This is a pre-release. (What does that mean?)

unofficial logo re-design for the KVM virtualizer

About this KVM Page
Support Status	stable
Difficulty	medium
Contributor	HulaHoop
Support	KVM/Support

Intro[edit]

This is the KVM flavor of the Kicksecure project - a hardened and security centric version of Debian optimized for virtualized environments and clearnet usage. Much of the warnings and use case instructions from the Kicksecure edition, such as running the OS headlessly or using shared folders, are applicable.

For more details about Kicksecure, check Kicksecure pages.

Support tickets should be forwarded to the KVM subforum.

Build from Scratch[edit]

Advanced users are encouraged to build Kicksecure images for high security assurance.

Download Kicksecure[edit]

FREE Download

By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

Version: 16.0.3.7

Type	Connection	Link	Download Security without Verification	Download Security with Verification
		Download (TLS)	Medium	High ^[1]
		Download (Onion)	Medium	High
		OpenPGP Signature (TLS) sha512 sha512 OpenPGP sha512 Signify	-	-
		OpenPGP Signature (Onion) sha512 sha512 OpenPGP sha512 Signify	-	-
		Verify images using this Signing Key

Verify the Kicksecure Image[edit]

1. Download HulaHoop's OpenPGP key from the website.

curl --tlsv1.3 --proto =https https://www.kicksecure.com/hulahoop.asc -o hulahoop.asc

2. Check fingerprints/owners without importing anything. ^[2]

gpg --keyid-format long --import --import-options show-only --with-fingerprint hulahoop.asc

3. Verify the output.

The output should be identical to the following.

pub   rsa4096/50C78B6F9FF2EC85 2018-11-26 [SCEA]
      Key fingerprint = 04EF 2F66 6D36 C354 058B  9DD4 50C7 8B6F 9FF2 EC85
uid                            HulaHoop
sub   rsa4096/EB27D2F8CEE41ACC 2018-11-26 [SEA]

4. Import the key.

gpg --import hulahoop.asc

The output should confirm the key was imported.

gpg: key 0x50C78B6F9FF2EC85: public key "HulaHoop" imported
gpg: Total number processed: 1
gpg:               imported: 1

If the Kicksecure signing key was already imported in the past, the output should confirm the key is unchanged.

gpg: key 0x50C78B6F9FF2EC85: "HulaHoop" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

5. Optional: For extra assurance, verify the key was also signed by Patrick Schleizer.

gpg --check-sigs "04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85"

The output should be identical to the message below.

pub   rsa4096/0x50C78B6F9FF2EC85 2018-11-26 [SCEA]
      04EF2F666D36C354058B9DD450C78B6F9FF2EC85
uid                   [ unknown] HulaHoop
sig!         0x8D66066A2EEACCDA 2018-12-14  Patrick Schleizer <adrelanos@whonix.org>
sig!3        0x50C78B6F9FF2EC85 2018-11-26  HulaHoop
sub   rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig!         0x50C78B6F9FF2EC85 2018-11-26  HulaHoop

gpg: 3 good signatures

If the following message appears at the end of the output.

gpg: no ultimately trusted keys found

Analyze the other messages as usual. This extra message does not relate to the Kicksecure signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance when verifying virtual machine images.

6. Verify the archive with Hulahoop's key.

gpg --verify Kicksecure*.libvirt.xz.asc Kicksecure*.libvirt.xz

The output should include the following text.

gpg: Good signature from "HulaHoop"

Decompress[edit]

Use tar to decompress the archive.

tar -xvf Kicksecure*.libvirt.xz

Do not use unxz! Extract the images using tar.

Importing Kicksecure VM Template[edit]

The supplied XML files serve as a description for libvirt and define the properties of a Kicksecure VM and the networking it should have.

1. Kicksecure works with the network named default out of the box.

2. Import the Kicksecure image.

virsh -c qemu:///system define Kicksecure*.xml

Moving the Kicksecure Image File[edit]

The XML files are configured to point to the default storage location of /var/lib/libvirt/images. The following steps move the images there so the machines can boot.

Note: Changing the default location may cause conflicts with SELinux, which will prevent the machines from booting.

It is recommended to move the image file instead of copying it.

sudo mv Kicksecure*.qcow2 /var/lib/libvirt/images/Kicksecure.qcow2

Footnotes[edit]

↑ It does not matter if the bulk download is done over an insecure channel if software signature verification is used at the end.
↑ https://forums.whonix.org/t/gpg-show-key-warning-gpg-warning-no-command-supplied-trying-to-guess-what-you-mean/7859

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure ™ ...

Donate

FREE · PLUS · PREMIUM Support

At Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software. Learn more.

Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.

Kicksecure ...

The personal opinions of moderators or contributors to the Kicksecure ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Kicksecure ™ © ENCRYPTED SUPPORT LP, 2022

Host or VM can be booted into Live Mode using Host Live Mode or VM Live Mode

[openpgpverification-1] It does not matter if the bulk download is done over an insecure channel if software signature verification is used at the end.

[2] ttps://forums.whonix.org/t/gpg-show-key-warning-gpg-warning-no-command-supplied-trying-to-guess-what-you-mean/7859

[1]

[2]

Kicksecure for KVM with XFCE

Contents