I explained the process of installing Whonix on QEMU and KVM for Debian, so you can securely access the dark web in a containerized and leak-free manner. But what about the host operating system? This question was raised as the top comment, and I promised I’d make a part two, so here we go.

You will want a Debian system that’s already installed and potentially blank to avoid any later issues. A user with “sudo” is ideal, LUKS full disk encryption is mandatory. The DE I would recommend is XFCE, for many reasons – such as being lightweight, configurable to the bone, simple to use, and familiar, since both Qubes and Whonix use it by default. Let’s get ahead of the boring parts with the commands below. Make sure you run “sudo su” to drop into a “root” shell before running the commands. The commands assume “user” is your username, as it should be.

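    # Bring the base system up to date and install sudo and adduser
    apt update && apt upgrade &&
    apt install --no-install-recommends sudo adduser &&
    # Give "user" passwordless sudo through a sudoers drop-in
    echo "user ALL=(ALL:ALL) NOPASSWD:ALL" | EDITOR=tee visudo -f /etc/sudoers.d/nopassword >/dev/null &&
    # Create the "console" system group and add "user" to it
    /usr/sbin/addgroup --system console && /usr/sbin/adduser user console &&
    apt install console-data console-common kbd keyboard-configuration &&
    # Enable the Kicksecure repository and install the XFCE host package
    apt install extrepo && extrepo enable kicksecure &&
    apt install --no-install-recommends kicksecure-xfce-host &&
    repository-dist --enable --repository stable &&
    # Move the old Debian sources.list aside and leave an empty one in its place
    mv /etc/apt/sources.list ~/ && touch /etc/apt/sources.list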

Great! Now you have morphed a Debian box into a Kicksecure box. I’d like to provide some general security recommendations you will need to follow on your new system, in order to use this configuration to its true potential.

  • Follow this guide to install Whonix securely.
  • Disable auto-login using “sudo autologinchange” – it’s pretty intuitive.
  • Install Mullvad VPN, enable DAITA and a multi-hop WireGuard tunnel, and enable a Shadowsocks obfuscation bridge. Enable the killswitch and DNS blockers, and make sure local network access is allowed, as you need it for Whonix. That’s 3 hops of security before Tor. Don’t use bridges.
  • Install “user-sysmaint-split” using “sudo apt install --no-install-recommends user-sysmaint-split sysmaint-panel” to separate your normal user from the administrative user.
  • Open your “sysmaint-panel” and take a look into cleaning and purging old, unused packages. You can also use it to manage your system using a GUI.
  • Install KeePassXC for your passwords in Kicksecure.
  • Remove every single bit of software you don’t use or need.
  • Install “grub-customizer”, disable looking for other operating systems, and set the boot delay to 0.
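
To check the result, here is an added example (not part of the original post or of Kicksecure's tooling) that audits what the commands and the checklist above should leave behind: an empty /etc/apt/sources.list, “user” in the “console” group, a LUKS entry in /etc/crypttab, and GRUB with no boot delay and no OS probing. It assumes that GRUB_TIMEOUT=0 and GRUB_DISABLE_OS_PROBER=true in /etc/default/grub are the equivalents of the grub-customizer step and that a LUKS install has an /etc/crypttab entry; the function names and the sample tree are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post: audit what the steps above leave behind.
# Every check takes a root prefix so it can run against a copy instead of the live host.

# PASS when no active (non-comment, non-blank) line remains in the legacy sources.list
check_sources() { ! grep -Eqv '^[[:space:]]*(#|$)' "$1/etc/apt/sources.list" 2>/dev/null; }

# PASS when "user" is listed as a member of the "console" group
check_console() { grep -Eq '^console:[^:]*:[^:]*:(.*,)?user(,.*)?$' "$1/etc/group"; }

# PASS when crypttab names at least one mapped volume (assumed sign of a LUKS install)
check_crypttab() { grep -Eq '^[[:space:]]*[^#[:space:]]' "$1/etc/crypttab" 2>/dev/null; }

# Last assigned value of a KEY= line in /etc/default/grub, quotes stripped
grub_value() { sed -n "s/^[[:space:]]*$2=//p" "$1/etc/default/grub" | tail -n 1 | tr -d "\"'"; }

# PASS when the boot delay is 0 and probing for other operating systems is off
# (assumption: these are the /etc/default/grub equivalents of the grub-customizer step)
check_grub() {
    [ "$(grub_value "$1" GRUB_TIMEOUT)" = "0" ] &&
    [ "$(grub_value "$1" GRUB_DISABLE_OS_PROBER)" = "true" ]
}

# Run every check against root prefix $1 (empty = the live system); returns the failure count
audit_host() {
    local root="${1:-}" fails=0 c
    for c in check_sources check_console check_crypttab check_grub; do
        if "$c" "$root"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample tree: a morphed host that still has the default GRUB settings
demo=$(mktemp -d) && mkdir -p "$demo/etc/apt" "$demo/etc/default"
: > "$demo/etc/apt/sources.list"
printf 'sudo:x:27:user\nconsole:x:995:user\n' > "$demo/etc/group"
printf 'sda5_crypt UUID=constructed-sample none luks,discard\n' > "$demo/etc/crypttab"
printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT=5\n' > "$demo/etc/default/grub"
audit_host "$demo" || echo "$? check(s) failed"
```

Call “audit_host” with no argument on the real machine to check the live files instead of the sample tree.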

If you have any further recommendations, I’m all ears. I’ve noticed a project on GitHub called HARDN that seems to want to replace Kicksecure, and I’d say take a look into it; maybe it fits your threat model. You can probably even combine them if you tweak the modifications it does, but that’d be a little bit of work, so to speak.

Anyhow, this is how you get good security without Qubes, either due to hardware issues, limitations, skill level or threat model. I recommend this to anyone. It’s a few commands that can determine your fate and your security level. Both, really, they’re somewhat connected. Think about it and try it out!