Kicksecure - Secure by Default Operating System

Kicksecure update servers know neither the identity nor IP address of the user because all upgrades are downloaded over Tor by default.

Kicksecure uses strong Kernel Hardening Settings as recommended by the Kernel Self Protection Project (KSPP).

Time attacks on Kicksecure users are defeated by Boot Clock Randomization and secure network time synchronization through sdwdate (Secure Distributed Web Date).

Kicksecure provides a much lower attack surface since there are no open server ports by default unlike other Linux distributions. All unsolicited incoming connections are rejected.

Without TCP ISN randomization, patterns in outgoing traffic can reveal unique characteristics of a system’s CPU, compromising user security. TCP ISN randomization helps preserve security by masking these signals.

You can easily try Kicksecure by using various virtualizers , which enables security compartmentalization by running a Kicksecure VM on top of a Kicksecure host to isolate malware and testing inside the VM.

Kicksecure protects Linux user accounts against brute force attacks by using pam faillock.

Strong entropy is required for computer security to ensure the unpredictability and randomness of cryptographic keys and other security-related processes. Kicksecure makes encryption more secure thanks to preinstalled random number generators.

Booting a VM into Live Mode is as simple as choosing Live Mode in the boot menu. After the session, all data will be gone.

Linux is highly reliable and secure. It is Open Source and freedom paradigm sets it apart from other OS. That's why Kicksecure is based on Linux.

Our website offers an alternative onion version which offers a higher connection security between the user and the server. This is because connections over onions are providing an alternative end-to-end encryption which is independent from flawed TLS certificate authorities and the mainstream Domain Name System (DNS).

Our Firewall is configured specifically for securely using the Internet.

AppArmor profiles restrict the capabilities of commonly used, high-risk applications such as Tor Browser.

Learn more about our Linux User Account Separation .

Kicksecure increases safety by using separate accounts for daily use and admin tasks. This is called user-sysmaint-split. It prevents routine software—like a hacked browser—from gaining full system access or installing rootkits.

To prevent /tmp-based attacks, Kicksecure uses libpam-tmpdir, which creates secure, per-user temporary folders and sets strict permissions. This blocks common threats like symlink exploits.

Kicksecure integrates many of the system hardening practices from the Securing Debian Manual to improve its security posture. Although Debian's manual is older, Kicksecure supplements it with its own research and publishes updated security guidance in its wiki, ensuring users benefit from both foundational and current best practices.

Knowledge is a defense: Explore Kicksecure's comprehensive documentation to strengthen your security posture and reduce vulnerabilities.

Kicksecure provides additional security hardening measures and user education to provide better protection from viruses / malware.

Console Lockdown disables legacy login methods and thereby improves security hardening.

Kicksecure enforces strict file permission settings in /home, automatically removing read, write, and execute access for others during setup or account creation. This prevents users from accessing each other's files and corrects unsafe permissions that may exist from earlier configurations. The approach aligns with hardening principles from the Securing Debian Manual.

To reduce the risk of unintended file exposure, Kicksecure sets a stricter default umask for non-root accounts so that new files are inaccessible to other accounts by default. This enhances security beyond the /home folder, especially in shared areas like folder /var.

In oversimplified terms, Kicksecure is just a collection of configuration files and scripts. Kicksecure is not a stripped down version of Debian; anything possible in "vanilla" Debian GNU/Linux can be replicated in Kicksecure. About Kicksecure

Downloads are signed so genuine Kicksecure releases can be verified.

A canary confirms that no warrants have ever been served on the Kicksecure project.

Running low on RAM isn't a security problem. swap-file-creator will create an encrypted swap file.

All the Kicksecure source code is licensed under OSI Approved Licenses. We respect user rights to review, scrutinize, modify, and redistribute Kicksecure. This improves security and privacy for everyone.

Kicksecure is Freedom Software and contains software developed by the Free Software Foundation and the GNU Project.

Research and Implementation Project: Kicksecure makes modest claims and is wary of overconfidence. Kicksecure is an actively maintained research project making constant improvements; no shortcomings are ever hidden from users.

Kicksecure is independently verifiable by security experts and software developers around the world; you don’t have to trust developer claims. This improves security and privacy for everyone.

Kicksecure respects data privacy principles. We don’t make advertising deals or collect sensitive personal data. There are no artificial restrictions imposed on possible system configurations .

The purpose of SUID Disabler and Permission Hardener is to enhance system security. It does this by strengthening the isolation of Linux user accounts, implementing stricter file permission settings, and decreasing potential security vulnerabilities by turning off SUID-enabled binaries.