Install Kicksecure inside Debian

From Kicksecure
Jump to navigation Jump to search
Documentation Previous page: USB Installation Index page: Documentation Next page: VirtualBox Install Kicksecure inside Debian

An existing Debian version 12 (codename: bookworm) installation can be converted into Kicksecure by installing a Kicksecure deb package. This procedure is also called distro-morphing.

Introduction[edit]

There are different options to install Kicksecure. Two options. Choose one.

  • A) (Easier) Download: Use the ISO or a different installation option from the Download page. In that case, you can stop reading this wiki page.; or
  • B) (Advanced) Distribution morphing method: See below.

Distribution Morphing Introduction[edit]

To increase the chances of success, it is best to start with a minimal Debian installation either,

  • A) Debian graphical user interface (GUI) (Xfce); or
  • B) Debian command line interface (CLI)

and then install a Kicksecure meta package as documented below.

It is easiest to set the Linux user account name to user during the installation of Debian bookworm.

Debian Live sessions: Distribution morphing a Debian Live ISO is unnecessary and unsupported. Use Kicksecure ISO instead. [1]

Distribution Morphing versus ISO - Differences[edit]

There are some specifics about distro-morphing which the user should be aware.

  • No creation of usable accounts for the user: Neither Linux user account user nor sysmaint will be created. [2] The user can continue to use their already existing user account(s).
  • No default user-sysmaint-split: Is not installed by default but can later be installed by the user according to user-sysmaint-split documentation.
  • No password changes: No passwords for any already existing user accounts will be modified. The user can continue to use their already existing passwords. This means passwords for Full Disk Encryption (pre-boot authentication), sudo, su, Login, etc. will remain the same.
  • No root account locking: The password of the root account will not be locked. The user can manually Disable Root Account for better security.
  • Autologin: Kicksecure package usability-misc will set up auto-login for account user for LightDM, Kicksecure's default login manager at time of writing. Auto login can be disabled by the user by following the documentation for Disable Autologin
  • Swap / mount / fstab related: Swap partition / swap files, mounts, /etc/fstab set up by Debian installer or the user are not disabled or modified during distribution morphing. This might be a concern for users interested in non-persistent live mode.
  • Live Mode Information: Live mode indicator systray, a tool in systray that graphically shows if booted into live mode or persistent mode - at time of writing - is for Xfce only. (Will support all major desktop environments at a later time.)
  • Desktop environment related: For GNOME, KDE, LXQt, LXDE and any desktop environment other than the current desktop environment Kicksecure is based on, which is Xfce at time of writing), see Other Desktop Environments.

Prerequisites[edit]

1. Essentials.

The user needs to verify that the following prerequisites are met.

  • Debian bookworm installed.
  • A user account such as for example account user exists.
  • Calling the user name user is recommended because then you could copy and paste the commands below and do not need to adjust for another user name.

2. Gain administrative (root) rights. [3]

Becoming root is required because the following commands need to be run with administrative (root) rights as documented below. [4]

  • A) Debian: Use su or sudo su as documented below.
  • B) Most Qubes users: same as above.
  • C) Advanced Qubes users: If using a Debian minimal template or not having the passwordless-root package installed, see footnote. [5]

Try to come root by running the following command in a terminal.

su

Executing plain su might not be possible depending on how Debian has been installed. [6] In that case, try.

sudo su

3. Install sudo and adduser package.

1. Update the package lists.

apt update

2. Upgrade the system.

apt full-upgrade

3. Install sudo and adduser package.

apt install --no-install-recommends sudo adduser

4. Root rights hardening notice.

Note:

  • A) Most users: No special notice.
  • B) Advanced users: If the user is intending to lockdown account user by not granting root rights, see footnote. [7]

5. sudo configuration.

Optional.

Allow account user to run sudo without as password.

Note: Replace account user with your actual user name.

Configuration File Method

Securely create file /etc/sudoers.d/user.conf using visudo.

echo "user ALL=(ALL:ALL) NOPASSWD:ALL" | EDITOR=tee visudo -f /etc/sudoers.d/nopassword >/dev/null

Adduser Method

Add account user to group sudo.

/usr/sbin/adduser user sudo

Reboot required.

/sbin/reboot

Gain administrative rights after reboot. Same as in step 2.

6. Create group console.

/usr/sbin/addgroup --system console

7. Add your Linux account user name to group console. [8]

Note: Replace account user with your actual user name.

/usr/sbin/adduser user console

8. Install console related packages.

This might also result in removal of plymouth, which is good, because it is unsupported. [9]

sudo apt install console-data console-common kbd keyboard-configuration


Installation[edit]

Add the Kicksecure Repository[edit]

There are two different options to enable the Kicksecure APT repository. Choose one. [10]

Using extrepo

1. Install package extrepo.

sudo apt install extrepo

2. Enable the stable kicksecure APT repository. (See footnote for other options.) [11]

A : Kicksecure

===

Kicksecure

sudo extrepo enable kicksecure

B : Kicksecure for Qubes Template

===

Kicksecure-Qubes Template (kicksecure-17)

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure

3. Advanced options.

For advanced options such as clearnet over Tor or onion. [12]

Please press on expand on the right side.

