introduce
Excellent Linux operating systems are free and open source. As a result, there are thousands of different “flavors” to choose from—and some types of Linux, such as Ubuntu, are universal and suitable for many different uses.
However, security-conscious users are more interested in Linux distributions designed specifically for privacy and security. These distributions can help protect your data through encryption and support running in Live mode, without writing data to the hard drive in use.
This article will list ten Linux distributions that prioritize privacy and security.
1. QubesOS
While not geared towards novice users, Qubes is one of the top privacy-focused distributions. The operating system must be installed to the hard drive using a graphical installer, and this installation is encrypted.
QubesOS uses XenHypervisor to run multiple virtual machines, its main concept being security based on isolation. It isolates the system into "personal," "work," and "internet" zones. This way, even if you accidentally download malware on your work machine, your personal files will remain unaffected.
The main desktop uses color-coded windows to display different virtual machines for easy differentiation.
2. Tails
Tails (The Amnesiac Incognito LiveSystem) is perhaps one of the most well-known privacy-focused Linux distributions, a Debian-based bootable CD and USB distribution. Tails can run from a DVD in Live mode, fully loading itself into system RAM, and its activity leaves no trace. The system can also run in "persistent" mode like most systems, with system settings stored on an encrypted USB drive.
Tails provides users with complete internet anonymity. All network traffic passes through the anonymous network Tor, hiding your browsing history and making your network traffic difficult to trace. The applications included with Tails are also carefully selected and pre-configured with security in mind to enhance user privacy. These include the KeePassX password manager, a web browser, an IRC client, and an email client. It's worth noting that Tails is constantly discovering vulnerabilities, so please be sure to check for updates frequently. (This applies to any operating system, of course.)
3. BlackArchLinux
This lightweight penetration testing distribution based on Arch Linux includes over 1,600 different hacking tools for penetration testing and computer forensics analysis, saving time compared to previous downloads. BlackArchLinux is designed for system penetration testers and security researchers and includes several lightweight window managers such as Fluxbox, Openbox, Awesome, and spectrwm.
BlackArchLinux is provided as a bootable DVD image that can be run directly from a USB drive or CD, installed on a computer or virtual machine, or even installed on a Raspberry Pi to provide you with a portable penetration testing computer.
Of particular note is its 'anti-forensics' directory, as it contains tools for scanning the memory of encrypted devices, which helps protect machines from 'cold start attacks'.
4. Kali
Kali Linux (formerly known as BackTrack), named after a Hindu goddess, is one of the most well-known penetration testing distributions and is a Debian-based distribution. It comes with a suite of security and computer forensics tools. Its features include timely security updates (weekly updates to the ISO image), support for the ARM architecture (allowing it to run on Raspberry Pi), four popular desktop environments to choose from, and smooth upgrades to newer versions.
Kali enjoys an awe-inspiring reputation, and its creators offer training through KaliLinuxDojo. Course content includes customizing your own KaliLinuxISO and learning the basics of penetration testing. For those unable to attend the training, all course resources are available free of charge through Kali's website.
5. IprediaOS
IprediaOS is a fast, powerful, and stable Linux-based operating system that provides an anonymous environment. All network traffic is automatically and transparently encrypted and anonymized. This privacy-oriented operating system is based on Fedora Linux and can run in Live mode or be installed on a hard drive. Just as TailsOS uses the Tor network to avoid tracking, all network traffic in Ipredia passes through an anonymous I2P network.
Its features include anonymous email and a BitTorrent client, IRC chat, and the ability to browse eepsites (with the special .i2p extension). Unlike Tor, I2P cannot act as a gateway to the normal internet, so Ipredia cannot securely access regular websites. However, the advantage of only being able to access eepsites is that your connection is truly untraceable.
6. Whonix
Booting a live operating system is troublesome because it requires restarting the computer, but installing it to a hard drive carries the risk of attack. Whonix offers an elegant solution, designed to work as a virtual machine running within Virtualbox. Because it runs in a virtual machine, Whonix is compatible with all operating systems that can run Virtualbox.
Whonix is an operating system focused on anonymity, privacy, and security. It's based on the Tor anonymous network, Debian GNU/Linux, and isolation-based security. Whonix consists of two parts: one runs solely on Tor and acts as a gateway, called Whonix-Gateway; the other, called Whonix-Workstation, resides in an isolated network. Only connections via Tor are permitted. With Whonix, you can anonymously use applications and run servers on the internet. Information leaks due to anonymous resolution are impossible, and even malware with root privileges cannot discover a user's real IP address.
7. DiscreeteLinux
This deliberately misspelled distribution is the successor to the excellent Ubuntu PrivacyRemix. The operating system does not support network hardware or internal hard drives, so all data is stored offline in RAM or on a USB device. It can run in Live mode, but also allows some settings to be stored in an encrypted 'Cryptobox' when booting from a volume.
Another noteworthy feature is that its kernel modules can only be installed after being digitally signed by the DiscreeteLinux team. This prevents hackers from attempting to secretly install malware. Please note that this operating system is currently in the Beat testing phase.
8. ParrotSecurityOS
This penetration testing system was developed by the Italian team Frozenbox. Like Kali and BlackArch, it includes many easy-to-use tools. ParrotSecurityOS is a security-oriented operating system designed for penetration testing, computer forensics, reverse engineering, attacks, cloud penetration testing, privacy/anonymity, cryptography, and other applications.
Parrot is based on Debian and features the MATE desktop environment, offering more colorful backgrounds and menus. Therefore, it has higher hardware requirements than other penetration testing distributions (such as Kali). At least 2GB of RAM is recommended.
For users with limited resources, ParrotCloud is a special distribution designed to run on a server. It lacks a graphical interface but includes some networking and forensics tools for remote testing.
9. SubgraphOS
SubgraphOS is a Debian-based Linux distribution designed for robust security, offering a variety of secure, anonymous, and hardened features. Its kernel is hardened with numerous security enhancements, and Subgraph also creates virtual "sandboxes" for high-risk applications such as browsers. Therefore, any attack targeting a single application will not compromise the entire system.
SubgraphOS uses a hardened Linux kernel and application firewall to block specific executables from accessing the network and forces all internet traffic to pass through the Tor network. Each application needs to manually grant permission to connect to the network and access the "sandbox" of other applications.
The release's file manager features a tool to remove metadata from data files and integrates OnionShare file-sharing software. It uses the Icedove email client to automatically encrypt emails in conjunction with Enigmail.
In Subgraph, encryption of the file system is mandatory, meaning there is no risk of writing unencrypted data. It's important to note that Subgraph is still in beta, so do not rely on it to protect any truly sensitive data (and continue with regular backups as always).
10. TENS
The tenth distribution happens to be TENS (TrustedEndNodeSecurity). Formerly known as LPS (LightweightPortableSecurity), this Linux distribution is a product of the U.S. Department of Defense. TrustedEndNodeSecurity (TENS) is a Linux-based bootable CD-ROM designed to allow users to work on their computers without the risk of exposing their credentials and private data to malware, keyloggers, and other scourges of the Internet age.
It includes a complete set of essential applications and utilities, such as the Firefox web browser, and an encryption wizard for encrypting and decrypting personal documents. However, a 'Public Deluxe' version also includes tools like Adobe Reader and LibreOffice. All versions include a custom firewall, and notably, the operating system supports login via SmartCard.
For more information, please follow the Embedded Systems channel.
