Template:Torify APT traffic
It is recommended to torify APT traffic on the host for several reasons:
- Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
- System updates leak sensitive security information such as package versions and differing patch levels. This information can aid targeted attacks.
Follow the instructions below to torify APT traffic in Debian. [1]
1 Install the apt-transport-tor package from the Debian repository so APT can route traffic through Tor.
sudo apt install apt-transport-tor
2 Edit the APT sources file so that all repository entries use only tor:// URLs.
Open file /etc/apt/sources.list in an editor with administrative ("root") rights.
1 Select your platform.
2 Notes.
- Sudoedit guidance: See Open File with Root Rights
for details on why using sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand.
3 Open the file with root rights.
sudoedit /etc/apt/sources.list
2 Notes.
- Sudoedit guidance: See Open File with Root Rights
for details on why using sudoeditimproves security and how to use it. - Editor requirement: Close Featherpad (or the chosen text editor) before running the
sudoeditcommand. - Template requirement: When using Qubes-Whonix, this must be done inside the Template.
3 Open the file with root rights.
sudoedit /etc/apt/sources.list
4 Notes.
- Shut down Template: After applying this change, shut down the Template.
- Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
- Qubes persistence: See also Qubes Persistence

- General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.
2 Notes.
- Example only: This is just an example. Other tools could achieve the same goal.
- Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.
3 Open the file with root rights.
sudoedit /etc/apt/sources.list
3 Save the file and exit the editor to apply the changes.
Other URL Configurations
Alternatively, the tor+http:// URL scheme can be used.
apt-transport-tor can also be combined with apt-transport-https if a repository supports it, resulting in the tor+https:// URL scheme. [2]
Note that changing ftp.us.debian.org to http.debian.net selects a mirror close to the Tor exit node in use. Throughput is often surprisingly fast. [3] Also note that all public-facing debian.org FTP services were shut down on November 1, 2017![]()
. [4]
Debian repositories can also be accessed via onion services at http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion. This is the most secure option, since no package metadata ever leaves Tor. [5] [6] [7] This URL scheme also provides protection in the event APT has a critical security vulnerability.
![]()
The following entries should work in the APT sources list:
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie main deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie-updates main deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security trixie/updates main #deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian trixie-backports main
- ↑
https://packages.debian.org/apt-transport-tor

- ↑
https://lwn.net/Articles/672350/

- ↑
https://retout.co.uk/blog/2014/07/21/apt-transport-tor

- ↑ ftp://ftp.debian.org and ftp://security.debian.org
- ↑
https://web.archive.org/web/20190228232722/https://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/
- ↑
https://onion.debian.org

- ↑
https://onion.torproject.org
