Comprehensive Guide to Installing and Using a Safer Anonymous OS

i just want you all to know that i have not abandoned this. i thought i’d have more time to get this done now. but, with the covid-19 issues, and how much net based interaction has become more essential since, i’ve found my waking hours consumed by work. as soon as life returns to a more normal pace, i promise that i will be contributing.

i sincerely hope everyone is doing well.


@tempest have you a github ?

Maybe you could share what I think is the most anticipated part, “Installing the Operating System on an Encrypted Internal Hard Drive”, if finished.

So we don’t have to nervously look out the window :slight_smile:



Stay healthy



Are you sure you have followed all the steps right? At what part are you blocked? Chapter 2A or 2B?

I am following 2B and it works fine!! :\ Try it this way…

Are you using VirtualMach? Attention on grub-update… It will take several minutes (using USB), be patient (ignore the errors/warnings ;)

@hellresistor, i do not have a github presence.

so, here is one of the variables in play for me. initially, i’d put steps to amend /etc/default/grub to include a number of hardening provisions. later, i’d opted to use the command line to add the whonix repo to /etc/apt/sources.list and upgrade/transform the system to kicksecure.

since i’m instructing via the “expert” install method, i’m debating starting from scratch to a degree, installing merely a base command line interface from the debian unofficial iso, emphasizing the use of a wired connection only during install, updating the apt repo to include the whonix repo, and then installing kicksecure-xfce from there.



I have been reading… my vote is “Option A: Add Whonix ™ Onion Repository.”

Well, build a script/init script to execute at the final stage of the Debian installation/first boot. Or create a script that just executes after a complete Expert Debian installation?!

Don’t know if it helps…


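#!/bin/bash
# bash is required for the ${WNXFAC,,} lowercase expansion used below.

echo 'Check User "user" exists...'

if id "user" >/dev/null 2>&1; then
 echo "Username user Exists"
 if id -nG "user" | grep -qw "sudo"; then
  echo "Username user belongs to sudo group"
 else
  echo "Adding Username user into sudo group.."
  sudo adduser user sudo
 fi
else
 echo "User Not Found.. Creating it.."
 sudo adduser user
 sudo adduser user sudo
fi

# Create the system group "console" and add the user to it.
sudo addgroup --system console
sudo adduser user console

# Install curl and the Tor apt transport, then fetch and trust the repository signing key.
sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get install curl apt-transport-tor
# The key URL (curl's final argument) is missing from this line as posted.
curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
# Add the onion repository and upgrade against it.
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update && sudo apt-get dist-upgrade
# WNXFAC must be set beforehand (not shown in this post), e.g. WNXFAC=XFCE for kicksecure-xfce.
sudo apt-get install --no-install-recommends kicksecure-${WNXFAC,,}
# Move the original sources.list out of /etc/apt.
sudo mv /etc/apt/sources.list ~/

exit 0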

I don’t want to waste any time on Kicksecure + Whonix.

Please help finishing Whonix-Host so this chapter can be closed.

@tempest’s guide will be the Whonix Host?

it probably makes the most sense to do it that way. it will make the process much more user friendly.

Hi, thanks for help

Yes, I’m following chapter 2B (2017) step by step.

I have an error in paragraph 74

quote “When prompted to “Enter any passphrase,” type the passphrase you created for your encrypted hard drive in step 27 of this chapter and press “enter.” If the process was a success, you will return to the command prompt.”

I got error message “Failed to open key file”

desktopPC Debian10_Busterx64 with ssd

did you create a keyfile? did you put the proper path to it? also, have you included the device name? for example, if you entered:

“/dev/YourDeviceName” in the command instruction, rather than the actual device (like /dev/sda6), you’ll get an error.

Hi @tempest, that’s how it looks in the terminal:
Chapter 2B. Installing the Operating System on an Encrypted Internal Hard Drive Partition
with a USB Flash Drive Boot Key
(2017 guide) paragraph 73 (page 119 ) (debian 10 buster)

debian@josef:~$ su
root@josef:/home/debian# sudo -i
root@josef:~# dd if=/dev/urandom of=keyfile bs=512 count=16
16+0 records in
16+0 records out
8192 bytes (8.2 kB, 8.0 KiB) copied, 0.000121474 s, 60.4 MB/s
root@josef:~# nano /etc/crypttab
sda5_crypt UUID=r7xxxxx-xxxx-xxx-xxxx none luks,discard
sda5_crypt UUID=r7xxxxx-xxxx-xxx-xxxx /boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg
control + x and saved

root@josef:~# cryptsetup luksAddKey /dev/sda5 /keyfile
Enter any existing passphrase:
Failed to open key file. ( I use the same pass like before, in partitioning steps)

root@josef:~# gpg -c --cipher-algo AES256 /keyfile
gpg: directory ‘/root/.gnupg’ created
gpg: keybox ‘/root/.gnupg/pubring.kbx’ created
gpg: can’t open ‘/keyfile’: No such file or directory
gpg: symmetric encryption of ‘/keyfile’ failed: No such file or directory
root@josef:~# nano /etc/crypttab

Check your keyboard configuration… mistaken password… those steps are really working… :\ (I have tried that again)

missing a plus (+) at the end of this line: sda5_crypt UUID=r7xxxxx-xxxx-xxx-xxxx /boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg

maybe this helps you… GitHub - hellresistor/Anon-Guide-Shell-DEPRICATED-: Contribution to Complementation of Anon-Guide.pdf

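echo "Are you Using this METHOD: Debian (USB / Internal HDD) + BootKey (USB)" && sleep 1
# Create an 8 KiB random key file at an absolute path.
sudo dd if=/dev/urandom of=/keyfile bs=512 count=16

# Read the source field (2nd column) of the first non-comment crypttab entry
# and resolve a UUID=... value to the kernel device name (for example sda5).
CryptSource=$(sudo awk '!/^[ \t]*#/ && NF {print $2; exit}' /etc/crypttab)
case "$CryptSource" in
 UUID=*) CryptSource=$(readlink -f "/dev/disk/by-uuid/${CryptSource#UUID=}") ;;
esac
YourDeviceName=$(basename "$CryptSource")

# Point crypttab at the GnuPG-encrypted key file and the decrypt_gnupg keyscript.
sudo sed -i 's+none luks+/boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg+' /etc/crypttab
# Enrol the key file in a new LUKS key slot (asks for the existing passphrase).
sudo cryptsetup luksAddKey /dev/"$YourDeviceName" /keyfile
echo "Set Password... Same as BOOT" && sleep 2
# Symmetrically encrypt the key file, move it to /boot and rebuild the initramfs.
sudo gpg -c --cipher-algo AES256 /keyfile
sudo mv /keyfile.gpg /boot/keyfile.gpg
sudo update-initramfs -u
# Remove key slot 0, then securely delete the plaintext key file.
sudo cryptsetup luksKillSlot /dev/"$YourDeviceName" 0 --key-file /keyfile
sudo shred -n 30 -uv /keyfile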

try this:
dd if=/dev/urandom of=/keyfile bs=512 count=16

the difference is the “/” in “of=/keyfile”. see if that fixes it.
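
An added example, not part of any post in this thread: a shell pre-flight for the luksAddKey step. It looks up the entry's source in /etc/crypttab and rejects a key file path that is relative or missing, the mismatch visible in the session above, where dd wrote keyfile into the current directory and cryptsetup was given /keyfile. The function names are assumptions; only UUID= and /dev/ sources are handled.

```shell
#!/bin/sh
# Added example: pre-flight checks before `cryptsetup luksAddKey <device> <keyfile>`.
# Function names are hypothetical; nothing here modifies the system.

# Print the source field (2nd column) of crypttab entry $1.
# $2 is the crypttab path (default /etc/crypttab). Exit 1 if no entry matches.
crypttab_source() {
    awk -v name="$1" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        $1 == name { print $2; found = 1; exit }
        END { exit !found }
    ' "${2:-/etc/crypttab}"
}

# Turn a crypttab source into a device path. Only UUID= and /dev/ forms are handled.
resolve_source() {
    case "$1" in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        /dev/*) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Require an absolute path to an existing, non-empty regular file.
# Return codes: 2 relative path, 3 missing file, 4 empty file.
check_keyfile() {
    case "$1" in
        /*) ;;
        *) echo "relative path '$1' resolves against $(pwd)" >&2; return 2 ;;
    esac
    [ -f "$1" ] || { echo "no such key file: $1" >&2; return 3; }
    [ -s "$1" ] || { echo "key file is empty: $1" >&2; return 4; }
}

# Print (not run) the luksAddKey command for entry $1 and key file $2.
# $3 is an optional crypttab path.
preflight() {
    src=$(crypttab_source "$1" "${3:-/etc/crypttab}") ||
        { echo "no crypttab entry named $1" >&2; return 1; }
    dev=$(resolve_source "$src") ||
        { echo "unsupported source: $src" >&2; return 1; }
    check_keyfile "$2" || return $?
    printf 'cryptsetup luksAddKey %s %s\n' "$dev" "$2"
}
```

Calling preflight sda5_crypt keyfile from /root stops with return code 2 before cryptsetup is ever involved, while preflight sda5_crypt /keyfile prints the command to run once the file exists.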

hi tempest, where is the new version of the guide?


a new version likely will not be published until whonix live is released.


is the latest published version 1.7.2?


yes. and it’s obsolete. you can probably get it to work for the most part. but, it will require you to figure out workarounds for the steps that fail, whether they be outdated links or software that is no longer supported.


Due to enigmail unfortunately being deprecated… Nowadays integrated into Thunderbird…

Thunderbird 78 Deprecates Enigmail

I’ve moved the page (removed _and_Enigmail) from page title.

Unfortunately many screenshots got invalidated, had to be removed by this change too.

And removed mentions of torbirdy too since no longer available and required.

torbirdy replacement

Added a notice on top of the page.

Part of this wiki page on the topic of OpenPGP encryption is outdated. This is due to the enigmail extension recently becoming no longer available. OpenPGP encryption functionality is now built into Thunderbird. Documentation is yet to be updated. Contributions are welcome.