A fresh Debian install ships with only the main component enabled, so your first attempt to install an NVIDIA driver, Intel WiFi firmware, or CPU microcode update will fail silently. Those packages live in Debian’s contrib, non-free, and (since Debian 12) non-free-firmware archive components, which are hosted on the same official mirrors but disabled by default.
To enable contrib and non-free repositories on Debian, you add these components to APT’s source configuration. This guide covers two methods using the modern DEB822 sources format on Debian 13, 12, and 11: manual editing with nano and a single-command tee approach. Both produce the same result, and you can switch between them freely.
Understanding Debian Contrib and Non-Free Archive Components
Debian splits its archive into four components based on licensing. On Debian 13 (Trixie), the total amd64 binary package counts give a sense of scale: main holds roughly 68,700 packages, contrib about 300, non-free around 740, and non-free-firmware about 44.
| Component | Description | Typical Contents |
|---|---|---|
| main | Free software (DFSG-compliant) with no dependencies on non-free packages. This is the official Debian distribution. | Core applications, utilities, and development tools that meet the Debian Free Software Guidelines |
| contrib | Free software that depends on packages in contrib or non-free to build or run. DFSG-compliant source code but requires non-free dependencies. | Free wrappers for proprietary software, packages needing external non-free libraries (e.g., VirtualBox on Debian) |
| non-free | Software that does not meet the DFSG. Source code may be unavailable or redistribution restricted. | Proprietary drivers and utilities (NVIDIA drivers, unrar on Debian), closed-source applications with restrictive licenses |
| non-free-firmware | Device firmware required for hardware initialization. Separate component since Debian 12 for easier management and installer inclusion. | WiFi drivers, GPU firmware, CPU microcode updates, network card firmware |
On Debian 12 (Bookworm) and Debian 13 (Trixie), all four components are available. However, Debian 11 (Bullseye) and older releases have only main, contrib, and non-free. After the 2022 General Resolution on non-free firmware, Debian introduced the non-free-firmware component to allow firmware on official installation media. This separation isolates firmware packages from other proprietary software and is now included by default in Debian 12+ installers to simplify hardware support.
Prerequisites for Enabling Debian Non-Free Repos
Supported Debian Versions
| Release | Codename | Component Set | Backports |
|---|---|---|---|
| Debian 13 | Trixie (stable) | main, contrib, non-free, non-free-firmware | Available |
| Debian 12 | Bookworm (oldstable) | main, contrib, non-free, non-free-firmware | Available |
| Debian 11 | Bullseye (oldoldstable, LTS until Aug 2026) | main, contrib, non-free (no non-free-firmware) | Discontinued |
Debian 11 users: Bullseye LTS security support continues until August 2026, but backports are discontinued and the
non-free-firmwarecomponent does not exist on this release. Consider upgrading from Debian 11 to Debian 12 for full repository access and continued support.
Additional Requirements
- Active internet connection for downloading repository metadata and packages
- Terminal access (search for “Terminal” in Activities on GNOME, or use your desktop environment’s terminal application)
- Text editor such as
nano,vi, orvimfor manual configuration (Method 1)
Update Your System
Before modifying your sources configuration, refresh the existing package index to ensure APT metadata is current:
sudo apt updateIf you are new to using
sudo, see how to add a user to sudoers on Debian.
Identify Your Current Debian Configuration
First, check which Debian version you are running:
grep VERSION_CODENAME /etc/os-releaseThe output shows your release codename, for example VERSION_CODENAME=trixie for Debian 13, bookworm for Debian 12, or bullseye for Debian 11.
Next, check whether your system already uses a DEB822 .sources file or the legacy sources.list format:
ls /etc/apt/sources.list.d/debian.sources 2>/dev/null && echo "DEB822 format" || echo "Legacy format or no debian.sources file"Some Debian 12 and 13 desktop or live installers create
/etc/apt/sources.list.d/debian.sourcesautomatically, while netinstall and cloud images use the legacy/etc/apt/sources.listfile. Debian 11 always uses the legacy format. Both methods below create or replace the DEB822 format file, which works on all three versions regardless of the original installer.
Which Method to Enable Contrib and Non-Free on Debian
Choose the method that best fits your workflow. Both produce the same DEB822 configuration result:
| Method | Approach | Best For |
|---|---|---|
| Method 1: Manual (nano) | Open the file in a text editor, paste or modify the configuration | Users who want to review and understand each line, or customize individual fields |
| Method 2: Automatic (tee) | Single command writes the complete configuration file | Quick setup, scripted deployments, or users comfortable with command-line tools |
Method 1: Enable Debian Non-Free Repos with nano (Manual)
This method walks through opening the DEB822 sources file in a text editor, reviewing the current content, and pasting the correct configuration for your Debian release.