Optional.

Install apt-transport-tor.

Install package(s) apt-transport-tor following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the apt-transport-tor package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends apt-transport-tor

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) apt-transport-tor is complete.

Find out filename.

ls -la /etc/apt/sources.list.d/extrepo_*

NOTE: Filename will be different if using a repository other than the stable repository such as the testers repository.

Open file /etc/apt/sources.list.d/extrepo_kicksecure.sources in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

Kicksecure for Qubes

NOTES:

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

Choose either option A) or B).

  • A) Clearnet over Tor Repository: To enable clearnet over Tor, tor+ needs do be prepended in front of the https. The same in other words, look for Uris: https and replace it with Uris: tor+https .
  • B) Onion Repository: To enable onion, look for the line starting with Uris:. Delete the whole line. Or out-comment it by adding as hash ("#") in front of it. Then add a new line: Uris: tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion

4. Done.

The Kicksecure APT repository has been enabled [13]

Manually

Add Signing Key

Complete the following steps to add the Kicksecure Signing Key to the system's APT keyring.

Open a terminal.

1. Package curl needs to be installed.

Install package(s) curl following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the curl package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends curl

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) curl is complete.

2. Download Kicksecure Signing Key. [14]

Choose your operating system.

A : Debian

If you are using Debian, run.

Choose TLS or onion.

TLS (Debian)

sudo curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc

onion (Debian)

Downloading over onion requires an already functional system Tor.

sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc

B : Qubes

If you are using a Qubes Debian Template, run.

Choose TLS or onion.

TLS (Qubes)

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc

onion (Qubes)

Downloading over onion requires an already functional system Tor.

sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc

3. Users can check Kicksecure Signing Key for better security.

4. Done.

The procedure of adding the Kicksecure signing key is now complete.

Add Repository

Add the Kicksecure APT Repository.

Choose either: Option A, Option B OR Option C

A : Onion Rep.

Option A: Add Kicksecure Onion Repository.

To add Kicksecure Repository over Onion please install apt-transport-tor from the Debian repository.

sudo apt install apt-transport-tor

Add Kicksecure APT repository for default Kicksecure using Debian stable. At the time of writing this was bookworm.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

B : Clearnet Rep. via Tor

Option B: Add Kicksecure Clearnet Repository over Tor.

To add Kicksecure Repository over torified clearnet install apt-transport-tor from the Debian repository.

sudo apt install apt-transport-tor

Add Kicksecure APT repository for default Kicksecure using Debian stable. At the time of writing this was bookworm.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

C : Clearnet Rep.

Option C: Add Kicksecure Clearnet Repository over clearnet.

NOTE: When later using Kicksecure repository tool, then this will be upgraded to "Clearnet Rep. via Tor", unless see footnote. [15]

To add Kicksecure Repository over clearnet please add Kicksecure APT repository for default Kicksecure using Debian stable. At the time of writing this was bookworm.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

The procedure of adding the Kicksecure repository is now complete.

Install the Kicksecure Package[edit]

1. Pick a Kicksecure package.

GUI version

Installs the Xfce graphical desktop environment and default applications. This is useful if Debian was installed without a graphical desktop environment and the Kicksecure graphical desktop environment (Xfce) is desired.

For host operating systems

Install package(s) kicksecure-xfce-host following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the kicksecure-xfce-host package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends kicksecure-xfce-host

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) kicksecure-xfce-host is complete.

For Qubes users

Install package(s) kicksecure-qubes-gui following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the kicksecure-qubes-gui package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends kicksecure-qubes-gui

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) kicksecure-qubes-gui is complete.

For any other VMs (not Qubes)

Install package(s) kicksecure-xfce-vm following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the kicksecure-xfce-vm package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends kicksecure-xfce-vm

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) kicksecure-xfce-vm is complete.

CLI version

Command line interface (CLI) version only. This does not modify the graphical desktop environment. This package provides better kernel hardening, improved entropy, and other security features.

For host operating systems

Install package(s) kicksecure-cli-host following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the kicksecure-cli-host package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends kicksecure-cli-host

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) kicksecure-cli-host is complete.

For Qubes users

Install package(s) kicksecure-qubes-cli following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the kicksecure-qubes-cli package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends kicksecure-qubes-cli

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) kicksecure-qubes-cli is complete.

For any other VMs (not Qubes)

Install package(s) kicksecure-cli-vm following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the kicksecure-cli-vm package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends kicksecure-cli-vm

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) kicksecure-cli-vm is complete.

2. Troubleshooting. (Optional.)

Only in case of issues, see footnote. [16] Otherwise proceed to next step.

3. Next.

Post-Installation[edit]

1. Enable the /etc/apt/sources.list.d/derivative.list Kicksecure APT repository.

Can be done using the Kicksecure repository tool.

Two options. Choose one. Either using,

  • A) CLI: sudo repository-dist --enable --repository stable , or
  • B) GUI: Start MenuSystemDerivative Repositorychoose either "stable", "stable-proposed-updates" , "Testers" or "Developers" repository

See the tool's wiki page for more detailed documentation if needed.

