1 (0,0,0) (sda). Of particular importance is the device
name of the flash drive which will be your Boot Key Disk. In the example below, it is
sdc. However, it may be different on your computer. Look for the drive that matches the
size of your intended USB boot key to make your selection. Make note of your USB Flash
Drive's device name and save it for later. You will need to know it later in this tutorial.
Select the flash drive you desire to use as the Boot Key Disk and press enter.
NOTE: If you are installing Debian from a bootable USB drive, you must use a USB
drive that is different than your Debian Installation media drive. Otherwise, if you
attempt to install Debian on your Debian Installation media drive, the installation process
will eventually fail.
3. On the next screen that appears, choose yes and press enter.
4. On the next screen, you will now see an entry labeled as FREE SPACE. Select that entry
and press enter.
5. On the next screen, choose Create a new partition and press enter.
6. In the next screen, you will be asked to choose a new partition size. You can accept what is
already selected by the installer. Simply press enter to continue.
7. The next screen will ask you to choose the type for the new partition. Choose Primary
and press enter.
8. The next screen is for choosing your partition settings. There are many options here.
However, in this step, you only need to concern yourself with one. You need to change the
mount point to /boot. So, choose Mount point and press enter.
9. On the next screen, choose /boot static files of the boot loader and press enter.
10. On the next screen, choose Done setting up the partition and press enter.
11. In the next step, you will begin the process of resizing the partition on your internal hard
drive so you can create an encrypted partition for the Debian operating system. In this
tutorial, the internal hard drive is sda. On your computer, the device name for your
internal hard drive may be different. You may already have a number of partitions residing
on sda. Choose the largest one and shrink it by the size you wish to allow for Debian.
However, before doing this, make sure there is enough free space on the drive to allow
you to shrink it. Select the drive to resize and press enter.
12. On the next screen, select the resize the partition option and press enter.
13. On the next screen, choose yes and press enter.
14. On the next screen, you will be prompted to enter a new partition size. 64 gigabytes should
be sufficient for your purposes. At a minimum, use 32 gigabytes of space. However, if
you wish to make it larger than 64 gigabytes and have the space, feel free to do so. In the
example below, 64 gigabytes is chosen for what will be our encrypted operating system disk.
Since the maximum size of the disk in the example is 532.9 GB, subtracting 64 GB results
in 468.9 GB. Use the same math to determine what you should type in the field for the new
partition size and press enter when done. This process may take a bit of time.
15. On the next screen, you will see a new entry marked FREE SPACE under (sda) with the
size you chose for your encrypted disk. Select it and press enter.
16. On the next screen, select Create a new partition and press enter.
17. On the next screen, the maximum size for the disk will already be selected. Press enter to
continue.
19. On the next screen, we need to set this partition to be used for encryption. Select the Use
as: Ext4 journaling file system entry and press enter.
20. On the next screen, choose physical volume for encryption and press enter.
21. This step is optional. In the next screen, there is an option to erase data which is set to
yes by default. If you choose to erase data, the installer will overwrite the full partition
with pseudo-random data. If you want the tightest security, this is a wise step since it will be
even more difficult for someone who has possession of your hard drive to successfully use
forensics to decode it. However, this process can take a very long time. To skip erasing
data, select Erase data: and press enter. The option will change to no. If you wish to
erase data, skip this step and proceed to step 22.
22. In this step, select done setting up the partition and press enter.
23. On the next screen, select configure encrypted volumes and press enter.
26. If you opted to erase data when you set up the encrypted partition in step 21, you will be
asked again if you want to erase the data. Choose yes if you do and press enter. This
process can take hours. If you opted to not erase data, this screen will not appear and you
can continue to step 27.
27. On the next screen, you will be prompted for your encryption passphrase. It is imperative
that you choose a very strong passphrase! Otherwise, encrypting your hard drive will
simply amount to a waste of time! As was discussed earlier in step 12 of chapter 1D, an 8
character password is never a good passphrase. This passphrase is the only thing standing
between someone who has physical possession of the drive and all of its contents, and
guessing against it offline is not slowed by any lockout or rate limit. Since the Debian
Installer is making use of the cryptsetup program and the LUKS encryption system, the
following breakdown of the importance of a strong passphrase comes from the cryptsetup
developer.
First, passphrase length is not really the right measure, passphrase entropy is. For example,
a random lowercase letter (a-z) gives you 4.7 bit of entropy, one element of a-z0-9 gives you
5.2 bits of entropy, an element of a-zA-Z0-9 gives you 5.9 bits and a-zA-Z0-9!@#$%^&:-+
gives you 6.2 bits. On the other hand, a random English word only gives you 0.6...1.3 bits of
entropy per character. Using sentences that make sense gives lower entropy, series of
random words gives higher entropy. Do not use sentences that can be tied to you or found on
your computer. This type of attack is done routinely today. To get reasonable security for the
next 10 years, it is a good idea to overestimate by a factor of at least 1000.
Then there is the question of how much the attacker is willing to spend. That is up to your
own security evaluation. For general use, I will assume the attacker is willing to spend up to
1 million EUR/USD. Then we get the following recommendations:
LUKS: Use > 65 bit. That is e.g. 14 random chars from a-z or a random English sentence
of > 108 characters length.
If paranoid, add at least 20 bit. That is roughly four additional characters for random
passphrases and roughly 32 characters for a random English sentence.
https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#5._Security_Aspects
Not in the mood to do math? The lesson to take away is that length, randomness and
nonsense matter. They will get you more entropy. There are many tricks people use to come
up with a nonsensical passphrase that they remember. For example, you could use a play on
a favorite line from a movie you enjoy combined with a date you would remember like If
My Calculations Are Proper, When This Baby Hits 88 Miles Per Hour, You're Going 2 See
Some Serious Business! January-1-2013?. Treat this as a template rather than as a
passphrase to copy: it is printed in this guide, and the quote it is built on appears in
cracking wordlists, so most of its strength comes from the words you changed, the date and
the punctuation. Per the numbers above, a sentence of this length that is altered in ways
only you would know, with a date that cannot be looked up about you, has plenty of entropy.
28. On the next screen, type your passphrase again to confirm it and press enter.
29. On the next screen, choose Configure the Logical Volume Manager and press enter.
32. At the next screen, you will be asked to choose a volume group name. Type debian-vg
and press enter.
33. On the next screen, you will be asked to choose devices for the new volume group. You
want to choose your encrypted partition. It will appear as
/dev/mapper/PartitionDeviceName_crypt. In the example below, it is
/dev/mapper/sda5_crypt. Select the box next to that entry and press the space-bar to
enable it. When you enable it, an * will appear in the box. Then press enter to
continue.
34. On the next screen, select create logical volume and press enter.
35. On the next screen, press enter to select debian-vg and continue.
36. At the next screen, you will be prompted to create a logical volume name. Type root and
press enter.
37. At the next screen, you will be asked to enter the logical volume size. If you are installing
this on a computer with less than 2 gigabytes of RAM, you will need to create an
appropriately sized swap partition or the system will not work! If you need a swap
partition, a roughly 2 gigabyte partition will be more than safe (but, you may choose a
smaller swap size depending on how much RAM is in your computer). Subtract 2 gigabytes
from the default logical volume size and enter that number for your logical volume size if
you need a swap partition. In the example below, the number would be changed from
63963 to 61963. After you have entered the new size, press enter to continue.
If you do not need a swap partition, accept the default entry. Press enter and continue to
step 42.
38. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. Select create logical volume and press enter.
39. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. On the next screen, press enter to select debian-vg and
continue.
40. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. At the next screen, you will be prompted to create a logical
volume name. Type swap1 and press enter.
41. You only need to do this step if you need a swap partition. If you do not need a swap
partition, skip to step 42. Next, accept the default size and press enter.
42. On the next screen, select finish and press enter.
43. On the next screen, you will see a new entry for LVM VG debian-vg, LV root. Choose the
entry directly beneath it and press enter.
44. On the next screen, select Use as: do not use and press enter.
45. On the next screen, select Ext4 journaling file system and press enter.
46. On the next screen, select Mount point: none and press enter.
47. At the next screen, select / - the root file system and press enter.
48. At the next screen, select done setting up the partition and press enter.
49. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. If you created a
logical volume for your swap space, you will also see a new entry entitled LVM VG
debian-vg, LV swap1. Choose the entry directly beneath it and press enter.
50. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. On the next screen,
select Use as: do not use and press enter.
51. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. On the next screen,
select Swap area and press enter.
52. You only need to do this step if you created a logical volume for a swap partition. If you
did not create a logical volume for a swap partition, skip to step 53. At the next screen,
select done setting up the partition and press enter.
53. On the next screen, select finish partitioning and write changes to disk and press enter.
54. If you decided you did not need a swap partition, the next screen will inform you that you
haven't selected a partition for swap space and ask if you want to return to the partitioning
menu. Select no and press enter.
55. The next screen will ask if you want to write the changes to disk. Select yes and press
enter.
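A check to run once the new system boots, for both the encrypted USB layout of Chapter 2A (step 8 onward) and the boot-key layout set up in steps 1 through 55 above. This is an added example, not from the guide: it confirms that / really is a logical volume inside a LUKS container and, for Chapter 2B, that /boot (and therefore GRUB) is on a different physical disk than the encrypted root. A LUKS passphrase prompt at boot does not by itself prove either. It assumes util-linux findmnt and lsblk (present on Debian) and the single-disk volume group the installer creates here; the script name check-layout.sh and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the disk layout built
# in Chapter 2A/2B after the first boot. Assumes util-linux findmnt and lsblk
# and a volume group with one physical volume (what the installer creates here).
set -eu

# $1 = output of `lsblk -rsno TYPE <device>`: the device followed by everything
# it depends on, innermost first. Return 0 only for lvm -> crypt -> part, i.e.
# the logical volume sits on a dm-crypt mapping that sits on a partition.
chain_is_lvm_on_luks() {
    types=$(printf '%s\n' "$1" | tr -d ' \r' | grep -v '^$' | tr '\n' ',')
    case "$types" in
        lvm,crypt,part,*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1, $2 = outputs of `lsblk -rsno NAME <dev>` for two devices. The last line
# of each chain is the physical disk; return 0 if the two disks differ.
on_different_disks() {
    d1=$(printf '%s\n' "$1" | grep -v '^$' | tail -n 1)
    d2=$(printf '%s\n' "$2" | grep -v '^$' | tail -n 1)
    [ -n "$d1" ] && [ -n "$d2" ] && [ "$d1" != "$d2" ]
}

# Both layouts: / must be LVM on LUKS.
check_root_encrypted() {
    root_dev=$(findmnt -no SOURCE /)
    chain_is_lvm_on_luks "$(lsblk -rsno TYPE "$root_dev")" \
        || { echo "FAIL: / ($root_dev) is not an LVM volume on a LUKS container" >&2; return 1; }
    echo "OK: / on $root_dev is LVM on LUKS"
}

# Chapter 2B only: /boot must be a separate filesystem on the USB boot key,
# not on the internal disk that holds the encrypted partition.
check_boot_key_separate() {
    root_dev=$(findmnt -no SOURCE /)
    boot_dev=$(findmnt -no SOURCE /boot || true)
    [ -n "$boot_dev" ] || { echo "FAIL: /boot is not a separate filesystem" >&2; return 1; }
    on_different_disks "$(lsblk -rsno NAME "$root_dev")" "$(lsblk -rsno NAME "$boot_dev")" \
        || { echo "FAIL: /boot ($boot_dev) shares a disk with the encrypted root" >&2; return 1; }
    echo "OK: /boot on $boot_dev is on a different disk than the encrypted root"
}

# Usage: sh check-layout.sh 2a     (Chapter 2A: encrypted USB drive)
#        sh check-layout.sh 2b     (Chapter 2B: also check the boot key)
case "${1:-}" in
    2a) check_root_encrypted ;;
    2b) check_root_encrypted && check_boot_key_separate ;;
esac
```

The two parsing functions take the text that lsblk prints rather than calling it themselves, so the expected chains (lvm, crypt, part, disk for the root; a partition directly on a different disk for /boot) can be read off and compared without guessing at device names.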
56. In the next screen, you will see a progress bar indicating that it is installing the base
system. This could take awhile. When it finishes, it will prompt you to choose a Debian
archive mirror country. A selection will likely be chosen by default based on the location
you selected earlier. Select your region and press enter.
57. The next screen will ask you to choose a Debian archive mirror server. Again, you can
just choose what the system selected by default by pressing enter.
58. The next screen will ask you if you need to use a proxy to access the Internet. If you don't
know the answer to that one, you don't need to use a proxy to access the Internet. Press
enter to continue.
59. The installer will next go through the process of configuring apt and installing various
software. At the next prompt, you will be asked if you want to participate in the package
usage survey. Select no and press enter.
60. The installer will again perform some tasks until it prompts you to choose software to
install. You only need to install the Debian Desktop Environment and Standard System
Utilities. Unselect the other chosen items by moving the arrow key until they are
highlighted and pressing the space bar. When the * disappears, the item is unselected.
When your screen looks like the screen shot below, press enter to continue.
NOTE: If you will need to print documents from the Debian Operating System you are
installing, you can leave the print server selected. However, if you will not be printing
documents, there is no need to enable it.
61. The installer will now begin retrieving files and will then install them. This will take a long
time. Eventually, the process of installing the GRUB boot loader will begin. If GRUB
detects other operating systems, you may be presented with a screen asking if you want to
install the GRUB boot loader to the master boot record. Choose no and press the
enter key. If you do not see this screen, continue to the next step.
62. Next, you will be asked if you want to Install the GRUB boot loader on a hard disk. In
step 2 of this chapter, you were instructed to make a note of the device name of the USB
flash drive you set up as the Boot Key Disk, which holds the /boot partition. The example
used in this tutorial was sdc. Scroll down to that device name and press enter. GRUB must
go on the boot key and not on the internal hard drive, so that the internal drive carries no
boot loader or kernel for the encrypted system; without the key, the encrypted partition is
just opaque data.
63. Now the installer will go through the process of finishing the installation. You may reach a
screen that asks if the system clock is set to UTC. Select no and press enter. If you
don't see this screen, skip to the next step.
64. You will eventually be informed that the installation is complete. Remove the Debian Install
Disk and press enter.
65. The installer will eventually reboot your computer. As your computer restarts, you need to
get into a boot menu again in the same manner that you did in step 1 of chapter 1D. When
you activate the boot menu, choose your USB flash drive on which you installed Debian.
Eventually, you will be prompted to choose a boot selection. It will default to Debian and,
thus, you can either press enter or wait for the timer to run out. The example screen below
may not look exactly the same as yours. But, it is essentially the same thing.
NOTE: If the installation process took long enough to make you run out of time, you can
power off your computer at this point. You can then continue from this step at a later time.
TROUBLESHOOTING NOTE: If you do not get to the GRUB menu pictured above
after trying to boot from your USB disk and are presented with a black screen or flashing
cursor, please refer to Appendix A of this guide at page 415. You have most likely encountered
a fairly common bug involving GRUB and Debian. The fix is fairly simple.
66. The next screen will prompt you to enter passphrase. This is the encryption passphrase
you created in step 27 of this chapter. You will not see any symbols on your screen when
you type your password. While this may seem odd, it is for security reasons. Someone
watching your screen won't be able to determine the length of your passphrase. Type your
passphrase and press enter.
67. Debian will now go through its boot process. Eventually you will reach the login window.
When you reach the login window, press enter or click on user.
68. On the next screen, you will be prompted for your password. Before typing your password,
click on the gear icon next to the Sign In button and select GNOME Classic. Then, type
the password you created for user in step 13 of chapter 1D and press enter. Debian will
use GNOME Classic for every other login until you choose something different.
69. When you reach the Debian desktop, click on Applications in the upper left corner, then
choose Utilities and scroll down to Terminal.
70. A terminal window will open. At the prompt, type sudo -i to obtain root privileges. When
you execute commands with sudo as root, they are run with root/administrative privileges.
You will be prompted for your password. This is the same password you chose for user in
step 13 of chapter 1D. Type your password and press enter.
NOTE: Whenever you use this command, you will have full root/administrative access
until you exit the session. Thus, be extra cautious in your session whenever you decide
to use this command. The changes you make can be damaging and permanent if you do
something wrong.
71. You will now be at a shell prompt as superuser (aka 'root') in a terminal program. Now you
need to create your key file to unlock your hard drive in the future. Type the following line
into the terminal:
This will create an 8 kilobyte key file of pseudo-random data. When the process for
generating the key file finishes, a cursor will appear next to a new prompt.
NOTE: If you wish to use copy and paste throughout the guide for any terminal
commands in the Debian Host OS, press CTRL-SHIFT-V to paste what you copied from
this guide into a terminal session.
72. When your key file is created, now you can edit your /etc/crypttab file. This is a file that
tells Debian how to handle encrypted drives on boot. Type nano /etc/crypttab in your
terminal window.
73. Now you need to change the existing line in /etc/crypttab to handle your future encrypted
key file. When you open /etc/crypttab, you will see something similar to the screen shot
below:
Make note of the section called sda5_crypt in the above example. sda5 is the device
name for the encrypted hard drive. It may be something different for your computer (for
example, sda6). You will need this information in steps 73 and 84.
Move the cursor to the far right with your arrow keys and then erase none luks with the
backspace key. Then add:
/boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg
Press the Control and X key at the same time. When prompted to save modified
buffer, type y and press the enter key.
Press enter when prompted with File Name to Write: /etc/crypttab.
74. Now you need to add your key file to your LUKS keyring. You will need the device name
for your encrypted hard drive that I told you to make note of in step 72. In my case, it is
sda5. Type the following in your terminal window and press enter:
When prompted to Enter any passphrase, type the passphrase you created for your
encrypted hard drive in step 27 of this chapter and press enter. If the process was a
success, you will return to the command prompt.
75. Now you need to encrypt your key file with the gpg program. Type the following line at
your command prompt and press enter:
When prompted to Enter passphrase, either use the same passphrase you chose in step 27
of this chapter or create something new that is just as long and random. Retype your
passphrase to confirm it when prompted. This will now be the passphrase you need to
enter when you boot up Debian in the future.
If all went successfully, you will be returned to a command prompt with no error message.
76. Next, type mv /keyfile.gpg /boot/keyfile.gpg and press enter. This will move a copy of
your encrypted key file to your USB Boot Key if you ever need it in the future.
77. Now you need to update your boot process to actually use the encrypted key file. Type
update-initramfs -u and press enter. If all goes well, you will be returned to a
command prompt with no error messages and your screen will look similar to the shot
below. Do not worry about the Warning: GnuPG key /boot/keyfile.gpg is copied to
initramfs message. That is supposed to happen.
78. Now it is time to restart your computer. Click on the area in the top right corner of your
desktop with the network, speaker, battery and downward arrow icon and click on the power
button shown in the image below.
81. Debian will now go through its boot process. Eventually you will reach the login window.
When you reach the login window, press enter or click on user.
82. On the next screen, you will be prompted for your password. Type the password you created
for user in step 13 of chapter 1D and press enter or click on Sign in.
83. When you reach the Debian desktop, click on Applications in the upper left corner, then
choose Utilities and scroll down to Terminal.
84. A terminal window will open. At the prompt, type sudo -i to obtain root privileges. When
you execute commands with sudo as root, they are run with root/administrative privileges.
You will be prompted for your password. This is the same password you chose for user in
step 13 of chapter 1D. Type your password and press enter.
NOTE: Whenever you use this command, you will have full root/administrative access
until you exit the session. Thus, be extra cautious in your session whenever you decide
to use this command. The changes you make can be damaging and permanent if you do
something wrong.
85. Next, you need to remove the initial passphrase you created for your encrypted hard drive
partition in step 27 of this chapter. The LUKS encryption system uses what is called a
keyring. At this point, you have two keys in your keyring: one containing the passphrase
you chose when installing Debian in step 27 of this chapter and one containing the key file
you created and added to the keyring in steps 67-73 of this chapter.
Removing the passphrase you created in step 27 will make it so that your key file is the only
means to unlock your encrypted hard drive. This provides strong security since you will
never know the contents of the key file. As a human, it's unlikely that you could remember
4096 bytes of random characters. Thus, if you lose or destroy your USB flash drive boot
key, the data on your hard drive is irrecoverable. You will need the device name for your
encrypted hard drive that I told you to make note of in step 72. In my case, it is sda5.
Type the following and press enter:
If the process is successful, you will be returned to a command prompt with no error
message.
86. Now it is time to securely remove your unencrypted key file from your hard drive. This
further minimizes the risk of a potential attacker ever discovering it. If you ever need access
to your unencrypted key file in the future, remember that you have an encrypted version of it
stored on your boot key as keyfile.gpg. Type shred -n 30 -uvz /keyfile and press
enter. When the process is over, type exit and press the enter key, or click on the x
in the upper right corner to close the window.
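The /etc/crypttab edit of step 73, as a script, together with the two checks a cautious operator runs before removing the passphrase slot in step 85. This is an added example, not the guide's own commands; it assumes Debian 8 with LUKS1 volumes and the stock decrypt_gnupg keyscript, and takes the mapping name (sda5_crypt in the guide) and the device as arguments.

```sh
#!/bin/sh
# Added example, not from the guide: the /etc/crypttab edit of step 73 as a
# repeatable function, plus two checks worth running before the passphrase slot
# is removed in step 85. Assumes Debian 8 with LUKS1 volumes and the stock
# decrypt_gnupg keyscript; the mapping name (sda5_crypt in the guide) and the
# device are passed in as arguments.
set -eu

KEYSCRIPT=/lib/cryptsetup/scripts/decrypt_gnupg
ENC_KEYFILE=/boot/keyfile.gpg   # encrypted copy that ends up on the USB boot key (step 76)
PLAIN_KEYFILE=/keyfile          # plaintext key file, shredded in step 86

# Rewrite the crypttab entry for mapping $1 in file $2: the key-file column
# "none" becomes the encrypted key file and the keyscript option is appended
# to whatever options the line already carries. Lines already converted,
# comments and other mappings are left untouched, so running it twice is safe.
crypttab_use_keyfile() {
    mapping=$1
    file=$2
    awk -v m="$mapping" -v k="$ENC_KEYFILE" -v s="$KEYSCRIPT" '
        $1 == m && $3 == "none" {
            $3 = k
            if ($4 == "") $4 = "luks"
            if (index($4, "keyscript=") == 0) $4 = $4 ",keyscript=" s
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of LUKS1 key slots in use on device $1 (needs root). Expect 2 after
# luksAddKey in step 74 and 1 after luksRemoveKey in step 85.
luks_slots_in_use() {
    cryptsetup luksDump "$1" | grep -c 'Key Slot [0-7]: ENABLED'
}

# Prove that the plaintext key file opens device $1 without mapping it. If this
# fails, do not remove the passphrase slot: the volume would be left with no
# usable key and the data would be irrecoverable.
keyfile_unlocks() {
    cryptsetup open --test-passphrase --key-file "$PLAIN_KEYFILE" "$1"
}

# Same check through the encrypted copy, the way the initramfs does it at boot:
# decrypt to a pipe and hand the result to cryptsetup on stdin.
encrypted_keyfile_unlocks() {
    gpg --quiet --decrypt "$ENC_KEYFILE" | cryptsetup open --test-passphrase --key-file - "$1"
}
```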
Congratulations! You have finished up the lengthy process of installing Debian onto an
encrypted hard drive with a secure USB boot key. Continue on to the next chapter for the
final steps of installing Debian and Whonix.
Chapter 3. Final Debian Tweaks and Whonix Installation
You are almost done with the Debian install! There are now only a few more steps you need
to take. If you desire, you can take a break here and start from this chapter at another time. But, if
you're ready to go, let's get started.
1. First, let's set up your networking connection. It is ideal to use a wired network connection
for security reasons. If you left your wired connection plugged in, Debian's network
manager should automatically detect it and connect to the Internet. If you prefer to keep
using a wired connection only, you can skip to Step 9.
If you have not created a Wi-Fi connection, click on the area in the top right corner of your
desktop with the network, speaker, battery and downward arrow icon, then click on Wi-Fi
and then click on Select Network.
2. In the window that appears, click on your Wi-Fi network and click Connect.
3. When you are prompted for your Wi-Fi password, type your password and click Connect.
NOTE: If your router is still configured to use WEP for authentication, you should
change it to WPA2 immediately. WEP is notoriously insecure and can often be cracked
in less than 1 minute.
4. Now, you should edit the settings for your Wi-Fi connection. Click on the area in the top
right corner of your desktop with the network, speaker, battery and downward arrow icon,
then click on Wi-Fi and then click on Wi-Fi Settings.
5. When the Network Manager window appears, click on the icon shaped like a gear next to
your Wi-Fi connection profile.
6. When the next window appears, click on Identity in the left region. Then, uncheck the
checked box next to connect automatically towards the bottom of the window.
NOTE: If you add additional Wi-Fi connections later, it is worth repeating this for each new
connection to avoid creating a potential fingerprint. For example, if your laptop attempts to
connect to multiple specific Wi-Fi routers in public automatically, this can create a unique
fingerprint that machines can sniff and could be used to correlate your location at a specific
time.
7. Next, click on the IPv6 tab in the left region of the window. If you do not intend to use
the IPv6 protocol, set the slider for IPv6 in the upper right portion of the window to
OFF and then click the Apply button.
If you intend to use the IPv6 protocol, simply click on the Apply button without changing
anything.
8. When you are returned to the network manager window, click the X in the upper right
corner to close the window. To connect to your wireless connection now and in the future,
simply follow the same process described in steps 1-2 of this chapter.
9. When you are back at the Debian desktop, click on Applications in the upper left corner,
then choose Utilities and scroll down to Terminal.
10. Next, type sudo -i at the command prompt. When prompted for your password, type the
same password you chose for user in step 13 of chapter 1D.
NOTE: Whenever you use this command from a terminal session, you will have full
root/administrative access until you exit the session. Thus, be extra cautious in your
session whenever you decide to use this command. The changes you make can be
damaging and permanent if you do something wrong.
ADDITIONAL NOTE: If you wish to use copy and paste throughout the guide for any
terminal commands in the Debian Host OS, press CTRL-SHIFT-V to paste what you
copied from this guide into a terminal session.
11. Next, configure Debian's clock to run by Coordinated Universal Time (UTC).
Type dpkg-reconfigure tzdata and press the enter key.
12. In the window that appears, use your down arrow key to go to the bottom of the list until
None of the above is highlighted and press enter.
13. On the next screen, if UTC is not highlighted by default, use the up or down arrows until
UTC is highlighted and press enter. The options are listed alphabetically.
14. Next, install a firewall for Debian. This will add an extra layer of protection against potential
network intrusions. ufw (Uncomplicated Firewall) is a program that manages the firewall rules for
your OS. At the command prompt, type apt-get install ufw and press enter.
15. Now, you are going to modify the settings for your firewall rules to disable various ICMP
network traffic. This should not pose any problems for you and will narrow your potential
attack surface further. Type nano /etc/ufw/before.rules and press enter.
16. On the next screen, press LEFT-CTRL+W to open a search query in the editor. Then,
type icmp and press enter.
17. Your cursor will move to a line containing # ok icmp codes. There are 5 entries that you
need to change that are highlighted in red below.
Type a # sign at the beginning of each of the 5 lines to comment them out. Your screen
should look like the picture below when complete.
18. Now, save the file and exit Nano. Press LEFT-CTRL+X and type Y when prompted to
save the modified buffer.
19. Next, enable your firewall. Type ufw enable at the command prompt and press enter.
UFW should inform you that it is active. It will remain active through every reboot.
20. IMPORTANT NOTE: For the purposes of this tutorial, it is assumed that you live in a
jurisdiction where connecting to the Tor Network is not something that has any legal
consequence. However, this is not the case in all jurisdictions throughout the world.
Please make sure that connecting to the Tor Network is something that is safe in your
locale. If you are not confident that using the Tor Network is safe in your locale, please
research the issue before executing this step or proceeding further with this guide.
Now, it is time to install tor and apt-transport-tor. Tor is a strong anonymizing proxy service.
Apt-transport-tor will ensure that all future Debian updates or software installs are
implemented via the Debian Organization's Tor hidden services. This will hide what
operating system you are using from various potential snoopers.
Type apt-get install tor apt-transport-tor and press enter. When you are prompted to
type yes or no, press enter.
21. Next, you need to configure Debian to install operating system updates and software installs
over Tor hidden services. Type nano /etc/apt/sources.list and press enter.
22. The following screen will appear:
25. The next couple steps will disable TCP Timestamps. This will prevent attackers from
gaining a potential mechanism to identify you, particularly if you ever use software in
Whonix that requires an Onion host on your machine (some various chat programs for
example).
26. Now, load the file you just created to set the policy for TCP Timestamping in the Debian
host. Type sysctl -p /etc/sysctl.d/tcp_timestamps.conf and press enter.
27. OPTIONAL STEP: Some people are concerned about various leaks with the IPv6 protocol.
Unless you need the IPv6 protocol for network connectivity, you can disable it. If you wish
to disable the IPv6 protocol, type nano /etc/default/grub and press enter. If you don't
want to disable the IPv6 protocol, skip to step 31.
28. OPTIONAL STEP: Move the cursor down to the line that begins with
GRUB_CMDLINE_LINUX_DEFAULT. After the " mark that follows the = sign,
type ipv6.disable=1 so that your screen looks like the image below.
29. OPTIONAL STEP: Now, save the file and exit Nano. Press LEFT-CTRL+X and type
Y when prompted to save the modified buffer.
30. OPTIONAL STEP: Next, update grub so your grub menu entries contain the variable to
disable the IPv6 protocol. Type update-grub and press enter.
After you reboot your machine, the IPv6 protocol will be disabled for future use sessions.
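The TCP-timestamp sysctl of steps 25-26 and the GRUB kernel-parameter edit of steps 27-30, as functions that can be re-run without duplicating entries, plus a check that reads the live kernel value back. This is an added example, not the guide's own commands: the guide's sysctl file content is not reproduced on this page, so the standard net.ipv4.tcp_timestamps key is used, and file paths are arguments so the text handling can be tried on scratch copies before touching /etc.

```sh
#!/bin/sh
# Added example, not from the guide: the TCP-timestamp sysctl of steps 25-26 and
# the GRUB kernel-parameter edit of steps 27-30 as idempotent functions, with a
# check that reads the live kernel value back. The guide's own sysctl file is not
# on this page; the key used here is the standard net.ipv4.tcp_timestamps.
set -eu

SYSCTL_FILE=/etc/sysctl.d/tcp_timestamps.conf

# Write the drop-in that disables TCP timestamps to $1 and echo what was written.
write_tcp_timestamps_conf() {
    printf 'net.ipv4.tcp_timestamps = 0\n' > "$1"
    cat "$1"
}

# Load the drop-in (step 26, needs root) and confirm the kernel took it:
# succeeds only if /proc reports 0 afterwards.
apply_tcp_timestamps_conf() {
    sysctl -p "${1:-$SYSCTL_FILE}" >/dev/null
    [ "$(cat /proc/sys/net/ipv4/tcp_timestamps)" = 0 ]
}

# Put kernel parameter $2 (e.g. ipv6.disable=1) at the front of
# GRUB_CMDLINE_LINUX_DEFAULT in file $1, as step 28 does by hand, unless that
# word is already present (the grep treats $2 as a regex, which is loose enough
# for an idempotency check). Prints the resulting line. Run update-grub after
# editing the real /etc/default/grub (step 30).
grub_add_kernel_param() {
    file=$1
    param=$2
    if ! grep -Eq "^GRUB_CMDLINE_LINUX_DEFAULT=\"([^\"]* )?$param( [^\"]*)?\"" "$file"; then
        sed -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\)/\1'"$param"' /' \
            -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=".*[^ ]\) "$/\1"/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"
}
```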
31. Now, you can exit the root environment. Type exit and press enter.
32. Next, type cd Downloads to change your directory to the Downloads directory. You are
going to download all of the Whonix related files here.
33. Now you are going to download the Whonix-Gateway virtual machine. You will use a
program called wget to download the file. If the connection gets interrupted for any
reason, using the following command will continue downloading the Whonix-Gateway
anonymously over the Tor Network from where you left off. Type
torsocks wget -c https://download.whonix.org/linux/13.0.0.1.4/Whonix-Gateway-13.0.0.1.4.ova and press Enter.
34. When you have successfully downloaded the Whonix-Gateway, it is time to download the
Whonix-Workstation. Type
torsocks wget -c https://download.whonix.org/linux/13.0.0.1.4/Whonix-Workstation-13.0.0.1.4.ova and press enter.
35. Now, download the verification signatures for the Whonix virtual machines. The verification
signatures will allow you to test if the virtual machines have been tampered with. First,
download the Whonix Gateway OpenPGP Signature. Type
torsocks wget -c https://download.whonix.org/linux/13.0.0.1.4/Whonix-Gateway-13.0.0.1.4.ova.asc and press enter.
36. Next, download the Whonix Workstation OpenPGP Signature. Type
torsocks wget -c https://download.whonix.org/linux/13.0.0.1.4/Whonix-Workstation-13.0.0.1.4.ova.asc and press enter.
38. Next, verify the signature key using its fingerprint. Type gpg --with-fingerprint
patrick.asc and press enter.
When finished, your screen should look the same as the one below. In particular, you need to
check that the email address for adrelanos and the associated fingerprint look the same as
they do in the image below. If they do not, you have a bad signature. Download it again as
described in step 31.
39. Now, import the developer's signature key by typing gpg --import patrick.asc and
pressing enter.
When finished, your screen should look similar to the one below. You may see some various
errors or warnings. None of these are usually of any significance and will likely relate to the
fact that you haven't used GPG to create your own key yet. The output of importance to you
is highlighted in red below.
40. Next, test the integrity of Whonix-Gateway-13.0.0.1.4.ova by typing:
When the verification is done, your screen should look similar to the screen shot below. If
you see gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net> and
gpg: Signature notation: file@name=Whonix-Gateway-13.0.0.1.4.ova on your screen,
then you have successfully verified the integrity of the image. The warnings that appear
after that line can be ignored. However, if you see gpg: BAD signature from "Patrick
Schleizer <adrelanos@riseup.net> or a file@name that is different than Whonix-
Gateway-13.0.0.1.4.ova on your screen, delete the image and do not use it. This means
the image has probably been tampered with or got corrupted during the download process.
Try downloading the image again at a later time.
41. Now, test the integrity of Whonix-Workstation-13.0.0.1.4.ova by typing:
When the verification is done, your screen should look similar to the screen shot below. If
you see gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net> and
gpg: Signature notation: file@name=Whonix-Workstation-13.0.0.1.4.ova on your
screen, then you have successfully verified the integrity of the image. The warnings that
appear after that line can be ignored. However, if you see gpg: BAD signature from
"Patrick Schleizer <adrelanos@riseup.net> or a file@name that is different than
Whonix-Workstation-13.0.0.1.4.ova on your screen, delete the image and do not use
it. This means the image has probably been tampered with or got corrupted during the
download process. Try downloading the image again at a later time.
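A wrapper for the checks in steps 40-41 that does not rely on eyeballing gpg's output: it runs gpg with --status-fd and accepts an image only if the signature is valid, was made by the expected key, and carries a file@name notation equal to the file being checked, so a Gateway signature cannot be passed off as a Workstation one. This is an added example, not the guide's own commands; EXPECTED_FPR is a placeholder to be filled in from the fingerprint checked in step 38.

```sh
#!/bin/sh
# Added example, not from the guide: machine-checked form of the verification in
# steps 40-41. Accepts an image only when gpg reports a valid signature from the
# expected key AND a file@name notation matching the file name. EXPECTED_FPR is
# a placeholder: fill it in from the fingerprint you checked in step 38.
set -eu

EXPECTED_FPR="REPLACE WITH FINGERPRINT FROM STEP 38"
EXPECTED_FPR=$(printf '%s' "$EXPECTED_FPR" | tr -d ' ')   # status lines print it without spaces

# Read gpg --status-fd lines on stdin and succeed only when: no BADSIG/ERRSIG/
# expired-key/revoked-key line appeared, a VALIDSIG names fingerprint $1 (either
# as the signing key or as the primary key listed last on that line), and a
# file@name notation equals $2.
gpg_status_accepts() {
    fpr=$1
    name=$2
    valid=0 notation_ok=0 bad=0 expect_name=0
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                signer=${rest%% *}
                primary=${rest##* }
                if [ "$signer" = "$fpr" ] || [ "$primary" = "$fpr" ]; then valid=1; fi ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                bad=1 ;;
            NOTATION_NAME)
                if [ "$rest" = "file@name" ]; then expect_name=1; else expect_name=0; fi ;;
            NOTATION_DATA)
                if [ "$expect_name" = 1 ] && [ "$rest" = "$name" ]; then notation_ok=1; fi
                expect_name=0 ;;
        esac
    done
    [ "$bad" = 0 ] && [ "$valid" = 1 ] && [ "$notation_ok" = 1 ]
}

# Verify image $1 against its detached signature $1.asc (both in the current
# directory, as downloaded in steps 33-36). Exit status 0 means "use it";
# anything else means delete the image and download again, as the guide says.
verify_whonix_image() {
    image=$1
    gpg --status-fd 1 --verify "$image.asc" "$image" 2>/dev/null \
        | gpg_status_accepts "$EXPECTED_FPR" "$image"
}
```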
42. Now, change back to your home directory. Type cd and press enter.
43. In this step, you will disable Tor so that it does not automatically run at startup each time
you boot your host operating system. Type sudo systemctl disable tor.service and press
enter. When prompted for your password, type the same password you chose for user in
step 13 of chapter 1D.
44. Next, you will create a new command alias to update the Debian operating system. This
will create a shell command entitled dist-upgrade that will enable Tor, pause for 10 seconds
while Tor builds a circuit, download Debian operating system updates, and run the apt-get
dist-upgrade command to install any new updates. After updates are installed, if any are
available, it will disable Tor again. Type the following as one line:
echo "alias dist-upgrade='sudo systemctl start tor.service && sleep 10 && sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get clean && sudo systemctl stop tor.service'" >> .bashrc
Press the enter key after you've typed the above as one line.
45. Now, create a function command for installing new software packages. This will create a
shell command entitled apt-install that will enable Tor, pause for 10 seconds while Tor
builds a circuit, update the software repositories and run the apt-get install command to
download and install the software package specified on the command line. After the
software package is installed, Tor will be disabled again. Type the following as one line:
echo "function apt-install() { sudo systemctl start tor.service; sleep 10; sudo apt-get update; sudo apt-get install \"\$@\"; sudo apt-get clean; sudo systemctl stop tor.service; }" >> .bashrc
46. Next, you need to load your new command aliases for their first time use.
Type source .bashrc and press enter.
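A sturdier form of the dist-upgrade alias and apt-install function from steps 44-45. The guide's && chain leaves tor.service running if apt-get update fails part-way; here the stop command hangs off an EXIT trap in a subshell, so Tor is stopped however the apt command ends, and the apt command's own exit status is what the caller sees. This is an added example, not the guide's code; TOR_START, TOR_STOP and TOR_SETTLE are its own assumed knobs, defaulting to the guide's systemctl commands and 10 second pause.

```sh
#!/bin/sh
# Added example, not from the guide: the dist-upgrade alias and apt-install
# function of steps 44-45 rewritten so that Tor is always stopped afterwards,
# even when an apt step fails. TOR_START, TOR_STOP and TOR_SETTLE are this
# example's own (assumed) settings; the defaults are the guide's commands.
set -eu

: "${TOR_START:=sudo systemctl start tor.service}"
: "${TOR_STOP:=sudo systemctl stop tor.service}"
: "${TOR_SETTLE:=sleep 10}"

# Run "$@" with Tor up, then bring Tor down no matter how "$@" ended. The trap
# lives in a subshell so it fires on normal completion and on a failed command,
# and the subshell's exit status (that of "$@") is returned to the caller.
with_tor() {
    (
        trap '$TOR_STOP' EXIT
        $TOR_START || exit 1
        $TOR_SETTLE   # give Tor time to build a circuit before apt reaches the onion mirrors
        "$@"
    )
}

# The two apt sequences from the guide as plain functions so with_tor can run them.
apt_dist_upgrade_seq() {
    sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get clean
}
apt_install_seq() {
    sudo apt-get update && sudo apt-get install "$@" && sudo apt-get clean
}

# Drop-in replacements for the guide's dist-upgrade alias and apt-install function.
dist_upgrade() { with_tor apt_dist_upgrade_seq; }
apt_install()  { with_tor apt_install_seq "$@"; }
```

Putting these functions in .bashrc instead of the one-line echo commands gives the same dist-upgrade and apt-install workflow with the stop guaranteed.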
47. When you are returned to the command prompt, install VirtualBox. VirtualBox is used to
run the Whonix images which you will download later. You will use the apt-install
command function to perform this task. Type apt-install virtualbox and press enter.
When prompted for your password, type the same password you chose for user in step 13
of chapter 1D.
IMPORTANT NOTE: apt-install is the command to use in the future to install individual
programs on your host operating system. However, it is strongly recommended that you
only use your host operating system for the purpose of hosting Whonix. Therefore,
installing unnecessary programs on your Debian host operating system for general use
is strongly discouraged!
48. Next, run dist-upgrade to check for updates and install any that are available.
Type dist-upgrade and press enter. In the future, running dist-upgrade will likely
prompt you to enter the password you chose for user in step 13 of chapter 1D.
49. You can now close your terminal. Type exit and press enter.
50. Now it's time to import the Whonix images into VirtualBox. When you are back at the
Debian desktop, click on Applications in the upper left corner, then choose Accessories
and scroll down to VirtualBox. Click on VirtualBox.
51. In the window that appears, click on File in the upper left corner and then click on Import
Appliance.
52. When the Import Virtual Appliance window appears, click on the button with the folder
icon towards the right side of the window.
53. In the next window, click on Downloads in the left region. Then, click on Whonix-
Gateway-13.0.0.1.4.ova and click Open.
54. When you are returned to the Import Virtual Appliance window, click the Next button.
55. When the Appliance Import Wizard appears, click on Import.
56. A Software License Agreement window will pop up informing you of various
information, including what to do if you intend to run the Whonix Gateway on low RAM
systems. Click Agree to continue.
57. When the import process is complete, make a snapshot of the Whonix Gateway virtual
machine. This will provide you with an easy back up to restore from in case your virtual
machine ever has problems. Click on the button that says Snapshots in the upper right
corner of the VirtualBox Manager.
58. Click on the icon that looks like a camera located above Current State.
59. A window will pop up entitled Take a Snapshot of Virtual Machine. Choose an
appropriate label for your snapshot, or just accept the default, and click OK.
60. After you have taken the snapshot, click on File in the upper left corner and then click on
Import Appliance.
61. When the Import Virtual Appliance window appears, click on the button with the folder
icon towards the right side of the window.
62. In the next window, click on Downloads in the left region. Then, click on Whonix-
Workstation-13.0.0.1.4.ova and click Open.
63. When you are returned to the Import Virtual Appliance window, click the Next button.
64. When the Appliance Import Wizard appears, click on Import.
65. A Software License Agreement window will pop up informing you of various
information, including what to do if you intend to run the Whonix Gateway on low RAM
systems. Click Agree to continue.
66. When the import process is complete, make a snapshot of the Whonix Workstation virtual
machine. This will provide you with an easy back up to restore from in case your virtual
machine ever has problems. Click on Whonix-WorkStation and then click on the button
that says Snapshots in the upper right corner of the VirtualBox Manager.
67. Click on the icon that looks like a camera located above Current State.
68. A window will pop up entitled Take a Snapshot of Virtual Machine. Choose an
appropriate label for your snapshot, or just accept the default, and click OK.
69. [OPTIONAL STEP] To conserve space, you can now delete the Whonix files you
downloaded. Click on Places in the upper right region of your Desktop and then click
Downloads.
70. [OPTIONAL STEP] Select all the files in your Downloads folder. Then, right-click on
any of the files and choose Move to Trash.
71. [OPTIONAL STEP] Next, click on the Trash icon towards the lower left side of the
Downloads Folder window and click Empty Trash in the upper right side of the
window.
72. [OPTIONAL STEP] When asked if you wish to empty all items from Trash, click on
Empty Trash. This will free roughly 4.1 gigabytes of hard drive space.
After you have emptied the Wastebasket, you can close the file explorer window.
73. [APPLE USER OPTIONAL STEP. Skip to step 75 if you don't use an Apple computer.]
A common annoyance for Mac users with VirtualBox is the default setting for Right-Ctrl
as the Host Key in VirtualBox. If you use a Mac, you can change this now. In the
VirtualBox Manager window that should now be on your screen, click on File and then
Preferences.
74. [APPLE USER OPTIONAL STEP. Skip to step 75 if you don't use an Apple computer.]
In the window that appears, click on the entry that says Input. Then, click on the Virtual
Machine tab. Then, click in the area under Shortcut next to the Host Key Combination
area that displays Right-Ctrl. After you've clicked on it, type the key that you wish to use as
a Host Key in the future. This should be a key you don't use for regular typing. The
option key may suffice. When you've changed the Host Key, click the OK button.
75. Now you should tweak a couple settings in Debian. Click on the area in the top right corner
of your desktop with the network, speaker, battery and downward arrow icon, then click on
the icon that looks like tools in the lower left region.
76. In the window that appears, click on User Accounts which is towards the bottom.
77. In the next screen, click on the unlock button in the upper right corner.
78. You will be prompted for your user password. Type it and click authenticate.
79. Click on the button that is in the OFF position next to Automatic Login. When switched
ON, this will remove the requirement to type your user password to login to Debian on
boot. Since you have an encrypted hard drive with a passphrase, this extra login check is not
necessary. After you have set Automatic Login to ON, click on the back arrow button in
the upper left region of the window.
80. Next, you need to disable all of your microphone/sound inputs. VirtualBox does not
currently have a setting to disable sound input in its current version. As a result, booting a
virtual machine can enable your microphone (if you have one) which is a security hazard.
Click on the Sound icon in system settings.
81. In the next screen, click on the Input tab. Then, Click on the ON/OFF button next to the
Input Volume bar to set the device to OFF. Do this for all of your microphones and audio
input devices. Then, click the back button in the upper left region of your window.
82. Next, click on the Privacy icon.
83. In the Privacy window that appears, click on Usage & History.
84. Next, set the switch next to Recently Used to the OFF position. Then, click on the
Clear Recent History button and then click the x button in the upper right corner.
85. When you are returned to the Privacy window, click on Purge Trash & Temporary Files.
86. Now, set the switches next to Automatically empty Trash and Automatically purge
Temporary Files to the ON position. Then, select 1 day from the options in the pull-
down menu next to Purge After. Finally, click the x button in the upper right corner.
87. When you are returned to the Privacy window, click the x button in the upper right
corner.
88. Now you are ready to run Whonix for the first time. In the Oracle VM VirtualBox
Manager, click on Whonix Gateway and click Start. Since this might be your first
time using VirtualBox, there is an issue that may confuse you. When you run a virtual
machine in full screen mode, you may have difficulty figuring out how to switch between
windows. To switch to other windows or escape from the virtual machine in full screen
mode, simply press the Right Control Key and VirtualBox will release the control from
the virtual machine. Then, press ALT-TAB to switch to other windows.
Note: Depending upon the size and resolution of your monitor, you may discover that the
Whonix Gateway window cannot display everything and, as a result, has scrollbars. To
work around this, you can either run the Whonix Gateway in Scaled Mode by pressing
RIGHT-CTRL C or in Full Screen Mode by pressing RIGHT-CTRL F. If you wish
to exit either mode, you simply press the same keys used to enable them.
89. A window will appear to start the Whonix Gateway boot sequence. You'll first see the
GRUB menu. You can let it automatically boot with the default.
90. Since it is your first time running the Whonix Gateway, it is going to run through a number
of procedures and reboot once. Eventually, when it finishes its boot process, a window will
appear which is the wizard for the initial configuration of Whonix. Click on
Understood/Verstanden and then click the Next button.
91. On the next screen that appears, click on Understood/Verstanden and click on the Next
button to continue.
92. The next window will ask if you wish to enable Tor. Select I am ready to enable Tor and
click on the next button.
93. Next, a window should appear telling you that Tor is enabled. Click the Next button.
94. The wizard will now prompt you that it is going to begin the Whonix Repository Wizard.
Click the Next button.
95. The next screen will ask if you wish to automatically install updates from the Whonix
Team. Choose yes and click on the Next button.
96. At the next screen, choose Whonix Stable Repository and click the Next button.
97. On the next screen, click the Next button to continue.
98. The next screen will inform you that the Whonix Setup has completed. Click the Next
button to continue.
99. The next screen will inform you that the Whonix Gateway is never to be used for regular
browsing or similar networking activities. This is important advice to follow. Always use
the Whonix Workstation for your general use. Click the Finish button to continue.
100. The Whonix Gateway will now go through a procedure to check the status of the Tor
connection and to check for software updates. When the procedures finish, you should see a
window appear similar to the screen shot below. Click on the OK button to close it.
101. Now you should be at the Whonix Gateway Desktop. It's time to change the default
passwords and install the latest updates to the Whonix Gateway. Double click on the
Konsole icon to get to a command prompt.
102. Eventually you will come to a command prompt. At the command prompt, type
sudo -i and type changeme when prompted for password for user.
103. Now you need to change the default passwords. Again, don't choose a password
that's easy for a machine or human to guess. Type passwd and press enter. You will be
prompted to enter a new password. You will then be asked to confirm it. If the process is
successful, your screen will look like the screen shot below.
104. Next, change the password for the user account on the Whonix Gateway. Type
passwd user and press enter. You will be prompted to enter a new password. You will
then be asked to confirm it. If the process is successful, your screen will look like the screen
shot below.
105. Now, you will configure the Whonix Gateway to use the Debian Organization's and
the Whonix Organization's Tor hidden services for future software installations and
operating system updates. Type the following as one complete line:
NOTE: Make sure you use >> in the line above. This appends the data to the file
you are writing. A single > will overwrite it completely which is not what you
want to do.
107. Now, type the following line to use Whonix's Tor hidden service repository:
Apt-get will download the most current list of packages and patches. When asked if you
want to continue, type y and press enter. Since this is your first time doing a system
upgrade, it is likely that you will have a large amount of data to download. Thus, this
process may take some time.
Note: During the distribution upgrade process, you may be prompted to select various
options. It is generally best to simply go with the defaults. If, however, you are ever
prompted to overwrite a file, choose the option that keeps the original local version
instead unless the new file has .whonix as a filename extension.
109. When the process finishes and you are returned to the command prompt, click on the
x to close the window.
110. Now it is time to prepare to start the Whonix Workstation. You need to get back to
the VirtualBox Manager. However, when moving your mouse around, you'll probably notice
that it is stuck inside the Whonix Gateway virtual machine window. This is by design. To
release the mouse from the Whonix Gateway (or any virtual machine in the future), press the
right-ctrl key (or the equivalent key if you use an Apple computer).
It will probably be more user friendly for you to run the Whonix Workstation in Full Screen
Mode. Unfortunately, a Mini Toolbar is present in VirtualBox's Full Screen Mode by
default, which can cause the mouse pointer to seem sluggish when used near the bottom of
the screen on a number of computers. Before starting the Whonix Workstation, let's address
that. Click on Whonix Workstation in the VirtualBox Manager and then click the
Settings button.
111. Next, click on the Advanced tab. Then, click on the check box next to Mini
Toolbar so it is unmarked. Then, click the OK button.
112. Now, with the Whonix-Workstation selected, click the Start button.
113. A window will appear to start the Whonix Gateway boot sequence. You'll first see
the GRUB menu. You can let it automatically boot with the default.
NOTE: At this point, you will probably enjoy Full Screen Mode more. Press RIGHT-
CTRL F to run it in Full Screen Mode. If you wish to exit Full Screen Mode, simply
press RIGHT-CTRL F again.
114. Since it is your first time running the Whonix Workstation, it is going to run through
a number of procedures and reboot once. Eventually, when it finishes its boot process, the
Important Information About Whonix window will appear. Click on
Understood/Verstanden and then click the Next button to continue.
115. Next, an additional Important Information About Whonix window will appear.
Click on Understood/Verstanden and then click the Next button to continue.
116. The next window will prompt you to begin the Whonix Repository Wizard. Click the
Next button.
117. The next window will ask if you wish to automatically install updates from the
Whonix Team. Choose Yes and click the Next button.
118. Next, you will be asked which repository you'd like to receive updates from. Choose
Whonix Stable Repository and click the Next button.
119. The next window will tell you that updates will be automatically installed from the
Whonix Team. Click the Next button to continue.
120. At the next screen, you will be informed that the Whonix Setup Wizard is complete.
Click the Next button to continue.
121. The Whonix Workstation will now go through a procedure to check the status of the
Tor connection and to check for software updates. When it finishes, you will see a window
appear similar to the screen shot below. Click on the OK button if visible, or the x in the
upper right corner of the results window to close it.
122. Next, you need to get to a shell prompt. Double click on the Konsole icon to open
up a terminal and reach a shell command prompt.
123. You need to reset the default passwords for the Whonix Workstation as well.
Type sudo -i and press enter. When prompted to enter the password for user, type
changeme and press enter.
124. Now you need to change the default passwords. Again, don't choose a password
that's easy for a machine or human to guess. Type passwd and press enter. You will be
prompted to enter a new password. You will then be asked to confirm it. If the process is
successful, your screen will look like the screen shot below.
125. Next, change the password for the user account on the Whonix Workstation.
Type passwd user and press enter. You will be prompted to enter a new password. You
will then be asked to confirm it. If the process is successful, your screen will look like the
screen shot below.
126. Now, you will configure the Whonix Workstation to use the Debian Organization's
and the Whonix Organization's Tor hidden services for future software installations and
operating system updates. Type the following as one complete line:
NOTE: Make sure you use >> in the line above. This appends the data to the file
you are writing. A single > will overwrite it completely which is not what you
want to do.
128. Now, type the following line to use Whonix's Tor hidden service repository:
129. Next, update the Whonix Workstation with any recent patches. Type
apt-get update && apt-get dist-upgrade and press enter.
Apt-get will download the most current list of packages and patches. When asked if you
want to continue, type y and press enter. Since this is your first time doing a system
upgrade, it is likely that you will have a large amount of data to download. Thus, this
process may take some time.
Note: During the distribution upgrade process, you may be prompted to select various options. It is
generally best to simply go with the defaults. If, however, you are ever prompted to overwrite a file,
choose the option that keeps the original local version instead unless the new file has .whonix
as a filename extension.
130. When the process finishes and you are returned to the command prompt, click on the
x to close the window.
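Steps 105 to 108 and 126 to 129 both append repository lines to an apt sources file with >> and then run apt-get update && apt-get dist-upgrade. The shell script below is an added example, not part of the guide, showing one way to append such a line only when the file does not already contain it (so repeating the step never leaves a duplicate entry) and contrasting what >> and a single > do to the file. The .onion hostnames and the mirror line are placeholders constructed for the demonstration; use the addresses from the guide's own steps, not these.

```shell
#!/bin/sh
# Added example, not part of the guide: append an apt repository line only if
# the file does not already contain it, so re-running the step never leaves a
# duplicate, and show why the guide insists on >> rather than >.
# The .onion hostnames are PLACEHOLDERS; use the addresses from the guide's
# own steps, never these.

# append_once FILE LINE: append LINE unless FILE already holds it verbatim.
# Returns 0 when appended, 1 when it was already present.
append_once() {
    file=$1
    line=$2
    if [ -f "$file" ] && grep -Fxq -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"   # >> appends; a single > would replace
    return 0
}

# count_lines FILE: number of lines, to confirm nothing was lost
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# demo: run both forms against constructed files in a temporary directory
# and print "<lines kept after >>> <lines left after >>" (expected: 3 1)
demo() {
    dir=$(mktemp -d)
    existing='deb http://EXAMPLE-mirror/debian jessie main'        # constructed
    debian_onion='deb http://PLACEHOLDER-debian.onion/debian jessie main'
    whonix_onion='deb http://PLACEHOLDER-whonix.onion/ jessie main'

    printf '%s\n' "$existing" > "$dir/appended"
    append_once "$dir/appended" "$debian_onion"
    append_once "$dir/appended" "$whonix_onion"
    append_once "$dir/appended" "$whonix_onion" || true   # second run: no-op
    kept=$(count_lines "$dir/appended")

    printf '%s\n' "$existing" > "$dir/overwritten"
    printf '%s\n' "$whonix_onion" > "$dir/overwritten"    # the mistake: > wipes
    left=$(count_lines "$dir/overwritten")

    rm -rf "$dir"
    echo "$kept $left"
}
```

Run demo to see the difference: the appended file keeps its original mirror line plus the two new ones, while the overwritten file is left with a single line, which is exactly the state the guide's NOTE warns against.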
Congratulations! You have finished installing the operating system relating to the
Safer Anonymous OS. Feel free to take a break here. The next chapters will deal
with installing and/or using software in a secure and anonymous fashion over the
Internet.
Chapter 4. Using Whonix Securely and Anonymously
If you made it this far, you're now ready to begin using Whonix. This tutorial is not intended
to be a full manual for everything involving Whonix or security and anonymity. However, you will
be given the basics on installing and using a number of very good tools. Additionally, unless
otherwise specified, all instructions are intended to be executed in the Whonix Workstation. To
learn more about Whonix and its various uses, it is strongly recommended that you visit and
read the following links:
As the first rule (or advice) going forward from this point, do not use Whonix to login to
any accounts that you have used without Whonix and can be traced to your identity. Consider
everything you do from here forward the creation of a new identity.
Additionally, when using this set up in the future, always boot the Whonix Gateway virtual
machine first in VirtualBox. If you boot the Whonix Workstation first, it won't work.
Finally, do not use the main Debian host operating system that you installed on your
computer for surfing the web or engaging in other net related activities! The goal is to keep
Debian as clean as possible. Surfing the web with the Debian host operating system opens up
greater possibilities that your machine may be infected with malware. If your Debian host operating
system becomes infected with malware, then your Whonix virtual machines are compromised as
well. Therefore, use Whonix Workstation for all your networking activities.
Chapter 4a. Proper Start Up and Shut Down Procedures for Whonix
In order for Whonix to function as intended, there is a specific start up and shut down
procedure that you need to follow in the future. This chapter will explain how to do just that.
1. When you have booted into Debian from your USB Flash Drive and reach your Desktop,
click on Applications in the upper left corner, then choose Accessories and scroll down
to VirtualBox. Click on VirtualBox.
2. In the VirtualBox Manager, click on Whonix-Gateway and click Start. Whonix
Gateway must always be run first or the system won't work.
3. When you reach the Desktop of the Whonix Gateway, go back to the VirtualBox Manager,
click on Whonix-Workstation and click Start.
When you reach the Desktop of the Whonix Workstation, you are ready to begin using it as
you usually would any other computer.
NOTE: Whonix now uses Guest Additions which allows for a true full screen experience.
If you would like to use the Whonix Workstation in full screen mode,
press RIGHT-CTRL+F. If you need to switch to the VirtualBox Manager or Whonix
Gateway, you can either return the Whonix Workstation to the windowed version by
pressing RIGHT-CTRL+F again or you can simply press RIGHT-CTRL and then
press ALT-TAB to move to other programs running on your Debian host OS.
4. When you are ready to shut down your computer, first make sure you have saved all
your work in the Whonix Workstation and closed the programs. Then, shut down the
Whonix-Workstation. Then, click on the K start button in the lower left corner of your
screen, hover the mouse over the Leave icon that appears in the right side of the Start
Menu and then click on Shut down.
8. In the window that pops up, click Shut Down. Eventually your computer should power
off.
Once your computer is powered off, you are finished. This is how you should start up and
shut down your system every time in the future.
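The start-up and shut-down order above (Gateway first, Workstation shut down first) can also be driven from a terminal on the Debian host with VBoxManage, VirtualBox's command-line tool. The script below is an added example, not part of the guide or of Whonix; it assumes the VM names Whonix-Gateway and Whonix-Workstation from the guide and refuses to start the Workstation unless the Gateway is already running.

```shell
#!/bin/sh
# Added example, not part of the guide: start and stop the Whonix VMs from a
# host terminal in the order Chapter 4a requires. VBoxManage is VirtualBox's
# command-line tool; the VM names below are assumed to match the guide.
GATEWAY='Whonix-Gateway'
WORKSTATION='Whonix-Workstation'

# parse_vm_state: read "VBoxManage showvminfo --machinereadable" output on
# stdin and print the value of its VMState="..." line (e.g. running, poweroff)
parse_vm_state() {
    sed -n 's/^VMState="\([^"]*\)"$/\1/p'
}

# vm_state NAME: current VMState of a VM as VirtualBox reports it
vm_state() {
    VBoxManage showvminfo "$1" --machinereadable | parse_vm_state
}

# workstation_may_start GATEWAY_STATE: succeed only if the Gateway is already
# up; the guide states a Workstation booted before the Gateway will not work
workstation_may_start() {
    [ "$1" = running ]
}

# wait_for_state NAME STATE: poll once a second until the VM reaches STATE,
# giving up after 60 seconds
wait_for_state() {
    i=0
    while [ "$(vm_state "$1")" != "$2" ]; do
        i=$((i + 1))
        [ "$i" -lt 60 ] || return 1
        sleep 1
    done
}

# start_whonix: Gateway first, then Workstation. VMState=running only means
# the VM is powered on; as in step 3, wait for the Gateway desktop and its Tor
# check before relying on the Workstation.
start_whonix() {
    if ! workstation_may_start "$(vm_state "$GATEWAY")"; then
        VBoxManage startvm "$GATEWAY" --type gui
        wait_for_state "$GATEWAY" running || return 1
    fi
    VBoxManage startvm "$WORKSTATION" --type gui
}

# stop_whonix: reverse order, sending an ACPI power-button event so each guest
# shuts down cleanly instead of being cut off
stop_whonix() {
    for vm in "$WORKSTATION" "$GATEWAY"; do
        if [ "$(vm_state "$vm")" = running ]; then
            VBoxManage controlvm "$vm" acpipowerbutton
            wait_for_state "$vm" poweroff || return 1
        fi
    done
}

case "${1:-}" in
    start) start_whonix ;;
    stop)  stop_whonix ;;
esac
```

Invoke it as "sh whonix-order.sh start" or "sh whonix-order.sh stop" (file name assumed). The ordering check lives in workstation_may_start so it can be tested without VirtualBox present.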
Chapter 4b. Using the Tor Browser.
The debate on the enabling or disabling of javascript is a fair one. Many web sites now
make use of multitudes of javascript to deliver their service or data. If javascript is disabled, then
the web sites often appear to be broken which will frustrate less patient users. However, javascript
is often a vulnerable vector that is leveraged by attackers, with one of the most notorious recent
examples involving infecting everyone who visited any server hosted by Freedom Networking on
the Tor Hidden Network with malware that exposed their real IP address. Whonix provides a very
good safeguard against leaking one's real IP address. But, there is no good reason to leave a door
open for malware infections. This chapter will instruct you on how to install the Tor Browser in
Whonix and how to make the most of the NoScript plugin, which will disable all javascript by
default, that comes pre-installed in the Tor Browser.
1. The Tor Browser does not come pre-installed on Whonix by default. However, the Whonix
Team has included a script on the Desktop that will install the Tor Browser. Thus, you first
need to double click on the Update Tor Browser icon on your desktop.
2. A window will pop up a couple times informing you that it is checking for updates.
Eventually you will come to a window informing you that the Tor Browser is not installed
and it will ask you which version you wish to install. Select the highest number displayed
that does not have an a in the version number. The version number you may see which
has an a next to it is an alpha version which means it is for testing purposes only and,
thus, may still have bugs which could pose problems. When you've selected the highest
numbered stable version, click on the yes button.
3. The wizard will now start downloading the Tor Browser. This may take awhile. After some
time, you will eventually come to a window prompting you for Installation Confirmation.
If you see a message towards the bottom of the window that says gpg: Good signature
from 'Tor Developers (Signing Key)' followed by the same fingerprints shown in the image
below, click on the Yes button. Otherwise, click No and restart from step 1 of this
chapter.
4. The next window will inform you that the Tor Browser has been installed and asks if
you wish to run the Tor Browser. Click the Yes button.
5. In the next window that appears, you need to disable javascript via the NoScript plugin. The
NoScript icon will be to the left of the location bar in the browser and will look like the icon
below.
8. Click on the box next to Temporarily Allow [...] so that a check mark appears in it. You
want to enable this option.
9. Next, click the OK button to close the window.
From now on, javascript, and other scripting, is disabled by default for every site you visit.
Additionally, you will have the option to temporarily allow individual scripts to run on
various sites.
10. Now, try an example to get the feeling for how NoScript will work while you browse the
web. By default, most browser scripting is disabled. This provides protection against various
drive-by infections from sites hosting malware, obnoxious banner ads from advertisers, etc.
At the same time, it will require you to take some additional steps to get web pages that rely
on javascript to function properly. In Tor Browser, go to
https://www.youtube.com/watch?v=WaPni5O2YyI
11. Notice that, aside from having a blank Youtube screen, you don't even see any player
controls. This is due to the fact that NoScript has blocked scripting. Thus, you need to
enable scripting from Youtube.com. Click the NoScript icon and click on Temporarily
allow https://www.youtube.com.
12. When the page reloads, eventually the video will begin to play.
While the above example is specific to youtube.com, a similar process will apply to every
other web page you use. If you browse to a site and find that it is broken in a way that
makes it unusable, follow the steps you learned above with the quick reference below.
1. Be patient when learning what scripts need to run on various sites. Start by only
temporarily allowing the main domain name of the website in NoScript.
2. When the page reloads, if it works the way you like, you are done. If not, enable
other scripts that appear related and reload the page again with the
additional chosen scripts allowed. Do this until you find a combination that
works.
3. If you completely run out of patience, use the Temporarily allow all this page
option in NoScript.
13. When you are done using the web page for which you temporarily allowed scripts to run, the
safest and most secure thing to do is close the Tor Browser and open it again if you wish to
continue using it. This will clear all of the temporary permissions you allowed in NoScript,
in addition to clearing all cookies, temporary browser data, etc. However, if you prefer not
to close the browser, you can disable the script permissions in NoScript the same way you
enabled them. Click on the NoScript icon in your browser. Then, for every script that is
enabled click the option to forbid it.
If that option is too tedious under the circumstances, there is also the option to revoke all
temporary script permissions you've granted by clicking on Revoke Temporary
Permissions.
14. Once you have revoked the temporary permissions that you allowed for a site, you can either
browse to a new site or close the tab. The scripts will no longer be able to run on any
new web page you visit.
That's all there is to it. Keep in mind that, the fewer scripts you allow, the better. A solid
majority of scripts serve no extra purpose other than for various online entities to send you ads or
collect data about your browsing session. In the worst case scenario, it opens a vector to infect your
computer. While Whonix provides protections against some of the pitfalls that come with being
exploited by scripts, there is no reason to test fate. Thus, learn to live without scripting where
possible. To run the Tor Browser in the future, there is both a Start Tor Browser icon on your
Desktop, in addition to a quick launch icon next to the Start Button.
Note on updating Tor Browser: In the past, it was necessary to use the Whonix Team's
Tor Browser Downloader to update the Tor Browser. While it can still be done this way, a
consequence is that all of the settings you made above will be erased and, thus, you will have to
reconfigure the Tor Browser again. However, the more recent versions of the Tor Browser have an
internal update mechanism. It is safe to use the internal updater within the Tor Browser to stay
current with the most recent version. An advantage of using the internal updater is that it will not
erase your previous settings.
Chapter 4c. Using a Password Manager
Some of the most common mistakes people make involve the choice of a weak and easily
crackable password and/or reusing the same password for multiple accounts. It can be a frustrating
task for many people to choose different and complex passwords for every online account they use.
However, without doing that, if one of their accounts gets compromised, the attacker will very
likely have access to all of their accounts and will discover them shortly. Additionally, as of this
writing, CNET has reported that both the United States NSA and FBI have been asking service
providers for anything from individual user passwords to entire password databases.
No longer can the difficulty of remembering multiple complex passwords be an excuse for
dangerous behavior. The simple solution to the problem is a password manager. In this chapter,
you will install, and learn how to use, KeePassX, a secure and encrypted offline password generator
and manager.
1. First, double-click on the Konsole icon on your Desktop.
2. At the command prompt, type sudo apt-get install keepassx and press enter. Type your
user password and press enter when prompted.
NOTE: If you wish to use copy and paste throughout the guide for any terminal
commands in the Whonix Workstation, and you are viewing this guide from within the
Whonix Workstation, press LEFT-CTRL+SHIFT+V to paste what you copied from this
guide into a terminal session.
When the install process finishes and you have a command prompt, you can close the
Konsole terminal by typing exit and pressing enter or clicking on the x in the upper
right corner.
3. For simplicity, now add a shortcut for KeePassX to your desktop. Click on the K start button
and go to "Applications > Utilities." Right-click on "Cross Platform Password Manager"
and select "Add to Desktop." A shortcut to "KeePassX" will now be on your desktop.
4. After you add the icon to the Desktop, the Start Menu will still be open. Click on "Cross
Platform Password Manager" to open KeePassX.
5. When KeePassX opens, click on "File > New Database" to create your password database.
6. You will now be prompted to choose a password for your database. Choose something
secure in a similar manner to how you chose passwords earlier in this tutorial and click
"OK." Remember that if you forget this password, you will not be able to access any of
the passwords you store in the database.
7. When prompted to confirm your password, re-enter what you chose in step 6 and click
"OK."
8. Next, save the database to create your database file. Click on File > Save Database.
9. Now, choose a safe location and file name for your password database. When you have
chosen the location you want, click Save. In the example below, the database will end up
being saved as mypass.kdb in the home folder. This database will open automatically
the next time you open KeePassX.
10. Create a new account entry in the password manager. Click on Entries in the menu bar and
then click Add New Entry.
From this point forward, it may be easier to create a dummy account to learn how to use
KeePassX. Open up Tor Browser and choose a site where you wish to create an account and
use it where appropriate with these steps. An easy and quick one to use is safemail.net.
11. In the window that appears, type the name of the site/service in the field called Title and
the username that you register with the Internet service/web-page in username. Then, click
on Gen to go to the password generation screen.
12. The Password Generator window will now appear and look like the one below.
Click on the boxes next to Ensure that password contains characters from every group and
Enable entropy collection so that those options are enabled. When it appears, uncheck the
box next to Collect only once per session so that this option is disabled. These options will
remain the way you set them for each additional use.
If your Password Generator now looks exactly like the one below, continue to the next step.
13. Next, select the length of your password. Since you do not need to remember your password
(and may very well not want to ever remember it), you should ideally set the password to the
maximum length that the service allows. However, to prevent against brute force guessing
attacks, the default length of 25 above should be sufficient. When you've settled on a
password length, click on the Generate button.
14. The Entropy Collection window will now appear. Move your mouse around and press
random keys to generate an entropy pool for the password generator. When it is finished,
click on the OK button.
15. You will now be back at the Password Generator window. If you are curious to see what
your password looks like, you can click on the eyeball button next to the New password
field. Otherwise, click on OK to continue.
16. Now you will be back to the New Entry screen. Click on the OK button to continue.
You will now be returned to the main screen of KeePassX. It is a good practice to save your
database whenever you add a new account and password to KeePassX. Thus, click on
File > Save Database.
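Steps 12 to 14 have KeePassX draw a password of the chosen length from collected entropy while making sure every character group is represented. The shell script below is an added example, not part of the guide or of KeePassX, that does the same job from /dev/urandom for illustration: it generates a password, rejects candidates missing a group, and computes the entropy behind the 25-character default from step 13. The character set (80 symbols) is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the guide or of KeePassX: generate a password of
# a chosen length from /dev/urandom, reject candidates that miss a character
# group (the "characters from every group" option in step 12), and estimate
# the entropy behind the 25-character default mentioned in step 13.
LC_ALL=C
export LC_ALL

# Allowed symbols: 26 upper + 26 lower + 10 digits + 18 punctuation = 80.
# '-' is last so tr does not read it as a range.
CHARSET='A-Za-z0-9!#$%&*+,./:;=?@^_-'

# charset_size: count how many printable ASCII characters survive the filter
charset_size() {
    awk 'BEGIN { for (i = 32; i < 127; i++) printf "%c", i }' |
        tr -dc "$CHARSET" | wc -c | tr -d ' '
}

# has_all_groups PASSWORD: succeed only if upper, lower, digit and
# punctuation are all present
has_all_groups() {
    printf '%s' "$1" | grep -q '[[:upper:]]' &&
    printf '%s' "$1" | grep -q '[[:lower:]]' &&
    printf '%s' "$1" | grep -q '[[:digit:]]' &&
    printf '%s' "$1" | grep -q '[^[:alnum:]]'
}

# gen_password LEN: draw LEN random characters from CHARSET, retrying until
# every group is represented (what KeePassX's option enforces for you)
gen_password() {
    while :; do
        p=$(tr -dc "$CHARSET" < /dev/urandom | head -c "$1")
        if has_all_groups "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
}

# entropy_bits LEN SIZE: bits of entropy for LEN independent draws from SIZE
# symbols, rounded to a whole number (25 draws from 80 symbols gives 158)
entropy_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.0f\n", n * log(s) / log(2) }'
}

echo "charset size: $(charset_size)"
echo "example 25-character password: $(gen_password 25)"
echo "entropy at length 25: $(entropy_bits 25 "$(charset_size)") bits"
```

At length 25 over 80 symbols a password carries roughly 158 bits of entropy, which is why the guide's default is far beyond what brute-force guessing can reach; doubling the length simply doubles the bits, so using the maximum a service accepts costs nothing once the password lives in the database.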
17. Now, whenever you need the password for an account, you can highlight the entry in
KeePassX and press LEFT-CTRL C or right-click on it and select Copy Password to
Clipboard. The password will be automatically cleared from your clipboard in 20 seconds.
If you were creating an account to follow along with these steps, now would be a good time
to test out using the password on that site. To use the password on any service, simply click
in the password field that it provides and press LEFT-CTRL+V to paste the password in.
18. When you are finished using KeePassX, close it. There's no reason to leave it running the
whole time.
This concludes the basic instructions on using KeePassX in a secure manner. Use of
KeePassX as instructed above will result in passwords that are at low risk of being cracked by an
attacker, while also being individually unique to every service you use. It greatly minimizes the
fallout one can experience if an account they own is compromised and, thus, is one of the better
models to use.
Chapter 4d. Using the IRC and HexChat
The Internet Relay Chat (IRC) is one of the best available technologies for real time group
conversations. Numerous different IRC networks exist that cater to multiple general interests to
incredibly niche interests. However, it is also a technology where a number of people who are
concerned about their privacy or anonymity have gotten exploited or have shot themselves in the
foot. This chapter will give you basic instructions on how to get started safely using the IRC.
HexChat is a graphical IRC client that comes pre-installed with Whonix. As a result, most
of the settings that leave people vulnerable have been appropriately set by the Whonix developers.
Additionally, since all of your traffic is routed through the Tor network, this adds another layer of
security and anonymity to your IRC experience that simply didn't exist in the past. However, one
down side is that a number of IRC servers have intentionally blocked any incoming connections
from Tor. Circumventing the Tor blocking measures is a trivial task, but not a matter that will be
covered in this chapter. Instead, let's get you on a server that welcomes and embraces the Tor
Network where you can chat with us.
3. Click on the Logging tab and uncheck the box next to Display scrollback from previous
session. Then click the OK button. If you do not do this, your system will log your
previous sessions automatically. If your computer is ever compromised, this could be data
that you would not want to be discovered.
4. When you are returned to the main HexChat screen, click on the HexChat menu and then
click Network List. This will open up the Network List window which stores profiles for
any IRC server you desire to use.
5. In the Network List window that appears, click on Add.
6. A New Network profile will be created and highlighted in blue. In this example, type
CGAN and press enter. This will be the profile for the Cyberguerrilla Anonymous
Nexus.
That address probably looks odd to you. This is a special address that is only available over
the Tor network. When connecting to a server with a .onion address on the Tor Hidden
Network, not only is your data connection encrypted between you and the server, you also
get greater anonymity protections than you would by merely connecting to a standard
Internet address like cyberguerrilla.org. Whenever you have the option of connecting
to a hidden service (a domain with a .onion suffix) for communication while using
Whonix, whether in IRC or for any other service, use it.
9. Now, click the check boxes next to Use SSL for all the servers on this network and
Accept invalid SSL certificate. Then, uncheck the box next to Use global information
and type a nickname you wish to use on the network in the Nick name: field. If your
window looks like the screen shot below, click Close.
Note: Never choose a nickname that can be correlated to your real identity! This means
not to use any nickname which you've used or have been known by, whether it is something
your parents or friends called you or an alias you used online.
Note: If possible, always enable the Use SSL for all the servers on this network
option. This will encrypt the data between your computer and the IRC server. If HexChat
complains about the SSL certificate not being valid, this is either due to the IRC server being
compromised or, in most cases, the IRC server using a self signed SSL certificate (which is
not something you need to worry about). When connecting to a .onion address, lack of
SSL encryption between you and the IRC server is not something that needs to concern you
since the entire connection will be encrypted by the Tor Network.
10. Next, click on CGAN and then click on the Connect button. This will connect you to the
CGAN IRC server.
11. When you connect to the server, the HexChat: Connection Complete window will appear.
This window can be more of a nuisance since, due to the instructions provided here for
using systems anonymously, it's of little use to you. Click on the circle next to Nothing, I'll
join a channel later. Then, uncheck the box next to Always show this dialog after
connecting. When the window looks like the one below, click the OK button to continue.
12. If you intend to continue using the nickname you chose in step 10 in the future, or if you
want to take advantage of additional identity masking by using a vhost (which you should
and which will be discussed in step 13), you should now register your nickname. To do
this, you need to send a specific message to the IRC server's nickserv service which will
supply a password you wish to use and a fake email address. Type /msg nickserv register
[Password made with KeePassX] FakeEmail@lkdfgvirdfnvj.com
Note: Use KeePassX to create a password and save it in its database along with the
nickname you chose.
If you successfully registered your nickname, the server will send you a message stating
YourDesiredNick is now registered as shown below.
In the future, if you use the same nickname after connecting to the IRC server, you must
supply the Nickserv with the password you set in the instructions above. If you do not,
the server will change your nickname to something else in a certain period of time. To let the
server know that you are the owner of a nickname type /msg nickserv identify
KeePassXGeneratedPassword and press enter.
13. Now, set up a virtual host, or vhost, for yourself. While a vhost may seem like overkill under
the circumstances since your IP address is already cloaked by Tor and probably the IRC
server, the type of masking the IRC server uses may still allow an observer to know you are
using Tor. There's no reason they need to know that. Thus, type /j #vhost to join the vhost
channel.
14. In the next window that opens, type !vhost some.fake.host and press enter to set your
virtual host. Different servers have different rules for how you can set a vhost. But, the
syntax for setting it is usually the same. From this point on, every time you identify your
nickname to the Nickserv, your vhost will be displayed. You do not need to create a vhost
every time you log in to the IRC server.
Note: Do not choose any fake host name that can be correlated to your identity. That
will include old inside jokes relating to gaming clans, old web forums where you were a
member, etc.
15. If you successfully set your vhost, the server will inform you that you've been banned from
the channel. You can now close the channel window. Right-click on #vhost in the upper
right side of the HexChat window and click on close. You can use this method to quit any
IRC channel in the future.
16. Next, come join a channel where you can chat. An easy way to find channels on any server
is to use the list command. HexChat provides a user friendly means of viewing the list.
Click on Server > List of Channels.
17. A window will appear that provides various options. By default, it will filter out the listing
of any channel with less than 5 users present. You can change this if you desire. Otherwise,
simply click on the Download List button.
18. A list of available channels will now appear in your window. Join #freeanons to come and
chat with some of us. Click on freeanons and then click the Join Channel button. You
can then close the channel list window. In the future, if you already know a channel that you
wish to join, you can do so by simply typing /j #YourDesiredChannel and pressing
enter.
19. Next, announce your presence to the channel. A simple hi will do. To chat with others in
the channel, simply type whatever you want to say in the section next to your nick name and
press enter. The #freeanons channel is mirrored across multiple different IRC networks.
While not always full of conversation, there are generally people around who will be eager
to welcome you and chat.
The screen shot below is provided for reference. After you've typed something to be
displayed in the channel, it will be displayed next to your nickname, which is colored red. Text
from other users in green is a message intended for you. Text in regular black is
general channel chatter. You will also see some colored circles in the right column in most
channels. The more common ones are shown in the example. Anyone with a yellow circle
next to them is a Super Operator in the channel. Those with green circles are Channel Operators.
Think of these people as administrators of the channel. They maintain control of the
channel. Those with blue circles are voiced, which means they can still talk when a Channel
Operator has put the channel into moderated mode and everyone else is muted.
20. When you wish to disconnect from the server, there are two ways to do this. If you only
want to disconnect from one server (it is possible to be connected to multiple servers at the
same time in HexChat), type /quit and press enter. If you wish to disconnect from all the
servers and close HexChat, simply click on the x in the upper right corner.
This covers the basics of connecting to, and using, an IRC server. For the future, remember
these important rules:
1. Do not give any real personal information about yourself on the IRC if you
wish to keep your anonymity. IRC channels can be logged by anyone.
2. Be wary of clicking on any links that have been sent to you or posted in
channels. Various people may try to send you malware.
3. Do not ever use a nickname that you have used outside of Whonix. Additionally,
do not choose a nickname that can be correlated to your identity.
4. Do not choose a vhost that can be correlated to your identity.
5. Enable SSL/TLS encryption for any IRC server you use if possible.
Note: As you get more comfortable using HexChat, you will probably notice that there are a
number of ways to store nicknames, either globally or specifically for certain IRC servers, and
passwords for various services, including Nickserv, on IRC servers. There is a reason to avoid
those features in HexChat: it stores all of your nicknames and passwords in a configuration file
that is not encrypted. If an attacker compromises your machine and views or copies your HexChat
configuration file, they will be able to see every nickname and password that you have stored
within it. Thus, it is safer to use KeePassX to store all of your IRC account related
personal/sensitive details and paste them in when they are needed.
Chapter 4e. Using an Instant Messenger
This chapter will instruct you on how to use an instant messenger account with the Off-The-
Record (OTR) plugin. OTR is an end-to-end encryption protocol for instant messaging, provided
in Pidgin by a plugin, so that the server relaying your chats cannot read them. Before using an
instant messenger, understand the following issues with it, as detailed in the Whonix
documentation at https://www.whonix.org/wiki/Chat:
Most instant messenger protocols are unsafe from a privacy point of view. This is not a
Whonix specific problem. It is a general problem with instant messengers. [...]
Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols
have encryption disabled by default, some do not support encryption at all. See also Overview about
Pidgin protocols and their encryption features. If encryption to the server is enabled, the Tor Exit
Node can no longer eavesdrop. One problem solved, another problem remains unsolved.
The server could still gather interesting information.
Account names
Buddy list (list of contacts)
Log login dates and times
Timestamp of messages
Who communicates with whom
If the recipient knows the sender and the recipient uses a non-anonymous account or
was ever logged in without Tor, this can be used as a hint who the sender is.
Content of messages - Can be prevented using end-to-end encryption. This is covered [by]
OTR.
A server-based protocol designed with openness, security and privacy in mind is Jabber.
With that in mind, it is strongly recommended that you use a Jabber account. As of this
writing, the best-known Jabber server, Jabber.org, is not accepting new registrations. However, this
is unimportant. If you create a Jabber account with any Jabber server, you will be able to
communicate with anyone who uses Jabber on any other server. Some Jabber servers offer different
encryption services than others. In this tutorial, the Tor hidden service for jabber.calyxinstitute.org
will be used as an example, which is a server with an A grade from the security rating system at
https://xmpp.net/result.php?domain=jabber.calyxinstitute.org&type=client.
1. You first need to install two programs to use instant messaging, Pidgin and Pidgin-OTR.
Pidgin is your instant messenger client. Pidgin-OTR is a plugin for Pidgin that provides end-
to-end encryption between yourself and the person on the other side of your chat. If you do
not use Pidgin-OTR, assume that your communications can be intercepted and read.
To install these programs, first you need to open up a Konsole session. Double-click on
Konsole on your Desktop.
3. When the installation process is finished and you've returned to a command prompt, type
exit and press enter.
4. For simplicity, now add a shortcut for Pidgin to your desktop. Click on the K start button
and go to "Applications > Internet." Right-click on "Internet Messenger" and select "Add to
Desktop." A shortcut to "Pidgin Internet Messenger" will now be on your desktop.
5. After you add the icon to the Desktop, the Start Menu will still be open. Click on "Internet
Messenger" to open Pidgin.
6. On the next window that appears, click on the Add button.
7. When the next window appears, open up an instance of KeePassX. Generate a password and
anonymous account name for your instant messenger account in KeePassX and save it.
8. Return to the Pidgin window. Now, you need to choose the protocol for Jabber. Click on the
pulldown menu next to Protocol and choose XMPP. XMPP is the protocol for Jabber.
Then, type the user name you wish to use next to Username and type
jabber.calyxinstitute.org next to Domain. Then, click on the checkbox next to Create
this new account on the server. Finally, click on the Advanced tab.
9. Next, make sure the chosen option next to Connection security is Require Encryption.
Then, to use the Tor hidden service, type ijeeynrc6x2uy5ob.onion in the field next to
Connect Server. Then, uncheck the box next to Show Custom Smileys. Finally, click the
Add button.
10. The next window that appears will inform you that the SSL certificate you received from
ijeeynrc6x2uy5ob.onion belongs to *.calyxinstitute.org. This mismatch is expected: the
certificate was issued for the clearnet name, and the .onion address itself already
authenticates the server you reached. Click the Accept button. Do not treat a certificate
name mismatch as normal for any clearnet host.
11. In the next window, enter the username you wish to use again in the User field and copy
the password you created with KeePassX into the Password field. Finally, click the OK
button.
12. If your account was successfully created, you will see the window below. Click on the
Close button to continue.
Note: When you give out your Jabber screen name, it is similar to email. In this example, if
you wanted to tell someone what your screen name was, it would be
anonymousalias@jabber.calyxinstitute.org. All Jabber accounts follow the
username@jabberserverdomain syntax.
13. Now you need to enable your account to log in. Click on the checkbox under Enabled
next to the Jabber account you created so the box is checked.
14. The next window that appears will prompt you for your password. Copy your password
from KeePassX and enter it into the field next to Enter Password. Then, click on the OK
button.
Note: Do not use the Save Password option. Pidgin does not store passwords and
account details in an encrypted format. Thus, if an attacker compromises your
machine and reads your Pidgin configuration file, they can get the password to your
Jabber account. The safest option is to use KeePassX to store your password and enter it
into Pidgin when prompted as the program starts in the future.
15. You will next be returned to the the Accounts window. Click on the Close button.
16. Next, from the Pidgin Buddy List window, click on Tools > Plugins.
17. Now, you need to configure the OTR plugin for future use. Scroll down until you see Off-
the-Record Messaging. Click the check box next to it so it is enabled. Then, click on
Configure Plugin.
18. In the next window that appears, make sure every box is checked. Of particular importance
is to mark the Require private messaging box. If someone does not have the option of
chatting with you via an OTR encrypted session, then they aren't worth chatting with. Using
an instant messenger service without OTR will put both you and the person you are
talking to at risk of having your communications intercepted.
When you are done marking the boxes, click on Generate. This will create your unique
OTR private key for your account.
Note: If you create more than one account, you will need to generate an OTR key for each.
19. A generating private key window will next appear. When it says done, click the OK
button.
20. When you are returned to the previous Off-the-Record Messaging configuration window,
click on the Close button.
21. Next, do the final configuration tweaks to Pidgin. Click on Tools > Preferences.
22. On the next window, click on the Conversations tab on the left side of the window. Then
unmark the show formatting on incoming messages, enable buddy icon animation,
notify buddies that you are typing to them, highlight misspelled words, use smooth-
scrolling and resize incoming custom smileys options. When your window looks like the
image below, continue to the next step.
23. Click on the Logging tab on the left side of the window. Unmark every option here. When
your screen looks like the image below, continue to the next step.
24. Next, Click on the Proxy tab on the left hand side of the window. Then, select
Tor/Privacy (SOCKS 5) in the pull down menu next to Proxy type. Next, type
10.152.152.10 in the field next to Host. Then, type 9103 in the field next to Port.
25. Click on the Sounds tab on the left side of the window. Enable the mute sounds option.
When your screen looks like the image below, continue to the next step.
26. Click on the Status / Idle tab on the left side of the window. Then, click on the pull down
options next to Report idle time and select Never. Next, unmark the box next to change
to this status when idle. Finally, click on the pull down options next to Auto-reply and
select Never. When your screen looks like the image below, continue to the next step.
27. Click on the Themes tab on the left side of the window. In the pull down options next to
Smiley Theme, select none. Then, click on the close button.
28. Next, when you have returned to the Buddy List window, click on Tools > Privacy.
29. In the pull down option field beneath Set privacy for: {your nickname}, select Allow
only the users on my buddy list. Then click Close.
Note: In the future, only users on your buddy list will be able to send you messages.
There are trade-offs here. On one hand, you will be creating a buddy list that will be stored
on the Jabber server you use. If an attacker gains access to the server, whether through an
exploit or legal process, they will be able to access your buddy list and possibly profile you
based on who it contains. On the other hand, this also weakens the abilities of random
attackers to exploit vulnerabilities in your client by directly sending you a message before
you've authorized them to be in your buddy list.
Congratulations. You have now installed and configured Pidgin for general use in
Whonix. The remainder of this chapter will instruct you on how to chat with others using
Pidgin with OTR.
30. To initiate a chat with someone, first add them to your Buddy List. From the Buddy List
window, click on Buddies > Add Buddy.
31. In the next window, type the contact address of the person you wish to chat with in the field
next to Buddy's username. This will be in the format of
username@JabberServerDomain. Then, click on the pull down menu next to add buddy
to group and select the group you wish to add the contact to. When finished, click the
Add button.
Note: The contact you add will not appear in your Buddy List immediately at this
point. This is due to the fact that your contact must authorize you to add them to your
Buddy List and, after you are authorized, must be online.
32. When your newly added contact has authorized you to add them to your Buddy List, you
will see their screen name appear in your Buddy List if they are online. You will also be
prompted by Pidgin to authorize them to add you to their Buddy List. If it is someone you
contacted, or someone you wish to chat with, click on the Authorize button.
33. Next, to chat with a contact in your Buddy List, double-click on their screen name.
34. In the next window that appears, you need to start an OTR private conversation. Click on
OTR > Start private conversation.
Note: Since you set private conversations as required in the OTR configuration, simply
typing some text and sending it will also start a private conversation. However, until the
private conversation handshake is completed between you and the other user, anything that
you've typed will not be seen by them. Thus, it's better to use the method above and wait for
the confirmation that the private conversation has started.
35. Eventually, you will receive a message that your private conversation has started.
However, note the Unverified status message. Also, notice the Unverified icon towards
the lower right corner that is highlighted in red in the image below. These inform you that
the session is encrypted, but you have not yet verified that the key on the other end belongs
to the person you think you are chatting with.
For future security purposes, you need to verify the identity of the sender. Click on the
Unverified icon highlighted in red in the image above and select Authenticate buddy.
36. On the next screen, click on the pull down menu under how would you like to authenticate
your buddy and choose manual fingerprint verification. The contact's fingerprint will be
listed directly below yours. An OTR fingerprint is 40 hexadecimal characters, displayed as
five groups of eight.
If you currently have the ability to communicate with your contact in real time by another
channel, such as IRC, have them read out their OTR fingerprint. If every group matches, the
key on the other end is theirs and the session is authenticated. If not, you may be experiencing
a man-in-the-middle attack and, thus, may have an unsafe communication session; do not
mark the fingerprint as verified. If the contact asks for your fingerprint, supply them with
what is shown as your OTR fingerprint in this window by the same means.
If you have no way to initially authenticate your contact in real time, find a means to
confirm it with them later outside of Jabber. Other options may exist for this, such as an
encrypted email signed with a corresponding GPG key (which will be discussed in the next
chapter), Twitter, or some other communication service.
If you choose to authenticate the contact without actually verifying their fingerprint, be wary
of discussing anything sensitive in the Pidgin chat until you have confirmed that you are
indeed chatting with the contact you want.
Once you have finished the manual verification procedure (or have concluded that you
can't), select I have in the pull down menu preceding verified that this is in fact the
correct fingerprint for [contact name]and click on the Authenticate button.
37. Notice how the status of the conversation has changed to Private, which is highlighted in
red in the image below. For all future conversations with this contact, if their OTR key has
remained the same, the status will always be marked as private. IMPORTANT: If the
status ever reverts to Unverified, Pidgin is seeing a different OTR key for that contact,
and you may not be talking to them. It could be that someone has taken over their Jabber
account, that they generated a new key, or that a server somewhere in the middle is
interfering with the key exchange. Be very wary if a contact who you've verified
reverts to an unverified status, and re-verify the new fingerprint over another channel
before discussing anything sensitive.
Sending messages at this point is straightforward. In the section of the screen shot below
where you see this is where you type text, that is where you type messages to be sent to
your contact. When you are ready to send it, press the enter key.
The message you sent will show up next to your name which will be blue. Messages you
receive will show up next to the contact's name which will be red.
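The checks in steps 36 and 37 reduce to one comparison: the fingerprint your contact reads out over a second channel against the one Pidgin has recorded for them, with any later change in that recorded fingerprint treated as a warning sign. The script below is an added example, not part of this guide or of Pidgin, that performs the comparison against Pidgin's own fingerprint store. It assumes the store is ~/.purple/otr.fingerprints in libotr's format (one line per contact: buddy, your account, protocol, the 40-hexadecimal-character fingerprint and a trust word, separated by tabs); the account names and fingerprints in the embedded sample are constructed, not real keys.

```python
import re
from pathlib import Path

FP_RE = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample of ~/.purple/otr.fingerprints; the fingerprints are not real keys.
ACCOUNT = "anonymousalias@jabber.calyxinstitute.org"
SAMPLE_STORE = "\n".join([
    "\t".join(["alice@jabber.example.org", ACCOUNT, "prpl-jabber",
               "0123456789ABCDEF0123456789ABCDEF01234567", "verified"]),
    "\t".join(["bob@jabber.example.org", ACCOUNT, "prpl-jabber",
               "89ABCDEF0123456789ABCDEF0123456789ABCDEF", ""]),
]) + "\n"


def normalize(spoken):
    """Canonical form of a fingerprint read out over IRC or the phone.

    Accepts the 'XXXXXXXX XXXXXXXX ...' grouping Pidgin displays, in any case,
    with or without spaces or colons; rejects anything that is not 40 hex digits."""
    fp = re.sub(r"[^0-9A-Fa-f]", "", spoken).upper()
    if not FP_RE.match(fp):
        raise ValueError("not a 40-hex-digit OTR fingerprint: %r" % spoken)
    return fp


def display(fp):
    """Five groups of eight, the way Pidgin shows a fingerprint in its dialog."""
    return " ".join(fp[i:i + 8] for i in range(0, 40, 8))


def parse_store(text):
    """{(buddy, account): (fingerprint, verified)} from otr.fingerprints text.

    Assumed libotr layout: buddy, account, protocol, fingerprint, trust (tab-separated)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError("malformed record: %r" % line)
        buddy, account, _protocol, fp = fields[:4]
        trust = fields[4] if len(fields) > 4 else ""
        entries[(buddy, account)] = (normalize(fp), trust == "verified")
    return entries


def load_store(path=None):
    """Read the real store (default ~/.purple/otr.fingerprints, an assumed path)."""
    path = Path(path) if path else Path.home() / ".purple" / "otr.fingerprints"
    return parse_store(path.read_text())


def check_contact(store, buddy, account, claimed):
    """Compare the fingerprint a contact read out with what Pidgin has for them.

    'match-verified'   stored, already marked verified, identical: session is authenticated
    'match-unverified' identical but not yet marked verified in Pidgin: safe to authenticate
    'unknown'          Pidgin has no fingerprint for this buddy yet
    'MISMATCH'         Pidgin sees a different key than the contact claims: possible
                       man-in-the-middle or hijacked account, do not trust the session"""
    claimed = normalize(claimed)
    entry = store.get((buddy, account))
    if entry is None:
        return "unknown"
    stored, verified = entry
    if stored != claimed:
        return "MISMATCH"
    return "match-verified" if verified else "match-unverified"
```

Call check_contact with the fingerprint exactly as your contact read it out; spaces and letter case do not matter. A MISMATCH result is the situation described in step 37: stop and re-verify over another channel before trusting the session.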
38. Pidgin is also controlled by an icon that sits in the lower right corner of your Taskbar. It is
highlighted in red in the image below.
First, enable the icon to blink when you receive new messages. This will make it easier for
you to know someone has sent you a message if you are using other windows in Whonix.
Right-click on the Pidgin related icon in your Taskbar and select Blink on New Message.
Finally, to quit Pidgin, you need to do more than close your message windows or Buddy List
window. Right-click on the Pidgin related icon in your Taskbar and select Quit.
You've reached the end of the chapter on Pidgin and OTR. For future reference, remember
these points.
1. Do not ever use a screen name that you have used outside of Whonix. Additionally,
do not choose a screen name that can be correlated to your identity.
2. Make sure the Jabber provider you use implements the proper encryption protocols
at every level. Resources on the net, such as the xmpp.net test linked above, will tell
you if it does or does not (calyxinstitute.org currently passes the test).
3. If you aren't using Off-The-Record encryption during your chat sessions, assume
that they are being logged and that anyone can read them.
4. Just because you are using Off-the-Record encryption, don't assume that the
person you are chatting with isn't logging your conversation. As with any other
communication technology, do not share any real information about yourself which
could identify you.
5. If anyone you've ever chatted with via Off-the-Record encryption changes from
a Verified to an Unverified status, assume you are talking to an impostor.
6. DO NOT USE PIDGIN TO STORE PASSWORDS! All passwords and account
details stored by Pidgin are unencrypted. If your machine is compromised by an
attacker, they could gain access to your account by reading the password out of Pidgin's
configuration files if you use Pidgin to store passwords. Only use KeePassX to store
your passwords.
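The note at the end of Chapter 4d and rule 6 above make the same point about HexChat and Pidgin: a saved password sits in a plain configuration file. The script below is an added example, not part of this guide or of either program, that reads those files and reports which networks or accounts have a password stored, so you can confirm nothing slipped through. It assumes HexChat's servlist.conf marks a network with N= and a saved password with P= (B= in older versions), and that Pidgin's accounts.xml holds one <account> element per account with a <password> child when Remember password was ticked; the two sample files embedded in it are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path


def hexchat_saved_passwords(servlist_text):
    """Networks in servlist.conf that carry a saved password.

    Assumed HexChat layout: 'N=' opens a network block; 'P=' (or the legacy
    'B=' NickServ field) holds a password in clear text."""
    leaking, current = [], None
    for line in servlist_text.splitlines():
        if line.startswith("N="):
            current = line[2:].strip()
        elif line[:2] in ("P=", "B=") and line[2:].strip():
            if current and current not in leaking:
                leaking.append(current)
    return leaking


def pidgin_saved_passwords(accounts_xml):
    """'name (protocol)' for each Pidgin account whose <password> is stored.

    Assumed accounts.xml layout: one <account> per account under the root,
    with a plain <password> element when Remember password was ticked."""
    root = ET.fromstring(accounts_xml)
    found = []
    for acct in root.iter("account"):
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            found.append("%s (%s)" % (acct.findtext("name", "?"),
                                      acct.findtext("protocol", "?")))
    return found


def audit(home=None):
    """Scan the real files under the given home (default: yours); paths are assumed."""
    home = Path(home) if home else Path.home()
    report = {}
    servlist = home / ".config" / "hexchat" / "servlist.conf"
    if servlist.is_file():
        report["hexchat"] = hexchat_saved_passwords(servlist.read_text(errors="replace"))
    accounts = home / ".purple" / "accounts.xml"
    if accounts.is_file():
        report["pidgin"] = pidgin_saved_passwords(accounts.read_text(errors="replace"))
    return report


# Constructed sample files (not copied from any real installation).
SAMPLE_SERVLIST = """v=2.10.2

N=AnonNet
L=6
E=UTF-8 (Unicode)
F=19
D=0
I=anonymousalias
P=hunter2
S=irc.example.onion/6697

N=OtherNet
E=UTF-8 (Unicode)
F=19
D=0
S=irc.other.example/6667
"""

SAMPLE_ACCOUNTS = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>anonymousalias@jabber.calyxinstitute.org/</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>anonymousalias@irc.example.onion</name>
  </account>
</account>
"""

if __name__ == "__main__":
    print("hexchat:", hexchat_saved_passwords(SAMPLE_SERVLIST))
    print("pidgin:", pidgin_saved_passwords(SAMPLE_ACCOUNTS))
    print("this machine:", audit())
```

Call audit() with no arguments to scan your own home directory; an empty list (or no entry at all) for each client is the result you want in Whonix.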
Now you are ready to continue on to the next chapter that deals with one of the more
underused technologies by beginners, anonymous email and GPG encryption.
Chapter 4f. Encrypted email with Icedove and Enigmail
Due to the complexity of the software in the past, one of the most underutilized forms of
protection for users is email encryption. However, with the use of Icedove (the Debian Project's
email client) and Enigmail (a graphical front-end for using the GnuPG [GPG] encryption
program), taking advantage of encrypted email is now much easier. This is not the same as online
services that promise encrypted email in transit or storage such as Lavabit. Those types of
systems can still be broken if the provider cooperates with an attacker, is compelled to, or is
itself compromised. Rather, the email encryption discussed here involves end-to-end encryption
performed on your own machine, so the message body can only be read by the intended recipient
and, thus, is much more secure.
Be aware that e-mail is a very insecure system by design when it comes to privacy and
anonymity and, thus, must be used with great discipline and caution. For example, even if you
encrypt all of the email that you send to a recipient, if they reply to your email and don't encrypt it,
then they have just sent an email that contains their message, and likely a quote of the one you
typed, which can be viewed by numerous different attackers. Furthermore, the names of email
recipients and the subject line of your email cannot be encrypted and, thus, are always viewable to
an attacker. Additionally, there are a number of different types of metadata that can be harvested
from email, depending on how it is used. Therefore, please be careful if you use email to engage
in sensitive communications.
1. First, open a Konsole session. Double-click on the Konsole icon on your Desktop.
2. Next, change to your Downloads directory. Type cd Downloads and press enter.
3. Now, download TorBirdy. This is a plugin for Icedove created by the Tor Project to further
anonymize Icedove.
Type wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi and press
enter.
4. The following steps are optional but strongly recommended. Next, download the necessary
files to verify the integrity of the TorBirdy installer.
Type wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi.asc and press
enter. If you wish to skip the verification procedure, proceed to step 7.
5. Now, download the GPG public key of Sukhbir Singh, one of the developers of TorBirdy, using
its full fingerprint so that no other key with the same name can be substituted for it.
Type gpg --recv-key E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA and press
enter.
When you have imported the key, your screen should look like the screen shot below.
6. Next, it is time to verify the integrity of TorBirdy. Type
gpg -v torbirdy-current.xpi.asc and press enter.
When the verification is done, your screen should look similar to the screen shot below. If
you see gpg: Good signature from "Sukhbir Singh <azadi@riseup.net>" on your
screen, and the Primary key fingerprint printed beneath it is the fingerprint you fetched
in step 5, then you have successfully verified the integrity of the program installer. The
key is not certified warning that appears after that line can be ignored: it only means you
have not signed the key with your own, and you are relying on the fingerprint instead.
However, if you see gpg: BAD signature from "Sukhbir Singh <azadi@riseup.net>" on
your screen, delete torbirdy-current.xpi and do not use it. This means the downloaded
program has probably been tampered with or got corrupted during the download process. If
you receive a warning regarding a bad signature, either wait 10-15 minutes, or open up the
Arm Tor Controller in the Whonix Gateway and type n to choose a new Tor circuit, and
repeat the steps starting from step 3.
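The check in step 6 as written relies on the name printed after Good signature from, but anyone can generate a key carrying the user ID Sukhbir Singh <azadi@riseup.net> and upload it to the key servers; what actually ties the signature to the developer is the fingerprint you typed in step 5. The script below is an added example, not from this guide or the Tor Project, that makes gpg's machine-readable status lines the basis of the decision instead: it accepts only a VALIDSIG from that fingerprint, rejects BADSIG, and reports a valid signature from any other key as the wrong key. The status lines embedded in it are constructed to match gpg's --status-fd format, not captured from a real run.

```python
import subprocess

# Fingerprint fetched in step 5: the only key whose signature is accepted.
TORBIRDY_SIGNER = "E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"


def verdict(status_lines, expected_fpr):
    """Judge a `gpg --status-fd 1 --verify` run by its status lines.

    'GOOD'       a VALIDSIG by expected_fpr (the signing key or its primary key)
    'BAD'        BADSIG: the file or signature was altered
    'WRONG_KEY'  valid signature, but from some other key (a look-alike user ID
                 still prints "Good signature from ..." in the human-readable output)
    'UNVERIFIED' gpg could not check at all (key not imported, ERRSIG, nothing signed)"""
    expected = expected_fpr.replace(" ", "").upper()
    valid_by_expected = valid_by_other = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # prose for humans, not a status record
        parts = line.split()
        tag = parts[1] if len(parts) > 1 else ""
        if tag == "BADSIG":
            return "BAD"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return "UNVERIFIED"
        if tag == "VALIDSIG" and len(parts) >= 3:
            # parts[2] is the fingerprint of the key that signed; the last field is
            # its primary key's fingerprint (the same value when the primary signed).
            if expected in (parts[2].upper(), parts[-1].upper()):
                valid_by_expected = True
            else:
                valid_by_other = True
    if valid_by_expected:
        return "GOOD"
    return "WRONG_KEY" if valid_by_other else "UNVERIFIED"


def verify_file(sig_path, data_path, expected_fpr=TORBIRDY_SIGNER):
    """Run gpg the way step 6 does, but decide by fingerprint rather than by name."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return verdict(proc.stdout.splitlines(), expected_fpr)


# Constructed status output in gpg's format (not captured from a real run).
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG B01C8B006DA77FAA Sukhbir Singh <azadi@riseup.net>",
    "[GNUPG:] VALIDSIG E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA 2017-01-20 "
    "1484870400 0 4 0 1 8 00 E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# A different key carrying the same user ID: gpg still reports a good signature.
LOOKALIKE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 00000000DEADBEEF Sukhbir Singh <azadi@riseup.net>",
    "[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2017-01-20 "
    "1484870400 0 4 0 1 8 00 00000000000000000000000000000000DEADBEEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG B01C8B006DA77FAA Sukhbir Singh <azadi@riseup.net>",
]
MISSING_KEY_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG B01C8B006DA77FAA 1 8 00 1484870400 9",
    "[GNUPG:] NO_PUBKEY B01C8B006DA77FAA",
]

if __name__ == "__main__":
    for name, lines in [("good", GOOD_STATUS), ("lookalike", LOOKALIKE_STATUS),
                        ("bad", BAD_STATUS), ("missing key", MISSING_KEY_STATUS)]:
        print(name, "->", verdict(lines, TORBIRDY_SIGNER))
```

verify_file("torbirdy-current.xpi.asc", "torbirdy-current.xpi") runs gpg for you and returns the verdict; only GOOD means the file is safe to install. The TRUST_UNDEFINED record, the source of the key is not certified warning, is deliberately ignored here because pinning the fingerprint replaces web-of-trust certification.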
7. Now you are going to begin the process of modifying Torbirdy to allow for the import
and export of GPG keys in Icedove. Without modifying Torbirdy, key management is
much more difficult in Icedove due to various errors. IMPORTANT NOTE: This
modification is for Whonix only! If you do the same thing to Torbirdy for some reason
in any other OS, you may damage your anonymity or privacy!
8. The part of the file you will be editing is moved to the right by spaces. Thus, it will be
easier to edit if you maximize your terminal window. Click on the up-arrow in the upper
right side of your terminal window to maximize the terminal.
11. You will next see your cursor at a line that shows ' "--display-charset utf-8 " + ' as displayed
in the screen shot below.
Remove the + sign and place a , sign immediately following the quotation mark so it
looks like the screen shot below.
12. Next, move the cursor down 2 lines to the line that starts with --keyserver-options as
pictured below.
14. Next, add the file you just edited to the torbirdy-current.xpi install package.
Type 7z u torbirdy-current.xpi components/torbirdy.js and press enter.
15. Remove the directory for the file you just modified. Type rm -rf components and press
enter.
16. Next, you can close your Konsole session. Type exit and press enter.
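Steps 11 to 15 modify one file inside the add-on archive and put it back with 7z. Since an .xpi is an ordinary zip file, the same thing can be done, and checked, from Python: the script below is an added example, not from this guide or the TorBirdy project, that rewrites the archive with the edited components/torbirdy.js and then lists which members differ between the original and the rebuilt archive, so you can confirm that the only change is the one you made. The miniature archive it builds is a constructed stand-in for torbirdy-current.xpi with placeholder contents; repack_file applies the same operation to files on disk.

```python
import io
import zipfile
from pathlib import Path


def replace_member(xpi_bytes, member, new_data):
    """Return a copy of the archive in which `member` holds new_data.

    zipfile cannot update in place, so the archive is rewritten member by
    member; this is what the guide's `7z u` step does to the .xpi."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    if member not in src.namelist():
        raise KeyError("%s is not in the archive" % member)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == member else src.read(info)
            dst.writestr(info.filename, data)
    return out.getvalue()


def changed_members(old_bytes, new_bytes):
    """Names whose content (CRC or size) differs, plus any added or removed names."""
    def table(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return {i.filename: (i.CRC, i.file_size) for i in z.infolist()}
    old, new = table(old_bytes), table(new_bytes)
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))


def member_bytes(xpi_bytes, member):
    """Contents of one member, for spot checks after repacking."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return z.read(member)


def repack_file(xpi_path, member, edited_path):
    """Step 14 on real files: put edited_path into the archive as `member`,
    overwrite the .xpi, and return the list of members that changed."""
    original = Path(xpi_path).read_bytes()
    rebuilt = replace_member(original, member, Path(edited_path).read_bytes())
    Path(xpi_path).write_bytes(rebuilt)
    return changed_members(original, rebuilt)


def build_sample_xpi():
    """A constructed miniature stand-in for torbirdy-current.xpi (not the real add-on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", "<RDF/>\n")
        z.writestr("chrome.manifest", "content torbirdy chrome/content/\n")
        z.writestr("components/torbirdy.js", "// original component\n")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_xpi()
    edited = replace_member(original, "components/torbirdy.js", b"// edited component\n")
    print("changed members:", changed_members(original, edited))
```

After repack_file("torbirdy-current.xpi", "components/torbirdy.js", "components/torbirdy.js") the returned list should contain exactly that one name; anything else means the archive was not rebuilt the way you intended.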
17. Now you need to create your new email account. Click on the Tor Browser icon located near
the K Start Button towards the lower left side of your screen to start Tor Browser.
18. First and foremost, there are multiple email providers that you have the option to choose
from. For the purposes of this tutorial, the example used will be vfemail.net. This is not to
be confused with an endorsement of vfemail.net as the best or most secure email
provider. However, at the time of this publication, vfemail.net is one of the few free
regularly available email providers offering POP3 email access through a .onion address in
the Tor Hidden Network that does not require additional verification details to register an
account. To learn more details regarding the features and offerings of vfemail.net, go to
https://344c6kbnjnljjzlz.onion/faq.php.
If used properly with GPG encryption, vfemail.net's Tor hidden service email service will
provide you with strong anonymity and privacy. However, remember that this is a Tor
Hidden Service, which means you have no way of ever determining who is running it.
Thus, if you do not use GPG to encrypt your e-mail, and the people who send you e-
mail do not encrypt it with GPG either, it can be easily read by the e-mail service
provider, by any mail server that relays a message on its way to or from vfemail.net, or
by anyone who manages to gain access to your account!
If you wish to use another email provider, go to its registration page, create your new
account with them, use KeePassX to generate your password for it, and continue to step 24.
19. Next, the Tor Browser will warn you that the web page's connection is untrusted. This is
expected. The warning is due to the fact that the SSL certificate you received is from
vfemail.net, but the domain you are connecting to is 344c6kbnjnljjzlz.onion. Click on the
text that says I understand the risks and then click on the add exception button that will
appear beneath it.
20. Next, a window prompting you to add security exception will appear. Click on the
Confirm Security Exception button.
21. The registration screen for vfemail will now load. As of this publication, javascript is
required for the registration process due to the CAPTCHA used to block bots. Thus, click on
the NoScript icon to the left of the browser location bar and select temporarily allow
https://344c6kbnjnljjzlz.onion.
22. When the page reloads, you will need to create your email account name and password.
Open up KeePassX and create a password as instructed in Chapter 4b.
When finished creating your password in KeePassX, type fake information into the fields
under First Name and Last Name. Then, type the email name you wish to use in the
field under User Name. Next, select vfemail.net in the pull down menu under Domain
name. Then, copy the password you created in KeePassX and paste it into the fields under
Password and Confirm Password. Finally, type the letters that appear in the CAPTCHA
puzzle in the field under the Type the letters you see above heading and click on the
Register button.
23. The next screen will confirm that you have created an account. The email address you
selected will be displayed on the page. Copy that address and paste it into the
description or username fields of KeePassX that are associated with your
password immediately. Then, save your KeePassX database. Then, click the X button to
close Tor Browser and continue to the next step.
24. For simplicity, now add a shortcut for Icedove to your desktop. Click on the K start button
and go to "Applications > Internet." Right-click on "Mail Client" and select "Add to
Desktop." A shortcut to "Icedove" will now be on your desktop.
25. After you add the icon to the Desktop, the Start Menu will still be open. Click on "Mail
Client" to open Icedove.
26. The first window that will appear on running Icedove for the first time will prompt you to
configure your email account. Type the alias that you wish to use in the field next to Your
name. This will appear next to your email address in emails you send to others. Then, type
the vfemail.net email address you just created into the field next to Email address. Finally,
uncheck remember password and click the Continue button. IMPORTANT NOTE:
Never use Icedove to save your email account password. Icedove keeps saved passwords
in its profile directory, and unless you set a Master Password the key that protects them
sits unprotected right beside them, so anyone who copies the profile can recover them.
Thus, if your workstation is compromised in the future, an attacker may be able to gain
access to your email account by reading Icedove's password store.
27. An outdated version of Torbirdy comes pre-installed with Whonix. You will remove it later.
This poses no problem at the moment. The next window that appears will inform you that
Torbirdy has blocked the automatic configuration process to protect your anonymity. Click
on the OK button to continue.
28. In the next window, you need to configure Icedove to connect to the hidden service of
vfemail.net. The fields you need to change are highlighted in red. Type
344c6kbnjnljjzlz.onion in the field next to Server Name. Then, type your complete
email address into the field next to User Name. Additionally, unmark the box next to
Leave messages on server. Finally, mark the box next to Empty Trash on Exit and
continue to the next step.
29. Next, click on Copies and Folders in the left column. Each option you will need to change
is highlighted in red below. In the pull down menu next to 'Sent' Folder on, select Local
Folders. Next, in the pull down menu next to 'Archives' Folder on, select Local
Folders. Additionally, in the pull down menu next to 'Drafts' Folder on, select Local
Folders. Now, in the pull down menu next to 'Templates' Folder on, select Local
Folders. Finally, mark the box next to show confirmation dialog when messages are
saved. When finished, continue to the next step.
30. Next, click on Local Folders in the left column. Then, click on Empty trash on exit.
When finished, continue to the next step.
31. Now, click on Outgoing Server (SMTP) in the left column. Then, click on the Edit
button.
32. In the next window that appears,type 344c6kbnjnljjzlz.onion in the field next to Server
Name. Then, click on the pulldown menu next to Connection security and select
STARTTLS. Next, type your complete email address into the field next to User Name.
Finally, click on the OK button.
33. When you are returned to the Account Settings window, click on the OK button.
34. Icedove will now attempt to connect to 344c6kbnjnljjzlz.onion. Wait for the window
pictured below to appear. When Icedove connects, the Add Security Exception window
will appear informing you that there is an issue with the SSL certificate. This is
expected. The warning is due to the fact that the SSL certificate you received is from
vfemail.net, but the domain you are connecting to is 344c6kbnjnljjzlz.onion. Click on the
Confirm Security Exception button.
35. You will now be returned to the main Icedove window. An Enigmail Setup Wizard
window will also be running. You can ignore this for now. When you reach the main
Icedove window, click on the icon that has the 3 horizontal bars towards the upper right
corner. Then, click on Preferences and click the box next to Menu Bar so that a check
mark appears in it.
36. A menu bar will now appear towards the top of the Icedove window.
Click on Tools > Add-ons.
37. The Add-ons Manager tab will now appear. Click on Extensions and then click the
Disable button next to TorBirdy.
38. Now, click on the X button in the upper right corner of Icedove to close the main Icedove
window.
39. The Enigmail Setup Wizard will be running. Start setup now will be selected by default.
Click on the Next button.
40. On the next screen, click the circle next to I prefer an extended configuration and then
click the Next button.
41. Next, you will be prompted to create a GPG keypair or use an existing one. Click on the
circle next to I want to create a new key pair for signing and encrypting my email and then
click the Next button.
42. In the next window that appears, choose a strong passphrase and input it into the fields next
to Passphrase and Passphrase (repeat). Create your passphrase using the same
methodology that you used for the passphrase to encrypt your hard drive in the beginning of
this tutorial. You will need your passphrase to sign messages with GPG or to decrypt
messages sent to you. With a strong passphrase, if your machine is ever compromised and
someone steals your GPG Secret Key, you will have an extra layer of protection to prevent
the attacker from being able to easily decrypt emails sent to you or to impersonate you by
signing emails with your GPG key.
When you have selected an appropriate passphrase and typed it into the passphrase fields,
click on the Next button.
43. At this point, Enigmail will begin creating your new GPG key pair. When it finishes, click
on the Create Revocation Certificate button.
44. You will now be prompted to enter the passphrase you created in step 42 for your GPG
secret key. Type your passphrase in the Passphrase field and click the OK button.
45. The next window will ask you where you want to store your GPG Revocation Certificate.
Click on user in the left column. Then, choose a filename other than the default for your
GPG Revocation Certificate. The default name uses spaces which can make a step later in
this guide trickier for you. Finally, click the Save button.
46. Next, you will be informed that the GPG revocation certificate was successfully created.
Click the OK button.
47. You will now be returned to the Key Creation window. Click the Next button.
48. The next window will inform you that Enigmail is now ready to use. Click the Finish
button.
49. Note: The following steps are optional, but recommended. Before continuing with Icedove,
take the time to encrypt your revocation certificate. Your GPG revocation certificate can be
used to revoke the public key that you have added to key servers even if you no
longer have access to your GPG Secret Key or have forgotten your passphrase. It is a bearer
document: anyone who holds the certificate can publish it, and a revocation cannot be undone.
Encrypting the GPG revocation certificate with a passphrase you can remember will prevent an
attacker from using it to revoke your key if they manage to steal the certificate. Open
up a Konsole / Terminal session to get to a command prompt. Click the K start button and
then click Terminal.
If you wish to skip encrypting your revocation certificate, continue from step 55.
50. At the command prompt, type
gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName and press
enter.
Tip: If you included spaces in your file name, once you type the first few letters of it, you
can complete the rest of the file name by pressing the Tab key. This can save you time
when typing any file name from the command line.
51. You will be prompted to Enter passphrase. Choose a secure passphrase and enter it into
the passphrase field. Then, click the OK button. If you ever need to use your revocation
certificate, this is the passphrase you will use to decrypt it first. Do not forget this
passphrase! If need be, save it in KeePassX.
52. You will be asked to re-enter your passphrase. Type it again into the passphrase field and
click the OK button.
53. Eventually, you will be returned to the shell prompt. Type ls *.gpg and press enter. If
you see a file that has the same name as your revocation certificate ending with .gpg, you
have successfully encrypted your revocation certificate and can continue to the next step. If
you don't see such a file, start again from step 50.
54. Now, securely delete your unencrypted revocation certificate.
Type shred -n 30 -uvz RevocationCertificateFileName and press enter.
Note: shred overwrites the file's blocks in place, so it only helps where the filesystem really
writes new data over the old. Where it does not (ext4 mounted with data=journal, a copy-on-write
filesystem such as btrfs, or an SSD doing its own wear levelling underneath any filesystem), a
copy of the plaintext can survive the overwrite. The encrypted host disk you set up at the start
of this guide is what protects such remnants; shred is a second line of defence, not a
replacement for it.
When the process completes, close the Terminal/Konsole window by clicking on the x in
the upper right corner or typing exit and pressing enter. Then, go back to Icedove.
In the future, if you ever need to use your revocation certificate, decrypt it by typing
gpg -o RevocationCertificateFilename.asc -d RevocationCertificateFilename.gpg.
55. Next, open Icedove either through the K start menu or from the icon on your desktop. When
Icedove opens, a System Integration window will appear. Click on the Skip Integration
button.
56. Icedove will now attempt to automatically check for new email. Wait for a moment until you
are prompted for your password. When the window appears that asks you to enter your
password, click the Cancel button.
57. At the bottom of the Icedove window, you will be asked if you would like to help improve
Icedove Mail/News by automatically reporting memory usage, performance and
responsiveness to Mozilla? Click on the No button.
58. Next, you will install the latest version of Torbirdy that you modified earlier in this chapter.
Click on the gear icon towards the upper right side of the Icedove Add-ons Manager
window and click on Install Add-on from file.
59. In the next window that appears, click on user under Places towards the left side of the
window. Then, double-click on Downloads.
At the next screen, click on torbirdy-current.xpi and then click on the Open button.
60. Next, a Software Installation window will appear. After the brief timed delay finishes,
click the Install Now button.
61. When you are returned to the Add-ons Manager in Icedove, click on the Enable button
next to Torbirdy.
62. After you have enabled Torbirdy, click on the Restart now link that appears to restart
Icedove.
63. When Icedove restarts, click on the x in the tab entitled Add-ons Manager to close the
Add-ons Manager window.
64. You will now be returned to the main Icedove window. Click on Edit and then on Preferences.
65. In the window that appears, click on the Advanced tab. Unmark the box next to Enable
Global Search and Indexer. Then, click on the Return Receipts button.
66. In the next window that appears, mark the circle next to Never send a return receipt. Then,
click the OK button.
67. When you are returned to the Icedove Preferences window, click the Privacy button.
Then, uncheck the boxes next to Remember websites and links I've visited and Accept
cookies from sites. Then, click the close button.
68. Next, you need to change some settings that were not addressed by the Enigmail Setup
Wizard. At the main Icedove window, click on Edit and then on Account Settings.
69. In the window that appears, click on OpenPGP Security in the left column. Then, mark the
boxes next to Encrypt messages by default and Sign encrypted messages. Next, unmark
the box next to Use PGP/MIME by default. Then, click the Enigmail Preferences
button.
70. In the Sending tab of Enigmail Preferences window, click the circle next to Manual
encryption settings. Then click the circle next to Always under Confirm before sending
and click the OK button.
71. When returned to the OpenPGP Options window, click the OK button.
72. Next, quit Icedove by clicking on the x in the upper right corner.
73. Now, open Icedove either through the K start menu or from the icon on your desktop. When
Icedove opens, click on Enigmail and then on Key Management.
74. In the Key Management window that appears, you will see your key in bold and the key you
imported for Sukhbir Singh if you chose to verify Torbirdy earlier.
Click on Keyserver and then on Search for Keys.
75. The next window that appears enables you to search for GPG keys hosted on public GPG
key servers. You can search for GPG keys by e-mail address, a short key ID or an
individual's public GPG fingerprint. In this step you are going to search for the key belonging
to anonguide@vfemail.net by its public GPG fingerprint.
Type or paste 64222A88D25730910C47A904BD8083C5237F796B in the field next to
Search for key and click the OK button.
76. In the next window that appears, an entry for anonguide@bitmessage.ch with a Key ID of
237F796B should be displayed with a check mark next to it. Click the OK button to
import the key.
77. The next window should inform you that the key for anonguide@vfemail.net was
successfully imported. It is not a problem that the e-mail address is different than the
anonguide@bitmessage.ch listed above when importing the key. Multiple e-mail
addresses can be used with a GPG public key. Anonguide@bitmessage.ch is simply an
older e-mail address. Click the OK button to continue.
78. Now, verify the integrity of the newly imported key for anonguide@vfemail.net. Double-
click on the key for Anon Guide <anonguide@vfemail.net> to open the Key Properties
window.
79. In the window that appears, note the fingerprint. It should be
6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B. The full fingerprint may not
display in the Key Properties window. You can scroll through it by clicking in the field next
to Fingerprint and using your arrow keys.
If the fingerprint is anything different, assume the public key for this tutorial that you
downloaded has been tampered with and do not use it. When you have confirmed the
fingerprint, click the OK button.
Note: It is always important to verify any GPG public key you have added to your keyring
with a fingerprint provided to you by the person you wish to communicate with. The reason
for this is that anyone can add a GPG public key to a key server that claims to belong to a
certain email account. If an attacker is monitoring an email account through surveillance,
and you use an encryption key that they created to falsely correspond to the person you wish
to communicate with, the attacker will be able to read your email.
80. Now, export your public key to a GPG key server. Right-click on the entry for your email
address and click on Upload Public Keys to Keyserver.
81. Click the OK button in the next window that appears to upload your public GPG key to
the keyserver. A progress meter will then appear. If the upload is successful, you will not
receive any confirmation message. If you wish to check that your GPG public key was
successfully uploaded to the keyserver, do a search for your own key the same way you
searched for the key belonging to anonguide@vfemail.net in steps 74 and 75.
Note: A key that has been uploaded to the public keyserver network cannot be deleted from it
again, only revoked. That is the other reason to keep the revocation certificate you made in
steps 43-54 safe.
82. Now, let's prepare Icedove to inform people about your public GPG key through listing it in
your email signature. Double-click on the key entry for your vfemail.net email address to
open the Key Properties window.
83. In the window that appears, click in the field next to Fingerprint. Then, select all of the
text in the field by typing either LEFT-CTRL A or doing a right-click and choosing
select all. Next, copy the text to your clipboard by typing LEFT-CTRL C or doing a
right-click and choosing copy. When you have copied the text to your clipboard, click the
Close button. You may close the Key Management window at this point if you wish.
84. From the main Icedove window, click on Edit and then on Account Settings.
85. Now you are going to create a signature that will be included in all of your outgoing mail
and that will contain both your GPG public key ID and your GPG public key fingerprint. In the
next window that appears, click in the text field located underneath Signature text. Then
paste the contents of your clipboard on to two separate lines in the text field.
On the first line, type GPG Public Key: before the fingerprint you just pasted. Then,
delete all but the last 16 characters of the fingerprint from this line. If you look at the
example below, you'll notice that your fingerprint consists of 10 groups of 4 characters.
Delete the first six groups. Then, delete the spaces in between the remaining groups of
characters. Finally, type 0x (that is the numeral zero) directly in front of the remaining
characters. In the example below, that results in 0xE2A4440ABE1DE630. The end result
of what you create here is your GPG public key ID. People can enter that into
various GPG key servers to find your public key and send you encrypted messages. A key
ID is only a way of looking a key up, not of identifying it: it is far shorter than the
fingerprint, so more than one key can share it, and anyone can upload a key carrying your
name and address.
On the second line, type Fingerprint: in front of the characters you pasted there. This is
what lets people who download your GPG public key verify that it is the key you wish
them to use, so ask them to compare the whole fingerprint and not just the key ID. When you
are finished, click the OK button.
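The fingerprint check of step 79 and the key ID and fingerprint lines of step 85, as a shell
script you can reuse for every key you import. This is an added example, not code from the
guide or from Enigmail. It assumes the record format of gpg --with-colons --fingerprint (fpr
records carry the fingerprint in field 10, pub records the key ID in field 5, uid records the
user ID in field 10). The key listing embedded in it is constructed for the example: the first
key uses the anonguide fingerprint printed in step 79, the second is a fictitious key that
happens to end in the same eight characters 237F796B, which is exactly the situation a key ID
search cannot tell apart.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide: fingerprint checks and signature lines
# for Enigmail/GnuPG keys.  Assumes the "gpg --with-colons" record layout.

# Strip spaces and an optional 0x prefix from a fingerprint and upper-case it.
norm_fpr() {
    local f="$1"
    f="${f//[[:space:]]/}"
    f="${f#0x}"
    f="${f#0X}"
    printf '%s' "$f" | tr 'a-f' 'A-F'
}

# The long (64-bit) and short (32-bit) key IDs are just the tail of a v4
# fingerprint.  They locate a key on a keyserver; they do not identify it.
long_keyid()  { local f; f=$(norm_fpr "$1"); printf '%s' "${f: -16}"; }
short_keyid() { local f; f=$(norm_fpr "$1"); printf '%s' "${f: -8}"; }

# Lay a fingerprint out in the ten groups of four that Enigmail displays.
fmt_fpr() {
    local f out="" i
    f=$(norm_fpr "$1")
    for ((i = 0; i < ${#f}; i += 4)); do
        out="${out}${out:+ }${f:i:4}"
    done
    printf '%s' "$out"
}

# The two signature lines that step 85 builds by hand.
signature_lines() {
    printf 'GPG Public Key: 0x%s\nFingerprint: %s\n' "$(long_keyid "$1")" "$(fmt_fpr "$1")"
}

# Step 79 as a check: print the user IDs of the key whose PRIMARY fingerprint
# equals the expected one (subkey fpr records are skipped) and return 0, or
# return 1 when no key matches.  Anything shorter than 40 hex digits is refused.
verify_key() {                       # $1 = colon listing, $2 = expected fingerprint
    local want
    want=$(norm_fpr "$2")
    if ! [[ $want =~ ^[0-9A-F]{40}$ ]]; then
        echo "verify_key: a full 40-digit fingerprint is required" >&2
        return 2
    fi
    printf '%s\n' "$1" | awk -F: -v want="$want" '
        function flush() { if (fpr == want) { print uids; found = 1 } }
        $1 == "pub" { flush(); fpr = ""; uids = ""; pending = "primary" }
        $1 == "sub" { pending = "subkey" }
        $1 == "fpr" && pending == "primary" { fpr = toupper($10); pending = "" }
        $1 == "uid" { uids = uids (uids == "" ? "" : "\n") $10 }
        END { flush(); exit found ? 0 : 1 }'
}

# Why a key ID alone is unsafe: every primary key whose fingerprint ends in it.
keys_with_keyid() {                  # $1 = colon listing, $2 = key ID
    local id; id=$(norm_fpr "$2")
    printf '%s\n' "$1" | awk -F: -v id="$id" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary {
            f = toupper($10)
            if (substr(f, length(f) - length(id) + 1) == id) print f
            primary = 0
        }'
}

ANONGUIDE_FPR="6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B"

# Constructed listing: the anonguide key plus a fictitious key that shares its
# short key ID 237F796B and copies its user ID.
SAMPLE_LISTING=$(cat <<'EOF'
pub:u:4096:1:BD8083C5237F796B:1420000000:::u:::scESC::::::23::0:
fpr:::::::::64222A88D25730910C47A904BD8083C5237F796B:
uid:u::::1420000000::0123456789ABCDEF0123456789ABCDEF01234567::Anon Guide <anonguide@vfemail.net>::::::::::0:
uid:u::::1410000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::anonguide@bitmessage.ch::::::::::0:
sub:u:4096:1:0011223344556677:1420000000::::::e::::::23:
fpr:::::::::1111111111111111111111110011223344556677:
pub:-:2048:1:00000000237F796B:1500000000:::-:::scESC::::::23::0:
fpr:::::::::DEADBEEF000000000000000000000000237F796B:
uid:-::::1500000000::0000000000000000000000000000000000000000::Anon Guide <anonguide@vfemail.net>::::::::::0:
EOF
)

if [ "${1:-}" = "--demo" ]; then
    signature_lines "$ANONGUIDE_FPR"
    verify_key "$SAMPLE_LISTING" "$ANONGUIDE_FPR"
    keys_with_keyid "$SAMPLE_LISTING" 237F796B
fi
```

Run it with --demo to print the two signature lines, the user IDs found under the verified
fingerprint, and both fingerprints that end in 237F796B. Against a real keyring, pass the output
of gpg --with-colons --fingerprint as the first argument of verify_key and the fingerprint the
other person gave you as the second; a non-zero exit means the key you imported is not theirs.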
86. Now you will be instructed on sending out your first test email to anonguide@vfemail.net.
Click on the Write button located in the upper left region of the window.
87. A new window will open for you to compose an email message. In the To field, type
anonguide@vfemail.net. Then, type key test in the Subject field. Then, type
whatever you wish into the message body. You do not need to go into great detail. The
point of this email is to test your encryption key and get you familiar with a common
encrypted email exchange.
Notice the padlock and pencil icons located towards the upper-left side of the window next
to the Enigmail: header. These icons should be marked as active by a gray square around
them with the padlock closed, which means your message will be signed and encrypted (if
you have a corresponding public key). To the far right of these icons, a status message also
informs you that the message will be signed and encrypted.
Note: The Subject field is NEVER ENCRYPTED, even when you encrypt your message
and attachments, and neither are the sender, recipient and date headers. Thus, be wary of any
information you put in a subject field.
When you are ready to send the message, click the Send button.
88. You will next be prompted to enter your GPG passphrase. This will enable you to sign the
message you are sending to us. When you sign a message, this provides a mechanism which
allows the recipient of an email to be confident that you actually wrote the email and not an
impostor. Type your passphrase and click the OK button.
89. If you take too long to enter your GPG passphrase, the window imaged below may appear.
Do not worry about that. Finish typing your GPG passphrase and, when you get to the
Warning: Unresponsive Script window, click the Continue button. Your email will now
be encrypted.
90. After you've typed in your passphrase, a confirmation window will appear asking if you
wish to send a signed and encrypted email to anonguide@vfemail.net. Note the body of your
email message under that window. If you see -----BEGIN PGP MESSAGE----- and a
series of random-looking characters, that shows your email has been encrypted and you can
click the Send Message button. However, if you still see the original text of your message,
it is not encrypted and you should click the Cancel button.
91. Since this is your first time sending an email, another Add Security Exception window
will next appear. This is expected. The warning is due to the fact that the SSL certificate
you received is from vfemail.net, but the domain you are connecting to is
344c6kbnjnljjzlz.onion. Check the certificate's fingerprint as you did in step 34, then click
on the Confirm Security Exception button. You won't have to do this again in the future.
92. As a result of the issue with the SSL certificate in the last step, the sending of your message
will fail. Select the Icedove Write: key test window from your task bar.
Then, click the OK button in the Send Message Error window that appears.
Then, when you are returned to your email composition window, click on the Send button
again.
Finally, you'll again be prompted to confirm that you want to send a signed and encrypted e-
mail. Click the Send Message button.
93. Next, you will be prompted to enter the password for your vfemail.net account. This will
happen each time you start Icedove and send an email for the first time since your password
is not stored by the program. However, once you have entered the password, Icedove will
remember it for the session. The same process applies to receiving email. When asked to
enter your password, copy it from KeePassX, paste it into the password field and click the
OK button.
Note: Do not use Icedove's Password Manager to store your password. Icedove does not
encrypt stored passwords unless a master password has been set, which this guide does not
do. Thus, if an attacker compromises your machine and manages to access your Icedove
folder, they will gain the password to your email account if you have stored it in Icedove.
94. You will now be returned to the main Icedove window. If you notice a new Sent folder in
your Local Folders on the left side of the window, your email to anonguide@vfemail.net
was sent.
95. In some instances, you may wish to send an email to an address for which you have no GPG
public key in your keyring. When you reach a new mail composition window like you did in
step 87, you have the option of sending your GPG public key to the recipient as an
attachment. If you wish to do that, click on the Attach My Public Key button before you
send the email.
Once you have composed the message and click the Send button, a window will appear
explaining that no valid GPG public key could be found for the email recipient. Unmark the
boxes next to Send encrypted and Send signed. Then, click the Send button to send
the unencrypted message.
Note: Remember that this email is unencrypted. Thus, it is possible that, if someone
intercepts your email at some point, it could be read. Be wary of what information you
share in an unencrypted email.
The remainder of this chapter will discuss downloading and reading email.
96. In the near future, you will want to check your mail to see if you got a response from us or if
anyone has sent you email messages. From the main Icedove window, click on the Get
Mail icon to check for any new email messages on the server and download them.
97. Next, you will be prompted to enter your password for your email account. Once you have
entered the password, Icedove will remember it for the session. When asked to enter your
password, copy it from KeePassX, paste it into the password field and click the OK
button.
98. When you receive new emails, a counter will appear next to Inbox in the left column.
Click on Inbox to go to the list of new emails. Then, click on the email that you wish to
read.
99. If the message you received was encrypted with your public key, you will need to type your
GPG passphrase to decrypt it. If a window like the one in the image below appears, type
your GPG passphrase and click the OK button.
100. The email will next display in the lower portion of your Icedove window. From
here, you have the option of replying, forwarding, deleting, etc. If you are reading the
message sent to you by anonguide@vfemail.net, your encryption configuration is working.
Congratulations. You have reached the end of the Icedove and Enigmail email tutorial. It
should be emphasized that this is not meant to be an all inclusive tutorial on the safest way to
use GPG/PGP encryption. There are a number of other resources on the Internet, or people you
can talk to, that can provide more tips that may be better for the perceived threat model you want to
address. However, you now have a strong starting point that has laid down the basic fundamentals
of using encryption over email. Remember the following tips regarding email:
Do not contact people you know in real life at non-anonymous email addresses
with the email account you created here. Do your best to keep your real world
identity separate from your online identity in Whonix.
Be wary of what you share about yourself in email! Just because your email is
encrypted doesn't protect you if the person you are communicating with stores your
emails in an unencrypted format. Nor does it protect you from someone receiving
messages from you who desires to use the information you provide to exploit you.
Whenever you have the option to use a Tor hidden service, a domain name with a
.onion extension, use it! If you can confirm it is controlled by the service you wish to
use, it will give you greater protections.
Chapter 4g. Malware Mitigation.
One of the most common risks to a secure system that you will encounter is malware.
Despite what some may say about Linux, it is not immune to the threat of malware. The standard
approach for most users to prevent malware is a virus scanner. However, such a method is flawed
since, once malware has found its way on to your computer, it's already been compromised. All a
virus scanner can do is attempt to clean up the mess. Additionally, using a virus scanner only
detects known malware. Any unknown malware will get past it and compromise your system
undetected.
The method described in this chapter provides a means of limiting the risk of a lasting
compromise of your Whonix Gateway and Whonix Workstation by malware. Rather than relying
on a virus scanner, this method involves creating an additional virtual hard drive for persistent
storage of various files and then restoring the Whonix Gateway and the Whonix Workstation from a
snapshot after each use. The benefit of this method is that, if either the Whonix Gateway or the
Whonix Workstation are compromised by malware during your session, it will simply be erased and
gone the next time you use the Whonix Gateway or Whonix Workstation.
While this method provides a fairly good way to mitigate the risks associated with malware,
do not become overconfident in it and get reckless with your networking habits. This method will
only work against malware that is confined to the Whonix virtual machines. If the malware is
advanced enough to break out of the restrictions of a virtual machine and compromises your host,
then this method will no longer do you any good and your entire system will no longer be secure.
Additionally, standard malware that infects your vm can still compromise communications that you
believed to be encrypted, thus weakening a significant aspect of the security methods discussed
earlier in this guide. Therefore, while this method will mitigate against a persistent install of
malware in your Whonix Gateway or Whonix Workstation, remember that it is still best to avoid
malware compromise entirely.
Also be aware that if you create a snapshot of either the Whonix Gateway or Whonix
Workstation after it has been compromised, and you are using that snapshot for this method, then
the mitigation techniques described in this chapter will essentially be worthless. Thus, if you've
already used the Whonix Gateway or Whonix Workstation to visit risky internet sites, consider
doing a fresh install of Whonix as described in this guide before implementing the method in this
chapter.
Let's begin.
1. First and foremost, if your Whonix Gateway and Whonix Workstation are running,
shut them down as described in steps 4-7 of Chapter 4a. The first thing you need to do is
create a new virtual hard drive to use with your Whonix Workstation. This is done from
inside the VirtualBox Manager. If your VirtualBox Manager is not currently running in your
Debian host OS, click on Applications in the upper left corner, then choose Accessories
and scroll down to VirtualBox. Click on VirtualBox.
2. If you've made it this far, you've done some substantial work with your Whonix virtual
machines. Take snapshots of them for backup purposes before proceeding. First, click on
Whonix Gateway and then click on Snapshots.
3. Next, click on the icon that looks like a camera towards the upper center of the screen to
take a snapshot of your Whonix Gateway.
4. On the next screen that appears, choose whatever name you want for your snapshot and
click the OK button.
5. Next, click on the Whonix Workstation to select it and click on the camera icon towards
the upper center of the screen to take a snapshot.
6. On the next screen, choose whatever name you want for your snapshot and click the OK
button.
19. After the Whonix Gateway has booted and reached the desktop, start your Whonix
Workstation. Click on Whonix Workstation and then click on the Start button.
20. When the system boots and you reach the Whonix Workstation Desktop, click on the
Konsole icon on your Desktop to open a terminal session.
21. Now, you need to partition the new virtual hard disk you created. First make sure you have
the right disk: type lsblk and press enter, and check that /dev/sdb is the disk of the size
you chose, with no partitions or mount points listed under it, while /dev/sda is the
Whonix system disk. Only then type sudo fdisk /dev/sdb. When prompted for your
password, type it and press enter.
22. When you reach the command prompt in fdisk, type n to create a new partition.
23. For the remaining prompts that appear while creating the new partition, accept the defaults.
Simply press enter after every prompt that appears that is highlighted in red below.
24. When returned to the main prompt in fdisk, type w to write the changes to disk.
25. You will now be returned to your terminal command prompt. You need to format the newly
created partition in order to be able to use it. Type sudo mkfs.ext4 /dev/sdb1 and press
enter.
26. When the disk finishes formatting and you are returned to the command prompt, create a
directory that will be used by the new virtual hard disk in the future.
Type mkdir storage and press enter.
27. Next, you need to configure your Whonix Workstation to mount the new virtual hard disk on
every boot. Type sudo nano /etc/fstab and press enter.
28. The next screen is the nano editor. Use your down-arrow key to navigate to the bottom of
the file and type /dev/sdb1 /home/user/storage ext4 defaults 0 2 as the
last line.
Note: /dev/sdb1 names the partition by the order in which the disks were detected. If you
later attach another disk to the Whonix Workstation, that order can change and a different
disk would be mounted on storage. Mounting by the filesystem's UUID instead avoids this.
29. Next, exit nano and save the file. Press LEFT CTRL-X. When prompted to save your
changes, type Y.
30. The next prompt will ask you to select a file name to which you will save the file which
should default to /etc/fstab. Press enter to continue.
31. Next, restart the Whonix Workstation for your changes to take effect. Click on the K start
button in the lower left corner of your screen, hover the mouse over the Leave icon that
appears in the right side of the Start Menu and then click on Restart.
32. In the next screen that appears, click on the Restart Computer button.
33. Let the Whonix Workstation go through its reboot process. When you are returned to the
Desktop, click on the Konsole icon on your Desktop.
34. Next, you need to change which account owns the storage directory in order to make use
of it. Type sudo chown user:user storage and press enter.
35. Now, you need to move various files and directories to the persistent storage directory.
This step of the tutorial is assuming you saved your KeePassX password database as
mypass.kdb in your home directory. If you saved it as something else, replace
mypass.kdb with the path and file name you chose in the following command.
37. Next, create a symbolic link for your Icedove e-mail data.
Type ln -s storage/.icedove .icedove and press enter.
38. Next, create a symbolic link for your Pidgin instant messenger data.
Type ln -s storage/.purple .purple and press enter.
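Steps 21-38 above as one script that can be run again safely. This is an added example, not
part of the guide. It assumes what the steps assume: the new disk is /dev/sdb and still empty,
the account is user, the mount point is /home/user/storage, and the KeePassX database is
named mypass.kdb; the three items it moves are the ones this chapter moves. It departs from
the hand steps in two ways a practitioner would want: it refuses to partition a disk that
already carries partitions or a filesystem, and it writes the /etc/fstab entry by filesystem
UUID rather than by /dev/sdb1, so a disk that is renumbered on a later boot cannot be mounted
in its place.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide: persistent storage for the Whonix
# Workstation.  Assumes /dev/sdb is the new, empty disk, the user is "user"
# and the mount point is $HOME/storage.
set -u

# Partition the whole disk as one Linux partition and format it.  Refuses a
# disk that already has partitions or a filesystem on it.
prepare_disk() {                     # $1 = whole-disk device, e.g. /dev/sdb
    local dev="$1" entries fstypes
    entries=$(lsblk -no NAME "$dev" | awk 'END { print NR }')
    fstypes=$(lsblk -no FSTYPE "$dev" | tr -d '[:space:]')
    if [ "$entries" != 1 ] || [ -n "$fstypes" ]; then
        echo "$dev is not an empty disk; refusing to partition it" >&2
        return 1
    fi
    echo ',,L' | sudo sfdisk "$dev" || return 1      # one Linux partition, whole disk
    sudo mkfs.ext4 -q -L storage "${dev}1"
}

# The fstab line: mounted by UUID, with nodev,nosuid because nothing on a data
# disk should be a device node or a setuid program.
fstab_line() {                       # $1 = filesystem UUID, $2 = mount point
    printf 'UUID=%s %s ext4 defaults,nodev,nosuid 0 2\n' "$1" "$2"
}

# Append the line for a partition once; a second run leaves fstab unchanged.
add_to_fstab() {                     # $1 = partition, $2 = mount point
    local uuid
    uuid=$(sudo blkid -s UUID -o value "$1") || return 1
    [ -n "$uuid" ] || return 1
    if ! grep -q "^UUID=$uuid " /etc/fstab; then
        fstab_line "$uuid" "$2" | sudo tee -a /etc/fstab >/dev/null
    fi
}

# Move one item (file or directory) from the home directory onto the storage
# disk and leave a symlink in its place, as steps 35-38 do by hand.  Running it
# again is harmless: a correct existing symlink is left alone and nothing is
# ever overwritten.
migrate() {                          # $1 = home dir, $2 = storage dir, $3 = name
    local src="$1/$3" dst="$2/$3"
    if [ -L "$src" ]; then
        [ "$(readlink "$src")" = "$dst" ] && return 0
        echo "$src already links elsewhere; not touching it" >&2
        return 1
    fi
    if [ ! -e "$src" ]; then
        echo "$src does not exist; nothing to migrate" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists; merge it by hand first" >&2
        return 1
    fi
    mv "$src" "$dst" && ln -s "$dst" "$src"
}

# The whole procedure, run once inside the Whonix Workstation with --setup.
setup_storage() {
    local dev=/dev/sdb mnt="$HOME/storage" item
    prepare_disk "$dev" || return 1
    mkdir -p "$mnt"
    add_to_fstab "${dev}1" "$mnt" || return 1
    sudo mount "$mnt" || return 1
    sudo chown "$(id -u):$(id -g)" "$mnt"
    # mypass.kdb is the KeePassX database name assumed in step 35; add any other
    # item you keep in the home directory to this list.
    for item in mypass.kdb .icedove .purple; do
        migrate "$HOME" "$mnt" "$item" || return 1
    done
}

if [ "${1:-}" = "--setup" ]; then
    setup_storage
fi
```

The symlinks it creates are absolute (/home/user/storage/.icedove) where the hand steps make
relative ones; both work, and readlink shows which you have. If setup_storage stops at
prepare_disk, the disk it was pointed at is not empty: check lsblk before overriding anything.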
44. KeePassX will now open to an empty screen. Click on File and then on Open Database.
45. In the next window that appears, click on Home in the column to the left side. Then,
double-click on Storage.
46. In the next screen, click on mypass.kdb and then click the Open button.
NOTE: This step assumes you named your KeePassX database file mypass.kdb. If you
named it something else, click on the file name you chose.
47. When prompted to enter your password, type the main password you set for your KeePassX
password database in Step 6 of Chapter 4c in the field next to password and click the
OK button.
48. Close KeePassX by clicking the X symbol in the upper right corner.
49. Next, shut down both the Whonix Workstation and the Whonix Gateway as described
in steps 4-7 of Chapter 4a.
50. When both the Whonix Workstation and Whonix Gateway have shut down, now you will
clone them. Click on Whonix Gateway to select it in the VirtualBox Manager. Then click
on Machine and then on Clone.
51. In the next window that appears, type Whonix-Gateway [Mitigated] for the name of the
new virtual machine. Then, click on the Next button.
52. In the next screen, select Full Clone and click the Next button.
53. When the next window appears, select Current machine state and then click the Clone
button.
54. When you are returned to the VirtualBox Manager, click on Whonix Workstation to select
it. Then, click on Machine and then on Clone.
55. In the window that appears, type Whonix-Workstation [Mitigated] for the name of the
new virtual machine. Then, click on the Next button.
56. In the next screen, select Full Clone and click the Next button.
57. When the next window appears, select Current machine state and then click the Clone
button.
58. Next, you have to temporarily remove some drives from your Whonix virtual machines in
order to change the state of those drives. You will do this through the Virtual Media
Manager. When returned to the VirtualBox Manager, click on File and then on Virtual
Media Manager.
59. In the next window that appears, click on the disk entitled Whonix-Gateway [Mitigated]-
disk1.vmdk to highlight it. Then, click the Release button.
60. When the window appears that asks you if you want to release the virtual hard disk, click the
Release button.
61. When you are returned to the Virtual Media Manager window, click the Modify button.
62. When the next window appears, select Immutable and click the OK button.
63. Next, when you are returned to the Virtual Media Manager, click on the disk entitled
Whonix-Workstation [Mitigated]-disk1.vmdk, and then click the Release button.
64. When the window appears that asks you if you want to release the virtual hard disk, click the
Release button.
65. When you are returned to the Virtual Media Manager, click on the Modify button.
66. When the next window appears, select Immutable and click the OK button.
67. When you are returned to the Virtual Media Manager window, click the close button.
68. When you are returned to the VirtualBox Manager, click on Whonix-Gateway [Mitigated]
and then click the Settings button.
69. In the next window that appears, select Immutable and click the OK button.
70. When you are returned to the Virtual Media Manager, click the Close button.
71. Now you need to reattach the disks to the Whonix virtual machines. When you are returned
to the VirtualBox Manager, click on Whonix Gateway [Mitigated] and then click on
Settings.
72. In the window that appears, click on Storage on the left side of the window. Then, click
the small icon that looks like a circular disk with a + sign on it towards the bottom of the
window and select Add Hard Disk.
73. On the next screen, click on the Choose existing disk button.
74. Next, select Whonix-Gateway [Mitigated]-disk1.vmdk and click on the Open button.
79. In the next window that appears, you will need to navigate to a new location. Click on the
Virtual Box VMs folder button towards the top of the window. Then, double click on the
Whonix-Workstation [Mitigated] folder to open the folder.
80. Next, select Whonix-Workstation [Mitigated]-disk1.vmdk and click the Open button.
81. When you are returned to the settings window, click the OK button.
82. When you are returned to the VirtualBox Manager, select Whonix-Workstation
[Mitigated] and click Snapshots.
83. Click on the camera icon towards the upper center of the screen to take a snapshot of the
Whonix-Workstation [Mitigated] virtual machine.
84. On the next screen, choose the name you want for your snapshot and then click the OK
button.
85. Next, click on Whonix-Gateway [Mitigated] in the VirtualBox Manager and click on the
camera icon towards the upper center of the screen to take a snapshot of the Whonix-
Gateway [Mitigated] virtual machine.
86. On the next screen, choose the name you want for your snapshot and then click the OK
button.
Congratulations! You have reached the end of the steps necessary to configure the
Malware Mitigation system. The next page will provide explanation on how it works
and how you should use it in the future.
IMPORTANT! DO NOT SKIP THIS PAGE!
Now that you have the malware mitigation system installed, here is an explanation of how it
works. When you changed the two Whonix virtual disks to immutable, any writes made to them
while a machine runs go to a temporary differencing image, and VirtualBox discards that image
and starts again from the most recent snapshot each time the machine is powered on. Thus, every
time you start Whonix-Gateway [Mitigated] and Whonix-Workstation [Mitigated], anything
that was written to the immutable disks will be erased unless you specifically chose to take a
snapshot. The reset happens at power-on, not at shutdown, so a session's changes remain on disk
until the next start. The benefit of this is that, if you obtained malware during any regular use
of the virtual machines, unless it was advanced enough to break out of the virtual machines and
infect your Host OS, it will be gone the next time you use the Whonix Mitigated virtual
machines.
With that in mind, there is something that is incredibly important for you to
understand. Any documents you create or files you download will be erased on the next boot
unless you save them in your /home/user/storage directory. The storage directory that you
created earlier is backed by a disk that you configured as a writethrough device. This means
that it is not affected by snapshots and, thus, is not erased on reboot. All of the programs that
you configured in the earlier subchapters of Chapter 4 have been moved to this directory.
Therefore, when you add new servers to HexChat, download new e-mail, add other people's
public encryption keys, add new accounts and passwords to KeePassX, etc., these are not
erased on the next boot. Anything else you work on that you do not want erased on the next
boot must be saved in your storage directory.
There is one more very important practice for using this system. It concerns installing
periodic OS updates to your Whonix virtual machines in order to keep them current with
application updates, security patches, etc. When you upgrade your system by the steps
described in steps 70 and 86 of Chapter 3, which is something you should do regularly, make sure
you have not used the virtual machines for anything else during that session. Start both the
Whonix-Gateway [Mitigated] and Whonix-Workstation [Mitigated] virtual machines. Then
open a terminal in each and run the sudo apt-get update && sudo apt-get dist-upgrade
command. When the upgrade has finished, shut down the virtual machines as usual. Then create
a new snapshot for both the Whonix-Gateway [Mitigated] and Whonix-Workstation [Mitigated]
virtual machines as you did in steps 76-79 above. Once you take the snapshots following the
shutdown of the virtual machines you updated, the OS updates stay persistent through the next
uses of the virtual machines.
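The two guarantees described above, that the system disks are thrown away on every start and that the storage disk is kept, depend on the medium types you set in the VirtualBox GUI, and the update procedure depends on both virtual machines being fully shut down before the snapshots are taken. The following script, added here as an example and not part of the original guide or of the Whonix or VirtualBox projects, checks both from the host with VBoxManage, VirtualBox's command-line tool. It assumes VBoxManage is installed on the host, that the virtual machine names match this guide, and that you substitute your own disk image paths for the placeholders; the sample outputs embedded in it are constructed so the parsers can be tried without VirtualBox.

```shell
#!/bin/sh
# Added example for this guide (not part of the original, of Whonix or of
# VirtualBox): host-side checks for the Malware Mitigation setup through
# VBoxManage, VirtualBox's command-line front end. Assumes VBoxManage is on
# PATH and the VM names match the guide; disk paths and sample outputs below
# are constructed placeholders, not captured from a real system.

# Medium type ("immutable", "writethrough", "normal", ...) from the text that
# `VBoxManage showmediuminfo disk <file>` prints. Base disks show the type as
# "normal (base)", so only the first word is kept.
medium_type() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "Type" { split($2, w, " "); print tolower(w[1]); exit }'
}

# VMState value from the text that `VBoxManage showvminfo <vm> --machinereadable` prints.
vm_state() {
    printf '%s\n' "$1" | sed -n 's/^VMState="\([^"]*\)"$/\1/p'
}

# Live check: succeed only if the disk image has the expected type, so the
# "erased on every start" property of the system disks and the "kept" property
# of the storage disk are confirmed rather than assumed.
require_medium_type() {  # $1 = disk image path, $2 = expected type
    info=$(VBoxManage showmediuminfo disk "$1") || return 2
    [ "$(medium_type "$info")" = "$2" ]
}

# Live check: succeed only if the VM is fully powered off. VirtualBox resets an
# immutable disk when the VM is powered on from VirtualBox, not on a reboot
# requested from inside the guest, and the guide takes snapshots only after shutdown.
require_powered_off() {  # $1 = VM name
    info=$(VBoxManage showvminfo "$1" --machinereadable) || return 2
    [ "$(vm_state "$info")" = "poweroff" ]
}

# After an update-only session: confirm both Mitigated VMs are powered off,
# then snapshot both so the updated state becomes the new baseline.
snapshot_after_update() {  # $1 = snapshot name
    for vm in "Whonix-Gateway [Mitigated]" "Whonix-Workstation [Mitigated]"; do
        require_powered_off "$vm" || { echo "$vm is not powered off; shut it down first" >&2; return 1; }
    done
    for vm in "Whonix-Gateway [Mitigated]" "Whonix-Workstation [Mitigated]"; do
        VBoxManage snapshot "$vm" take "$1" || return 1
    done
}

# Constructed sample outputs so the parsers can be exercised without VirtualBox.
SAMPLE_IMMUTABLE='UUID:           00000000-0000-0000-0000-000000000001
Parent UUID:    base
State:          created
Type:           immutable
Location:       /PLACEHOLDER/Whonix-Workstation.vdi'
SAMPLE_WRITETHROUGH='UUID:           00000000-0000-0000-0000-000000000002
Parent UUID:    base
State:          created
Type:           writethrough
Location:       /PLACEHOLDER/storage.vdi'
SAMPLE_NORMAL='UUID:           00000000-0000-0000-0000-000000000003
Type:           normal (base)
Location:       /PLACEHOLDER/other.vdi'
SAMPLE_OFF='name="Whonix-Gateway [Mitigated]"
VMState="poweroff"'
SAMPLE_RUNNING='name="Whonix-Workstation [Mitigated]"
VMState="running"'

# Command-line entry points: `check <disk image> <expected type>` or `snapshot [name]`.
case "${1-}" in
    check)    require_medium_type "$2" "$3" && echo "$2 is $3" ;;
    snapshot) snapshot_after_update "${2:-post-update-$(date +%Y-%m-%d)}" ;;
esac
```

Run it as sh mitigated_check.sh check /path/to/Whonix-Workstation.vdi immutable (and writethrough for the storage disk) to confirm the disk types, and after an update session as sh mitigated_check.sh snapshot post-update to take both snapshots in one go. The power-off check matters because VirtualBox resets an immutable disk only when the virtual machine is powered on from VirtualBox, not when the guest reboots itself, which is why the procedure above has you shut the virtual machines down rather than reboot them.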
That's all there is to it. As usual, keep the following practices in mind to avoid malware
infection:
1. Do not EVER use the Host OS for anything but hosting the Whonix virtual
machines. This improves your odds of keeping it free of malware. If your Host OS is
compromised, none of the protections otherwise afforded to you by Whonix can be
relied upon.
2. Do not use JavaScript in your web browser unless absolutely necessary. If you must
use it for some sites, minimize the number of sites you allow to send you JavaScript in
the session through selective use of the NoScript plugin.
3. Beware of suspicious links sent to you through IRC, your instant messenger, e-mail
lists or anywhere else.
4. Be wary of attachments sent to you in e-mail, especially if you did not ask for them.
Chapter 5. Supporting the Projects that Made this Tutorial Possible.
Those of us who wrote this guide are merely users who took the time to document a means
of effectively using a number of tools. If it were not for the teams that actually developed these
tools or maintain these services, then this guide would not be possible. If you have any funds or
bitcoins that you can spare for any of the projects listed below, please donate what you can. It
greatly helps the continued development of advanced tools to help protect our anonymity and
privacy. Obviously, if you wish to maintain your anonymity, be cautious in how you go about
giving donations. Financial transactions can pierce your anonymity.
The Debian Project: The Debian Project is composed of many volunteers throughout the world
who have been active in creating and developing the Debian Operating System. Debian is the
Operating System used as both the base host Operating System in this guide, in addition to being
the Operating System which drives Whonix. The Debian Project established a non-profit
corporation in order to accept donations. For more information on donating to the Debian Project,
go to https://www.debian.org/donations.
The Tor Project: The Tor Project is the team that picked up and continued the development of Tor.
Tor is the software used throughout this tutorial to protect your anonymity by encrypting your
networking connections and layering them over multiple proxies. The Tor Project is a non-profit
corporation that relies heavily on grants and donations for funding. For more information on
donating to the Tor Project, go to https://www.torproject.org/donate.
The Whonix Team: The Whonix Team is a small group of volunteers that have put all the work
into the development and distribution of Whonix. Whonix is the Operating System relied upon in
this tutorial to ensure that all of your networking activity is initially sent through the Tor Network.
The only full time developer for Whonix is Patrick Schleizer. If you would like to donate to the
Whonix Project, please go to https://www.whonix.org/wiki/Donate.
Off-the-Record Messaging (OTR): OTR is the primary tool used in this tutorial to ensure that,
even if your networking connections are subjected to surveillance somewhere within an instant
messaging network, the content of your instant messaging discussions still remain private. For more
information on donating to OTR, go to https://otr.cypherpunks.ca/donate.php.
G10 Code (GPG): GPG is the main tool used to encrypt and decrypt e-mails as described in this
tutorial. The current source of funding is a German corporation known as G10 Code. To learn
more about donating to the continued development of GPG, go to
http://g10code.com/gnupg-donation.html.
CalyxInstitute.org: The Calyx Institute is the service providing the instant messenger services
detailed in this guide. Their approach is unique in that they offer access on a Tor Hidden Service
and require OTR encryption for messages to go across their network. For more information on
donating to the Calyx Institute, go to https://www.calyxinstitute.org/support-us/donate-by-mail.
VFEmail.net: VFEmail.net has provided a reliable, regularly accessible, free e-mail service via a
Tor hidden service for years. If you would like to give any funds to VFEmail.net, you can do this
by upgrading an existing account or an anonymous throwaway account.
Conclusion
First and foremost, congratulations if you made it to this page. That likely means you read
this whole tutorial unless you are the kind of person that reads the last page of a book first. The
topics covered by this tutorial are fairly advanced for many users. Getting through this entire
tutorial shows that you are curious about what exists and have the patience to learn about it.
On that note, here is our final advice. With this system, your worst enemy will be yourself.
Do not ever expose any real information about yourself. Based on how you use this system, despite
all the efforts you make, you will still create fingerprints that may correlate to your true identity.
Never voluntarily divulge any information that may identify you. Or, if you feel that is necessary,
pad it with a lot of false information. How well you use this system is up to you. But, this system
cannot protect you from giving up social information that may identify you. Play it smart. Play it
safe. Don't own yourself.
Additionally, to emphasize this point again, read the documentation provided by the
Whonix Team to learn how to use this system to its maximum potential at the following links:
Finally, if you wish to share this guide, please use the official distribution links. This will
guarantee that people will get the most current version of the guide. Currently, the official
distribution links for this guide are https://anonguide.cyberguerrilla.org or
http://yuxv6qujajqvmypv.onion.
Thank you for taking the time to read this tutorial. We hope it was useful to you. Please
send any comments, suggestions or corrections you may have to anonguide@vfemail.net,
GPG Key = 0xBD8083C5237F796B,
Fingerprint = 6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B.
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect us.
APPENDIX A: Troubleshooting
This appendix will walk you through fixing your Debian install if you encounter either a
blinking cursor or a black screen when you try to boot Debian for the first time. This error is due
to a bug in both GRUB, which is the boot loader, and the Debian Installer, which does not report
a particular error from GRUB when it is installed on your boot drive for the first time. The fix is
fairly simple and will not take much time.
1. Insert the CD or the USB disk you used as your Debian install disk and restart or power on
your computer. Boot from your Debian install disk the same way you did in step 1 of
Chapter 1D.
2. When the following screen appears, insert the USB key that you are using to boot your
newly installed Debian operating system. Then use your arrow keys to navigate to
Advanced options and press enter.
3. On the next screen, use your arrow keys to navigate to Rescue mode and press enter.
4. On the next screen that appears, choose the default language you want to use and press
enter.
5. On the next screen, choose your default location and press enter.
6. On the following screen, choose the settings for your keyboard layout and press enter.
Debian will likely make a recommendation based on your earlier language choice which you
should accept.
7. The Install process will now perform a number of tasks and attempt to automatically
configure your network. If you are using a wired connection, everything will likely be
configured automatically and you can continue to the next step. If you also have a wireless
network card, you may be prompted by the installer to choose the network card to use. If
prompted to choose a primary network interface, select eth0 and press enter.
While not recommended, if you are going to use a wireless connection for the installation
process, choose wlan0, press enter and continue through the various prompts that will
ask for your wireless network name (SSID), password, etc. During this step, you may get a
warning stating that you need to install firmware from a disk in order to get the wireless card
working properly. If prompted to do that, choose no, and use a wired connection instead.
You can search for your corresponding wireless drivers, in addition to the instructions for
installing them, later.
8. Eventually you will be prompted to enter the hostname for this system. Leave this as the
default which is debian and press enter.
9. The next prompt will ask you for your domain name. Leave this blank and press enter.
10. You may be asked to select a time zone. If prompted for such, select your corresponding
time zone.
11. The Debian rescue mode will eventually detect your encrypted hard drive and prompt you
for the password. Type in the passphrase you selected in Chapter 2A or 2B to encrypt your
hard drive.
12. The next screen will ask you to select your root file system. Select /dev/debian-vg/root
and press enter.
13. The next screen will inform you that the installed system appears to use a separate /boot
partition and will ask you if you want to mount it. Select Yes and press enter.
14. On the next screen, choose Execute a shell in /dev/debian-vg/root and press enter.
15. On the next screen, select Continue and press enter.
16. You will now be at a command line prompt next to a # symbol. You need to find out the
device name for /boot. Type df -h and press enter.
Look at the output from the above command and find the line that contains /boot. The
device name you need to make note of is at the start of the line that ends with /boot. It
will look like /dev/sdX1.
NOTE: Your device may have a different name than what is used as the example in this
guide. For purposes of this guide, /dev/sdX is /dev/sdb.
17. Next, you need to find the starting sector of /dev/sdX1 on the drive. Type fdisk -l /dev/sdX
and press enter.
NOTE: /dev/sdX represents the name of the device you took note of in the previous step.
In the image below, /dev/sdb represents the USB disk. Thus, replace /dev/sdX with the
name of the device you noted in the previous step. Do not include the number after the
device name in this step. It should be /dev/sdX and not /dev/sdX1.
The output will show a number under the Start column next to device /dev/sdX1. Make
note of the number and subtract one from it. For example, in the screenshot below, the
number is 2048. Thus, after subtracting one, the number to make note of is
2047 because 2048 - 1 = 2047. It is extremely important to remember to subtract one from
the number under Start! If you do not, you will overwrite extra data that may make your
system unbootable.
18. Next, you will overwrite the sectors on your boot drive that are preventing the installation of
GRUB. You will need the number you made note of in the last step.
Type dd if=/dev/zero of=/dev/sdX seek=1 count=NumberNotedFromLastStep and
press enter.
NOTE: /dev/sdX represents the name of the device you took note of in step 16. In the
image below, /dev/sdb represents the USB disk. Thus, replace /dev/sdX with the name
of the device you noted in step 16. Do not include the number after the device
name in this step. It should be /dev/sdX and not /dev/sdX1. Also, replace
NumberNotedFromLastStep with the number you noted in step 17. For the purposes of
this guide in the example below, the command is dd if=/dev/zero of=/dev/sdX seek=1
count=2047. IF YOU MAKE ANY TYPOS IN THE ABOVE COMMAND, YOU
WILL POTENTIALLY DAMAGE YOUR SYSTEM AND HAVE TO START OVER
FROM THE BEGINNING OF THIS GUIDE. Therefore, please be careful and make sure
you get this step right.
19. Now, install the GRUB bootloader. Type grub-install --target=i386-pc /dev/sdX and press
enter.
NOTE: /dev/sdX represents the name of the device you took note of in step 16. In the
image below, /dev/sdb represents the USB disk. Thus, replace /dev/sdX with the name
of the device you noted in step 16. Do not include the number after the device
name in this step. It should be /dev/sdX and not /dev/sdX1.
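The following script, added here as an example and not part of the original guide, derives the commands of steps 16 to 19 from the live output of df and fdisk so that the device name and the count never have to be retyped by hand, and prints them before anything is run. It assumes the rescue shell of step 14, with df, fdisk, dd and grub-install available; the df and fdisk outputs embedded in it are constructed for offline checks, not captured from a real machine, the file name used below is arbitrary, and the handling of mmcblk and nvme device names goes beyond the /dev/sdX case the guide covers.

```shell
#!/bin/sh
# Added example for Appendix A (not part of the original guide): derive the dd
# and grub-install commands of steps 16-19 from the live df/fdisk output and
# print them before anything runs. Assumes the Debian rescue shell of step 14
# with df, fdisk, dd and grub-install available. Sample outputs below are
# constructed, not captured from a real machine.

# Device mounted on /boot, taken from `df -h` text (step 16).
boot_device() {
    printf '%s\n' "$1" | awk '$NF == "/boot" { print $1; exit }'
}

# Whole-disk name for a partition: /dev/sdb1 -> /dev/sdb; also handles
# /dev/mmcblk0p1 and /dev/nvme0n1p1 (the guide itself only covers /dev/sdX).
disk_of() {
    d=$1
    while :; do case "$d" in *[0-9]) d=${d%[0-9]} ;; *) break ;; esac; done
    case "$d" in *[0-9]p) d=${d%p} ;; esac
    printf '%s\n' "$d"
}

# Start sector of a partition from `fdisk -l` text (step 17). The Boot column
# holds "*" on a bootable partition and is empty otherwise, so the start sector
# is field 3 or field 2 depending on that flag.
start_sector() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# Logical sector size in bytes from the fdisk header. The guide's arithmetic
# and dd's default block size both assume 512, so pass it to dd explicitly.
sector_size() {
    printf '%s\n' "$1" | awk '/^Sector size/ { sub(/.*: /, ""); print $1; exit }'
}

# The dd command of step 18: zero sectors 1 .. Start-1, leaving sector 0 (the
# partition table) and the partition itself untouched. Refuses to build a
# command when the start sector did not parse or leaves no gap to clear.
dd_command() {  # $1 = whole disk, $2 = start sector, $3 = sector size (default 512)
    [ "$2" -gt 1 ] 2>/dev/null || return 1
    printf 'dd if=/dev/zero of=%s bs=%s seek=1 count=%s\n' "$1" "${3:-512}" $(($2 - 1))
}

# Live use inside the rescue shell: print the plan; execute only with --apply.
plan() {
    part=$(boot_device "$(df -h)")
    [ -n "$part" ] || { echo "no /boot mount found in df output" >&2; return 1; }
    disk=$(disk_of "$part")
    fd=$(fdisk -l "$disk") || return 1
    cmd=$(dd_command "$disk" "$(start_sector "$fd" "$part")" "$(sector_size "$fd")") || {
        echo "could not determine the gap before $part on $disk; stopping" >&2; return 1; }
    echo "/boot is $part, whole disk is $disk"
    echo "$cmd"
    echo "grub-install --target=i386-pc $disk"
    [ "${1-}" = "--apply" ] || return 0
    eval "$cmd" && grub-install --target=i386-pc "$disk"
}

# Constructed sample outputs for offline checks of the parsers.
SAMPLE_DF='Filesystem                   Size  Used Avail Use% Mounted on
/dev/mapper/debian--vg-root   20G  1.2G   18G   7% /
udev                          10M     0   10M   0% /dev
/dev/sdb1                    236M   34M  190M  16% /boot'
SAMPLE_FDISK='Disk /dev/sdb: 7.5 GiB, 8004304896 bytes, 15633408 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1  *     2048 15633407 15631360  7.5G 83 Linux'

case "${1-}" in
    plan) plan "${2-}" ;;
esac
```

Run it as sh appendix_a_plan.sh plan to see the derived commands, compare them with what you read off df and fdisk in steps 16 and 17, and only then run sh appendix_a_plan.sh plan --apply. With the constructed sample the derived command is dd if=/dev/zero of=/dev/sdb bs=512 seek=1 count=2047, matching the worked example in step 18; the guard in dd_command is what prevents a missing or misread start sector from turning into a dd invocation with an empty or wrong count.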
20. Next, type exit and press enter. This will take you back to the menu-driven Recovery
Mode program.
21. When you reach the next screen, remove your Debian installer disk, whether it is a CD or
USB drive. Then, use your arrow keys to navigate to Reboot the system and press enter.
You have completed this section. When your computer is first starting up, you need to boot
from your /boot Debian USB Flash Drive. Thus, you need to get to a boot menu. The
method for doing this differs on various computers. For example, on a Dell, the boot menu
is usually activated by pressing the F12 key as the computer is first starting up. On others, it
can be the ESC key. On whatever platform you use, once you get to a boot menu, select the
USB flash drive that you just installed GRUB to in this section. Then, depending on where
in the guide you were instructed to use this appendix, continue from step 19 in Chapter 2A
or step 65 in Chapter 2B.