Enabling system and template updates over the Tor anonymity network using Whonix

I regret not turning this item on when installing Qubes OS.
Is there any way to enable this now?

qubes-os.org/doc/how-to-install-software-in-dom0/#updating-over-tor

You need to change the default update qube (Dom0 update qube) to sys-whonix (or else).

Apps Menu > Qubes Tools > Qubes Global Settings > qube defaults

Edit:
You also need to modify the qubes.UpdatesProxy policy.
The default configuration is located in the file /etc/qubes/policy.d/90-default.policy

The line you need is already in the file, commented:

# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix.
qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=sys-whonix

Note the warning at the top:

Do not modify this file, create a new policy file with a lower number in the
filename instead. For example 30-user.policy.

Uncommenting is fine; if you need more policies, make a new file.

thank you :grinning:

You also need to make sure that this file (in dom0) /etc/qubes-rpc/policy/qubes.UpdatesProxy contains the following:

$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny

Otherwise, only dom0 will be updated with Tor, not templates.

Indeed, my answer wasn’t complete. I have edited it.

The /etc/qubes-rpc/policy/qubes.UpdatesProxy is the old configuration file.
The salt formula sudo qubesctl state.sls qvm.updates-via-whonix
also uses the old configuration file.

I’m not sure, maybe it works for backwards compatibility? Or it doesn’t?

It seems they started to move things to /etc/qubes/policy.d (Use new policy format · QubesOS/qubes-mgmt-salt-dom0-virtual-machines@81eab07 · GitHub) but it’s for 4.2 only from what I’ve found.

There’s also the same policy present on 4.1 in /etc/qubes/policy.d/90-default.policy but /etc/qubes-rpc/policy/qubes.UpdatesProxy still has priority.

The new policy format works in 4.1 and is recommended for policies already moved.

qubes-os.org/news/2020/06/22/new-qrexec-policy-system/

I was talking about salt, I know it’s already a thing but it was not the default for some part of the qrexec policy system.

yes, I saw that.
And I added a precision that all policies already work with the new format.
With a link with all the explanation …

I confused.

Sorry for the off-topic and confusion.

For the system, you need to change the default update qube (Dom0 update qube) to sys-whonix.
qubes-os.org/doc/how-to-install-software-in-dom0/#updating-over-tor

Apps Menu > Qubes Tools > Qubes Global Settings > qube defaults

For the templates, you also need to update the qubes.UpdatesProxy policy.
To do that, in a dom0 terminal, run the following command:
whonix.org/wiki/Qubes/Install#Updates_over_Tor

sudo qubesctl state.sls qvm.updates-via-whonix

For Whonix itself, you have nothing to do, the policies already exist in:

/etc/qubes/policy.d/90-default.policy

Thank you very much. It’s very simple :smiley:

An easy way to check whether dom0 or a template is using sys-whonix for updates is to shut down all of your qubes, then try to update the qube in question. The system will automatically start all the required networking qubes, and you can see whether sys-whonix is among them.

In addition, you can go into the App Menu under sys-whonix and click on Nyx - Status Monitor for Tor. This will allow you to see real-time traffic data. Once your update is running, you should see some data being downloaded over Tor.
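
A static check to go with the runtime checks above, as an added example that is not part of the original thread or of Qubes OS itself: it parses both policy formats quoted in this thread and reports which update proxy the first active rule for TemplateVMs selects. The function names are hypothetical and the sample policy text, including the sys-net rule, is constructed for illustration.

```python
# Added example: sample policy text below is constructed, not read from a real dom0.
SERVICE = "qubes.UpdatesProxy"

def parse_rule(line, legacy=False):
    """Return (source, destination, action, target) for one rule line, or None."""
    line = line.split("#", 1)[0].strip()          # commented-out rules have no effect
    fields = line.replace(",", " ").split()
    if legacy:
        # Old format: source destination action[,target=...]; keywords start with '$'
        fields = ["@" + f[1:] if f.startswith("$") else f for f in fields]
    else:
        # New format: service argument source destination action [target=...]
        if len(fields) < 5 or fields[0] != SERVICE:
            return None
        fields = fields[2:]
    if len(fields) < 3:
        return None
    params = dict(p.split("=", 1) for p in fields[3:] if "=" in p)
    return fields[0], fields[1], fields[2], params.get("target")

def template_update_target(files, legacy=False):
    """First rule for a TemplateVM source with the default destination.
    Files are read in filename order. Simplification: only the exact tokens
    @type:TemplateVM and @default are matched, not tags, names or wildcards."""
    for name in sorted(files):
        for line in files[name].splitlines():
            rule = parse_rule(line, legacy)
            if rule and rule[:2] == ("@type:TemplateVM", "@default"):
                return name, rule[2], rule[3]
    return None

NEW_DEFAULT = {"90-default.policy": """\
# Upgrade all TemplateVMs through sys-whonix.
#qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=sys-whonix
qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=sys-net
"""}
NEW_WITH_USER = dict(NEW_DEFAULT, **{"30-user.policy":
    "qubes.UpdatesProxy  *  @type:TemplateVM  @default  allow target=sys-whonix\n"})
LEGACY = {"qubes.UpdatesProxy": """\
$type:TemplateVM $default allow,target=sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
"""}

if __name__ == "__main__":
    for label, files, legacy in (("default", NEW_DEFAULT, False),
                                 ("user override", NEW_WITH_USER, False),
                                 ("legacy", LEGACY, True)):
        print(label, template_update_target(files, legacy))
```

To use it on a real system, replace the constructed dictionaries with the contents of the files under /etc/qubes/policy.d and of /etc/qubes-rpc/policy/qubes.UpdatesProxy read in dom0.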