unofficial logo re-design for the KVM virtualizer
This is the KVM flavor of the Kicksecure project - a hardened and security centric version of Debian optimized for virtualized environments and clearnet usage. Much of the warnings and use case instructions from the Kicksecure edition, such as running the OS headlessly or using shared folders, are applicable.
For more details about Kicksecure, check Kicksecure pages.
Support tickets should be forwarded to the KVM subforum.
Build from Scratch
Advanced users are encouraged to build Kicksecure images for high security assurance.
Verify the Kicksecure Image
1. Download HulaHoop's OpenPGP key from the website.
curl --tlsv1.3 --proto =https https://www.kicksecure.com/hulahoop.asc -o hulahoop.asc
2. Check fingerprints/owners without importing anything. 
gpg --keyid-format long --import --import-options show-only --with-fingerprint hulahoop.asc
3. Verify the output.
The output should be identical to the following.
pub rsa4096/50C78B6F9FF2EC85 2018-11-26 [SCEA]
Key fingerprint = 04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85
sub rsa4096/EB27D2F8CEE41ACC 2018-11-26 [SEA]
4. Import the key.
gpg --import hulahoop.asc
The output should confirm the key was imported.
gpg: key 0x50C78B6F9FF2EC85: public key "HulaHoop" imported
gpg: Total number processed: 1
gpg: imported: 1
If the Kicksecure signing key was already imported in the past, the output should confirm the key is unchanged.
gpg: key 0x50C78B6F9FF2EC85: "HulaHoop" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
5. Optional: For extra assurance, verify the key was also signed by Patrick Schleizer.
gpg --check-sigs "04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85"
The output should be identical to the message below.
pub rsa4096/0x50C78B6F9FF2EC85 2018-11-26 [SCEA]
uid [ unknown] HulaHoop
sig! 0x8D66066A2EEACCDA 2018-12-14 Patrick Schleizer <email@example.com>
sig!3 0x50C78B6F9FF2EC85 2018-11-26 HulaHoop
sub rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig! 0x50C78B6F9FF2EC85 2018-11-26 HulaHoop
gpg: 3 good signatures
If the following message appears at the end of the output.
gpg: no ultimately trusted keys found
Analyze the other messages as usual. This extra message does not relate to the Kicksecure signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance when verifying virtual machine images.
6. Verify the archive with Hulahoop's key.
gpg --verify Kicksecure*.libvirt.xz.asc Kicksecure*.libvirt.xz
The output should include the following text.
gpg: Good signature from "HulaHoop"
Use tar to decompress the archive.
tar -xvf Kicksecure*.libvirt.xz
Do not use unxz! Extract the images using tar.
Importing Kicksecure VM Template
The supplied XML files serve as a description for libvirt and define the properties of a Kicksecure VM and the networking it should have.
1. Kicksecure works with the network named default out of the box.
2. Import the Kicksecure image.
virsh -c qemu:///system define Kicksecure*.xml
Moving the Kicksecure Image File
The XML files are configured to point to the default storage location of
/var/lib/libvirt/images. The following steps move the images there so the machines can boot.
Note: Changing the default location may cause conflicts with SELinux, which will prevent the machines from booting.
It is recommended to move the image file instead of copying it.
sudo mv Kicksecure*.qcow2 /var/lib/libvirt/images/Kicksecure.qcow2
Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.