Page MenuHomePhabricator
Create Task
Maniphest T909

installing Whonix-Host without installer (calamares)
Open, NormalPublic
Actions

Description

Do we want to support the use case of writing Whonix-Host images to disks with no use of any installer (calamares) required?

  • to internal disk: do we want to support this initially?
  • to USB disk: easier, since users can use their existing operating system to do that. Host operating specific.

This is related to resize disk image at first boot of Whonix Host (T907) and encrypt Whonix-Host disk after first boot (T906). I.e. after writing a Whonix disk image to (USB) disk it would:

  • boot
  • no run of installer required
  • use maximum available disk size (T907)
  • ready to use out of the box
  • encrypt disk (T906)

see also on

  • live iso
  • live USB
  • BIOS
  • UEFI
  • BIOS + UEFI

https://willhaley.com/blog/custom-debian-live-environment/

Related:
instructions how to burn Whonix-Host ISO image to DVD or USB (T969)

Details

Impact
High

Related Objects
Search...

Event Timeline

Patrick triaged this task as Normal priority.Apr 23 2019, 12:38 PM
Patrick created this task.
Herald added a project: Whonix. · View Herald TranscriptApr 23 2019, 12:38 PM
Herald added a subscriber: entr0py. · View Herald Transcript
Patrick updated the task description. (Show Details)Apr 23 2019, 1:45 PM
Patrick updated the task description. (Show Details)Mar 12 2020, 8:39 AM
Patrick updated the task description. (Show Details)
Patrick added subscribers: Onion_Knight, onion_knight2.
onion_knight2 added a comment.Mar 12 2020, 9:13 AM

No disk encryption?

Patrick added a comment.EditedMar 12 2020, 1:45 PM
In T909#19506, @onion_knight2 wrote:

No disk encryption?

Good point I hadn't considered yet for this installation method.

Creating an encrypted base image containing Debian is hard. There's no tool yet that can do that I am aware of. Possible in theory, though

grml-debootstrap feature request: encrypted VM images support

If that was possible then cryptsetup-reencrypt could be used to add full disk encryption after first boot.

Since disk encryption is probably not feasible, we probably don't want to go for installing Whonix-Host without installer (calamares)?

I'll split this ticket.

  • 1 easier ticket about instructions how to get the iso on USB or DVD -> T969,
  • and a separate one for installing Whonix-Host without installer (calamares) (this very ticket)
Patrick renamed this task from instructions how to copy Whonix Host image to disk to installing Whonix-Host without installer (calamares).Mar 12 2020, 1:46 PM
Patrick updated the task description. (Show Details)
Patrick mentioned this in T969: instructions how to burn Whonix-Host ISO image to DVD or USB.Mar 12 2020, 1:51 PM
Patrick updated the task description. (Show Details)
onion_knight2 added a comment.Mar 12 2020, 10:26 PM

It is possible to automatize grml-debootstrap with full-disk encryption. Nothing too hard. I could hack together a semi-working bash script after a couple of hours of online documentation.

Even easier to automatically create an encrypted partition and rsync Whonix-Host into it, and then modify some paramaters inside the encrypted partition to make it bootable.

But then, why even bother? Calamares does it just as well, and is much more powerful, elegant and modular.

Patrick added a comment.Mar 13 2020, 6:49 AM
In T909#19527, @onion_knight2 wrote:

It is possible to automatize grml-debootstrap with full-disk encryption. Nothing too hard. I could hack together a semi-working bash script after a couple of hours of online documentation.

That would be super cool!

Even easier to automatically create an encrypted partition and rsync Whonix-Host into it, and then modify some paramaters inside the encrypted partition to make it bootable.

This is very host operating system specific. Writing an iso to a device is an easier process since much more popular.

But then, why even bother? Calamares does it just as well, and is much more powerful, elegant and modular.

Great question! Could be useful for:

  • An easy, fast was to get a fully persistent installation of Whonix-Host on USB (or any external disk).
    • Otherwise one would have to burn Whonix-Host to DVD, boot DVD, install to USB.
    • Or in absence of an DVD drive, write the ISO to an Whonix-Host installer USB device, boot that Whonix-Host installer USB device, and then install to yet another USB device.
  • Unattended installation. Fully automated, no user input required, no graphical user interface requested for installation.
  • Server support.
    • Think future Kicksecure installations perhaps useful for Tor relays and public web servers.
    • Didn't think about Whonix-Host installation on dedicated servers yet. Maybe that could then happen too.
  • Vendors could sell pre-installed (persistent) Whonix-Host USB devices with zero installer/setup by user needed.
    • Just write the iso to USB and done.
  • Selling hardware with Whonix-Host pre-installed would also be easier since the process of installing the Whonix-Host image would be super simple.

(Calamares) installer seems more useful to completely replace the installed operating system and install Whonix-Host on internal disk.

Patrick updated the task description. (Show Details)Mar 17 2020, 5:07 PM
Patrick mentioned this in T906: encrypt Whonix-Host disk after first boot of Whonix-Host.
Patrick updated the task description. (Show Details)
Patrick added a subtask: T906: encrypt Whonix-Host disk after first boot of Whonix-Host.Mar 17 2020, 5:09 PM
Patrick added a subtask: T907: resize Whonix-Host disk at first boot of Whonix-Host.
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer