with the recent change to drop virtualbox in debian 9, i need to do a fairly substantial rewrite to the guide i work on, which is already over 400 pages. the installation and configuration of kvm involves a number of steps that will add more pages to the guide. thus, i’ve been brought back to considering something i experimented with before. wondering if anyone else here would find such a project useful, or would have any tips or direction.
in the past, i made a custom debian live installer with the refracta tools for the purpose of installing a host os that was preconfigured with a number of the standard security tweaks, tor pre-installed, the apt sources.list using onions, virtualbox pre-installed, and the whonix images ready to be run in virtualbox. this offered the potential for me to amend guide and shorten the page length significantly. it would be easy enough to do this with debian 9 and kvm.
is there any interest from the whonix team in working on an iso that will function as a debian host installer that comes preconfigured with a number of the tweaks in the whonix documentation, and ships with the latest whonix kvm images? basically, could make a one stop shop download for people who wish to switch from whatever os they are using to debian for the purpose of running whonix from a clean os, without having to modify the host os pursuant to the whonix documentation or download whonix after the fact.
the refracta tools, when i played with them in the past were pretty simple. essentially, you can create an live iso from a running debian vm. when you boot from the live iso, another tool enables a user to install the running live os to a persistent drive. not sure if they are the best, since this is only something i’ve experimented with. but, they worked.
On Debian stretch, you can install VirtualBox from Debian stretch-backports. Not great, but possible.
That’s certainly most interesting, but there are no development resources to get this implemented. I never had the time to maintain a host operating system, because then one goes into hardware support issues and whatnot. Therefore I was happy for the Qubes team to come along doing a good job providing a host operating system with superb Whonix integration. However, Qubes lacks hardware support, so it does not work for everyone. I don’t think I’ll ever be able to provide more than I am doing now.
So for this to happen, a maintainer has to step up, develop and maintain that all.
If this is supposed to become official, we need to match certain quality standards. Build process may not be “install Debian on your system, click this, run this tool, an ISO will be created, upload that ISO to whonix.org”. That’s fine for personal use and advanced users, however not good enough for officially redistributable builds for a number of reasons.
For officially redistributable builds the quality has to be more like “get this source code, run this build command, upload that iso”.
I think there’s a lot of value in an integrated Linux based Whonix distro for maximum hardware compatibility.
Sounds like a good initiative if you have the time and means to take this on independently. Even if it doesn’t meet our “official” redistributable/reproducible standards initially, its a good way to gauge dev/user interest in the concept. All the better if you can rally more dedicated devs around this and then merge it if it takes off and has maintainers (other than us).
I’m also interested in this but still unsure whether an iso or an img is more suited i.e. if you wan’t an installer at all or you just ship the final preconfigured filesystem image which is burned to disk.
The advantage of an iso would be some flexibility because you still can boot from dvd. However, many modern PC’s don’t have a dvd drive anymore and most PC’s could also boot from an usb drive.
Booting from DVD would also ensure the medium is read only, though you can’t have updates easily and it will be slow to boot and run, in particular with two more VM’s running.
An image could be used only with USB or normal HDDs but it would be easier to ship with an already encrypted disk and you could still use the USB as kind of install drive to install the OS on another PC. In contrast to the other thread it may be even possible to just boot the disk in some kind of setup mode with cryptsetup-reencrypt in the initrd. So you can change the password and master key and also resize the image to fill the whole drive.
Of course you could also run the image live.
Preconfigured systems or filesystem images are standard for most ARM boards though for a normal desktop PC I didn’t see this yet. This is probably also driver and hardware related.
Since the installer would be a for a privacy and anonmity OS choosing a different language, timezone, hostname etc. would not be a wise decision. So they would need to be preconfigured. The only things I can currently think of that would need to be configured are disk encryption keys and filesystem size and layout.