Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

This page contains a detailed overview and comparison of Kicksecure and Debian regarding security hardening, privacy defaults and usability.

This wiki page compares the security‑focused, hardened defaults of Kicksecure against upstream Debian. The differences are comprehensively detailed in several tables and visual highlighted below. The considered aspects are security hardening, a couple of privacy aspects and usability aspects.

Package & Binary Hardening Features

Feature	Description	Kicksecure	Debian
SUID Disabler and Permission Hardener	Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces.	Yes	No
Default package selection	Only minimal, therefore no attack surface by exim / samba / cups [1] by default	Yes [2]	No
Secure APT sources	HTTPS APT sources enabled by default	Yes	Depends. [3]
security‑misc	Kernel hardening, entropy, mount/options, brute‑force protection	Yes	No

Network Security Features

Feature	Description	Kicksecure	Debian
Protection against targeted, malicious software upgrades	Anonymous (Torified) software upgrades / (APT) upgrades run over Tor by default	Yes [4]	No
TCP ISN randomization (tirdad)	TCP Initial Sequence Numbers Randomization: mitigates TCP ISN-based CPU information leakage; see footnote. [5]	Yes	No
Secure network time synchronization / Protection from Time Attacks	Uses authenticated web‑date protocol / sdwdate versus NTP	Yes (sdwdate)	No (NTP)
open‑link-confirmation	This is enabled by default and prevents links from being unintentionally opened in supported browsers.	Yes	No
No open server ports by default	All unsolicited incoming connections are blocked	Yes	No [6]
Bluetooth Hardening	Bluetooth is enabled in the kernel but disabled by default; private MAC addresses, limited discoverability timeout, and manual user activation required.	Yes [7]	No

Build Integrity & Transparency Features

Feature	Description	Kicksecure	Debian
Protects its in-house source code from malicious unicode	Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.	Yes [8]	No [9]
Protection from supply chain attacks	Mandates digital signature verification at all stages of development. This includes source code commits, git tags, the build process, and final downloads. Execution or deployment of unsigned code is strictly forbidden. The policy helps prevent supply chain attacks by ensuring the authenticity and integrity of software throughout its development and distribution.	Yes [10]	No [11]
Warrant canary	Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust.	Yes	No
build documentation	Building your own images is encouraged, made as secure and easy as possible, with free user support being provided in the forums.	Yes	Yes

Usability and Convenience

Feature	Description	Kicksecure	Debian
Live Mode	Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session.	Yes	No
Calamares installer with improved UX	Graphical installer offering a user-friendly installation experience with fewer steps and clearer options.	Yes [12]	No
Functional APT sources list	Pre-configured and working APT sources to ensure package updates and installations function out of the box.	Yes [13]	No
sudo pre‑configured	sudo is ready to use without additional setup, allowing safe privilege escalation by default.	Yes [14]	Depends.
bash‑completion, zsh shell	Command-line enhancements like tab completion and Zsh shell for improved terminal usability.	Yes	No
vm-config-dist		Yes	No
usability‑misc		Yes	No
Popular apps pre‑installed	Frequently used applications are pre-installed with secure defaults for convenience and security.	Yes with secure defaults	No
chmod-calc pre-installed	Comprehensive File and Directory Inspection Tool	Yes	No

TODO: add

• apt-get-noninteractive
• apt-get-reset
• version 18 and above: set-system-keymap

Plattform Support

Feature	Description	Kicksecure	Debian
Extensive architecture support	Availability of support across multiple processor architectures, such as x86_64 (Intel / AMD64), ARM, PPC, RISCV and others.	Limited. See Architecture Support.	Yes
Major Virtualizer Support	Availability of official images for virtualizers.	VirtualBox, VirtualBox Linux installer, KVM, Qubes	OpenStack, QEMU, Amazon EC2 / AWS Marketplace, Microsoft Azure / Azure Marketplace.
Extensive desktop environment support	GNOME, KDE, LXQt, MATE, Cinnamon and more	No, see Other Desktop Environments.	Yes

General Comparison

Feature	Description	Kicksecure	Debian
Open Source distribution	Freely available source code and licensed under open-source terms.	Yes	Yes
Based on Debian	Built directly on top of Debian for compatibility, stability, and maintainability.	Yes (Kicksecure is based on Debian)	N/A
High quality packaging distribution	Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See Purpose of Packaging.	Yes	Yes
Based on Linux	Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation.	Yes	Yes
Pre‑installed security tools	Comes with hardened tools and services for security, privacy, and anonymity.	AppArmor, sdwdate, tirdad, security-misc	Minimal (optional install)
Secure defaults (network, packages, accounts)	Defaults favor security: no open ports, limited user privileges, hardened configurations.	Yes	No
Target audience	Designed for users needing strong security and privacy protections.	Seeking strong defense	General-purpose users, servers, desktops
Implementation of the Securing Debian Manual	Applies relevant recommendations from Debian’s official security manual by default, adapting and modernizing where necessary.	Yes	No
Onion service version of website	Provides a more secure, end-to-end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities.	Yes	Yes
Comprehensive security Documentation	In-depth guides and resources to help users understand, implement, and maintain strong security practices.	Yes (System Hardening Checklist)	No
Signed downloads	All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases.	Yes	Yes
Documentation encourages users to perform digital software signature verification	Verifying Software Signatures is consistently pointed out in documentation.	Yes [15]	No [16]

todo

• upcoming in Kicksecure 18:

## Emergency shutdown

- Forcibly powers off the system if the drive the system booted from is
  removed from the system.
- Forcibly powers off the system if a user-configurable "panic key sequence"
  is pressed (Ctrl+Alt+Delete by default).
- Forcibly powers off the system if
  `sudo /run/emerg-shutdown --instant-shutdown` is called.
- Optional - Forcibly powers off the system if shutdown gets stuck for longer
  than a user-configurable number of seconds (30 by default). Requires tuning
  by the user to function properly, see notes in
  `/etc/security-misc/emerg-shutdown/30_security_misc.conf`.

• USBGuard
• https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128
• todo

Development Tools and Debugging

Feature	Description	Kicksecure	Debian
Easy setup of Serial Console	serial-console-enable: simplifies enabling a serial console for debugging purposes.	Yes	No
debug-misc	debug-misc: Simplifies enabling settings required for troubleshooting and debugging.	Yes	No

• Not anti-Debian: This article should not be misunderstood as "Debian hate."
• Lineage: Kicksecure is based on Debian.
• Fork friendly: Debian welcomes software forks, meaning anyone can create a new project by copying Debian under the respective licenses and developing it in their own way. See also Debian is Fork Friendly.
• Gratitude: Without Debian, Kicksecure would not exist. Gratitude is expressed to the Debian project and its contributors.

We stand on the shoulders of giants - Kicksecure and many other Libre software projects are only made possible because people invested in writing code that is kept accessible for the public benefit.Reasons for Freedom Software / Open Source

Debian—the best parent one can havePureOS

Reasons for being based on Debian:chapter Debian - Security-Focused Operating System Comparison as Base for Whonix

• Hardening by Default
• Kicksecure Development Goals
• Full Disk Encryption
• sysmaint
• Debian Tips

FAQ Documentation Trust Previous page: FAQ Index page: Documentation Next page: Trust

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!