[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Long Wiki Edits Thread

0brand:

Done!

After stopping Tor, /var/lib/tor had to be unmounted. When moving new Tor folder back into /var/lib the new folder did not need to be mounted for Tor to start. Should it be mounted anyways?

It’s mounted by bind-dirs. So when manually unmount it would have to be
manually remount the same way bind-dirs does.

Probably better to use:

rm -r /var/lib/tor/*

To avoid any mount / unmount.

But then the user needs to be careful not to use any extra space before
the asterix /var/lib/tor/ *.

Please change.

1 Like

torjunkie

I can update the wiki if you like. Shouldn’t be too difficult.

Unless its something you’d like to tackle?

2 Likes

Please do.

Hi Patrick

Draft for updating wiki/forcing_onion

Note: Whonix maintains compatability with both v2 and v3 onion services so users can access web resources while staying in the Tor network. However, users are encouraged to use v3 (next generation onion services) when visiting whonix.org. This will allow users to benifit from the many improvements over the v2 legacy system.

  • homepage v2 onion v3 onion
  • wiki v3 onion
  • forums v3 onion
  • downloads v3 onion
  • phabricator v3 onion
  • debian repository v3 onion

If I understood correctly, you wanted only 1 mention of v2 onions on whonix.org i.e. forcing_onion chapter?


Wiki/Tor chapter has been updated

https://whonix.org/w/index.php?title=Tor&oldid=33463&diff=cur

For removing Tor files ?

sudo rm -r '/var/lib/tor/*

Added warning about extra spaces (possible consequences)

1 Like

Thanks.

No problem - forget it then.

I definitely saw it used on another page on my image hunting exercise, but if not useful I won’t bother.

OK - repository description must have been edited by me on another page that also references it. I do recall tidying this up at some stage.

1 Like

-> Draft blog post (Whonix 14 release) done.

Before it gets published, must fix the following:

  • Date at the top.
  • Superscript for references. Wordpress allegedly allows superscript with <sup>1</sup> etc. But when you use this, it just appears in plain text. Unlike in this forum where it works e.g. 1

Tried the markdown to HTML converter, didn’t work for me. Wordpress… harder to configure than Whonix :slight_smile:

1 Like

0brand:

Hi Patrick

Draft for updating wiki/forcing_onion

Note: Whonix maintains compatability with both v2 and v3 onion services so users can access web resources while staying in the Tor network. However, users are encouraged to use v3 (next generation onion services) when visiting whonix.org. This will allow users to benifit from the many improvements over the v2 legacy system.

  • homepage v2 onion v3 onion
  • wiki v3 onion
  • forums v3 onion
  • downloads v3 onion
  • phabricator v3 onion
  • debian repository v3 onion

If I understood correctly, you wanted only 1 mention of v2 onions on whonix.org i.e. forcing_onion chapter?


Wiki/Tor chapter has been updated

https://whonix.org/w/index.php?title=Tor&oldid=33463&diff=cur

For removing Tor files ?

sudo rm -r '/var/lib/tor/*

Added warning about extra spaces (possible consequences)

All ok. :slight_smile:

Wiki Forcing Onion

Done!

With minor edits to draft.

https://whonix.org/w/index.php?title=Forcing_.onion_on_Whonix.org&oldid=33112&diff=cur

1 Like

Wordpress automatically adds the date on top (as seen in blog post preview).

No idea.


public preview:

whonix.org/blog/?p=2424&preview=1&_ppp=f3c0e238b0

Looks very good!

1 Like

sudo rm -r ‘/var/lib/tor/'
rm: cannot remove '/var/lib/tor/
’: No such file or directory

* is a shell feature. If you put it into '' then its special meaning is gone.

* is not a feature by rm.

Since user cannot read /var/lib/torsudo won’t work either.

sudo rm /var/lib/tor/*
rm: cannot remove ‘/var/lib/tor/*’: No such file or directory

1 Like

Fixed!