Step 1: Open the DEB822 Sources File
Open the Debian sources file in nano. If the file already exists, you will see the current configuration. If it does not exist yet, nano creates a new empty file:
sudo nano /etc/apt/sources.list.d/debian.sourcesStep 2: Replace the Configuration
Delete any existing content in the file and paste the configuration block that matches your Debian release. Each block uses the DEB822 format with these key fields:
Types: debspecifies binary packages (adddeb-srcto also include source packages)URIs:defines the repository server addressSuites:lists the release codenames and update channelsComponents:specifies which archive areas to enable (main, contrib, non-free, non-free-firmware)Signed-By:points to the GPG keyring that verifies package signatures
Copy the entire block for your version below, then paste it into nano. To paste in most terminals, use Ctrl+Shift+V or right-click and select Paste.
Trixie (Debian 13):
Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpgBookworm (Debian 12):
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpgBullseye (Debian 11):
Types: deb
URIs: https://deb.debian.org/debian
Suites: bullseye bullseye-updates
Components: main contrib non-free
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bullseye-security
Components: main contrib non-free
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpgDebian 11 (Bullseye) does not have the
non-free-firmwarecomponent or active backports. Do not add either to your Bullseye configuration. On Debian 11, firmware packages such asfirmware-iwlwifiremain in thenon-freecomponent.
Step 3: Save and Exit nano
After pasting the configuration, save the file by pressing Ctrl+O, then press Enter to confirm the filename. Exit nano by pressing Ctrl+X.
Step 4: Disable Legacy Sources (If Applicable)
If your system has an existing /etc/apt/sources.list with Debian repository entries, comment them out to prevent duplicate repository warnings. Open the file:
sudo nano /etc/apt/sources.listAdd a # at the beginning of each line containing deb.debian.org or security.debian.org. Leave any third-party repository lines (Docker, Google, VS Code, etc.) unchanged. Save and exit.
Step 5: Update the Package Index
Refresh your repository metadata so APT recognizes the newly enabled components:
sudo apt updateExpected output on Debian 13 (Trixie) shows the new contrib, non-free, and non-free-firmware components being fetched:
Hit:1 https://deb.debian.org/debian trixie InRelease Hit:2 https://deb.debian.org/debian trixie-updates InRelease Get:3 https://security.debian.org/debian-security trixie-security InRelease [43.4 kB] Get:4 https://deb.debian.org/debian trixie-backports InRelease [54.0 kB] Get:5 https://deb.debian.org/debian trixie/non-free amd64 Packages [100 kB] Get:6 https://deb.debian.org/debian trixie/non-free-firmware amd64 Packages [6888 B] Get:7 https://deb.debian.org/debian trixie/contrib amd64 Packages [53.8 kB] Fetched 497 kB in 0s (6860 kB/s) Reading package lists...
Your output will show your Debian codename and may include different package counts. Debian 11 output will not include
non-free-firmwareor backports lines.
Now skip ahead to the Verify Debian Non-Free Repos Are Enabled section to confirm everything works correctly.
Method 2: Enable Debian Non-Free Repos with tee (Automatic)
This method uses a single command to write the complete DEB822 configuration file. It is faster than manual editing and works well for scripted deployments or quick setup.
Step 1: Back Up Your Current Sources Configuration
Before overwriting the sources file, create a backup in case you need to revert:
sudo cp /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian.sources.bak 2>/dev/null; sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/nullStep 2: Write the DEB822 Sources File
Run the command that matches your Debian release. Each command writes the complete DEB822 configuration in a single step.
Trixie (Debian 13):
sudo tee /etc/apt/sources.list.d/debian.sources <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOFBookworm (Debian 12):
sudo tee /etc/apt/sources.list.d/debian.sources <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm-backports
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOFBullseye (Debian 11):
sudo tee /etc/apt/sources.list.d/debian.sources <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: bullseye bullseye-updates
Components: main contrib non-free
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bullseye-security
Components: main contrib non-free
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOFDebian 11 (Bullseye) does not have the
non-free-firmwarecomponent or active backports. The Bullseye command above omits both. Firmware packages remain available in thenon-freecomponent on this release.
Step 3: Disable Legacy Sources (If Applicable)
If /etc/apt/sources.list contains active Debian repository lines, comment them out with sed to avoid duplicate repository warnings:
sudo sed -i 's/^deb /#deb /' /etc/apt/sources.list 2>/dev/nullThis command comments out all active
deblines insources.list. If you have third-party repositories defined in that file (uncommon on modern Debian), move those entries to a separate file in/etc/apt/sources.list.d/before running this command.
Step 4: Update the Package Index
Refresh APT metadata to apply the new configuration:
sudo apt updateExpected output confirms the new components are being fetched. Look for lines containing contrib, non-free, and non-free-firmware in the output.
