Kicksecure - Secure by Default Operating System

Brute Force Defense

Kicksecure protects Linux user accounts against brute force attacks by using pam_faillock.

Kicksecure protects Linux user accounts against brute force attacks by using pam_faillock.

Entropy Enhancements

Strong entropy is required for computer security to ensure the unpredictability and randomness of cryptographic keys and other security-related processes. Kicksecure makes encryption more secure thanks to preinstalled random number generators.

Strong entropy is required for computer security to ensure the unpredictability and randomness of cryptographic keys and other security-related processes. Kicksecure makes encryption more secure thanks to preinstalled random number generators.

Live Mode

Booting into Live Mode is as simple as choosing Live Mode in the boot menu. After the session, all data will be gone.

Booting a VM into Live Mode is as simple as choosing Live Mode in the boot menu. After the session, all data will be gone.

Ram Wipe

ram-wipe is a software project designed to protect against RAM extraction attacks by erasing the contents of a computer's random access memory (RAM) when the system is shut down or restarted.

ram-wipe wipes system RAM during the Linux shutdown and reboot sequence to reduce the risk of RAM extraction (warm boot) attacks.

USBGuard

USBGuard attempts to mitigate a limited subset of USB hardware attacks by rejecting most USB devices that are plugged in after boot.

USBGuard uses the Linux USB device authorization feature and a rule-based policy to allow, block, or reject USB devices based on their attributes. Kicksecure’s policy is designed to refuse suspicious or unexpected devices plugged in after boot, helping reduce exposure to BadUSB-style attacks. USBGuard is an additional layer, not a replacement for only using trusted USB devices, and it cannot stop physical damage attacks (for example "USB killer") or filter keystrokes from a device you have already allowed.

Based on Linux

Linux is highly reliable, secure, free, and Open Source. That's why Kicksecure is based on Linux.

Linux is highly reliable and secure. Its Open Source freedom paradigm sets it apart from other operating systems. That's why Kicksecure is based on Linux.

Onion Website for Enhanced Connection Security

Our website offers an alternative onion service. This provides higher connection security between the user and the server.

Our website offers an alternative onion service , which provides higher connection security between the user and the server. This is because connections over onion services provide an alternative end-to-end encryption that is independent of flawed TLS certificate authorities and the mainstream Domain Name System (DNS).

Risk Minimization

AppArmor profiles restrict the capabilities of commonly used, high-risk applications.

AppArmor profiles restrict the capabilities of commonly used, high-risk applications such as the Tor Browser.

Strong Linux User Account Isolation

Kicksecure strengthens user account boundaries with console hardening, anti-bruteforce protections, strict permission defaults, and per-user temporary directory isolation.

Kicksecure implements strong Linux user account isolation through Console Lockdown, root login disabled, and restrictions on su and sudo. It also applies Permission Lockdown so other accounts cannot read your home folder by default, sets a more restrictive default umask (for example 027), and provides per-user /tmp isolation via libpam-tmpdir. Online password cracking is limited by locking accounts after repeated failed login attempts. Learn more about our Strong Linux User Account Isolation.

Safer System Maintenance through User-Sysmaint-Split

Kicksecure boosts security by separating everyday use from system admin tasks. Two accounts are used by default, one for daily work and one for maintenance, limiting what harm malware could do.

Kicksecure increases safety by using separate accounts for daily use and admin tasks. This is called user-sysmaint-split. It prevents routine software, like a hacked browser, from gaining full system access or installing rootkits.

Safer Temporary Files with libpam-tmpdir

Kicksecure includes libpam-tmpdir to improve system security by isolating temporary files per user and tightening file permissions, reducing the risk of /tmp-based and symlink attacks.

To prevent /tmp-based attacks, Kicksecure uses libpam-tmpdir, which creates secure, per-user temporary folders and sets strict permissions. This blocks common threats like symlink exploits.

Hardening with Securing Debian Manual

Kicksecure applies key system hardening techniques from the Securing Debian Manual by default, and adds original research to boost the baseline security.

Kicksecure integrates many of the system hardening practices from the Securing Debian Manual to improve its security posture. Although Debian's manual is older, Kicksecure supplements it with its own research and publishes updated security guidance in its wiki, ensuring users benefit from both foundational and current best practices.

Comprehensive Security Documentation

Knowledge is a defense: Kicksecure offers extensive documentation to empower users with critical security information and best practices.

Knowledge is a defense: Explore Kicksecure's comprehensive documentation to strengthen your security posture and reduce vulnerabilities.

Virus Protection

Kicksecure provides additional security hardening measures and user education for better protection from virus attacks.

Kicksecure provides additional security hardening measures and user education to provide better protection from viruses / malware.

Console Lockdown

Legacy login methods can be a security risk. Console Lockdown disables them for improved security hardening.

Console Lockdown disables legacy login methods and thereby improves security hardening.

Home Folder Permission Lockdown

Kicksecure locks down user home folders by default, preventing one user from viewing another's files. This adds an extra layer of privacy and security.

Kicksecure enforces strict file permission settings in /home, automatically removing read, write, and execute access for others during setup or account creation. This prevents users from accessing each other's files and corrects unsafe permissions that may exist from earlier configurations. The approach aligns with hardening principles from the Securing Debian Manual.

Umask Hardening for Safer File Permissions

Kicksecure improves file security by setting a stricter default umask for non-root accounts, so new files aren’t readable by others unless explicitly allowed.

To reduce the risk of unintended file exposure, Kicksecure sets a stricter default umask for non-root accounts so that new files are inaccessible to other accounts by default. This enhances security beyond the /home folder, especially in shared areas like the folder /var.

Based on Debian

Kicksecure is based on Debian, one of the most reliable Linux distributions.

In oversimplified terms, Kicksecure is just a collection of configuration files and scripts. Kicksecure is not a stripped down version of Debian; anything possible in "vanilla" Debian GNU/Linux can be replicated in Kicksecure. About Kicksecure

Digitally signed releases

Downloads are signed so genuine Kicksecure releases can be verified.

Downloads are signed so genuine Kicksecure releases can be verified.

Warrant Canary

A canary confirms that no warrants have ever been served on the Kicksecure project.

A canary confirms that no warrants have ever been served on the Kicksecure project.

Swap File Creator

swap-file-creator automatically creates and enables a swap file on LUKS-encrypted disks at boot, helping prevent low-RAM freezes without exposing swap on unencrypted storage by default.

swap-file-creator creates a new swap file on every boot when the target path is on a LUKS-encrypted device. By default, it does not create swap on unencrypted disks, but this can be overridden (not recommended for privacy).