Removed '' from sudo rm -r /var/lib/tor/*

Warning Box text updated.

https://whonix.org/w//index.php?title=Tor&oldid=33476&diff=cur

Didn’t realize using * with '' would change the behavior of the command.

Takeaway:

Test even if you are 100% sure the command works.

1 Like

Since user cannot read /var/lib/tor… sudo won’t work either.

sudo rm /var/lib/tor/*
rm: cannot remove ‘/var/lib/tor/*’: No such file or directory

Hi Patrick

Fixed!

https://whonix.org/w/index.php?title=Tor&oldid=33483&diff=cur

When step 3 was reverted back to previous command I failed to remove the asterisk (*).

With the change, Tor file can now be removed. Since this directory is mounted by bind-dirs, it will always complain resource busy?

user@host:~$ sudo rm -r /var/lib/tor
rm: cannot remove '/var/lib/tor': Device or resource busy
user@host:~$ sudo ls /var/lib/tor
(no output)

Also, 2 out of 10 times moving Tor state file from sys-whonix-13 to sys-whonix-14, Tor (sys-whonix-14) would not start due to missing
DisableNetwork 0 in torrc.

Its likely I made a mistake but couldn’t find anything in command history.

BTW, fully tested intructions and everything works as it should with the new edit.

Thanks for being so patient :blush:

1 Like

0brand:

With thie change, Tor file can now be removed. Since this directory is mounted by bind-dirs, it will always complain resource busy?

user@host:~$ sudo rm -r /var/lib/tor
rm: cannot remove '/var/lib/tor': Device or resource busy

Means something is very wrong.

umount alone is very bad. If you do an action (umount), it should
probably be redone (mount again). Unless completely understood and not
required.

To simulate the parts which bind-dirs would do and recreating the
folder… (Not fully tested.)

sudo umount /var/lib/tor
sudo rm -r /rw/bind-dirs/var/lib/tor
sudo mkdir -p /rw/bind-dirs/var/lib/tor
sudo chown -R debian-tor:debian-tor /rw/bind-dirs/var/lib/tor
sudo mount --bind /rw/bind-dirs/var/lib/tor /var/lib/tor

But this is quite lengthy and complicated.

I see two options. a)

sudo su
sudo rm /var/lib/tor/*

or b)

sudo find /var/lib/tor -type f | sudo xargs rm

None is very elegant. Isn’t there a better linux command?

user@host:~$ sudo ls /var/lib/tor
(no output)

Also, 2 out of 10 times moving Tor state file from sys-whonix-13 to sys-whonix-14, Tor (sys-whonix-14) would not start due to missing
DisableNetwork 0 in torrc.

DisableNetwork 0 should have Tor start but not connect. Is that what is
happening?

Its likely I made a mistake but couldn’t find anything in command history.

Maybe also a bind-dirs issue?

Could you please also mention torrc migration? Mostly interesting for
users who changed torrc settings.

@0brand - You’ll lick your lips with this. The key to editing longevity is balancing the boring shit (eg sys-whonix Tor state), with the fun.

Now, everybody loves unbreakable encryption. “It doesn’t exist” they say? Well, we know that is not true with One Time Pads (OTPs) used properly providing perfect encryption.

Now I’m talking about the physical creation of OTPs, not the electronic program fails which can of course be backdoored by adversaries 6 ways since Sunday.

Anyway, there is no wiki page for that, so I just created an empty one. This is a good guide below that summarises the technique nicely. Of course, multiple dice always comes in handy for generating true randomness where required; no backdoored “RNGs” for us. People don’t need fancy 10 sided dice and all that crap. It can be accomplished properly with good technique with 6 sided dice, to adjust for statistical issues that would otherwise not create true randomness.

Why you say?

If this is wrapped up with the GPG email encryption guide when finished, our most paranoid friends could wrap up a OTP message, inside of a GPG-encrypted email, thrown 100% through the Tor network, using a truly anonymous email account, via an .onion server. And with icing on the cake, we can eventually add the “Jason Bourne” GPG key creation guide from the terminal, so users have the hottest key generation and strongest algorithms going around.

