Comprehensive Guide to Installing and Using a Safer Anonymous OS

I have read something about, we should use urandom instead of random to generate keyfile to boot gsg file.

sudo apt-get install rng-tools
echo “HRNDEVICE=/dev/urandom” >> /etc/default/rng-tools
/etc/init.d/rng-tools start


You mean Whonix w/out VirtualBox?

correct. it will be using qemu/kvm.


well. I have started this before find the anonguide.pdf (update link)

so, assuming stories are true, which i have not yet verified, the person that hosts my guide has recently been arrested, which makes me reluctant to offer the guide on the same server as before.

is it worth me breaking up the guide as a wiki to post here as a means to install debian with whonix for kvm? i’m not opposed to it, outside of updating wikis being a pain. lol! but, the guide is a bit custom to specific use purposes. so, if this would be desirable, i’m open to suggestions on tweaks if it would be posted here.


Let’s discuss.

Which purposes?

I never understood the advantage of a separate guide versus the existing wiki. I never opposed it either. Just because I don’t get it, doesn’t mean it’s bad. Other people enjoy different formats. Perhaps some people prefer an all-in-one PDF? Or it is about a different writing style? More editorial freedom?

Or something wrong with the style of whonix wiki overall which lead to you writing a guide instead of editing the wiki instead or some other reason?

If Whonix for KVM needs improvements, well, these improvements could just be added to the wiki?

We have underdeveloped instructions for installation of Debian too. Whonix for Debian
These could use improvement.

Though, maybe in the future, Kicksecure and/or Whonix-Host will abolish the need to such guides but until that happens could be a long time.

@torjunkie demonstrated that the wiki administration is flexible enough for major restructuring and enhancements. Creation of Encrypted Email with Thunderbird was a success too?

Hosting unofficial / third party guides on might be done, but it could cause confusion if instructions conflict with otherwise. I am not sure makes that really clear either. Therefore I am now trying to understand this a bit better.

1 Like

nothing problematic that i could not change. right now, it is written for people who either want an entire debian and whonix install on an external hd, or on an internal hd with an external hd used to host /boot and a gpg encrypted keyfile to decrypt the hd. i could certainly keep the instructions for those in separate wiki chapters.

yes, one issue was to keep all the instructions in a single document at a specific location. it made it easier to keep it current at a point. the other reason was that it was a bit more customized than basic instructions to install debian on an hd. aside from that, no other reasons.

there’s nothing wrong with the whonix wiki that isn’t the same with any other wiki. the guide i work on, in its earlier incarnations, was shared privately. that’s how it started and it was simply easier to work off the existing documentation i had. plus, with all the images that were included in it, managing it via wiki was sometimes rather painful. haha. but, no reason it can’t be done.

they could be added, yes.

the debian link above still uses virtualbox. would the goal be to stay with virtualbox or move to kvm? one major positive point for kvm, especially when it comes to new users, is that it will work if “secure boot” is enabled with debian buster without any major additional configuration. with virtualbox, one has to create a trusted key for it and add it to the bios/uefi.

they will just change the documentation needed and hopefully require less writing. :wink:


i probably worded my initial post about this poorly. hosting the guide on the whonix site as a “third party guide” is not what is intended. rather, for the chapters that exist within it that may differ from what is here, they could be posted to the wiki as new alternative chapters if warranted. the “guide” as it is now would basically cease to exist and become linked chapters in the wiki, which could make click through for users fairly simple.


tempest via Whonix Forum:

nothing problematic that i could not change. right now, it is written for people who either want an entire debian and whonix install on an external hd, or on an internal hd with an external hd used to host /boot and a gpg encrypted keyfile to decrypt the hd.

This is actually very interesting stuff!

Could this be marked as optional? I guess it already is? My only concern
is not to make first time users of Linux who just want to try it out
think all of this is an absolute requirement to get started.

Some less important (meaning these shouldn’t block your progress)
questions here:

  • We mention “Separate /boot Partition” at
    Full Disk Encryption (FDE) but unfortunately don’t
    have instructions how to actually do that.
  • Why encrypt the keyfile? Maybe because two factor (password and
    keyfile) isn’t supported at pre boot password authentication? Well, then
    I see. Password encryption of the keyfile would implement that. Also
    otherwise password protected keyfile is easier than password + keyfile?
    Or having everything tied together?

i could certainly keep the instructions for those in separate wiki chapters.

Sounds great!

the debian link above still uses virtualbox.


Actually I wanted to share this link:

That page could be renamed to “Debian Host Operating Installation Guide”
or anything better fitting.

Not this link:

would the goal be to stay with virtualbox or move to kvm?

You can set the focus as you wish.

These are “landing pages”:

I.e. I supposed these pages to be found by users who google “whonix
debian” etc.

