APT (Advanced Package Tool) is a free software user interface that works with core libraries to handle the installation and removal of software on Linux/UNIX distributions. It already includes mechanisms for guaranteeing the authenticity of the packages you download. However, an adversary sniffing your network traffic can still see what software you are installing. This is where Tor comes in.
For security reasons, APT blocks clearnet connections to .onion domains by default. This is because APT developers want to protect users from accidentally trying to use .onion repositories without using Tor. Otherwise, a rogue / malicious DNS server could redirect users to a false domain and trick them into thinking they are using Tor when they are really not.
**apt-transport-tor** is a package that provides support in APT for downloading packages anonymously via Tor. It's primarily used to allow operating systems to torify the traffic of individual repositories. It is available in Debian, Ubuntu and their derivatives.
Installation and Usage
Install **apt-transport-tor** and edit your sources.list to include only tor:// URLs. This will make it very difficult for anyone intercepting your network traffic to be able to tell which packages you are installing, or even that you are installing packages at all.
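A quick way to confirm that no entry was missed when converting the sources, shown as an added example that is not part of the original page or of apt-transport-tor: the hypothetical function `non_tor_uris` prints every repository URI that lacks a tor prefix. It also accepts the `tor+http://` and `tor+https://` forms handled by apt-transport-tor; the hostnames and sample files are constructed.

```shell
#!/bin/sh
# Added example: list APT repository URIs that would not go through Tor.

# Print "file: uri" for every URI that lacks a tor:// or tor+<scheme>:// prefix.
# Handles one-line entries (deb [options] URI suite ...) and single-line
# "URIs:" fields in deb822 .sources files; continuation lines are not parsed.
non_tor_uris() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {                       # skip the [ options ] group
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i <= NF && $i !~ /^tor(\+[a-z+]+)?:\/\//)
                print FILENAME ": " $i
            next
        }
        tolower($1) == "uris:" {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^tor(\+[a-z+]+)?:\/\//)
                    print FILENAME ": " $i
        }
    ' "$@"
}

# Constructed sample input (placeholder hostnames, not real mirrors).
demo=$(mktemp -d)
cat > "$demo/sources.list" <<'EOF'
# torified entry
deb tor://mirror.example.org/debian stable main
deb [arch=amd64] http://security.example.org/debian-security stable-security main
EOF
cat > "$demo/extra.sources" <<'EOF'
Types: deb
URIs: tor+https://mirror.example.org/debian https://other.example.org/debian
Suites: stable
Components: main
EOF

# Reports the http:// entry and the https:// entry; the tor entries pass.
non_tor_uris "$demo/sources.list" "$demo/extra.sources"
rm -rf "$demo"
```

On a real system, point the function at /etc/apt/sources.list and the files under /etc/apt/sources.list.d/; empty output means every listed repository uses a tor transport.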
=== Warnings ===
**Please note that this approach is only as secure as Tor itself** - this software cannot protect you from an attacker who has access to your local machine. While it does prevent an attacker who is sniffing your network connection from being able to tell that you are fetching packages to begin with, it does not necessarily defend you from:
- a global passive adversary (who could potentially correlate the exit node's traffic with your local Tor traffic)
- an attacker looking at the size of your downloads, and making an educated guess about the contents
- an attacker who has broken into your system
Older Instructions / Warnings
Below are older instructions for Torifying APT. Please note that they may be deprecated, and some caution should be used when following them.
Warning: These methods will only work for APT. Graphical front-ends such as Apper in KDE, Software Center or Gnome will most likely not be torified just by torifying APT.
Add the following line to
Warning: This will only work for HTTP because Privoxy does not support FTP.
Please note it is important to ensure the proxy_dns flag is enabled in your /etc/proxychains.conf file, though it should be by default.