Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Full Disk Encryption encrypted /boot GRUB Keyboard Layout Issue[edit]

4 Notice for users of full disk encryption.

If you would like to use full disk encryption (FDE), it can be done in the Partition tab. Choose "Encrypt system".

If you choose full disk encryption and your keyboard is NOT en_US QWERTY, please press on 'Learn More' on the right side.

Encryption Versus Keyboard Layout

The Calamares installer will encrypt /boot but with English US QWERTY keyboard. This can be confusing. The user might type the password in their local keyboard layout while GRUB at boot time will be interpreting the password using English US QWERTY keyboard layout.

• en_US QWERTY keyboards: This is a non-issue for users using US keyboards.
• other keyboards: This issue exists.

Which workarounds are available to users? Choose one.

• A) Use a separate English US QWERTY keyboard for password entry;
• B) Avoid characters which are different on your local vs the English US QWERTY keyboard layout;
• C) Use a different installation method. Using Distribution morphing it will be possible to avoid encrypted /boot by using Debian's old installer ("d-i" Debian's installer GUI (GTK based));
• D) Not using full disk encryption. Not recommended.

Less realistic workarounds, for developers only and tickets, see footnote. ^[1]

VirtualBox read-only mode[edit]

Troubleshooting: If the system does not boot, check the Recommended VirtualBox Version for Kicksecure VirtualBox is in use.

VirtualBox Generic Bug Reproduction using virtualbox-guest-additions-iso[edit]

This entry is based on Bug Report Recommendations, specifically Generic Bug Reproduction. The content is similar to the Try a non-Kicksecure VM chapter above.

A manual reproduction of the Kicksecure VirtualBox Integration.

1. Use the recommended (.onion) Linux distribution -- Debian bookworm -- as the host operating system. (Debian Tips)
2. Install the recommended version of the VirtualBox host software.
3. Installation of non-freedom software is not required, but the Debian "nonfree" (free in price but non-freedom) repository must be temporarily enabled; the reason is documented below.
4. virtualbox-guest-additions-iso (Freedom Software) from the Debian repository on the the Debian host operating system. Due to a Debian packaging bug the package is only available from Debian nonfree repository, but the package is not non-freedom. That package provides file /usr/share/virtualbox/VBoxGuestAdditions.iso.
5. Install Debian bookworm inside a VirtualBox VM.
6. Mount the VirtualBox Guest Additions CD iso file /usr/share/virtualbox/VBoxGuestAdditions.iso inside the Debian VM.
7. Install VirtualBox Guest Additions from the virtual CD-ROM drive inside the Debian VM. Change to the directory where the CD-ROM drive is mounted and run the following command as root: sh ./VBoxLinuxAdditions.run
8. Attempt to reproduce the original issue.

NTP[edit]

Disabling NTP[edit]

If ISP tampering with NTP is ever confirmed, users are advised to disable NTP and manually update the host clock out-of-band. For example, a watch or atomic clock can be used for this purpose. If the tampering is targeted and not a widescale attack, then the user already has much bigger problems to worry about than NTP; see Confirmation Attacks.

If following the advice above -- disabling NTP on the host and adjusting the clock out-of-band -- be aware that clearnet traffic might be easier to fingerprint. ^[4] The reason is that it introduces a device issuing clearnet traffic (such as OS updates), but without the use of NTP. It is unknown how many people have NTP which is deactivated, broken, uninstalled, or never in fact installed in the first place. Also unknown is how many people are using alternative time synchronization methods such as authenticated NTP, tails_htp, tlsdate, sdwdate or similar. However, search engine research suggests that very few people fall into both these categories.

NTP Issues[edit]

The host system clock synchronization mechanism still uses unauthenticated NTP from a single source. This is not optimal, but there is no real solution to this problem. ^[5] A potential attack vector is created by this NTP behavior; the ISP and/or time server could either inadvertently or maliciously introduce a significant clock skew, or the host clock could simply malfunction.

If the host clock value is grossly inaccurate -- more than one hour in the past or more than 3 hours in future -- Tor cannot connect to the Tor network. ^[6] This is easily solved by manually fixing the clock on the host, then powering the Kicksecure off and on again.

Another side effect of a significantly inaccurate host clock concerns operating system (OS) updates and cryptographic verification on the host. Until the host clock is manually fixed, it may no longer be possible to download updates or verify SSL certificates correctly with the host browser.

Users should always check whether a host clock defect relates to an empty battery before assuming the ISP is tampering with NTP.

???[edit]

KVM[edit]

<div class="toccolours mw-collapsible mw-collapsed">
For KVM, click on Expand on the right.
<div class="mw-collapsible-content">
[[KVM#XML_Modification_.28OPTIONAL.29|Edit the VM xml before import]] or [[KVM#Editing_an_imported_Machine.27s_XML_Configuration|edit the VM xml after import]] and change the following setting.
{{CodeSelect|code=
<clock offset='utc'>
}}
To.

{{CodeSelect|code=
<clock offset='variable' adjustment='123456' basis='utc'>
}}

The <code>adjustment</code> attribute takes any arbitrary value for seconds. The user must pick a random value that is unknown to others, ranging between 0 and 900 (a 15 minute range).
</div>
</div>

Qubes[edit]

TODO

Unfortunately, it is not yet possible to set a random clock offset for Kicksecure for Qubes VM to prevent clock correlation attacks since it is unsupported by Xen. A related issue is denying Kicksecure for Qubes access to "clocksource=xen", which may not be possible without Linux kernel and/or Xen patches. For a detailed discussion of these issues, see here.

VirtualBox[edit]

Footnotes[edit]

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!