HOWTO: Debian via Tor
Securely installing OS packages over Tor
Both Tor Project and Debian now offer a wide array of their services over Tor. See weasel’s recent Tor Blog post for more, or onion.torproject.org and onion.debian.org for complete lists.
This post will describe how to set up a Debian system to pull new packages and updates via Tor and install Tor itself via Tor. This is already described in weasel’s post above, but I go into a little more detail.
So, how can you install Tor over Tor without Tor? Well, you can’t. So the very first thing you should do is install a system-wide Tor via “normal” clearnet means. Follow the instructions from Tor Project. I will presume you’re using Debian stable, which is currently “jessie”.
Note that it’s nicer if you put the new Tor project repository references in /etc/apt/sources.list.d/torproject.list or similar so your /etc/apt/sources.list stays nice and clean.
At the end of this, you should have a system-wide Tor running and have successfully installed the Tor Project signing key and keyring.
Debian Updates Over Tor
In order to use Onion services for APT (the Debian package manager) we need to install:
sudo apt-get install apt-transport-tor
This allows you to put URIs like tor+http://... into your APT sources.list files. You could simply change everything in there to “tor+http” right now, but it’s even better to use the available Onion services – this means your traffic never uses an “exit” router and never leaves the Tor network.
Consulting the list of onion services, we see that ftp.debian.org is at http://vwakviie2ienjx6t.onion/ and that security.debian.org is available as sgvtcaew4bxjd7ln.onion/. Originally, your /etc/apt/sources.list probably looks something like this:
deb http://ftp.debian.org/debian/ jessie main contrib
deb-src http://ftp.debian.org/debian/ jessie main contrib
deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main
To upgrade to using Onion services, we change it to look like the following. That is, we’ve replaced ftp.debian.org and security.debian.org with the appropriate Onion services and used tor+http as the transport:
deb tor+http://vwakviie2ienjx6t.onion/debian/ jessie main contrib
deb-src tor+http://vwakviie2ienjx6t.onion/debian/ jessie main contrib
deb tor+http://sgvtcaew4bxjd7ln.onion/ jessie/updates main
deb-src tor+http://sgvtcaew4bxjd7ln.onion/ jessie/updates main
You can immediately run apt-get update, which should run over Tor. If you’re using jessie-updates (“volatile”) these also work the same way and are on vwakviie2ienjx6t.onion. If you don’t know what that means, you can ignore it.
Note that you can use the tor+http transport for anything at all, so if you have other third-party repositories that do not have their own Onion services you can still use these via Tor. These will just work like “normal” Tor, and go out over an exit node.
For the Tor Project repositories, edit your /etc/apt/sources.list.d/torproject.list and change http://deb.torproject.org to tor+http://sdscoq7snqtznauu.onion/ (you can find this service listed on https://onion.torproject.org). So that whole file should now look like:
deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
deb-src tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
apt-get update commands will download package lists over Tor Onion services, and apt-get upgrade or apt-get install commands will download the actual packages over Tor via the appropriate Onion services.
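The edits above can also be scripted and then checked. The following is an added example, not part of the original post: onionize_sources and clearnet_sources are hypothetical helper names, repo.example.org is a made-up third-party repository, and the sample input is constructed. Both helpers read sources.list text on stdin and only print to stdout, so no file is modified.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Rewrite active "deb"/"deb-src" lines to use the onion services named in
# this post; any other plain-http repository just gets the tor+http
# transport (it will leave Tor through an exit node, as described above).
# Comments, blank lines and already-converted lines are left untouched.
onionize_sources() {
    sed -E \
        -e '/^[[:space:]]*deb(-src)?[[:space:]]/!b' \
        -e 's#([[:space:]])http://ftp\.debian\.org/#\1tor+http://vwakviie2ienjx6t.onion/#' \
        -e 's#([[:space:]])http://security\.debian\.org/#\1tor+http://sgvtcaew4bxjd7ln.onion/#' \
        -e 's#([[:space:]])http://deb\.torproject\.org/#\1tor+http://sdscoq7snqtznauu.onion/#' \
        -e 's#([[:space:]])http://#\1tor+http://#'
}

# Print every active source line that does NOT use a tor+ transport,
# i.e. anything APT would still fetch over the clearnet.
clearnet_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
        | grep -Ev '[[:space:]]tor\+https?://' || true
}

# Constructed sample input (not taken from a real system).
SAMPLE='# constructed sample sources
deb http://ftp.debian.org/debian/ jessie main contrib
deb-src http://security.debian.org/ jessie/updates main
deb http://deb.torproject.org/torproject.org jessie main
deb http://repo.example.org/apt stable main'

echo "--- converted:"
printf '%s\n' "$SAMPLE" | onionize_sources
echo "--- still clearnet after conversion (should be empty):"
printf '%s\n' "$SAMPLE" | onionize_sources | clearnet_sources
```

On a real system you could pipe the contents of /etc/apt/sources.list and the files under /etc/apt/sources.list.d/ through clearnet_sources after editing; any line it prints is still being fetched without Tor.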
(If you use Aptitude or other package managers, they should honour these settings as well – although beware that some tools don’t work with this, notably