Kicksecure for KVM with XFCE

From Kicksecure
Jump to navigation Jump to search

notice This is a pre-release. (What does that mean?)

unofficial logo re-design for the KVM virtualizer
About this KVM Page
Support Status stable
Difficulty medium
Contributor HulaHoop
Support KVM/Support


This is the KVM flavor of the Kicksecure project - a hardened and security centric version of Debian optimized for virtualized environments and clearnet usage. Much of the warnings and use case instructions from the Kicksecure edition, such as running the OS headlessly or using shared folders, are applicable.

For more details about Kicksecure, check Kicksecure pages.

Support tickets should be forwarded to the KVM subforum.

Build from Scratch[edit]

Advanced users are encouraged to build Kicksecure images for high security assurance.

Download Kicksecure[edit]

FREE Download

Ambox warning pn.svg.png By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.


Type Connection Link Download Security
without Verification
Download Security
with Verification
Download.png Https long.png

Download (TLS)

Medium High [1]
Download.png Iconfinder tor 386502.png

Download (Onion)

Medium High
Button sig.png Https long.png - -
Button sig.png Iconfinder tor 386502.png - -
Crypto key.png Verify images using this Signing Key

Verify the Kicksecure Image[edit]

1. Download HulaHoop's OpenPGP key from the website.

curl --tlsv1.3 --proto =https -o hulahoop.asc

2. Check fingerprints/owners without importing anything. [2]

gpg --keyid-format long --import --import-options show-only --with-fingerprint hulahoop.asc

3. Verify the output.

The output should be identical to the following.

pub   rsa4096/50C78B6F9FF2EC85 2018-11-26 [SCEA]
      Key fingerprint = 04EF 2F66 6D36 C354 058B  9DD4 50C7 8B6F 9FF2 EC85
uid                            HulaHoop
sub   rsa4096/EB27D2F8CEE41ACC 2018-11-26 [SEA]

4. Import the key.

gpg --import hulahoop.asc

The output should confirm the key was imported.

gpg: key 0x50C78B6F9FF2EC85: public key "HulaHoop" imported
gpg: Total number processed: 1
gpg:               imported: 1

If the Kicksecure signing key was already imported in the past, the output should confirm the key is unchanged.

gpg: key 0x50C78B6F9FF2EC85: "HulaHoop" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

5. Optional: For extra assurance, verify the key was also signed by Patrick Schleizer.

gpg --check-sigs "04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85"

The output should be identical to the message below.

pub   rsa4096/0x50C78B6F9FF2EC85 2018-11-26 [SCEA]
uid                   [ unknown] HulaHoop
sig!         0x8D66066A2EEACCDA 2018-12-14  Patrick Schleizer <>
sig!3        0x50C78B6F9FF2EC85 2018-11-26  HulaHoop
sub   rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig!         0x50C78B6F9FF2EC85 2018-11-26  HulaHoop

gpg: 3 good signatures

If the following message appears at the end of the output.

gpg: no ultimately trusted keys found

Analyze the other messages as usual. This extra message does not relate to the Kicksecure signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance when verifying virtual machine images.

6. Verify the archive with Hulahoop's key.

gpg --verify Kicksecure*.libvirt.xz.asc Kicksecure*.libvirt.xz

The output should include the following text.

gpg: Good signature from "HulaHoop"


Use tar to decompress the archive.

tar -xvf Kicksecure*.libvirt.xz

Do not use unxz! Extract the images using tar.

Importing Kicksecure VM Template[edit]

The supplied XML files serve as a description for libvirt and define the properties of a Kicksecure VM and the networking it should have.

1. Kicksecure works with the network named default out of the box.

2. Import the Kicksecure image.

virsh -c qemu:///system define Kicksecure*.xml

Moving the Kicksecure Image File[edit]

The XML files are configured to point to the default storage location of /var/lib/libvirt/images. The following steps move the images there so the machines can boot.

Note: Changing the default location may cause conflicts with SELinux, which will prevent the machines from booting.

It is recommended to move the image file instead of copying it.

sudo mv Kicksecure*.qcow2 /var/lib/libvirt/images/Kicksecure.qcow2


  1. It does not matter if the bulk download is done over an insecure channel if software signature verification is used at the end.

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.