diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md index 85974a4d..2cc44666 100644 --- a/common-tasks/software-update-dom0.md +++ b/common-tasks/software-update-dom0.md @@ -151,3 +151,5 @@ Requires installed [Whonix](/doc/privacy/whonix/). Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix. Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix + +If the UpdateVM is set to sys-whonix then checks for updates to dom0 will also use sys-whonix, and will therefore be torified. diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md index 06f49226..0e6dd452 100644 --- a/common-tasks/software-update-vm.md +++ b/common-tasks/software-update-vm.md 
@@ -48,6 +48,34 @@ In order to permanently install new software, you should: You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You can restart others whenever this will be convenient to you. +### Updating over Tor ### + +Requires installed [Whonix](/doc/privacy/whonix/). + +If you set the UpdateVM to a Whonix-Gateway proxyVM (e.g sys-whonix) or an updateVM that is downstream from a Whonix-Gateway, then template updates will run over Tor. + +In 3.2 you can set this in Qubes Manager: + +Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix. + + Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix + +In 4.0 use the 'qubes-global-settings' tool in dom0 + +N.B Update checking occurs from running qubes, not from templates. +This means that if you have a qube that is NOT attached to a Whonix-Gateway, then the check for updates will run over clearnet. +This runs the risk of leaking information about the packages that you have installed in templates. +You can guard against this by turning off automatic update checking: + +In 3.2 you can do this globally from Qubes Manager, or on qube-by-qube basis using qvm-service to disable the qubes-update-check service. + + qvm-service --disable qubes-update-check + +In 4.0 you can do this globally using qubes-global-settings, or on qube-by-qube basis using qvm-service to disable the qubes-update-check.timer service. + + qvm-service --disable qubes-update-check.timer + + Testing repositories --------------------
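Review bot: In the software-update-dom0.md hunk, the added sentence hardcodes sys-whonix, although the context lines just above it present sys-whonix only as an example of "your desired Whonix-Gateway ProxyVM". Suggest wording it for whichever gateway is chosen, for instance "If the UpdateVM is set to a Whonix-Gateway (e.g. sys-whonix), then checks for updates to dom0 will also go through it, and will therefore be torified." It would also help to state what "also" is in addition to, since the visible context does not say which other traffic already uses the UpdateVM.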
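Review bot: In the software-update-vm.md hunk, both qvm-service examples ("qvm-service --disable qubes-update-check" and "qvm-service --disable qubes-update-check.timer") are introduced as the qube-by-qube method but name no qube, so the reader cannot tell which qube the command acts on. Suggest adding a placeholder for the qube name to each command, in the position the tool expects it. Separately, the opening paragraph says that setting the UpdateVM makes template updates run over Tor, while the sentence added to software-update-dom0.md in this same patch describes the UpdateVM as what dom0 update checks use; please confirm the template claim or say which setting actually routes template traffic. Smaller points: the "In 4.0 use the 'qubes-global-settings' tool in dom0" line does not name the setting to change, unlike the 3.2 paragraph; "e.g" and "N.B" are missing their final periods; and "proxyVM"/"ProxyVM" and "updateVM"/"UpdateVM" should be capitalized consistently.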