Kicksecure ™ for KVM with XFCE

From Whonix

< Kicksecure

Kicksecure ™: A Security-hardened, Non-anonymous Linux Distribution.


This is the KVM flavor of the Kicksecure ™ project - a hardened and security centric version of Debian optimized for virtualized environments and clearnet usage. Much of the warnings and use case instructions from the Whonix ™ edition, such as running the OS headlessly or using shared folders, are applicable.

For more details about Kicksecure ™, check these pages.

Support tickets should be forwarded to the KVM subforum [archive].

Build from Scratch[edit]

Advanced users are encouraged to build Kicksecure ™ images for high security assurance.

Download Kicksecure ™[edit]

FREE Download

Ambox warning pn.svg.png By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.


Kicksecure ™
Download Security
without Verification
Download Security
with Verification
Https long.png


Medium High [1]
Button sig.png

OpenPGP Signature ( sha512 , sig )

- -
Crypto key.png Verify images using this Signing Key -

Verify the Kicksecure ™ Image[edit]

1. Download HulaHoop [archive]'s OpenPGP key from the website.

curl --tlsv1.2 --proto =https -o hulahoop.asc

2. Check fingerprints/owners without importing anything. [2]

gpg --keyid-format long --import --import-options show-only --with-fingerprint hulahoop.asc

3. Verify the output.

The output should be identical to the following.

pub   rsa4096/50C78B6F9FF2EC85 2018-11-26 [SCEA]
      Key fingerprint = 04EF 2F66 6D36 C354 058B  9DD4 50C7 8B6F 9FF2 EC85
uid                            HulaHoop
sub   rsa4096/EB27D2F8CEE41ACC 2018-11-26 [SEA]

4. Import the key.

gpg --import hulahoop.asc

The output should confirm the key was imported.

gpg: key 0x50C78B6F9FF2EC85: public key "HulaHoop" imported
gpg: Total number processed: 1
gpg:               imported: 1

If the Whonix ™ signing key was already imported in the past, the output should confirm the key is unchanged.

gpg: key 0x50C78B6F9FF2EC85: "HulaHoop" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

5. Optional: For extra assurance, verify the key was also signed by Patrick Schleizer.

gpg --check-sigs "04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85"

The output should be identical to the message below.

pub   rsa4096/0x50C78B6F9FF2EC85 2018-11-26 [SCEA]
uid                   [ unknown] HulaHoop
sig!         0x8D66066A2EEACCDA 2018-12-14  Patrick Schleizer <>
sig!3        0x50C78B6F9FF2EC85 2018-11-26  HulaHoop
sub   rsa4096/0xEB27D2F8CEE41ACC 2018-11-26 [SEA]
sig!         0x50C78B6F9FF2EC85 2018-11-26  HulaHoop

gpg: 3 good signatures

If the following message appears at the end of the output.

gpg: no ultimately trusted keys found

Analyze the other messages as usual. This extra message does not relate to the Kicksecure ™ signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance when verifying virtual machine images.

6. Verify the archive with Hulahoop's key.

gpg --verify Kicksecure*.libvirt.xz.asc Kicksecure*.libvirt.xz

The output should include the following text.

gpg: Good signature from "HulaHoop"


Use tar to decompress the archive.

tar -xvf Kicksecure*.libvirt.xz

Do not use unxz! Extract the images using tar.

Importing Kicksecure ™ VM Template[edit]

The supplied XML files serve as a description for libvirt and define the properties of a Kicksecure ™ VM and the networking it should have.

1. Kicksecure ™ works with the network named default out of the box.

2. Import the Kicksecure ™ image.

virsh -c qemu:///system define Kicksecure*.xml

Moving the Kicksecure ™ Image File[edit]

The XML files are configured to point to the default storage location of /var/lib/libvirt/images. The following steps move the images there so the machines can boot.

Note: Changing the default location may cause conflicts with SELinux, which will prevent the machines from booting.

It is recommended to move the image file instead of copying it.

sudo mv Kicksecure*.qcow2 /var/lib/libvirt/images/Kicksecure.qcow2


  1. It does not matter if the bulk download is done over an insecure channel if OpenPGP verification is used at the end.
  2. [archive]

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Iconfinder news 18421.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg Reddit.jpg Diaspora.png Gnusocial.png Mewe.png 500px-Tumblr Wordmark.svg.png Iconfinder youtube 317714.png 200px-Minds logo.svg.png 200px-Mastodon Logotype (Simple).svg.png 200px-LinkedIn Logo 2013.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Please help in testing new features and bug fixes in Whonix ™.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.