Kicksecure ™ for KVM with XFCE

From Whonix

< Kicksecure

Kicksecure ™: A Security-hardened, Non-anonymous Linux Distribution.

logo of the KVM [archive] virtualizer

About this Kicksecure/KVM Page
Support Status stable
Difficulty medium
Contributor HulaHoop [archive]
Support KVM/Support


This is the KVM flavor of the Kicksecure ™ project - a hardened and security centric version of Debian optimized for virtualized environments and clearnet usage. Much of the warnings and use case instructions from the Whonix ™ edition, such as running the OS headlessly or using shared folders, are applicable.

For more details about Kicksecure ™, check these pages.

Support tickets should be forwarded to the KVM subforum [archive].

Build from Scratch[edit]

Advanced users are encouraged to build Kicksecure ™ images for high security assurance.

Download Kicksecure ™[edit]

FREE Download

Ambox warning pn.svg.png By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.


Type Connection Link Download Security
without Verification
Download Security
with Verification
Download.png Https long.png

Download (TLS)

Medium High [1]
Download.png Iconfinder tor 386502.png

Download (Onion)

Medium High
Button sig.png Https long.png - -
Button sig.png Iconfinder tor 386502.png - -
Crypto key.png Verify images using this Signing Key

Verify the Kicksecure ™ Image[edit]

1. Download HulaHoop [archive]'s OpenPGP key from the website.

curl --tlsv1.3 --proto =https -o hulahoop.asc

2. Check fingerprints/owners without importing anything. [2]

gpg --keyid-format long --import --import-options show-only --with-fingerprint hulahoop.asc

3. Verify the output.

The output should be identical to the following.

pub   rsa4096/50C78B6F9FF2EC85 2018-11-26 [SCEA]
      Key fingerprint = 04EF 2F66 6D36 C354 058B  9DD4 50C7 8B6F 9FF2 EC85
uid                            HulaHoop
sub   rsa4096/EB27D2F8CEE41ACC 2018-11-26 [SEA]

4. Import the key.

gpg --import hulahoop.asc

The output should confirm the key was imported.

gpg: key 0x50C78B6F9FF2EC85: public key "HulaHoop" imported
gpg: Total number processed: 1
gpg:               imported: 1

If the Whonix ™ signing key was already imported in the past, the output should confirm the key is unchanged.

gpg: key 0x50C78B6F9FF2EC85: "HulaHoop" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

5. Optional: For extra assurance, verify the key was also signed by Patrick Schleizer.

gpg --check-sigs "04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85"

The output should be identical to the message below.

pub   rsa4096/0x50C78B6F9FF2EC85 2018-11-26 [SCEA]
uid                   [ unknown] HulaHoop
sig!         0x8D66066A2EEACCDA 2018-12-14  Patrick Schleizer <>
sig!3        0x50C78B6F9FF2EC85 2018-11-26  HulaHoop
sub   rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig!         0x50C78B6F9FF2EC85 2018-11-26  HulaHoop

gpg: 3 good signatures

If the following message appears at the end of the output.

gpg: no ultimately trusted keys found

Analyze the other messages as usual. This extra message does not relate to the Kicksecure ™ signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance when verifying virtual machine images.

6. Verify the archive with Hulahoop's key.

gpg --verify Kicksecure*.libvirt.xz.asc Kicksecure*.libvirt.xz

The output should include the following text.

gpg: Good signature from "HulaHoop"


1. Ensure the tarball is in the user home folder before applying these steps.

2. Do not use unxz! Extract the images using gnu tar.

3. Use gnu tar to decompress the archive.

tar -xvf Kicksecure*.libvirt.xz

Importing Kicksecure ™ VM Template[edit]

The supplied XML files serve as a description for libvirt and define the properties of a Kicksecure ™ VM and the networking it should have.

1. Kicksecure ™ works with the network named default out of the box.

2. Import the Kicksecure ™ image.

virsh -c qemu:///system define Kicksecure*.xml

Moving the Kicksecure ™ Image File[edit]

The XML files are configured to point to the default storage location of /var/lib/libvirt/images. The following steps move the images there so the machines can boot.

Note: Changing the default location may cause conflicts with SELinux, which will prevent the machines from booting.

It is recommended to move the image file instead of copying it.

sudo mv Kicksecure*.qcow2 /var/lib/libvirt/images/Kicksecure.qcow2


  1. It does not matter if the bulk download is done over an insecure channel if software signature verification is used at the end.
  2. [archive]

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Check out the Whonix ™ News Blog. Rss.png

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.