Comprehensive Guide to Installing and Using a Safer Anonymous OS

Hello, welcome to Whonix forums and thank you for your question!

Some may think I shouldn’t be saying that, but software signature verification in your case looks not to be the most important. Two reasons:

Windows Hosts are a lost cause, see:

I expand Whonix wiki that subject just today.

Surveys (example) have shown that very few users use software signature verification. Even fewer users have a sufficient understanding of the threat model. In case of an attack by an advanced adversary most users would get compromised. This is the very strong opinion of the author of this text. Usually the author of this text seldom raises strong opinions.

Required knowledge is far too much. Usability of tools used for manual verification of software signatures is such as GnuPG is far too bad. For an elaboration of these issues, see Conceptual Challenges in Software Digital Signatures Verification and Verifying Software Signatures.



Hey tempest, just curious if there’s any news. Has a new guide (pdf) been created or an own wiki entry?
Thanks for your effort!

1 Like

not yet. i will post here when something is available. a few variables in flux.


i just want you all to know that i have not abandoned this. i thought i’d have more time to get this done now. but, with the covid-19 issues, and how much net based interaction has become more essential since, i’ve found my waking hours consumed by work. as soon as life returns to a more normal pace, i promise that i will be contributing.

i sincerely hope everyone is doing well.


@tempest have you a github ?

Maybe you could share I think most anticipated part “Installing the Operating System on an Encrypted Internal Hard Drive” if finished.

So we don’t have nervously look out the window :slight_smile:


1 Like

Stay healthy



Sure you have follow all steps right? what is part are you blocked? Chapter 2A 2B ?

I am following 2B and works fine!! :\ try this way…

Are you using VirtualMach ? Atterncion on grub-update … Will take several minutes (using USB) be patiente (ignore the errors warnings;)

@hellresistor, i do not have a github presence.

so, here is one of the variables in play for me. initially, i’d put steps to amend /etc/default/grub to include a number of hardening provisions. later, i’d opted to use the command line to add the whonix repo to /etc/apt/sources.list and upgrade/transform the system to kicksecure.

since i’m instructing via the “expert” install method, i’m debating starting from scratch to a degree, installing merely a base command line interface from the debian unofficial iso, emphasizing the use of a wired connection only during install, updating the apt repo to include the whonix repo, and then installing kicksecure-xfce from there.


1 Like

I have reading … my voting its. " Option A : Add Whonix ™ Onion Repository. "

well Build a Script/InitScript to executing on final stage Debian installation/first boot. Or creating a Script just executing after a complete Expert Debian Installation ?!

Dont know if helps…


echo 'Check User "user" exists...'

if id "user" >/dev/null 2>&1; then
 echo "Username user Exists"
 if id -nG "user" | grep -qw "sudo"; then
  echo "Username user belongs to sudo group"
  echo "Adding Username user into sudo group.."
  adduser user sudo
 echo "User Not Found.. Creating it.."
 sudo adduser user
 adduser user sudo

addgroup --system console
adduser user console


sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get install curl apt-transport-tor
curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
echo "deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install --no-install-recommends kicksecure-${WNXFAC,,}
sudo mv /etc/apt/sources.list ~/

exit 0

I don’t want to waste any time on Kicksecure + Whonix.

Please help finishing Whonix-Host so this chapter can be closed.

@tempest ‘s guide will be the Whonix Host?

it probably makes the most sense to do it that way. it will make the process much more user friendly.

Hi, thanks for help

Yes, I’m fallowing chapter 2B (2017) step by step.

I have an error in paragraph 74

quote “When prompted to “Enter any passphrase,” type the passphrase you created for your
encrypted hard drive in step 27 of this chapter and press “enter.” **If the process was a **
success, you will return to the command prompt.”

I got error message “Failed to open key file”

desktopPC Debian10_Busterx64 with ssd

did you create a keyfile? did you put the proper path to it? also, have you included the device name? for example, if you entered:

“/dev/YourDeviceName” in the command instruction, rather the the actual device (like /dev/sda6), you’ll get an error.

Hi @tempest that how it looks like in terminal:
Chapter 2B. Installing the Operating System on an Encrypted Internal Hard Drive Partition
with a USB Flash Drive Boot Key
(2017 guide) paragraph 73 (page 119 ) (debian 10 buster)

debian@josef:~$ su
root@josef:/home/debian# sudo -i
root@josef:~# dd if=/dev/urandom of=keyfile bs=512 count=16
16+0 records in
16+0 records out
8192 bytes (8.2 kB, 8.0 KiB) copied, 0.000121474 s, 60.4 MB/s
root@josef:~# nano /etc/crypttab
sda5_crypt UUID=r7xxxxx-xxxx-xxx-xxxx none luks,discard
sda5_crypt UUID=r7xxxxx-xxxx-xxx-xxxx /boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg
control + x and saved

root@josef:~# cryptsetup luksAddKey /dev/sda5 /keyfile
Enter any existing passphrase:
Failed to open key file. ( I use the same pass like before, in partitioning steps)

root@josef:~# gpg -c --cipher-algo AES256 /keyfile
gpg: directory ‘/root/.gnupg’ created
gpg: keybox ‘/root/.gnupg/pubring.kbx’ created
gpg: can’t open ‘/keyfile’: No such file or directory
gpg: symmetric encryption of ‘/keyfile’ failed: No such file or directory
root@josef:~# nano /etc/crypttab

Check your keyboard configuration… mistaken password… on that steps are real working… :\ (I have tryed that again)

missing a plus (+) end of this line sda5_crypt UUID=r7xxxxx-xxxx-xxx-xxxx /boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg

maybe this help you… GitHub - hellresistor/Anon-Guide-Shell-DEPRICATED-: Contribution to Complementation of Anon-Guide.pdf

echo "Are you Using this METHOD: Debian (USB / Internal HDD) + BootKey (USB)" && sleep 1
sudo dd if=/dev/urandom of=/keyfile bs=512 count=16

### NEEED WORK ON THIS awk ....
YourDeviceName=$(sudo awk '{print $2}' /etc/crypttab)  ### HERE PUT YOUR DEVICE sda5 ?!?!

sudo sed -i 's+none luks+/boot/keyfile.gpg luks,keyscript=/lib/cryptsetup/scripts/decrypt_gnupg+' /etc/crypttab
sudo cryptsetup luksAddKey /dev/"$YourDeviceName" /keyfile
 echo "Set Password... Same has BOOT" && sleep 2
sudo gpg -c --cipher-algo AES256 /keyfile 
sudo mv /keyfile.gpg /boot/keyfile.gpg 
sudo update-initramfs -u
sudo cryptsetup luksKillSlot /dev/"$YourDeviceName" 0 --key-file /keyfile
sudo shred -n 30 -uv /keyfile

try this:
dd if=/dev/urandom of=/keyfile bs=512 count=16

the difference is the “/” in “of=/keyfile”. see if that fixes it.

hi tempest, where is the new version of the guide?

1 Like

a new version likely will not be published until whonix live is released.

1 Like