How to use apt with apt_auth.conf on Debian


If you are in the console shell on a Debian 10 or 11, after running the apt update command, you may get these warning:

N: Usage of apt_auth.conf(5) should be preferred over embedding login information directly in the sources.list(5) entry for ''
use APT on Debian

This tutorial will show you how to use Login configuration file for Debian apt sources and proxies. Debian Repositories for users with a valid subscription like Kopano can use the credentials to log in to the repository to gain access that makes able to install packages using apt.

Use apt_auth.conf to Kopano repository

If you have a purchased serial key, it can be used to login to the repository withapt_auth.confor at/etc/apt/auth.conf.d/*.conffiles, this will add the login information to the configuration file for APT sources.

Open in the editor of your choice the file:


and remove your login and password information from it.

Create a new/etc/apt/auth.conf.d/kopano.conffile and place in it:

machine login serial password XXXXXXXXXXXXXXXXXXXXXXXXX

Supplying login information for a user named serial with the password of your subscription serial key using debian apt.

If you want to deploy Kopano Groupware on Debian 11 (bullseye). Create in/etc/apt/sources.list.d/kopano.listfile and add the following to your Debian apt source:

deb ./

  as seen here it place without the serial key into the apt source.

The packages are signed so we need to add the key as well.

$ sudo curl -O https://serial:<SERIALKEY>
$ apt-key add Release.key

  I prefer working with elevated privileges as root (“su -“), many people use sudo, so the commands here shown with sudo, but also on Ubuntu you can become root with the (“sudo su -“), simply choose the method that suits for you.

Up to here with Debian 10 everything works fine, but with Debian 11 a warning displayed::

# sudo apt-key add Release.key
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

It’s a warning, not an error. It doesn’t stop the process. The GPG key is added to your system and you can continue adding the external repository. It doesn’t stop the installation of packages.

The system is now ready to authenticate to the repository able to install packages, simply just now run apt update

Using apt-key deprecation and trusted.gpg

This message requires two steps, apt-key is deprecated, Manage keyring files in trusted.gpg.d. With add the keys of a repository, Debian apt and Ubuntu trusts the packages (signed with that key) coming from the repository. If you don’t add the key of a repository, the system won’t allow installing packages from it. It works by adding the keys to separate files located in the /etc/apt/trusted.gpg.d directory. The apt package manager trusts the keys inside this directory.

It’s the same mechanism it uses for the sources list where external repository sources are listed in their own file under /etc/apt/sources.list.d instead of keeping everything under the /etc/apt/sources.list file. It makes managing the external repos convenient.

And this is how it works, first if the gnupg2 package is not already installed, it can be added as follows:

$ sudo apt install -y gnupg2

After that the repository key can be added as follows:

$ sudo curl -sS | gpg --dearmor > /etc/apt/trusted.gpg.d/KopanoRelease.key

Now check the keys are stored in the keyring with run apt-key list

you’ve done it now, Debian or Ubuntu won’t complain anymore.

Debian APT Login configuration file

The APT/etc/apt/auth.conffile and .conf files inside/etc/apt/auth.conf.dcan be used to store login information in a netrc-like format with restrictive file permissions.

The format defined is similar to the format of the~/.netrcfile used by ftp and similar programs interacting with servers.

machine hostname[:port][/path]

Note that apt does not support Digest access authentication, it only does Basic access authentication. As having protocol specified is not wrong (at least not in bullseye) and actually needed if the protocol is not https, so as it doesn’t leak auth info over unencrypted channels.

The authentication to several different repositories can be used flexibly and are suitable for automated processing, here is another example:

machine login USER password PASSWD
machine login USER password PASSWD
machine login USER password PASSWD

  Login information in auth.conf and auth.conf.d are more flexible than those in sources.list. For example, login information can be specified for parts of a repository only, or if the sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *