{{Header}}
{{Title|title=
Install Tor Browser on Debian, Kicksecure or Qubes using Tor Browser Downloader (by {{project_name_long}} developers)
}}
{{#seo:
|description=Installing Tor Browser outside of {{project_name_short}}. Fallback if {{project_name_short}} breaks. Test Tor connectivity outside of {{project_name_short}}.
|image=Tbboutside.jpg
}}
[[File:Tbboutside.jpg|thumb]]
{{intro|
* '''A)''' Installation of Tor Browser on Whonix: Tor Browser is installed by default in Whonix. For more information and re-installtion, see the [[Tor Browser]] wiki page.
* '''B)''' Installation of Tor Browser using tb-updater (by {{project_name_short}} developers) for Debian, Kicksecure, or Qubes: See this wiki page.
}}
= Introduction =
{{Community_Support|scope=page}}
Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the {{project_name_short}} platform. This is useful in various cases:
* Should {{project_name_short}} ever break, it is possible to search for a solution anonymously.
* System-wide Tor problems can be easily detected by testing connectivity outside of {{project_name_short}}.
* Certain Tor / Tor Browser activities are difficult (or impossible) to configure in {{project_name_short}}, but are much easier in the standard configuration. For example, the [[Bridges#Snowflake|Snowflake]] pluggable transport client is currently experimental in {{project_name_short}}.
In [[Non-Qubes-Whonix|{{non_q_project_name_short}}]], it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In [[Qubes|{{q_project_name_long}}]], it is recommended to install Tor Browser in a debian-{{Stable project version based on Debian version short}}
, debian-{{Stable project version based on Debian version short}}-minimal
or kicksecure
App Qube (advanced users).
Note: If an expired key signature message like below appears, the steps in this chapter must be performed again due to an update of the {{project_name_short}} signing key; see [https://forums.whonix.org/t/expired-key-signature/11457 Expired key signature].
The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer adrelanos@whonix.org= Easy = == All Platforms: Manual Tor Browser Download == Follow [[Tor_Browser/Manual_Download#Manually_Downloading_Tor_Browser |these instructions]] to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless [[Qubes|{{q_project_name_short}}]] users temporarily set
{{project_name_gateway_vm}}
as the NetVM for the non-{{project_name_short}} App Qube.
== Debian Linux Hosts ==
Tor Browser can optionally be downloaded utilizing the [https://github.com/Kicksecure/tb-updater tb-updater
] software package by {{project_name_short}} developers. By default the download does not occur over Tor, meaning it is not anonymous.
{{Box|text=
{{Project-APT-Repository-Add Easy}}
'''5.''' Update the package lists.
{{CodeSelect|code=
sudo apt update
}}
'''6.''' Install tb-updater
.
{{CodeSelect|code=
sudo apt install tb-updater
}}
}}
= Moderate: QubesOS =
{{mbox
| image = [[File:Ambox_notice.png|40px]]
| text = [[Qubes|{{q_project_name_short}}]] R4 only! This method is anonymous.
}}
Summary of instructions of Qubes OS. Details below. These instructions:
# Anonymously retrieve and verify the {{project_name_short}} signing key.
# Copy the {{project_name_short}} signing key to a debian-{{Stable project version based on Debian version short}} (debian-{{Stable project version based on Debian version short}}-tor
) or debian-{{Stable project version based on Debian version short}}-minimal (debian-{{Stable project version based on Debian version short}}-minimal-tor
) Template clone.
# Add the {{project_name_short}} signing key to the list of trusted keys.
# Install apt-transport-tor in the debian-{{Stable project version based on Debian version short}}-tor
/ debian-{{Stable project version based on Debian version short}}-minimal-tor
Template.
# Add the {{project_name_short}} APT repository.
# Install tb-updater
from the {{project_name_short}} repository.
# Create a debian-tor-browser
/ debian-minimal-tor-browser
App Qube based on the Template clone.
The debian-{{Stable project version based on Debian version short}}-minimal
template provides a smaller attack surface, but is recommended for advanced users. Several package prerequisites are required for full functionality; see footnote. At the time of writing the [https://www.qubes-os.org/doc/templates/minimal/ Qubes documentation] and [https://forum.qubes-os.org/t/debian-10-minimal-configuration/2603 forums] suggest the following essential packages for browsing purposes:
* qubes-core-agent-passwordless-root
* qubes-core-agent-networking
* pulseaudio-qubes
To utilize nautilus file manager so a GUI can be used to interact with downloaded files (optional):
* qubes-core-agent-nautilus
* nautilus
* zenity
If you plan on mounting encrypted drives (optional):
* gnome-keyring
* policykit-1
* libblockdev-crypto2
Also see [https://svensemmler.org/notes/deb-min-templates automate debian-minimal based template creation]
== Clone the Template ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Prerequisite: The debian-{{Stable project version based on Debian version short}}
or debian-{{Stable project version based on Debian version short}}-minimal
Template must be manually installed first if it not already available. In dom0
, run either. {{CodeSelect|code=
sudo qvm-template install debian-{{Stable project version based on Debian version short}}
}}
Or.
