{{Header}} {{hide_all_banners}} {{Title|
title=Install {{project_name_long}} inside Debian
}}
{{#seo:
|description={{project_name_short}} can be installed on top of an existing Debian installation.
|image=Download-debian.jpg
}}
[[File:Download-debian.jpg|thumb]]
{{intro|
An existing Debian version <code>{{Stable project version based on Debian version short}}</code> (codename: <code>{{Stable project version based on Debian codename}}</code>) installation can be converted into [[About|{{project_name_short}}]] by installing a {{project_name_short}} deb package. This procedure is also called [[Distribution_Morphing|distro-morphing]].
}}
= Introduction =
There are different options to install {{project_name_short}}. Two options. Choose one.

* '''A)''' (Easier) '''Download:''' Use the [[ISO]] or a different installation option from the [[Download]] page. In that case, you can stop reading this wiki page.; <u>or</u>
* '''B)''' (Advanced) '''Distribution morphing method:''' See below.

= Distribution Morphing Introduction =
To increase the chances of success, it is best to start with a minimal Debian <u>installation</u> either,

* '''A)''' Debian {{gui}} (<u>Xfce</u>); <u>or</u>
* '''B)''' Debian {{cli}}

and then install a {{project_name_short}} meta package as documented below.

It is easiest to set the Linux user account name to <code>user</code> during the installation of Debian <code>{{Stable project version based on Debian codename}}</code>.

<u>Debian Live sessions:</u> Distribution morphing a Debian Live ISO is unnecessary and [[unsupported]]. Use Kicksecure [[ISO]] instead. <ref>
Debian Live ISO (live session) is unnecessary and [[unsupported]]. Reasons:

* All changes will be lost on reboot.
* We already offer a live Kicksecure [[ISO]].
* None of the [[security-misc]] kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
* permission-hardener doesn't expect anything under /usr to be read-only.

Use Kicksecure [[ISO]] instead.
</ref>

= Warnings =

* '''SSH configuration:''' In Kicksecure 18 and higher, SSH client and server configuration will be hardened when morphing Debian to Kicksecure. Among other things, this will prevent the use of insecure cryptography and login methods. If morphing a system that is running an SSH server, the system may no longer be accessible over SSH after morphing due to the modified configuration. Arrange for some other means of accessing the machine for reconfiguration if this is a problem.

= Distribution Morphing versus ISO - Differences =
There are some specifics about distro-morphing which the user should be aware.

* '''No creation of usable accounts for the user:''' Neither Linux user account <code>user</code> nor <code>sysmaint</code> will be created. <ref>
{{Github_link|repo=dist-base-files|path=/blob/master/debian/dist-base-files.postinst}}
</ref> The user can continue to use their already existing user account(s).
* '''No default user-sysmaint-split:''' Is not installed by default but can later be installed by the user according to [[sysmaint|<code>user-sysmaint-split</code> documentation]].
* '''No password changes:''' No passwords for any already existing user accounts will be modified. The user can continue to use their already existing passwords. This means passwords for [[Full Disk Encryption]] (pre-boot authentication), <code>sudo</code>, <code>su</code>, [[Login]], etc. will remain the same.
* '''No root account locking:''' The password of the root account will not be locked. The user can manually [[Root#Disable_Root_Account|Disable Root Account]] for better security.
* '''No user account settings changes:''' Any user account settings will remain unchanged.
* '''No user account shell changes:''' The user's default [[shell]] will remain the same.
* '''Autologin:''' {{project_name_short}} package <code>usability-misc</code> will set up auto-login for account <code>user</code> for LightDM, {{project_name_short}}'s default login manager at time of writing. Auto login can be disabled by the user by following the documentation for [[Desktop#Disable_Autologin|Disable Autologin]]
* '''Swap / mount / fstab related:''' Swap partition / swap files, mounts, <code>/etc/fstab</code> set up by Debian installer or the user are <u>not</u> disabled or modified during distribution morphing. This might be a concern for users interested in non-persistent [[Live Mode|live mode]].
* '''Live Mode Information:''' Live mode indicator systray, a tool in systray that graphically shows if booted into live mode or [[Persistent Mode|persistent mode]] - at time of writing - is for Xfce only. (Will support all major desktop environments at a later time.)
* '''Desktop environment related:''' For GNOME, KDE, LXQt, LXDE and any desktop environment other than the current desktop environment Kicksecure is based on, which is Xfce at time of writing), see [[Other_Desktop_Environments|Other Desktop Environments]].

= Prerequisites =

{{Prerequisites}}

= Installation =
== Add the {{project_name_short}} Repository ==
{{Project-APT-Repository-Add}}

== Install the {{project_name_short}} Package ==

'''1.''' Pick a {{project_name_short}} package.

