Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

A reasonably accurate host clock is required for many general security properties. An inaccurate clock can lead to broken internet connectivity and time related security issues.

It is recommended to have a host clock with an accuracy of up to ± 30 minutes. Clocks that are hours, days, weeks, months or even years slow or fast can lead to many issues such as:

• A) Connectivity problems with Tor: If the host clock is more than 1 hour in the past or more than 3 hours in the future, Tor cannot connect.
• B) Inability to download operating system upgrades: APT (apt-get) and other tools can break and show errors until the clock is set correctly. ^[1]

Follow the recommendations below to avoid Tor connectivity problems and upgrade issues, and to limit possible adverse security impacts.

• Linux-based operating systems: See below.
• Non-Linux operating systems (Windows; Mac): Undocumented. Only in the case of using Kicksecure as a VM. In this case, refer to the documentation of your operating system on how to check and fix the clock.

1. Find out the current system time.

Run the following command to show the current system time in the UTC timezone.

date --utc

The output should be similar to the following.

Dec 05 02:51:44 UTC 2025

2. Compare with the actual time.

Use another clock. Preferably a simple, non-networked clock such as a quartz clock or atomic clock. Network-based clocks (other computers, mobile devices) should ideally be avoided as these are vulnerable to Time Attacks.

Note: Your clocks are probably using a timezone different from UTC. So it might appear a few hours slow or fast due to timezone differences.

In case the system clock is too slow or too fast.

Are the clock issues occurring on the host operating system (OS) or inside a virtual machine (VM)? Select below.

In case of re-occurring clock issues:

Check for an empty computer battery. If the battery is empty, your computers hardware clock might be reset to its production date and time. See also Hardware Clock.

Select easy instructions or advanced instructions below.

To restart sdwdate.

Start Menu → Applications → System → Time Synchronization Monitor (sdwdate-gui) → restart sdwdate

Or in a terminal.

sudo sdwdate-clock-jump

Usually not required. This should only be required if the clock is too fast, because at time of writing sdwdate can only fix clocks that are too slow but not yet clocks that are too fast.

Most systems have a Real-Time Clock (RTC) on the motherboard that keeps track of time while the system is powered down. On boot, the RTC is read and used to set the system clock to a sensible value. If a system is powered down for any length of time, it is important that it have a functional, up-to-date hardware clock.

Kicksecure does not currently synchronize the hardware clock to the system clock on shutdown. As a result, if the hardware clock is drifting out of date, it will continue to drift further and further out of date until problems result. To correct this:

1. Sysmaint Notice

2. Set the system clock.

If not done yet. Either set the manually set the clock or using sdwdate.

3. Set the hardware clock.

Run:

sudo hwclock --systohc

4. Done.

The hardware clock has now been updated.

5. Notice.

The procedure of setting the hardware clock will no longer be needed when setting the clock using sdwdate, clock-random-manual-cli, or clock-random-manual-gui once Kicksecure version 17.4.2.4 or above has been released, as these tools will perform this automatically.

Many single-board computers do not have a hardware clock. Many systems also have a broken, drained, or missing BIOS battery, which will result in the hardware clock pausing or becoming corrupted if power is removed from the system even briefly. Usually these systems will need to have their clock manually set on every boot.

There are a number of things that can be done to fix or mitigate this problem:

• Replace the system's BIOS battery, if it has one. This is usually a CR2032 coin-cell battery located in a socket on the motherboard, but some laptops may enclose the battery in plastic and connect it to the motherboard with a short electrical cable.
• Install the fake-hwclock package. This will save the system clock to disk periodically (including before shutdown) and restore it on boot, so that your system's time is frozen while powered off. This may make it easier to update the system clock to a sufficiently accurate time for Tor and sdwdate to function.
• Install the ntpsec-ntpdate package. This provides the ntpdate command, which can be used to update the system clock from an NTP server. Note that NTP time synchronization may be vulnerable to man-in-the-middle attacks if the date and time are not double-checked against a known-good clock.
  • Do NOT install the ntpsec package. It conflicts with sdwdate and will uninstall it (along with many Kicksecure-related metapackages).

To update the system clock using ntpdate:

1. Run ntpdate -q pool.ntp.org to display the time and date from pool.ntp.org.

2. Double-check the displayed date and time against a clock you know is accurate.

3. Use sudo ntpdate pool.ntp.org to update the clock and display the time that the clock has updated to.

4. Ensure that the date displayed after setting the clock is close to the date displayed when querying the server.

5. Done.

The process of setting the system time using NTP is complete.

• Can set the time if the clock is very slow. This is true even if Tor fails to bootstrap due to a very slow clock. ^[9]
• sdwdate never sets the time backwards. Only forwards. This is a security feature. Slow clocks can be a security issue because old, expired keys appear to be valid. Fast clocks however are only a functionality (and privacy) issue.

sdwdate is a Tor-friendly replacement for rdate and ntpdate that sets the system's clock by communicating via end-to-end encrypted TCP with Tor onion webservers. Since timekeeping is crucial for security, blocking network access until sdwdate succeeds is sensible. ^[10]

Note: When using this feature, there will be no internet connectivity until sdwdate succeeded which could take approximately 2 minutes.

How to enable this feature? Unsupported. This feature is has not been implemented yet for Kicksecure. Developers are welcome to contribute to Kicksecure.

If Tor failed or took too long to connect:

1. You need to fix Tor connection first.

2. Restart sdwdate.

sudo systemctl restart sdwdate

To deactivate sdwdate, run.

sudo service sdwdate stop

sudo systemctl mask sdwdate

• Timezone
• sdwdate
• sdwdate-gui
• Boot Clock Randomization
• Time Attacks
• Dev/sdwdate
• Dev/TimeSync

Social Engineering Documentation Operating System Hardening Previous page: Social Engineering Index page: Documentation Next page: Operating System Hardening

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!