2. Disable the extrepo kicksecure APT repository.

Only needed in case the user has chosen the extrepo signing key adding method above.

This is to avoid a duplicate Kicksecure repository.

sudo extrepo disable kicksecure

3. Check APT sources.

Check if some APT sources in /etc/apt/sources.list should be kept.

Move the original /etc/apt/sources.list file out of the way (or delete it) because it is replaced by Kicksecure's /etc/apt/sources.list.d/debian.list.

sudo mv /etc/apt/sources.list ~/

4. Create an empty /etc/apt/sources.list file.

sudo touch /etc/apt/sources.list

5. Optional: Set the onionized Debian repositories.

If onion repository sources are preferred, follow these Debian onion repositories instructions.Onion network Logo.

6. Done.

The Kicksecure installation is complete.

Footnotes[edit]

  1. Debian Live ISO (live session) is unnecessary and unsupported. Reasons:
    • All changes will be lost on reboot.
    • We already offer a live Kicksecure ISO.
    • None of the security-misc kernel hardening options will be enabled, and they can't be enabled, because that would require a reboot which will discard everything.
    • permission-hardener doesn't expect anything under /usr to be read-only.
    Use Kicksecure ISO instead.
  2. https://github.com/Kicksecure/dist-base-files/blob/master/debian/dist-base-files.postinstarchive.org iconarchive.today icon
  3. Use any method to gain administrative (root) rights. Gain root one way or another.
  4. When a user is using su to gain administrative rights, the user is required to use full path to the programs addgroup, adduser, reboot because when using su the PATH environment variable is not adjusted for use with root rights. See echo "$PATH". echo "$PATH" user rights PATH printout: 
    /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

    root rights PATH printout: 

    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

    By comparison, when using sudo using /full/path/to/application is not required.

  5. A root terminal is required to proceed which can be started from Qubes dom0 terminal as per the Qubes upstream documentation. Unspecific to Kicksecure.
  6. If a root password has not configured during Debian installation, Debian-Installer might have already set up sudo.
  7. The following command /usr/sbin/adduser user sudo grants root rights to account user. If the user intents to use account user without root rights for better security, the user should omit running the /usr/sbin/adduser user sudo and instead 1) make sure that another Linux user account such as user sysmaint is a member of Linux user group sudo and 2) adhere to the following platform specific instructions.
    • Debian: Use su.
    • Kicksecure for Qubes: If not installing the passwordless-root package and/or when distribution morphing a Debian minimal template into Kicksecure, root terminal is required to proceed which can be started from Qubes dom0 terminal as per the Qubes upstream documentation. Unspecific to Kicksecure.
  8. Context: Console Lockdown Required for login into a Virtual Consoles which might be handy in context of Recovery.
  9. https://forums.kicksecure.com/t/error-plymouth-conflict-in-debian-morphing/641archive.org iconarchive.today icon
  10. extrepo vs manual:
    • Usability:
      • There are some detail usability differences. Using onion connection might be easier with manual method until Kicksecure gets ported to Debian 13 / trixie because extrepo might get onion support then.
      • Apart from that, extrepo's usability seems generally better.
    • Security:
      • A detailed comparative research of both methods is unavailable.
      • If usability is considered a security feature, then extrepo might be considered more secure. This is because users do not have to learn as much about Verifying Software Signatures, OpenPGP, its many Software Signature Verification Usability Issues. Debian which is already trusted by the user providing a trust path to the Kicksecure signing key. Manual key fingerprint verification not required.
      • The extrepo project is a huge amount of work adding all the signing keys for many different projects. The code for securely downloading a signing key in the Python is not among the most difficult programming tasks to get correct. Compared with curl (written in C), it might be more secure.
    • Keeping support for manual method:
      • Removal of the manual method is not planned. Since already written, the maintenance effort for that very part of documentation is low. In case extrepo signing key is outdated, get deprecated, it's easy to switch back to manual method.
  11. stable-proposed-updates repository: sudo extrepo enable kicksecure_proposed testers repository: sudo extrepo enable kicksecure_testers developers repository: sudo extrepo enable kicksecure_developers
  12. extrepo feature request: extrepo apt-transport-tor and onion supportarchive.org iconarchive.today icon
  13. forum discussion: extrepo - safely adding reposarchive.org iconarchive.today icon
  14. See Secure Downloads to understand why curl and the parameters --tlsv1.3 are used instead of wget.

    Placing an additional signing key into folder /usr/share/keyrings by itself alone has no impact on security as this folder is not automatically used by Debian's APT by default. Only when an APT sources list configuration file points to folder /usr/share/keyrings using the signed-by keyword the signing key will be actually used. Therefore deleting keys in /usr/share/keyrings is optional if intending to disable an APT repository. See also APT Signing Key Folders.
  15. Unless using repository-dist --transport plain-tls. See also man repository-dist.
  16. If apt returns an error about console-common when trying to install the Kicksecure package, install console-common first: sudo apt install console-common Then try installing the Kicksecure package again. Meta package installation has been completed. Please proceed with the post-installation steps below.

Documentation Previous page: USB Installation Index page: Documentation Next page: VirtualBox

Notification image
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Debian&oldid=97086"