Verify Debian Non-Free Repos Are Enabled
After applying either method, confirm that the components were added correctly and packages from the new repositories are visible.
Check Your Configuration File
Verify that the Components lines include contrib and non-free:
grep -E "Components:.*(contrib|non-free)" /etc/apt/sources.list.d/debian.sourcesExpected output for Debian 12 or 13:
Components: main contrib non-free non-free-firmware Components: main contrib non-free non-free-firmware Components: main contrib non-free non-free-firmware
On Debian 11, output shows
Components: main contrib non-freewithoutnon-free-firmware, and only two lines (no backports block).
Test Non-Free Package Availability
Search for NVIDIA drivers to confirm non-free packages are visible:
apt search nvidia-driver 2>/dev/null | head -10Expected output on Debian 13:
Sorting... Full Text Search... nvidia-driver/stable 550.163.01-2 amd64 NVIDIA metapackage nvidia-driver-bin/stable 550.163.01-2 amd64 NVIDIA driver support binaries
Debian 12 labels results as
oldstablewith version 535.x, and Debian 11 labels them asoldoldstablewith version 470.x. Version numbers vary by release.
On Debian 12 and 13, also confirm non-free-firmware by checking a firmware package such as Intel WiFi:
apt-cache policy firmware-iwlwifiExpected output on Debian 13:
firmware-iwlwifi:
Installed: (none)
Candidate: 20250410-2
Version table:
20250410-2 500
500 https://deb.debian.org/debian trixie/non-free-firmware amd64 Packages
On Debian 11, the same package appears under non-free instead of non-free-firmware:
firmware-iwlwifi:
Installed: (none)
Candidate: 20210315-3
Version table:
20210315-3 500
500 https://deb.debian.org/debian bullseye/non-free amd64 Packages
Troubleshoot Debian Non-Free Repository Issues
If you encounter errors during configuration, use the checks below to diagnose and fix common problems.
APT Reports Duplicate Repository Entries
Duplicate warnings appear when both /etc/apt/sources.list and debian.sources define the same Debian repositories:
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list.d/debian.sources:1
Check which files contain Debian repository entries:
grep -rn "deb.debian.org\|security.debian.org" /etc/apt/sources.list /etc/apt/sources.list.d/ 2>/dev/nullComment out the duplicate Debian lines in the legacy file, keeping any third-party repositories untouched:
sudo nano /etc/apt/sources.listVerify the warning is gone:
sudo apt updateDebian 11 Reports Missing non-free-firmware Component
This warning appears when Debian 11 is configured with the non-free-firmware component, which does not exist on Bullseye:
W: Skipping acquire of configured file 'non-free-firmware/binary-amd64/Packages' as repository 'https://deb.debian.org/debian bullseye InRelease' doesn't have the component 'non-free-firmware' (component misspelt in sources.list?)
This commonly happens when copying a Debian 12 or 13 configuration file onto a Debian 11 system. Confirm the issue:
grep "non-free-firmware" /etc/apt/sources.list.d/debian.sourcesEdit the file and remove non-free-firmware from each Components: line, along with any bullseye-backports block:
sudo nano /etc/apt/sources.list.d/debian.sourcesAfter editing, verify the warning is resolved:
sudo apt updateAPT Fails with NO_PUBKEY Errors
This error means the Debian archive keyring is missing or outdated:
W: GPG error: https://deb.debian.org/debian trixie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1122334455667788
Check the installed keyring version:
dpkg -l debian-archive-keyringReinstall the keyring package to restore the correct keys:
sudo apt install --reinstall debian-archive-keyringRun sudo apt update again to verify that the signature warnings are resolved.
Firmware Package Not Found After Enabling Non-Free Repos
If apt install intel-microcode or apt install amd64-microcode returns “unable to locate package” even after enabling non-free components, the non-free-firmware component may be missing from your configuration. This is the most common cause of the APT message “ensure you enable the non-free-firmware component in the apt sources.” Verify your current components:
grep Components /etc/apt/sources.list.d/debian.sourcesOn Debian 12 or 13, the output should include non-free-firmware alongside main, contrib, and non-free. If it is missing, add it to each Components: line and run sudo apt update. On Debian 11, firmware packages are in the non-free component instead.
HTTPS 443 Errors After Changing Debian Sources
If sudo apt update fails with connection errors on port 443 after creating the DEB822 sources file, the ca-certificates package is likely missing. This happens on minimal or netinstall Debian systems where the package was not included during installation. The DEB822 configurations in this guide use HTTPS, which requires valid CA certificates to verify server identity.
