Install Kicksecure ™ inside a folder (chroot)
Donate
You can install Kicksecure ™ on top of your existing Debian (based) Linux installation inside a chroot.
This is a pre-release. (What does that mean?)
chroot Creation[edit]
Qubes Notes[edit]
Only users of Qubes need to consider these notes in this chapter.
Users that don't use Qubes or don't know what Qubes is should skip this chapter.
TODO: elaborate
- nosuid / nodev can cause issues?
- default private image size (/home folder) is too small for Kicksecure ™ XFCE
Install Required Tools[edit]
Install mmdebstrap apt-transport-https apt-transport-tor tor curl. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the mmdebstrap apt-transport-https apt-transport-tor tor curl package.
Using apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends mmdebstrap apt-transport-https apt-transport-tor tor curl
D. Done.
The procedure of installing mmdebstrap apt-transport-https apt-transport-tor tor curl is complete.
Add Signing Key[edit]
It is required to add the signing key on the host because mmdebstrap will need it.
(Users of Kicksecure ™ and Kicksecure ™ could skip this step since the signing key is there by default.)
Key could be removed at the end. (Except Kicksecure ™ and Kicksecure ™ should not do this unless they upgrade from source code.)
Complete the following steps to add the Kicksecure ™ Signing Key to the system's APT keyring.
Open a terminal.
1. Package curl needs to be installed.
Install curl. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the curl package.
Using apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends curl
D. Done.
The procedure of installing curl is complete.
2. Download Kicksecure ™ Signing Key. [2]
If you are using Debian, run.
curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
Downloading over onion requires an already functional system Tor. torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
If you are using a Qubes Debian Template, run.
curl --proxy http://127.0.0.1:8082/ --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc
Downloading over onion requires an already functional system Tor. torsocks curl --proxy http://127.0.0.1:8082/ --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
3. Users can check Kicksecure ™ Signing Key for better security.
4. Done.
The procedure of adding the Kicksecure ™ signing key is now complete.
Set Variables[edit]
File /etc/hostname must exist. [3]
sudo touch /etc/hostname
Set Variables[edit]
Note: You could also replace kicksecure-xfce with kicksecure-cli.
package=kicksecure-xfce repo=bullseye path_to_chroot=~/kicksecure-xfce-chroot path_to_temp_sources_list=~/temp-sources.list
APT Sources List[edit]
Create temporary APT sources list for mmdebstrap.
echo " deb https://deb.debian.org/debian-security/ bullseye/updates main contrib non-free deb https://deb.debian.org/debian bullseye main contrib non-free deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com $repo main contrib non-free " > "$path_to_temp_sources_list"
APT Cache[edit]
Optional. If you are interested, please press Expand on the right side.
This shouldn't be done unless you are behind a firewall since apt-cacher-ng will by default listen on all network interfaces.
Install apt-cacher-ng. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the apt-cacher-ng package.
Using apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends apt-cacher-ng
D. Done.
The procedure of installing apt-cacher-ng is complete.
Set apt_cacher_ng_maybe variable.
apt_cacher_ng_maybe="\ --aptopt='Acquire::http { Proxy \"http://127.0.0.1:3142\"; }' \ --aptopt='Acquire::https { Proxy \"http://127.0.0.1:3142\"; }' \ --aptopt='Acquire::tor { Proxy \"http://127.0.0.1:3142\"; }' \ "
Create apt-cacher-ng https compatible sources.list file.
echo " deb http://HTTPS///deb.debian.org/debian-security/ buster/updates main contrib non-free deb http://HTTPS///deb.debian.org/debian buster main contrib non-free deb http://HTTPS///deb.whonix.org $repo main contrib non-free " > "$path_to_temp_sources_list"
Run mmdebstrap[edit]
Run mmdebstrap. [4]
sudo \ SECURITY_MISC_INSTALL=force \ DERIVATIVE_APT_REPOSITORY_OPTS=stable \ anon_shared_inst_tb=open \ mmdebstrap \ --verbose \ --variant=required \ $apt_cacher_ng_maybe \ --include $package \ $repo \ "$path_to_chroot" \ "$path_to_temp_sources_list"
Chroot Post Processing[edit]
Delete the chroot's temporary /etc/apt/sources.list. [5]
sudo rm "$path_to_chroot/etc/apt/sources.list"
Host Cleanup[edit]
Optional: You can delete the signing key from the host.
sudo rm /etc/apt/trusted.gpg.d/derivative.gpg
Usage[edit]
Simple Classic Chroot Method[edit]
sudo chroot ~/kicksecure-xfce-chroot bash
systemd-nspawn Method[edit]
Install systemd-nspawn[edit]
sudo apt install systemd-container
systemd-nspawn Simple Chroot[edit]
sudo systemd-nspawn -D ~/kicksecure-xfce-chroot
systemd-nspawn Boot Chroot CLI Only[edit]
sudo systemd-nspawn -D ~/kicksecure-xfce-chroot /sbin/init
systemd-nspawn Boot Chroot with GUI Support[edit]
This is unfinished. Unspecific to Kicksecure ™. Could be resolved as per Free Support Principle.
xhost +local:
sudo systemd-nspawn --setenv=DISPLAY=$DISPLAY -D ~/kicksecure-xfce-chroot /sbin/init
Exit systemd-nspawn Chroot[edit]
To leave the chroot press keep holding key CTRL and press key 5 quickly 3 times within 1 second. [6]
Limitations of systemd-nspawn based Chroot[edit]
Despite these limitations, systemd-nspawn should probably preferred over classic chroot. Depends on what you are trying to accomplish.
- sdwdate (and Boot Clock Randomization) cannot work inside
systemd-nspawn. - Tor will fail to start inside
systemd-nspawnchrootif Tor is already running on the host in default config (local listen post9050). But that shouldn't matter. Thesystemd-nspawnchrootwill use the host's Tor in this case.systemd-nspawnhas also option to run private networking but these have not been researched for Kicksecure ™ yet.
Footnotes[edit]
- ↑
apt-transport-httpsis required for some older Debian based Linux distributions that have not integrated https support into APT yet. If not available in your distribution, can be safely ignored.apt-transport-toris required because /etc/apt/sources.list.d/debian.list
is using tor+https. Otherwise we would see the following error.
I: cleaning package lists and apt cache... Reading package lists... E: The method driver /usr/lib/apt/methods/tor+https could not be found. E: The method driver /usr/lib/apt/methods/tor+https could not be found. E: The method driver /usr/lib/apt/methods/tor+https could not be found. E: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease E: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease E: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease E: Some index files failed to download. They have been ignored, or old ones used instead. E: apt --option Dir::Etc::SourceList=/dev/null update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
toris required soapt-transport-torcan use Tor. Otherwise we would see the following error.
I: cleaning package lists and apt cache... Err:1 tor+https://deb.debian.org/debian-security buster/updates InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) Err:2 tor+https://deb.debian.org/debian buster InRelease Unable to connect to 127.0.0.1:9050: Err:3 tor+https://deb.whonix.org buster-developers InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) Reading package lists... W: Failed to fetch tor+https://deb.debian.org/debian-security/dists/buster/updates/InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) W: Failed to fetch tor+https://deb.debian.org/debian/dists/buster/InRelease Unable to connect to 127.0.0.1:9050: W: Failed to fetch tor+https://deb.whonix.org/dists/buster-developers/InRelease Could not connect to 127.0.0.1:9050 (127.0.0.1). - connect (111: Connection refused) W: Some index files failed to download. They have been ignored, or old ones used instead.
- Actually package
apt-transport-torrecommends packagetorbut listing it here anyhow for those using APT with parameter--no-install-recommends. apt-transport-httpsis suggested below to download the signing key.
- ↑
See Secure Downloads to understand why
curland the parameters--tlsv1.3are used instead ofwget.
Placing an additional signing key into folder/usr/share/keyringsby itself alone has no impact on security as this folder is not automatically used by Debian's APT by default. Only when an APT sources list configuration file points to folder/usr/share/keyringsusing thesigned-bykeyword the signing key will be actually used. Therefore deleting keys in/usr/share/keyringsis optional if intending to disable an APT repository. See also APT Signing Key Folders. - ↑
Fixed in
mmdebstrap0.5.0. Quote changelog:
do not copy /etc/resolv.conf or /etc/hostname if the host system doesn't have them
Therefore no longer required in Debian
bullseye. - ↑
debootstrapcannot be used since it is a single-mirror Debian chroot creation tool. I.e. it cannot use multiple APT repositories at the same time. And Kicksecure ™ APT repository does not ships no packages available from packages.debian.org. Therefore usingmmdebstrapwhich is a multi-mirror Debian chroot creation. If you cannot usemmdebstrapeither (cross platform builds?), you could first create a Debian chroot usingdebootstrap(or anything) and then install a Kicksecure ™ meta package manually inside the chroot. - ↑
During chroot build process the following files were already created.
/etc/apt/sources.list.d/debian.list/etc/apt/sources.list.d/derivative.list
- ↑
https://unix.stackexchange.com/questions/577065/connected-to-container-mycontainer-press-three-times-within-1s-to-exit-sessi
At
Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.
Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.
ENCRYPTED SUPPORT LP,
2023