{{Tab
|type=controller
|content=
{{Tab
|title= ===GUI version===
|type=section
|image=
|addToClass=info-box
|active=true
|content=

Installs the Xfce graphical desktop environment and default applications. This is useful if Debian was installed without a graphical desktop environment and the {{project_name_short}} graphical desktop environment (Xfce) is desired.

{{Tab
|type=controller
|content=
{{Tab
|title= ====For host operating systems====
|type=section
|addToClass=info-box
|active=true
|content=

{{Install Package|package=
kicksecure-xfce-host
}}

}} <!-- close tab: For host operating systems -->

{{Tab
|title= ====For Qubes users====
|addToClass=info-box
|content=

{{Install Package|package=
kicksecure-qubes-gui
}}

}} <!-- For Qubes users -->

{{Tab
|title= ====For any other VMs (not Qubes)====
|addToClass=info-box
|content=

{{Install Package|package=
kicksecure-xfce-vm
}}

}} <!-- For any other VMs (not Qubes) -->

}} <!-- For GUI packages -->

}} <!-- close tab GUI version/section -->

{{Tab
|title= ===CLI version===
|image=
|addToClass=info-box
|content=

Command line interface (CLI) version only. This does not modify the graphical desktop environment. This package provides better kernel hardening, improved entropy, and [[About#Hardening_by_Default|other security features]].

{{Tab
|type=controller
|content=
{{Tab
|title= ====For host operating systems====
|type=section
|addToClass=info-box
|active=true
|content=

{{Install Package|package=
kicksecure-cli-host
}}

}} <!-- For host operating systems-CLI -->

{{Tab
|title= ====For Qubes users====
|content=

{{Install Package|package=
kicksecure-qubes-cli
}}

}} <!-- close tab: For Qubes users-CLI -->

{{Tab
|title= ====For any other VMs (not Qubes)====
|content=

{{Install Package|package=
kicksecure-cli-vm
}}

}} <!-- close tab: For any other VMs (not Qubes)-CLI -->

}} <!-- close tab controller: CLI partitions -->

}} <!-- close tab: CLI version entire -->

}} <!-- close tab controller: All -->

'''2.''' Troubleshooting. (Optional.)

Only in case of issues, see footnote. <ref>
If apt returns an error about console-common when trying to install the Kicksecure package, install console-common first:

<code>sudo apt install console-common</code>

Then try installing the Kicksecure package again. Meta package installation has been completed. Please proceed with the post-installation steps below.
</ref> Otherwise proceed to next step.

'''3.''' Next.

== Post-Installation ==

{{Box|text=
'''1.''' Enable the <code>/etc/apt/sources.list.d/derivative.list</code> {{project_name_short}} APT repository.

Can be done using the [[Project-APT-Repository|{{project_name_short}} repository tool]].

Two options. Choose one. Either using,

* '''A)''' <u>CLI:</u> {{CodeSelect|inline=true|code=
sudo repository-dist --enable --repository stable
}}, <u>or</u>
* '''B)''' <u>GUI:</u> <code>Start Menu</code> &rarr; <code>System</code> &rarr; <code>Derivative Repository</code> &rarr; <code>choose either "stable", "stable-proposed-updates" , "Testers" or "Developers" repository</code>

See the tool's wiki page for more detailed documentation if needed.

'''2.''' Disable the extrepo <code>{{project_name_short_lowercase}}</code> APT repository.

Only needed in case the user has chosen the extrepo signing key adding method above.

This is to avoid a duplicate {{project_name_short}} repository.

{{CodeSelect|lang=bash|code=
sudo extrepo disable {{project_name_short_lowercase}}
}}

'''3.''' Check APT sources.

Check if some APT sources in <code>/etc/apt/sources.list</code> should be kept.

Move the original <code>/etc/apt/sources.list</code> file out of the way (or delete it) because it is replaced by {{project_name_short}}'s <code>/etc/apt/sources.list.d/debian.list</code>.

{{CodeSelect|lang=bash|code=
sudo mv /etc/apt/sources.list ~/
}}

'''4.''' Create an empty <code>/etc/apt/sources.list</code> file.

{{CodeSelect|lang=bash|code=
sudo touch /etc/apt/sources.list
}}

'''5.''' ''Optional:'' Set the onionized Debian repositories.

If onion repository sources are preferred, follow these {{whonix_wiki
|wikipage=Onionizing_Repositories#Onionize_debian.list
|text=Debian onion repositories instructions.
}}.

'''6.''' Done.

The {{project_name_short}} installation is complete.
}}

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]