Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

An existing Debian version 12 (codename: bookworm) installation can be converted into Kicksecure by installing a Kicksecure deb package. This procedure is also called distro-morphing.

There are different options to install Kicksecure. Two options. Choose one.

• A) (Easier) Download: Use the ISO or a different installation option from the Download page. In that case, you can stop reading this wiki page.; or
• B) (Advanced) Distribution morphing method: See below.

To increase the chances of success, it is best to start with a minimal Debian installation either,

• A) Debian graphical user interface (GUI) (Xfce); or
• B) Debian command line interface (CLI)

and then install a Kicksecure meta package as documented below.

It is easiest to set the Linux user account name to user during the installation of Debian bookworm.

Debian Live sessions: Distribution morphing a Debian Live ISO is unnecessary and unsupported. Use Kicksecure ISO instead. ^[1]

There are some specifics about distro-morphing which the user should be aware.

• No creation of usable accounts for the user: Neither Linux user account user nor sysmaint will be created. ^[2] The user can continue to use their already existing user account(s).
• No default user-sysmaint-split: Is not installed by default but can later be installed by the user according to user-sysmaint-split documentation.
• No password changes: No passwords for any already existing user accounts will be modified. The user can continue to use their already existing passwords. This means passwords for Full Disk Encryption (pre-boot authentication), sudo, su, Login, etc. will remain the same.
• No root account locking: The password of the root account will not be locked. The user can manually Disable Root Account for better security.
• No user account settings changes: Any user account settings will remain unchanged.
• No user account shell changes: The user's default shell will remain the same.
• Autologin: Kicksecure package usability-misc will set up auto-login for account user for LightDM, Kicksecure's default login manager at time of writing. Auto login can be disabled by the user by following the documentation for Disable Autologin
• Swap / mount / fstab related: Swap partition / swap files, mounts, /etc/fstab set up by Debian installer or the user are not disabled or modified during distribution morphing. This might be a concern for users interested in non-persistent live mode.
• Live Mode Information: Live mode indicator systray, a tool in systray that graphically shows if booted into live mode or persistent mode - at time of writing - is for Xfce only. (Will support all major desktop environments at a later time.)
• Desktop environment related: For GNOME, KDE, LXQt, LXDE and any desktop environment other than the current desktop environment Kicksecure is based on, which is Xfce at time of writing), see Other Desktop Environments.

1. Essentials.

2. Gain administrative (root) rights. ^[3]

3. Install sudo and adduser package.

4. Root rights hardening notice.

5. sudo configuration.

Optional.

Allow account user to run sudo without as password.

Note: Replace account user with your actual user name.

6. Create group console.

/usr/sbin/addgroup --system console

7. Add your Linux account user name to group console. ^[8]

Note: Replace account user with your actual user name.

/usr/sbin/adduser user console

8. Install console related packages.

This might also result in removal of plymouth, which is good, because it is unsupported. ^[9]

sudo apt install console-data console-common kbd keyboard-configuration

There are two different options to enable the Kicksecure APT repository. Choose one. ^[10]

Using extrepo

1. Install package extrepo.

sudo apt install extrepo

2. Enable the stable kicksecure APT repository. (See footnote for other options.) ^[11]

A : Kicksecure

===

Kicksecure

sudo extrepo enable kicksecure

B : Kicksecure for Qubes Template

===

Kicksecure-Qubes Template (kicksecure-17)

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable kicksecure

3. Advanced options.

For advanced options such as clearnet over Tor or onion. ^[12]

Please press on expand on the right side.

Optional.

Install apt-transport-tor.

Install package(s) apt-transport-tor following these instructions

1 Platform specific notice.

• Kicksecure: No special notice.
• Kicksecure-Qubes: In Template.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the apt-transport-tor package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends apt-transport-tor

4 Platform specific notice.

• Kicksecure: No special notice.
• Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) apt-transport-tor is complete.

Find out filename.

ls -la /etc/apt/sources.list.d/extrepo_*

NOTE: Filename will be different if using a repository other than the stable repository such as the testers repository.

Open file /etc/apt/sources.list.d/extrepo_kicksecure.sources in an editor with root rights.

Select your platform.

Kicksecure

See Open File with Root Rights for detailed instructions on why using sudoedit improves security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

Kicksecure-Qubes

Notes:

• When using Kicksecure-Qubes, this must be done inside the Template.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

• After applying this change, shut down the Template.
• All App Qubes based on the Template need to be restarted if they were already running.
• This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Others and Alternatives

Notes:

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

Choose either option A) or B).

• A) Clearnet over Tor Repository: To enable clearnet over Tor, tor+ needs do be prepended in front of the https. The same in other words, look for Uris: https and replace it with Uris: tor+https .
• B) Onion Repository: To enable onion, look for the line starting with Uris:. Delete the whole line. Or out-comment it by adding as hash ("#") in front of it. Then add a new line: Uris: tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion

4. Done.

The Kicksecure APT repository has been enabled ^[13]

Manually

Add Signing Key

Complete the following steps to add the Kicksecure Signing Key to the system's APT keyring.

Open a terminal.

1. Package curl needs to be installed.

Install package(s) curl following these instructions

1 Platform specific notice.

• Kicksecure: No special notice.
• Kicksecure-Qubes: In Template.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the curl package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends curl

4 Platform specific notice.

• Kicksecure: No special notice.
• Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) curl is complete.

2. Download Kicksecure Signing Key. ^[14]

Choose your operating system.

A : Debian

If you are using Debian, run.

Choose TLS or onion.

TLS (Debian)

sudo curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc

onion (Debian)

Downloading over onion requires an already functional system Tor.

sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc

B : Qubes

If you are using a Qubes Debian Template, run.

Choose TLS or onion.

TLS (Qubes)

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc

onion (Qubes)

Downloading over onion requires an already functional system Tor.

sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc

3. Users can check Kicksecure Signing Key for better security.

4. Done.

The procedure of adding the Kicksecure signing key is now complete.

Add Repository

Add the Kicksecure APT Repository.

Choose either: Option A, Option B OR Option C

A : Onion Rep.

Option A: Add Kicksecure Onion Repository.

To add Kicksecure Repository over Onion please install apt-transport-tor from the Debian repository.

sudo apt install apt-transport-tor

Add Kicksecure APT repository for default Kicksecure using Debian stable. At the time of writing this was bookworm.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

B : Clearnet Rep. via Tor

Option B: Add Kicksecure Clearnet Repository over Tor.

To add Kicksecure Repository over torified clearnet install apt-transport-tor from the Debian repository.

sudo apt install apt-transport-tor

Add Kicksecure APT repository for default Kicksecure using Debian stable. At the time of writing this was bookworm.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

C : Clearnet Rep.

Option C: Add Kicksecure Clearnet Repository over clearnet.

NOTE: When later using Kicksecure repository tool, then this will be upgraded to "Clearnet Rep. via Tor", unless see footnote. ^[15]

To add Kicksecure Repository over clearnet please add Kicksecure APT repository for default Kicksecure using Debian stable. At the time of writing this was bookworm.

echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

The procedure of adding the Kicksecure repository is now complete.

1. Pick a Kicksecure package.

2. Troubleshooting. (Optional.)

Only in case of issues, see footnote. ^[16] Otherwise proceed to next step.

3. Next.

USB Installation Documentation VirtualBox Previous page: USB Installation Index page: Documentation Next page: VirtualBox

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!