Without TCP ISN randomization, patterns in outgoing traffic can reveal unique characteristics of a system’s CPU, compromising user security.
TCP ISN randomization helps preserve security by masking these signals.
You can easily try Kicksecure by using various virtualizers, which enables security compartmentalization by running a Kicksecure VM on top of a Kicksecure host to isolate malware and testing inside the VM.
Strong entropy is required for computer security to ensure the unpredictability and randomness of cryptographic keys and other security-related processes. Kicksecure makes encryption more secure thanks to preinstalled random number generators.
USBGuard uses the Linux USB device authorization feature and a rule-based policy to allow, block, or reject USB devices based on their attributes. Kicksecure’s policy is designed to refuse suspicious or unexpected devices plugged in after boot, helping reduce exposure to BadUSB-style attacks.
USBGuard is an additional layer, not a replacement for only using trusted USB devices, and it cannot stop physical damage attacks (for example "USB killer") or filter keystrokes from a device you have already allowed.
Linux is highly reliable and secure. Its Open Source freedom paradigm sets it apart from other operating systems. That's why Kicksecure is based on Linux.
Our website offers an alternative onion service, which provides higher connection security between the user and the server. This is because connections over onion services provide an alternative end-to-end encryption that is independent of flawed TLS certificate authorities and the mainstream Domain Name System (DNS).
Kicksecure implements strong Linux user account isolation through Console Lockdown, root login disabled, and restrictions on su and sudo. It also applies Permission Lockdown so other accounts cannot read your home folder by default, sets a more restrictive default umask (for example 027), and provides per-user /tmp isolation via libpam-tmpdir. Online password cracking is limited by locking accounts after repeated failed login attempts.
Learn more about our Strong Linux User Account Isolation.
Kicksecure increases safety by using separate accounts for daily use and admin tasks. This is called user-sysmaint-split. It prevents routine software, like a hacked browser, from gaining full system access or installing rootkits.
To prevent /tmp-based attacks, Kicksecure uses libpam-tmpdir, which creates secure, per-user temporary folders and sets strict permissions. This blocks common threats like symlink exploits.
Kicksecure enforces strict file permission settings in /home, automatically removing read, write, and execute access for others during setup or account creation. This prevents users from accessing each other's files and corrects unsafe permissions that may exist from earlier configurations. The approach aligns with hardening principles from the Securing Debian Manual.
To reduce the risk of unintended file exposure, Kicksecure sets a stricter default umask for non-root accounts so that new files are inaccessible to other accounts by default. This enhances security beyond the /home folder, especially in shared areas like the folder /var.
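The /home permission lockdown and the stricter umask described above can be observed with a short script. This is an added example, not Kicksecure's own code; the function names and the sandbox folders (alice, bob) are constructed for illustration, and everything runs inside a temporary directory.

```shell
#!/bin/sh
# Added example. Works only inside a mktemp sandbox; no real /home is touched.

# Permission string of a path, e.g. "-rw-r-----" (columns 1-10 of ls -ld).
perm_of() { ls -ld "$1" | cut -c1-10; }

# Create a file and a directory under the given umask; print both modes.
modes_under_umask() {
    work=$(mktemp -d)
    ( umask "$1"; : > "$work/file"; mkdir "$work/dir" )
    printf '%s %s\n' "$(perm_of "$work/file")" "$(perm_of "$work/dir")"
    rm -rf "$work"
}

# Names of home folders under base that grant any access to "other".
homes_open_to_others() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        [ "$(perm_of "$home" | cut -c8-10)" = "---" ] || basename "$home"
    done
}

# Strip read, write and execute for "other" from a tree, as described above.
lock_home() { chmod -R o-rwx "$1"; }

# Constructed demo: two home folders, one left world-readable.
demo() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/alice"; mkdir -m 750 "$base/bob"
    echo "umask 022: $(modes_under_umask 022)"
    echo "umask 027: $(modes_under_umask 027)"
    echo "open before: $(homes_open_to_others "$base")"
    lock_home "$base/alice"
    echo "open after: $(homes_open_to_others "$base")"
    rm -rf "$base"
}
demo
```

Under umask 027 the "other" column is empty for both new files and new directories, which is why the setting also protects files created outside /home.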
In oversimplified terms, Kicksecure is just a collection of configuration files and scripts. Kicksecure is not a stripped down version of Debian; anything possible in "vanilla" Debian GNU/Linux can be replicated in Kicksecure.
About Kicksecure
swap-file-creator creates a new swap file on every boot when the target path is on a LUKS-encrypted device. By default, it does not create swap on unencrypted disks, but this can be overridden (not recommended for privacy).
The purpose of SUID Disabler and Permission Hardener is to enhance system security. It does this by strengthening the isolation of Linux user accounts, implementing stricter file permission settings, and decreasing potential security vulnerabilities by turning off SUID-enabled binaries.
Checking digital signatures helps protect users from harmful software (malware or viruses). It proves the software is real, hasn't been tampered with, and keeps users safer.
The Kicksecure Digital Signature Policy requires signed git commits, tags, and images. Unsigned code is strictly prohibited in builds and deployments. Documentation encourages digital signature verification.
All the Kicksecure source code is licensed under OSI Approved Licenses. We respect user rights to review, scrutinize, modify, and redistribute Kicksecure. This improves security and privacy for everyone.
Research and Implementation Project: Kicksecure makes modest claims and is wary of overconfidence. Kicksecure is an actively maintained research project making constant improvements; no shortcomings are ever hidden from users.
Deep scan readiness means you can power the device off and inspect it from outside, for example by booting a trusted Live USB or scanning the disk from another computer. This enables full system checks, including bootloader and kernel components, and reduces the risk of malware hiding itself during a scan.
sandbox-app-launcher aims to run each desktop application as its own user inside a restrictive bubblewrap sandbox, confined by AppArmor and filtered with seccomp. This is intended to reduce the blast radius of a compromised app by limiting filesystem access, IPC, and dangerous system calls.
The project is a work in progress and is currently developers-only.
apparmor.d is a full system AppArmor policy that aims to confine all user space processes, starting from init and systemd, and then applying profiles to services and applications. The goal is "AppArmor for everything" and stronger least-privilege enforcement across the whole OS.
This is still in development and not yet supported or available for general users.
VirusForget is a design effort to make non-root malware persistence harder by cleaning up common autostart and hook locations in the user profile at boot. The idea is to reset or quarantine unexpected changes (for example in dotfiles and autostart entries) so that a compromise of the user account does not automatically survive a reboot.
This is an active design topic and not yet a finished, default-enabled feature.
hardened-kernel combines a hardened kernel configuration with hardening patches from the linux-hardened project. A VM-focused configuration can disable most hardware drivers to reduce attack surface, while a host configuration targets broader hardware support.
For additional hardening, the VM kernel is designed to be compiled locally, producing unique symbols that can make some classes of kernel exploits harder.
This enhancement builds on Reduce Kernel Information Leaks in security-misc. It restricts non-root access to sensitive hardware and kernel metadata (for example parts of /sys and /proc) to reduce fingerprinting and limit what locally running malware can learn.
It is currently disabled by default because it can break applications, and root can still access this information.
hidepid hardens process privacy by mounting /proc so unprivileged users can only see their own processes. This reduces cross-user information leakage and helps isolation on multi-user systems.
It is opt-in because it can break some workflows and tools (for example pkexec) unless additional compatibility workarounds are applied.
Mount options such as noexec, nodev, and nosuid reduce risk in writable data locations by preventing direct execution, device node interpretation, and SUID/SGID privilege escalation from those paths. The goal is to make common persistence and "run-from-home" attack patterns harder.
Some advanced workflows may need adjustments or an opt-out when running programs from home directories.
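To check which writable locations already carry the noexec, nodev, and nosuid options named above, a mount table can be audited as follows. This is an added example, not part of Kicksecure; the function names and the sample table are constructed, and the table uses the /proc/mounts column layout.

```shell
#!/bin/sh
# Added example: report which of nosuid, nodev, noexec a mount point lacks.

# Constructed sample in /proc/mounts format (device, mount point, type, options).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/mapper/home /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Usage: missing_opts MOUNTPOINT [TABLE]   (TABLE defaults to /proc/mounts)
# Prints "ok", a comma-separated list of missing options, or "unmounted"
# when the path is not a mount point of its own in that table.
missing_opts() {
    awk -v mp="$1" '
        $2 == mp { found = 1; opts = $4 }   # last matching entry wins (stacked mounts)
        END {
            if (!found) { print "unmounted"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            out = ""
            m = split("nosuid nodev noexec", want, " ")
            for (i = 1; i <= m; i++)
                if (!(want[i] in have)) out = out (out == "" ? "" : ",") want[i]
            print (out == "" ? "ok" : out)
        }' "${2:-/proc/mounts}"
}

# Run the audit over the constructed table.
table=$(mktemp)
sample_mounts > "$table"
for mp in / /tmp /home /dev/shm /var/tmp; do
    printf '%-9s %s\n' "$mp" "$(missing_opts "$mp" "$table")"
done
rm -f "$table"
```

A result of "unmounted" means the path inherits the options of its parent filesystem, so the parent's entry is the one to check.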
Restricting access to compilers and interpreters reduces the ability of malware to compile or run arbitrary code on the system after an initial compromise. This is intended as a defense-in-depth measure alongside sandboxing and mount hardening.
Developers and power users will still be able to opt out when they need toolchains locally.
Post-quantum cryptography (PQC) aims to provide digital signatures that remain secure even if future quantum computers can break widely used algorithms such as RSA and ECC. This enhancement explores adding quantum-resistant signing for releases, for example using Codecrypt, a GnuPG-like tool that uses quantum-resistant algorithms for encryption and signatures.
PQC signing would complement existing signatures to strengthen long-term integrity and update trust.