Install ca-certificates using your existing HTTP-based sources before switching to the DEB822 HTTPS configuration:
sudo apt install ca-certificatesAfter installing ca-certificates, run sudo apt update again. The HTTPS connections should now succeed.
software-properties-common Is Not Required
Some older tutorials recommend installing software-properties-common to manage repositories on Debian. This package is designed for Ubuntu’s add-apt-repository command and is unnecessary on Debian when configuring DEB822 sources files directly. You do not need it for any step in this guide.
Revert Debian Non-Free Repos to Main Only
If you later decide to disable contrib and non-free components, edit the sources file and change each Components: line to include only main.
sudo nano /etc/apt/sources.list.d/debian.sourcesDebian 12 or 13: Change each Components: line from:
Components: main contrib non-free non-free-firmware
To:
Components: main
Debian 11: Change each Components: line from Components: main contrib non-free to Components: main.
Apply the change:
sudo apt updateRemoving these components prevents installing or updating packages from contrib, non-free, and non-free-firmware. Any currently installed non-free packages remain on the system but will not receive updates. If critical firmware is installed from these components, removing them could affect hardware functionality after a kernel update.
The non-free component contains proprietary software that does not meet the Debian Free Software Guidelines, such as NVIDIA drivers and unrar. The non-free-firmware component, introduced in Debian 12, contains only device firmware (WiFi, GPU, CPU microcode). This separation was made after a 2022 Debian vote so firmware could be included on official installation media without bundling all non-free software. Debian 11 and older have no non-free-firmware component, so firmware packages are found in non-free instead.
This warning appears because the non-free-firmware component does not exist on Debian 11 (Bullseye). It was introduced in Debian 12 (Bookworm). If you copied a sources configuration from a Debian 12 or 13 system, remove non-free-firmware from each Components: line in your debian.sources file. On Debian 11, firmware packages are available in the non-free component instead.
You can enable components selectively. For example, if you only need hardware firmware, add non-free-firmware without non-free or contrib (Debian 12+ only). If you need proprietary drivers like NVIDIA, add non-free. The contrib component is for free software that depends on non-free packages. Add only the components you actually need to minimize exposure to proprietary software.
Enabling these repositories is safe and does not install any additional software automatically. APT only downloads package metadata until you explicitly install a package with apt install. The contrib and non-free components are hosted on official Debian infrastructure and signed with the same archive keys. However, packages in non-free may have restricted licenses and do not receive the same level of maintenance as packages in main.
This message appears when you try to install firmware packages like intel-microcode or amd64-microcode without the non-free-firmware component enabled. APT cannot find the package because your sources only include main. Add non-free-firmware to the Components: line in /etc/apt/sources.list.d/debian.sources (Debian 12+) and run sudo apt update, then retry the install.
HTTPS connections require the ca-certificates package to verify server identity. Minimal or netinstall Debian systems may not have it installed. Run sudo apt install ca-certificates using your existing HTTP-based sources before switching to the HTTPS-based DEB822 configuration, then run sudo apt update again.
Yes, APT still supports the legacy one-line sources.list format on all current Debian releases. However, the DEB822 .sources format is the default on new Debian 12 and 13 installations and offers clearer syntax with labeled fields like Types:, URIs:, Suites:, and Components:. Mixing both formats causes duplicate repository warnings. If you switch to DEB822, comment out the Debian lines in /etc/apt/sources.list to avoid conflicts.
Conclusion
Contrib, non-free, and non-free-firmware are active on your Debian system, so APT can now reach proprietary drivers, hardware firmware, and CPU microcode directly. After a major Debian upgrade, update the Suites: codename in debian.sources and run sudo apt update. From here you can install NVIDIA drivers on Debian, set up Steam on Debian, or manage third-party repos with extrepo on Debian.
After updating the debian.sources file, I’ve got 443 error responses when running
sudo apt-get update.Solution: before following the steps, install
ca-certificatespackage usingsudo apt-get install ca-certificatesreference: https://askubuntu.com/a/1145374
Thanks for flagging this, and you are absolutely correct. The guide should have accounted for minimal installs missing
ca-certificates. I have added a troubleshooting subsection and FAQ entry covering this exact scenario. Appreciate you bringing it up.Thank you very much for your comprehensive and intuitive guide. Everything to the point with useful examples. This was exactly what I needed. I had installed Debian with Ethernet only and your guide enabled me to add a WiFi connection, now that I cannot use Ethernet.
Anna
Good Evening!
With these command lines, I was able to enable and allow the installation of Steam, which I needed.
Thank you, Joshua James!
Djalma FC
Joshua,
In section
“Confirming the Presence of the Contrib and Non-Free Repositories”
it is written
grep -E “(contrib|non-free)” /etc/apt/sources.list /etc/apt/sources.list
but I think you meant to write
grep -E “(contrib|non-free)” /etc/apt/sources.list
Gérard
Thanks Gérard for pointing out the extra line out for me to fix.