{{CodeSelect|code=
sudo qvm-template install debian-{{Stable project version based on Debian version short}}-minimal
}}
}}
In Qube Manager: Right-click debian-{{Stable project version based on Debian version short}} or debian-{{Stable project version based on Debian version short}}-minimal template
→ Clone qube
→ Rename to debian-{{Stable project version based on Debian version short}}-tor or debian-{{Stable project version based on Debian version short}}-minimal-tor
== {{project_name_workstation_vm}} Steps ==
Run the following commands in {{project_name_workstation_vm}}
terminal. Advanced users can utilize a {{project_name_short}} DispVM instead in this section.
{{Box|text=
'''1.''' Download the {{project_name_short}} signing key.
{{CodeSelect|code=
curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc
}}
'''2.''' Display the key fingerprint.
{{CodeSelect|code=
gpg --keyid-format long --import --import-options show-only --with-fingerprint derivative.asc
}}
'''3.''' Verify the {{project_name_short}} signing key fingerprint.
Compare the fingerprint to the one found [[Signing Key|here]]. The most important check is confirming the fingerprint exactly matches the output below. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDAThe message
gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys
is related to the [[OpenPGP#The_OpenPGP_Web_of_Trust|The OpenPGP Web of Trust]]. Advanced users can learn more about this [[Main/Project Signing Key#OpenPGP_Web_of_Trust|here]].
'''4.''' Rename the {{project_name_short}} signing key to a temporary derivative.asc
file.
{{CodeSelect|code=
mv derivative.asc /tmp/derivative.asc
}}
'''5.''' Copy the derivative.asc
text file to the debian-{{Stable project version based on Debian version short}}-tor
or debian-{{Stable project version based on Debian version short}}-minimal-tor
Template.
{{CodeSelect|code=
qvm-copy /tmp/derivative.asc
}}
When prompted, choose either the debian-{{Stable project version based on Debian version short}}-tor
or debian-{{Stable project version based on Debian version short}}-minimal-tor
Template.
}}
== Template Steps ==
Complete the following steps in debian-{{Stable project version based on Debian version short}}-tor
or debian-{{Stable project version based on Debian version short}}-minimal-tor
terminal.
{{Box|text=
'''1.''' Add the {{project_name_short}} signing key to the list of trusted keys.
{{CodeSelect|code=
sudo cp ~/QubesIncoming/{{project_name_workstation_vm}}/derivative.asc /usr/share/keyrings/derivative.asc
}}
'''2.''' Add the {{project_name_short}} stable APT repository.
Alternatively use the stable onion APT repository: {{CodeSelect|code=
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] http://deb.{{project_onion}} {{Stable project version based on Debian codename}} main contrib non-free" {{!}} sudo tee /etc/apt/sources.list.d/derivative.list
}}
Note: tor+http
does not work in this configuration.
{{CodeSelect|code=
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.{{project_clearnet}} {{Stable project version based on Debian codename}} main contrib non-free" {{!}} sudo tee /etc/apt/sources.list.d/derivative.list
}}
'''3.''' Update the package lists.
{{CodeSelect|code=
sudo apt update
}}
'''4.''' Install tb-updater
by {{project_name_short}}.
{{CodeSelect|code=
sudo apt install tb-updater
}}
Note: This step will correctly install tb-updater
and should also automatically download Tor Browser. If that does not occur, complete steps 2 to 4 below after creating an App Qube.
}}
== App Qube Steps ==
{{Box|text=
'''1.''' Create an App Qube based on the debian-{{Stable project version based on Debian version short}}-tor
or debian-{{Stable project version based on Debian version short}}-minimal-tor
Template.
In Qube Manager: Left-click Qube
→ Create new qube
Use the following settings:
* Name and label: debian-tor-browser or debian-minimal-tor-browser
* Type: App Qube
* Template: debian-{{Stable project version based on Debian version short}}-tor or debian-{{Stable project version based on Debian version short}}-minimal-tor
* Networking: default (sys-firewall)
'''2.''' ''Optional:'' Temporarily set {{project_name_gateway_vm}}
as the NetVM for the Debian App Qube.
If Tor Browser was not downloaded at step 5 in the previous section, complete steps 2 to 4.
In Qube Manager: Right-click ''debian-tor-browser''
or ''debian-minimal-tor-browser''
→ Qube settings
→ Networking
→ Select ''{{project_name_gateway_vm}}''
→ OK
'''3.''' ''Optional:'' Download Tor Browser.
In terminal, run.
{{CodeSelect|code=
update-torbrowser --input gui
}}
'''4.''' ''Optional:'' Revert the networking setting to sys-firewall
in Qube Manager.
'''5.''' Launch Tor Browser from the App Qube menu and check it is functional.
Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the ''update-torbrowser'' command again.
}}
'''Figure:''' ''Tor Browser in Qubes' debian-minimal-tor-browser
App Qube''
[[File:Debian10minimaltorbrowser.png|border]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]