HOWTO: Debian via Tor

Securely installing OS packages over Tor

Both the Tor Project and Debian now offer a wide array of their services over Tor. See weasel’s recent Tor Blog post for more, or onion.torproject.org and onion.debian.org for complete lists.

This post will describe how to set up a Debian system to pull new packages and updates via Tor and install Tor itself via Tor. This is already described in weasel’s post above, but I go into a little more detail.

Bootstrapping

So, how can you install Tor over Tor without Tor? Well, you can’t. So the very first thing you should do is install a system-wide Tor via “normal” clearnet means. Follow the instructions from Tor Project. I will presume you’re using Debian stable, which is currently “jessie”.

Note that it’s nicer if you put the new Tor project repository references in /etc/apt/sources.list.d/torproject.list or similar so your /etc/apt/sources.list stays nice and clean.

At the end of this, you should have a system-wide Tor running and have successfully installed the Tor Project signing key and keyring.

Debian Updates Over Tor

In order to use Onion services for APT (the Debian package manager) we need to install the apt-transport-tor package:

sudo apt-get install apt-transport-tor

This allows you to put URIs like tor+http://... into your APT sources.list files. You could simply change everything in there to “tor+http” right now, but it’s even better to use the available Onion services – this means your traffic never uses an “exit” router and never leaves the Tor network.

Consulting the list of onion services, we see that ftp.debian.org is at http://vwakviie2ienjx6t.onion/ and that security.debian.org is at http://sgvtcaew4bxjd7ln.onion/. To begin with, your /etc/apt/sources.list probably looks something like this:

deb http://ftp.debian.org/debian/ jessie main contrib
deb-src http://ftp.debian.org/debian/ jessie main contrib
deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

To upgrade to using Onion services, we change it to look like the following. That is, we’ve replaced ftp.debian.org and security.debian.org with the appropriate Onion services and used tor+http as the transport:

deb tor+http://vwakviie2ienjx6t.onion/debian/ jessie main contrib
deb-src tor+http://vwakviie2ienjx6t.onion/debian/ jessie main contrib
deb tor+http://sgvtcaew4bxjd7ln.onion/ jessie/updates main
deb-src tor+http://sgvtcaew4bxjd7ln.onion/ jessie/updates main

You can immediately run apt-get update, which should run over Tor. If you’re using jessie-backports or jessie-updates (“volatile”) these also work the same way and are on vwakviie2ienjx6t.onion. If you don’t know what that means, you can ignore it.

Note that you can use the tor+http transport for anything at all, so if you have other third-party repositories that do not have their own Onion services you can still use these via Tor. These will just work like “normal” Tor, and go out over an exit node.

For the Tor Project repositories, edit your /etc/apt/sources.list.d/torproject.list and change http://deb.torproject.org to tor+http://sdscoq7snqtznauu.onion/ (you can find this service listed on https://onion.torproject.org). So that whole file should now look like:

deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
deb-src tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
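
The edits above can be scripted and checked. The shell functions below are an added example, not part of the original post: torify_sources applies the host-to-onion replacements listed here, and clearnet_sources reports entries APT would still fetch without Tor. The function names, the repo.example.org repository and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The onion hostnames are the ones
# the post lists; function names and the sample input are constructed here.

# Rewrite APT source lines read on stdin:
#   - hosts with an onion service named in the post -> tor+http://<onion>/
#   - any other plain http:// repository -> tor+http:// (leaves via an exit node)
# Comments and blank lines pass through; https:// entries are left untouched
# because the post only covers tor+http, and are reported by clearnet_sources.
torify_sources() {
    sed -E \
        -e '/^[[:space:]]*(#|$)/b' \
        -e 's#(tor\+)?http://ftp\.debian\.org/#tor+http://vwakviie2ienjx6t.onion/#' \
        -e 's#(tor\+)?http://security\.debian\.org/#tor+http://sgvtcaew4bxjd7ln.onion/#' \
        -e 's#(tor\+)?http://deb\.torproject\.org/#tor+http://sdscoq7snqtznauu.onion/#' \
        -e 's#([[:space:]])http://#\1tor+http://#'
}

# Print active deb/deb-src lines whose URI has no tor+ prefix, i.e. sources
# APT would still fetch directly. Exit status is grep's: 0 if any were found.
clearnet_sources() {
    grep -E '^[[:space:]]*deb(-src)?([[:space:]].*)?[[:space:]](https?|ftp)://'
}

# Constructed sample: the post's original entries plus two third-party repos.
sample_sources() {
    cat <<'EOF'
# /etc/apt/sources.list (constructed sample)
deb http://ftp.debian.org/debian/ jessie main contrib
deb-src http://ftp.debian.org/debian/ jessie main contrib
deb http://security.debian.org/ jessie/updates main
deb http://deb.torproject.org/torproject.org jessie main
deb [arch=amd64] http://repo.example.org/apt stable main
deb https://repo.example.org/apt stable main
EOF
}

# Demo: show the rewritten list, then whatever still bypasses Tor.
sample_sources | torify_sources
echo "--- still not via Tor:"
sample_sources | torify_sources | clearnet_sources
```

Run torify_sources on a copy of /etc/apt/sources.list and each file in /etc/apt/sources.list.d/, and diff the result before replacing the original.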

Conclusion

Now, all apt-get update commands will download package lists over Tor Onion services, and apt-get upgrade or apt-get install commands will download the actual packages over Tor via the appropriate Onion services.

(If you use Aptitude or other package managers, they should honour these settings as well – although beware that some tools don’t work with this, notably apt-file.)