1 Like

easily. i had an html version on cyberguerrilla .org as well. when one reached the end of a set of instructions, if divergent options existed, they were given a choice of links to click on that would take them to the set of instructions for the type of configuration they wanted to use. i don’t think that would be problematic here. the challenge would likely be organizing it in a way to require as little updating as possible when issues like version changes occur and such.

that is documented step by step in my guide and i can easily incorporate that into the wiki in a chapter.

intentions were a bit different. the purpose was risk mitigation for the more paranoid. the process went as follows:

  1. during debian installation, created the encrypted partition with lvm for root.
  2. after first boot, create a new 8192 byte keyfile from /dev/urandom and add it as a new luks key.
  3. create a gpg encrypted version of the key file, save it to the external hd /boot, and call it in /etc/crypttab.

with various different planning options, if an attacker (the type that may use torture) captured both you and your computer, you still can’t decrypt the hd because you will only know the gpg decryption passphrase. but, the hd is encrypted with a random 8192 byte keyfile, which you obviously would not know or remember. thus, if the attacker didn’t find or acquire your external /boot hd, you can’t decrypt the root hd for them. is the method a bit extreme? yes. is it foolproof? no. but, for people with proper contingency plans, it could buy time for others.

i can certainly play with it a bit. i have step by step instructions for installing debian with the text based installation process, including screenshots.

great. time allowing, should be able to do both. will focus on kvm first.

so, the instructions i wrote all involved using debian as the host os. it did not involve running whonix on windows or macos. however, where i can make useful amendments, i’ll do it. i’ve been meaning to do this for awhile actually. recent events simply lit a new fire under my butt. lol!

i’m in the process of finishing up the most recent version. as soon as i have that done and can confirm it is all working, i will start adding to the wiki. i may be able to start earlier. i’m about done with the chapter involving the installation of the gateway and the workstation, which will provide a good base to start from.


A post was merged into an existing topic: Long Wiki Edits Thread

Hi fawkes!

I have found a issue when trying send mail using .onion and needed do some extra configurations on Thunderbird ( I have done a search on forum but not find).

These are the 2 simple steps to add on AnonGuide (I think should). On Thunderbird Go To:
-> Preferences - Advanced - General - Config Editor - Search to “network.dns.blockDotOnion” set TRUE
-> Preferences - Advanced - Network & Disk Space - Connection Setting - CheckBox ON “Proxy DNS when using SOCKS v5”

Thank you to Daniel!!! About this TIP!!!

1 Like

I’ve already read that both programs would be a risk as phone numbers will be on the workstation, but as you’re in the process of rewriting the guide, would it be possible to cover stream isolation with installed software like signal and telegram?

To get the latest versions and updates of both programs, installing them via snap(craft) seems the most easy way. Will snap needs isolation, too?
Don’t know if that’s a good solution, but can’t find another easy way to install them on Debian.

1 Like

there should be no reason for any personal phone numbers to be present on the workstation. signal and telegram have never been covered in the guide. due to the fact that there are no easy and free means of obtaining a torified direct inward dial phone number that i am aware of at this point, i don’t foresee any instructions for signal coming soon. i do periodically look into this. but, everything i’ve found that would work requires some form of payment. i’ve experimented with some of the free options out there that offer a web interface (textnow as an example). but, i cannot get it to work. obtaining an anonymous dedicated phone number is something that would warrant entirely separate instructions at this point and, unfortunately, i have not had much luck finding a workable free solution since ipkall went down. i’m hesitant to offer instructions involving a paid service, since payment is a very easy means to deanonymize users.

i’ve attempted to engage moxie on implementing user registrations for signal without a phone number in the past. unfortunately, they just ignore me. thus, absent a public pressure campaign, i don’t think signal will be offering that in the future. moxie seems opposed to it.


sudo cp /etc/ufw/before.rules /etc/ufw/before.rules.bck
sudo sed -i /etc/ufw/before.rules -e '/# ok icmp codes for INPUT/,/# allow dhcp client to work/s/ACCEPT/DROP/g'

Only to give a Lazy/Fast command to Change on Debian UFW instead use nano and change manually.

1 Like

Maybe my paranoid buut, maybe add on Debian Host Login.

This permit put a 2nd possible SOS password on same user and run some Panic script (rm -f /* ) ? :wink: :crazy_face: If you are understand what I try to mean.

I will check about this :crazy_face: unless as knowledgment about issues with this modules.

Have seen this rep too GitHub - cngutierr/ErsatzPassword interesting, but as seems deprecated.

1 Like

Didn’t look into these yet but looks to me the same could be implemented using pam_exec (installed by default in Debian).

I really like the pdf guide which tell me step by step like I’m 5
Looking for the chapter “Installing the Operating System on an Encrypted Internal Hard Drive Partition with a USB Flash Drive Boot Key”
I’d love to try beta instruction.

Seems like the old instruction working to the point where after typing “cryptsetup luksAddKey /dev/YourDeviceName /keyfile”
I got “Failed to open key file” (tested on desktopPC Debian10_Busterx64 with ssd)

Thank you for your very hard work @tempest .
You should consider donation adress with the next pdf guide.



Hi @sivac , Check if your have failed some steps! I have get this working (maybe need do a “mixing” chapters because of examples/screenshots (sda/sdb/sdc), I am using USB OS + USB Boot key (not tested when inserted into laptop, because of sdX :wink: )

Check this :wink:


OMG! I feel SOOO Stupid when it comes to this whole topic.

I installed TOR about a year ago. I use it when I am about to research something controversial. I am trying to install Whonix, my biggest obstacle right now is understanding the verification process. I’ve been a professional IT Business/Data Analyst, and I’ve always used Windows (for most of my 20 + years - before that a VAX and before that a IMB360 Mainframe :)) I HAVE NEVER REALLY HAD TO VERIFY.

So, I already have TOR, reviewing this process it looks like I should uninstall TOR and re-download/verify/install? Is this necessary.

Thanks for Your help!