Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Debian tips, tricks, recommendations related to Kicksecure.

Introduction[edit]

This wiki page describes how to:

1. securely download and verify Debian;
2. install Debian as a host operating system; and
3. configure it to minimize the attack surface.

Readers who are interested in running Kicksecure for Debian inside VirtualBox should refer to this page.

Prerequisite Knowledge[edit]

Download and Verification[edit]

This chapter documents how to securely download and perform digital software verification of a Debian installation iso image. The recommended way to verify the Debian Signing key is to use the web of trust. This is more secure, but not available to everyone. This chapter documents an alternative and supplementary way to verify the Debian Signing key. It utilizes an existing installation such as for example Debian, Qubes Debian Template, or Ubuntu, which is already considered trusted by the user; for example one bought from a reseller or provided by a friend who verified it.

• Digital signatures: A tool enhancing download security. Commonly used across the internet.
• Learn more: Curious? Learn more about digital software signatures.
• Optional: Digital signatures are optional. If you've never used them before, there might be no need to start now.
• No worries: New to digital software signatures? It's okay, no need to worry.
• Not a requirement: Not mandatory for using Kicksecure, but an extra security measure for advanced users.

gpg: Good signature

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

OK

Installation[edit]

Writing the iso image to USB[edit]

Debian

Undocumented.

Qubes

These instructions are for users of Qubes only.

It is recommended to use a dedicated App Qubes, perhaps named iso-download.

1. Physically detach all removable USB hard drives, if any.

In dom0.

As per the usual process.

2. Have a look at the Qubes systray area in dom0.

3. However over with the mouse to the yellow symbol which should show "Qubes Devices" in dom0.

4. Left click on Qubes Devices in dom0.

5. Remember the currently available devices.

Consider making a photo or notes.

6. Attach the USB hard drive using Qubes Devices which the ISO should be written in dom0.

7. Recognize the hopefully recognized newly attached USB hard drive in Qubes Devices in dom0.

Should show something like sys-usb:sda.

If there is also sys-usb:sda1 then that is ok. It's a partition. And can be safely ignored for this procedure.

8. Attach the newly added USB hard drive to the VM where the ISO has been downloaded.

In dom0. Using Qubes Devices.

9. Write the iso the the USB hard drive.

Inside the iso-download App Qubes.

Warnings:

• Do not proceed if other devices are connected to that VM!
• All data on the device will be lost!

NOTE: Replace debian-11.7.0-amd64-DVD-1.iso with the file name / path to another ISO file if another ISO was downloaded or downloaded in a different location.

• freedom version: sudo dd bs=64K conv=noerror,sync status=progress if=debian-11.7.0-amd64-DVD-1.iso of=/dev/xvdi
• non-freedom version: sudo dd bs=64K conv=noerror,sync status=progress if=firmware-11.7.0-amd64-DVD-1.iso of=/dev/xvdi

10. Check exit code.

Inside the iso-download App Qubes.

echo $?

Expected output if success.

0

11. Shutdown the VM.

Inside the iso-download App Qube.

sudo poweroff

11. Use Qubes Devices in dom0 to detach the USB hard drive from the iso-download App Qube.

12. Done.

The process of writing the ISO image to the USB drive has been completed.

Upstream Documentation[edit]

For more detailed information on every step in the installation process consult the Debian manual available in HTML, preferably on another device than the one that will be formatted.

Tips[edit]

To successfully and safely complete the installation, note the following:

• In Linux, the dd utility is utilized to create install media.
• In Windows, the Debian install USB/DVD can be created with the rufus utility as described here.
• From a usability perspective, it is recommended to always have a network connection when installing Debian; see here.
• From a security perspective, it is safest to avoid Internet connections until ready; see here.

Default Desktop Environment[edit]

Readers may have noticed the default desktop environment for Kicksecure Virtual Machines is Xfce (although that can be changed). The preferred desktop environment is of little consequence; for example the default Debian desktop environment is GNOME. Users who are already accustomed to Kicksecure (Xfce) can utilize the same environment for the Debian host as well, but this is not compulsory.

## Installing KDE, LXDE or Xfce this way works if you are using a DVD image or network installation (but not with CD images)

Debian boot menu → Advanced Options → Alternative Desktop Environments →
Feel free to choose:
- KDE
- LXDE
- Xfce

It is also possible to install another desktop environment later on or configure a switch from one to another.

Other Packages[edit]

To learn more about the "default", "notebook" or "standard" packages see: tasksel.

Post-installation Steps[edit]

Open Ports[edit]

Security[edit]

Quote:

Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default. In any case, the system administrator needs to adapt the security of the system to the local security policy.

It is unclear if Debian is referring to running services after installing them or having no services running (no open ports) after an installation with default settings. Debian does not do the latter, which is a pity. Despite Debian's preference for running services after installation, this issue should not distract from the relative strength of the platform when properly configured.

Some useful security links are listed below. Some content in the references are outdated because they only apply to older Debian versions. Similarly, some content does not apply to Kicksecure hosts.

• Securing Debian Manual
• Securing Debian Manual Chapter 12: Frequently asked Questions (FAQ)
• Towards a moderately paranoid Debian laptop setup (this is also useful for non-laptops)

sudoers[edit]

Setup sudoers. Add the operating system user name to sudoers.

Footnotes[edit]

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!