Debian is supposedly non-hostile, welcoming if derivatives redirect bug reports and support to Debian. That is, as long as the derivative is built using standard Debian build tools (which we do) and does not recompile packages (which we don’t do; we use the usual packages.debian.org), so “any bug applying to the derivative should equally apply to Debian”.
Debian supposedly doesn’t have a policy “not purely from us, go away”.
Even if we can’t provide the same level of user support quality, it is ok.
Users would still probably pop up in the Whonix forum in case something Debian-only breaks.
For sure but that is ok.
I guess the Whonix build script could do that too (possibly you were already using it).
Awesome, I wonder how you implemented that.
It also grows the partition to fit the disk size.
Encrypting the images before compression is pointless and makes compression a bit harder …
The meta package also installed graphics drivers or NIC firmware.
If it includes non-free dependencies, let’s have one free and one non-free variant.
My intention was to not have anything Whonix specific on the host, i.e. it should be a normal Debian image and no Whonix specific packages should be installed, so that only Debian stuff could possibly break on the host and hence “they” need to fix it ^^.
Sounds great. (I was considering something similar with debian-vm.) Whonix build script can support many flavors.
But even a hardened-debian-something-no-whonix may be worthwhile. And also a Whonix Host which comes with Whonix images already set up.
You could also make an image based on Debian testing with support for newer hardware but then security support would be worse.
Whonix many releases ago was Debian testing based. There’s a writeup in the wiki. In short: that was a nightmare. Yet, contributions welcome.
Are there any features or things related to the general setup that you would like to see, i.e. installed packages, network setup (no network on the host, NAT, macvtap)? I’d go for KVM as hypervisor + virt-manager.
Just tested it with latest Whonix 15 (after converting the .qcow2 file to a .raw file). Works fine, at least with BIOS mode. UEFI mode boots but does not reach graphical target with KVM, probably needs some more testing (I didn’t test the iso file with VirtualBox).
All the code comes originally from
I just put it all together after trying out different combinations.
I am not a developer, so feel free to review the code and adapt/correct it. Needs optimizing.
Step one: I am mostly interested in having our upcoming Whonix host operating system raw (?) image be bootable on both BIOS and UEFI. As fully persistent (if not using the grub-live option in the grub boot menu), i.e. not live-boot based. Ideally, a single hybrid image, if sane and doable.
Step two: If it could be at the same time a hybrid image that can be burned on DVD, all the better. ISO / DVD support would be step two.
Finally, probably not doable: one image for all use cases HDD persistent, HDD live, DVD live. (DVD-RW persistent realistic?)
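Since the question above is whether one raw image can boot under both BIOS and UEFI, the following is an added example (not code from this thread or from Whonix) that checks the on-disk structures such an image needs: a protective MBR carrying boot code and the 0x55AA signature, a CRC-valid primary GPT, an EFI System Partition for UEFI firmware and a BIOS boot partition where grub-pc puts core.img on GPT disks. It also reports how many sectors sit between the last partition and the GPT’s last usable LBA, which is what a grow-partition step would reclaim. The sample image it builds is constructed in memory for the test and is not derived from any real image; the check only inspects metadata and does not prove GRUB was actually written to those places.

```python
"""Check whether a raw GPT disk image has both UEFI and BIOS boot structures.
Added example for the hybrid-image discussion; not Whonix or Debian code."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
GPT_HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"           # 128-byte partition entry
ESP_GUID = uuid.UUID("C12A7328-F81B-11D2-BA4B-00A0C93EC93B")        # EFI System Partition
BIOS_BOOT_GUID = uuid.UUID("21686148-6449-6E6F-744E-656564454649")  # BIOS boot (grub core.img)
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")   # Linux filesystem data


def _crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt(img):
    """Return primary GPT header fields and in-use partitions, or None if no GPT."""
    hdr = img[SECTOR:2 * SECTOR]
    if len(hdr) < 92 or hdr[:8] != GPT_SIG:
        return None
    (_sig, _rev, hsize, hcrc, _res, _cur, backup, first_use, last_use, _dguid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(GPT_HDR_FMT, hdr[:92])
    # header CRC covers hsize bytes with the CRC field (offset 16) zeroed
    crc_ok = 92 <= hsize <= SECTOR and _crc(hdr[:16] + b"\0" * 4 + hdr[20:hsize]) == hcrc
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    parts = []
    for i in range(n_ent):
        e = table[i * ent_size:i * ent_size + 128]
        if len(e) < 128:
            break                                  # truncated image
        tguid, _uguid, first, last, _attr, name = struct.unpack(ENTRY_FMT, e)
        tguid = uuid.UUID(bytes_le=tguid)          # GUIDs are stored mixed-endian
        if tguid.int:                              # all-zero type GUID = unused slot
            parts.append({"type": tguid, "first_lba": first, "last_lba": last,
                          "name": name.decode("utf-16-le").rstrip("\0")})
    return {"crc_ok": crc_ok, "entries_crc_ok": _crc(table) == ent_crc,
            "first_usable": first_use, "last_usable": last_use,
            "backup_lba": backup, "partitions": parts}


def analyze(img):
    """Classify an image as UEFI-bootable, BIOS-bootable, both (hybrid) or neither."""
    mbr = img[:SECTOR]
    gpt = parse_gpt(img)
    gpt_ok = gpt is not None and gpt["crc_ok"] and gpt["entries_crc_ok"]
    types = {p["type"] for p in gpt["partitions"]} if gpt_ok else set()
    r = {
        "mbr_signature": mbr[510:512] == b"\x55\xaa",
        "mbr_bootcode": any(mbr[:440]),            # all-zero boot area: no boot.img
        "protective_mbr": len(mbr) == SECTOR and mbr[450] == 0xEE,  # type of entry 1
        "gpt_ok": gpt_ok,
        "has_esp": ESP_GUID in types,
        "has_bios_boot": BIOS_BOOT_GUID in types,
    }
    r["uefi_bootable"] = gpt_ok and r["has_esp"]
    r["bios_bootable"] = r["mbr_signature"] and r["mbr_bootcode"] and r["has_bios_boot"]
    r["hybrid"] = r["uefi_bootable"] and r["bios_bootable"]
    # sectors a grow-partition step could still claim on a same-sized disk
    r["free_tail_sectors"] = (gpt["last_usable"] - max(p["last_lba"] for p in gpt["partitions"])
                              if gpt_ok and gpt["partitions"] else None)
    return r


def build_sample_image(total_sectors=4096, bios_boot=True, bootcode=True):
    """Constructed 2 MiB sample with the layout a BIOS+UEFI GRUB install uses (assumed, not real)."""
    img = bytearray(total_sectors * SECTOR)
    if bootcode:
        img[0:440] = b"\xeb\x63" + b"\x90" * 438   # stand-in for GRUB's boot.img
    # protective MBR: one 0xEE entry from LBA 1 to the end of the disk, then 0x55AA
    img[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, total_sectors - 1)
    img[510:512] = b"\x55\xaa"
    parts = [(ESP_GUID, 66, 1089, "EFI"), (LINUX_FS_GUID, 1090, 3999, "root")]
    if bios_boot:
        parts.insert(0, (BIOS_BOOT_GUID, 34, 65, "bios_grub"))
    table = bytearray(128 * 128)
    for i, (tg, first, last, name) in enumerate(parts):
        table[i * 128:(i + 1) * 128] = struct.pack(
            ENTRY_FMT, tg.bytes_le, uuid.UUID(int=i + 1).bytes_le, first, last, 0,
            name.encode("utf-16-le").ljust(72, b"\0"))

    def header(cur, backup, ent_lba):
        h = struct.pack(GPT_HDR_FMT, GPT_SIG, 0x00010000, 92, 0, 0, cur, backup, 34,
                        total_sectors - 34, uuid.UUID(int=0xBEEF).bytes_le, ent_lba,
                        128, 128, _crc(table))
        return h[:16] + struct.pack("<I", _crc(h)) + h[20:]   # CRC taken with field zeroed

    img[SECTOR:SECTOR + 92] = header(1, total_sectors - 1, 2)
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    img[(total_sectors - 33) * SECTOR:(total_sectors - 33) * SECTOR + len(table)] = table
    img[(total_sectors - 1) * SECTOR:(total_sectors - 1) * SECTOR + 92] = header(total_sectors - 1, 1, total_sectors - 33)
    return bytes(img)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        head = f.read(34 * SECTOR)   # protective MBR + primary header + 128 entries
    for k, v in analyze(head).items():
        print(f"{k}: {v}")
```

Run it as python3 check_hybrid.py whonix-host.raw; only the first 34 sectors are read, so it is cheap on a multi-gigabyte image. A result of uefi_bootable without bios_bootable usually means grub-install was only run for the x86_64-efi target, or the BIOS boot partition was never created, which matches the UEFI-only symptoms people hit when testing in KVM with OVMF versus SeaBIOS.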
Correction: mostly non-networked. For updates you would of course need to enable networking on the host temporarily.
Thanks for the script. Do you know if the isos work with secure boot enabled?
HDD persistent + live is doable. But not at the same time with an iso file for DVDs. You can burn the iso to a USB stick but it will not be writable in the first place. There is the persistence feature for live tools but for system updates it is imho not really usable. Also, at least from reading /r/tails, it seems to break occasionally and people lose their data.
Maybe one could create some kind of installer iso which installs Whonix on the disk and otherwise acts as live CD.
No, didn’t test. Not sure what you mean actually, secure boot in the motherboard BIOS/UEFI settings?
Wow, that would be a great idea! Like any modern Linux installer (Ubuntu for instance), but with all Whonix features out of the box, and the installer for persistent use! 100% behind this idea. Is it realistic to do? I don’t know, but I think we are pretty close, all tools are available, and documented.
A raw (or similar) image to be dd’d (or similar) to the disk would of course be an inferior solution to an installer. I’ve only considered the downloadable image solution since it looks kinda easier to create. Perhaps we’ll get such an image “almost effortlessly” anyhow and it would still be useful for some people?
For the installer I see two choices, maybe.
A) Debian-Installer: for sure worse usability than Ubiquity. I find it confusing, and not great to always answer a few questions, wait, answer a few questions, wait and so forth.
B) Ubiquity Installer: much more modern, nice. It is in use by, and I like the style of, the elementary OS / Linux Mint / Ubuntu style installer DVDs. Those can be booted as Live ISO to play around and have a much improved installer. It first asks all questions, then installs. No waiting, stopping, asking and continuing like the Debian-Installer frontend.
Lots of ports, perhaps any is better than the original?
(A CLI version might be unsupported by Ubiquity but these users could be redirected to “install plain Debian followed by our Whonix host meta package”. I am not sure anymore whether Ubiquity based installer DVDs also come with a CLI mode, they might indeed.)
From a design perspective I think we might also get sudo apt-get install whonix-host-kvm-xfce 
(to be run on Debian hosts, in theory)
(Whether we want to / whether it is sane to support the sudo apt-get install whonix-host-kvm-xfce way of installation is a separate question.)
This would look to be like a clean, solid design.
Not sure in which order to put the name; it’s getting a lot: host vs VM, kvm vs virtualbox, xfce vs cli
Just to sum-up (tell me if I’m wrong), what we want to achieve is a bootable (BIOS/UEFI, maybe secure boot?) ISO file containing a “Whonix Host” (temporary name), basically a hardened debian OS running as live CD.
This Whonix Host would come with Qemu/KVM/virt-manager preinstalled with latest Gateway and Workstation qcow2 images, also preinstalled and preconfigured. So a user could just download the ISO file and run everything from a USB/DVD device. Right?
Then, on top of that, this same ISO file would contain an Installer program that would allow to install the whole Whonix system (Whonix Host + Gateway/Workstation VMs) onto a physical drive, in the same spirit as modern Linuxes do, for instance Ubuntu. Still right?
Some months ago, while playing around with VMs and ISO files (see bash script), I ended up with something similar, minus the installer option, the ISO file’s size being around 5GB, but I am sure that there is room for optimization and more compression. 4GB ISO files, while big, are not that uncommon, see for example the Qubes ISO installer…
As for the install process, I was wondering whether it would be feasible to just run a few scripts interactively asking the user to choose the hard drive on which to install the OS, ask for a LUKS password, and then just dd the ISO content into the encrypted hard drive, while taking care of the required adjustments in the process?
That would be much easier and faster than downloading everything again from the debian/whonix repositories IMHO.