- The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
- Adding additional repositories or tools for installing software extends your trust to those tool providers.
- Please keep in mind that using such a template for security and privacy critical tasks is not recommended.
- Kali Linux distribution is a rolling distribution based on Debian testing release, so it will always have a newer software base than available in the Qubes OS Debian template. Keep in mind that this may result in problems (especially in regard to package dependencies) not covered by this tutorial.
Only use this method if you want the full Kali GUI (desktop, fancy menus, etc.). It comes at the cost of much greater resources consumption.
$ qvm-start <hvm-name> --cdrom <vm-name>:/home/user/Downloads/<iso-name>.iso
This is the recommended method. Easier to maintain and less demanding on resources, but you won’t have the full Kali GUI.
The steps can be summarized as:
- Install Qubes stable Debian template
- Upgrade from Debian
testingfor Qubes repositories
- Replace the content of
/etc/apt/sources.listfile with the Kali repository
- Update the template
CAUTION: Before proceeding, please carefully read On Digital Signatures and Key Verification. This website cannot guarantee that any PGP key you download from the Internet is authentic. In order to obtain a trusted fingerprint, check its value against multiple sources. Then, check the keys you download against your trusted fingerprint.
This step is required since by (security) default TemplateVM do not have a direct Internet connectivity. Users understanding the risks of enabling such access can change this configuration in firewall settings for the TemplateVM.
- Retrieve the Kali Linux PGP key using a DisposableVM.
$ gpg --keyserver hkps://keys.openpgp.org --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 $ gpg --list-keys --with-fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 $ gpg --export --armor 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 > kali-key.asc
DO NOT TURN OFF the DisposableVM, the
kali-key.ascfile will be copied in the Kali Linux template for a further step.
Make sure the key is the authentic Kali key. See the Kali website for further advice and instructions on verification.
These instructions will show you how to upgrade a Debian TemplateVM to Kali Linux.
- (Optional) Check for latest Debian stable template and install it (if not already done)
# qubes-dom0-update --action="search all" qubes-template-debian # qubes-dom0-update <latest Debian template>
$ qvm-clone debian-<X> kali-rolling
- Check the name of currently used repository in
/etc/apt/sources.list.d/qubes-r<X>.listand current testing Debian release. Update repository list accordingly
# sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list.d/qubes-r<X>.list
e.g. in this example we update
bullseye stable repository to
bookworm testing repository
# sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/qubes-r<X>.list
- Enable the QubesOS
/etc/apt/sources.list.d/qubes-r<X>.list, enable the
securitytesting repository. We do that to reduce the ‘dependency hell’ between Qubes repository and Kali repository.
- Copy the Kali PGP key from the DisposableVM to the new template:
$ qvm-copy kali-key.asc
The DisposableVM can now be turned off.
- Add the Kali PGP key to the list of keys trusted to authenticate packages:
# cd /home/user/QubesIncoming/dispXXX && gpg --dearmor kali-key.asc # cp kali-key.asc.gpg /etc/apt/trusted.gpg.d/kali-key.gpg
- Replace Debian repositories with Kali repository
# echo 'deb https://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list
- Replace conflicted packages to work around dependency issues
# apt-get remove <existing_package> && apt-get install <required_package>
e.g. in this example we replace
# apt-get remove libgcc-8-dev && apt-get install libc6-dev
Note: This kind of dependency issue will pop up and disappear without notice. Such issues arise because of the differences of dependencies in packages from the Kali repository, the Qubes testing repository and the Debian testing repository. So this step [step 8] is currently needed. But it will not always be the case.
- Update the template
Note: During execution of the update, carefully read list of packages to be removed. If it contains
qubes-vm-dependencies package, terminate operation and try to resolve missing dependencies first. For other
qubes-* packages, it is up to you to decide if you need them.
- Ensure a terminal can be opened in the new template.
$ qvm-run -a kali-rolling gnome-terminal
At this point you should have a working template and you can install the tools you need. You can find a list of Kali Linux
Metapackages here Keep in mind that the tools you will install can easily take more than 10 GB, so you will need to grow the size of the VM system storage.
kali-defaults package (which is included in many Kali metapackages including
kali-linux-core) causes Kali PulseAudio configurations files to be installed that interfere with what Qubes provides. This breaks audio and microphone throughput for that qube.
To fix this, simply do one of the following in the Kali Linux TemplateVM:
- Remove the configuration files by running the following command:
# rm /usr/lib/systemd/user/pulseaudio.service.d/kali_pulseaudio.conf /usr/lib/systemd/user/pulseaudio.socket.d/kali_pulseaudio.socket.conf
- Assess the function and contents of the package to see if you need it:
- See description:
apt show kali-defaults
- See installed files:
dpkg -L kali-defaults
- See description:
- If you determine that the package is unnecessary, then uninstall it
sudo apt remove kali-defaults
Finally, for both of these options, the Kali Linux qube will have to be restarted for these changes to take effect.
- PenTester Framework, with PTF Qubes OS guide
- BlackArch Linux, with BA Qubes OS guide
- more on the Penetration Testing page
Thanks to the people in the discussion thread.