Gives me a stiffie thinking about it. :grinning: ha ha. Anyway, I suggest you start with One Time Pads, instead of that proxy crap, since that is piecemeal, and this is fun.

1 Like

I didn’t have time to thoroughly read through the paper but this does look really cool! Plus its easier (for me at least) if the chapter can be started from scratch.

Another benefit to having individual wiki pages is users can more easily find what they are looking for without having to role the dice and sift through an entire page.

“Jason Bourne” GPG key creation will definitely look good along side one time pad. I think this page will perk interest with Quantum computers just around the corner? Possibly here already?

Once i get “sys-whonix Tor state” completed I have a few other small thing to complete and then I can start this :grinning:

Also

VirtualBox troubleshooting wiki enhancement

Low RAM issues (VMs freezing)

TODO

May have to quit my job so I can work on wiki full time!:crazy_face:

1 Like

Hi Patrick

I’m writing this post in reverse order. You’ll see why :slight_smile:

I think it is bind-dirs. I’m not sure exactly whats happening but I was able to reproduce the behavior 1 more time.

Just to recap, this happens intermittently when the following command is used to remove the Tor folder.

sudo rm -r /var/lib/tor

When all step are complete, expected behavior.

sudo systemctl start tor@default

user@host:~$ whonixcheck
[INFO] [whonixcheck] sys-whonix-14 | Whonix-Gateway | whonix-gw TemplateBased ProxyVM | Fri Apr 13 21:25:44 UTC 2018
[INFO] [whonixcheck] Connected to Tor.
[INFO] [whonixcheck] Whonix APT Repository: Enabled.
When the Whonix team releases STRETCH updates,
they will be AUTOMATICALLY installed (when you run apt-get dist-upgrade)
along with updated packages from the Debian team. Please
read https://www.whonix.org/wiki/Trust to understand the risk.
If you want to change this, use:
    sudo whonix_repository
[INFO] [whonixcheck] Debian Package Update Check: Checking for software updates via apt-get... ( Documentation: https://www.whonix.org/wiki/Update )
^Cwhonixcheck: signal SIGINT received. Cleaning up... Exiting...
[INFO] [whonixcheck] whonixcheck aborted! (SIGNAL_TYPE: SIGINT

Actual behavior

user@host:~$ whonixcheck
[INFO] [whonixcheck] sys-whonix-14 | Whonix-Gateway | whonix-gw TemplateBased ProxyVM | Fri Apr 13 21:26:47 UTC 2018
[WARNING] [whonixcheck] Tor Check Result:
Tor is disabled. Therefore you most likely can not connect to the internet.
(Debugging information: Could not find DisableNetwork 0 in Tor config.)
Please close this window and enable Tor using Whonix Setup!
    dom0 -> Start Menu -> ServiceVM: sys-whonix-14 -> Whonix Setup
    or in Terminal: sudo whonixsetup
or manually (If you know about the public Tor network!) and open /usr/local/etc/torrc.d/50_user.conf with root rights
(dom0 -> Start Menu -> ServiceVM: sys-whonix-14 -> Torrc) and set:
DisableNetwork 0

Tor is functioning though

user@host:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enable
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf, 40_obfs4proxy-workaround.conf, 40_qubes.conf, 50_controlsocke
   Active: active (running) since Fri 2018-04-13 21:27:03 UTC; 29s ago
  Process: 2007 ExecReload=/bin/kill -HUP ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 5278 ExecStartPost=/bin/kill -HUP ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 5273 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-def
  Process: 5271 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d 
 Main PID: 5276 (tor)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-tor.slice/tor@default.service
           └─5276 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc

Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9184' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9185' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9186' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9187' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9188' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9189' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:5300' 
Apr 13 21:27:03 host Tor[5276]: You configured a non-loopback address '10.137.0.43:9040' 
Apr 13 21:27:03 host Tor[5276]: Opening Control listener on /var/run/tor/control
Apr 13 21:27:03 host Tor[5276]: DisableNetwork is set. Tor will not make or accept non-co

After running sudo whonixsetup error still persists with whonixcheck.

Manually adding DisableNetwork 0 to /usr/local/etc/torrc.d/50_user.conf fixed problem

Thought you might be interested?


For the Tor wiki, this command was added to remove Tor folder

Option a)

sudo su
sudo rm /var/lib/tor/*

Now the reason for this post being backwards

I saw a possible problem. Users may see this command and wonder why not just use?

sudo rm -r /var/lib/tor

Possible someone like myself would actually try using this? This may cause problems with broken bind-dirs and possible what happened with above whonixcheck? So I added a warning in the footnote about consequences of not following instructions as written.

Should this be taken out of footnote and placed at top of instructions?

Users are strongly encouraged to follow the instructions as they are written. This is because deviation from the listed commands could have unforeseen consequences. For example, if users where to use a alternate command to remove the Tor state folder. The outcome may be broken file persistence across reboots. This is owing to the fact that Qubes-Whonix uses bind-dirs file persistence for the Tor folder and other select directories. This in turn, at the very least would require users to umount and mount the Tor folder in the same way as bind-dirs does. This would likely be very timely and complicated.

Also added note on migration of torrc

Users with custom Tor configurations options, which are also referred to as custom torrc options, are required to migrate those settings separately. This is on account of the Tor state folder, which is located in /var/lib, does not contain the custom torrc settings that are located in /etc/tor/torrc for Whonix 13, and /usr/local/etc/torrc.d/50_user.conf for Whonix 14 and later releases.

https://www.whonix.org/w/index.php?title=Tor&oldid=33485&diff=cur

If you like, please generalize that chapter (or make sub chapters if
that looks good) for a full migration (Tor state folder and torrc).

0brand:

Possible someone like myself would actually try using this?

Yes, quite likely.

This may cause problems with broken bind-dirs and possible what happened with above whonixcheck? So I added a warning in the footnote about consequences of not following instructions as written.

Should this be taken out of footnote and placed at top of instructions?

Yes, very much so. A short warning box with a footnote to explain why.

TO DO

1. Add gpg fingerprint check steps to OnionShare and elsewhere it is a forgotten step in Whonix, since we shouldn’t blindly trust the long key ID by itself.

Ref:

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Security_Guide#Verifying_Software_Signatures

https://riseup.net/en/security/message-security/openpgp/best-practices#do-not-blindly-trust-keys-from-keyservers

https://riseup.net/en/security/message-security/openpgp/best-practices#dont-rely-on-the-key-id

2. Good later references for strong manual GPG key pair creation and storage e.g:

https://help.github.com/articles/generating-a-new-gpg-key/
https://debian-administration.org/users/dkg/weblog/48
https://security.stackexchange.com/questions/82216/how-to-change-default-cipher-in-gnupg-on-both-linux-and-windows
https://alexcabal.com/creating-the-perfect-gpg-keypair/

Main points seem to be:

  • Min 3072-bit RSA key (preferably a 4096 bit key).
  • SHA512 hashing algorithm & personal cipher preferences to the strongest i.e. setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
  • Stronger digest when receiving signed messages privately (via setpref preferences).
  • Expiration date less than two years.
  • Generate a revocation certificate.
  • Separate subkey for signing.
  • Primary key entirely offline (secret_key).
  • Test quality of key pair with hopenpgp-tools.
  • Check primary keys are using RSA.
  • Check bit-length of primary key.
  • Self-signatures issues e.g. not use SHA1 etc.
  • ASCII-armored version of public key (?)
  • Transforming the master keypair into the laptop keypair (removing original signing subkey from the master keypair in our keyring)?

Anything else to consider for a strong GPG key pair?

TODO Mention configuring Split GPG in Email section ->

https://www.qubes-os.org/doc/split-gpg/

2 Likes

4096 bit for sure. Some of these things are already in the wiki. But https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key is quite lengthy and not everyone’s cup of tea.




2 Likes
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]