{{Header}}
{{Title|title=
Security Operating System Comparison - {{project_name_short}} vs Debian
}}
{{#seo:
|description=Comparison of {{project_name_long}} with Debian. About security, privacy, usability and hardening-by-default.
|image=Kicksecure_versus_Debian.png
}}
{{tech_intro_mininav}}
[[File:Kicksecure_versus_Debian.png|thumb|150px]]
{{intro|
This page contains a detailed overview and comparison of {{project_name_short}} and Debian regarding security hardening, privacy defaults and usability.
}}
= Introduction =
This wiki page compares the security‑focused, hardened defaults of {{project_name_short}} against upstream [https://www.debian.org Debian]. The differences are comprehensively detailed in several tables and visual highlighted below. The considered aspects are security hardening, a couple of privacy aspects and usability aspects.
= Security Hardening by Default =
== Account & Privilege Management ==
{| class="wikitable"
|+ ''Account & Privilege Management Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! [[sysmaint|user‑sysmaint‑split]]
| Separate daily and admin accounts by default
| {{Yes}}
| {{No}}
|-
! Improved protection from [[Backdoor#Firmware_Trojan|firmware trojan]]s (a type of [[malware]] / [[Backdoor#Hardware_Backdoor|hardware backdoor]]) and rootkits
| Due to above.
| {{Yes}}
| {{No}}
|-
! Holistic administrative ("[[root]]") account protection
|
* [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]]
* [[Dev/Strong_Linux_User_Account_Isolation#su_restrictions|su restrictions]]
* Protection from [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]]
* [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]]
| {{Yes}}
| {{No}}
|-
! [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
| Enforces strict separation between user accounts with protections against privilege escalation, password sniffing, cross-account access, and brute-force attacks.
| {{Yes}}
| {{No}}
|-
! [[Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir|libpam-tmpdir]]
| Make symlink attacks and other /tmp based attacks harder or impossible.
| {{Yes}}
| {{No}}
|-
! [[Dev/Strong_Linux_User_Account_Isolation#Permission_Lockdown|Permission Lockdown]]
| Permission Lockdown enforces strong user separation by restricting access to other users’ home directories using strict file permissions.
| {{Yes}}
| {{No}}
|-
! [[Dev/Strong_Linux_User_Account_Isolation#umask_hardening|umask hardening]]
| Restrictive umask to tighten file system permissions for newly created files.
| {{Yes}}
| {{No}}
|-
! [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] / [[Dev/Strong_Linux_User_Account_Isolation#.2Fetc.2Fsecuretty|/etc/securetty]] hardening
| Console lockdown reduces the attack surface for console based attacks.
| {{Yes}}
| {{No}}
|-
! [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_Account_Passwords_Protection|Bruteforcing Linux Account Passwords Protection]]
| [[Dev/Strong_Linux_User_Account_Isolation#Online_Password_Cracking_Restrictions|Online Password Cracking Restrictions]] / [[Dev/Strong_Linux_User_Account_Isolation#sudo_restrictions|sudo restrictions]]
| {{Yes}}
| {{No}}
|-
|}
== Package & Binary Security ==
{| class="wikitable"
|+ ''Package & Binary Hardening Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! [[SUID Disabler and Permission Hardener]]
| Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces.
| {{Yes}}
| {{No}}
|-
! Default package selection
| Only minimal, no exim/samba/cups by default
| {{Yes}} [See also: [[About#Default security software|Default package selection]]]
| {{No}}
|-
! Secure APT sources
| HTTPS APT sources enabled by default
| {{Yes}}
| {{BlueBackground}} Depends. [See footnote: [[About#Secure_Package_Sources_Configuration]].]
|-
! [https://github.com/{{project_name_short}}/security-misc security‑misc]
| Kernel hardening, entropy, mount/options, brute‑force protection
| {{Yes}}
| {{No}}
|-
|}
== Network Security ==
{| class="wikitable"
|+ ''Network Security Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! {{Anchor|torified_updates}}Torified APT upgrades
| APT upgrades run over Tor by default
| {{Yes}} [[[About#torified_updates|See Torified Updates]]]
| {{No}}
|-
! [https://github.com/{{project_name_short}}/tirdad TCP ISN randomization (tirdad)]
| TCP Initial Sequence Numbers Randomization: mitigates TCP ISN-based CPU information leakage; see footnote. [
]The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked. It may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.
| {{Yes}}
| {{No}}
|-
! Secure network time synchronization / Protection from [[Time Attacks]]
| Uses authenticated web‑date protocol / [[Sdwdate#Sdwdate_vs_NTP|sdwdate versus NTP]]
| {{Yes}} ([[sdwdate]])
| {{No}} (NTP)
|-
! [https://github.com/{{project_name_short}}/open-link-confirmation open‑link-confirmation]
| This is enabled by default and prevents links from being unintentionally opened in supported browsers.
| {{Yes}}
| {{No}}
|-
! No open server ports by default
| All unsolicited incoming connections are blocked
| {{Yes}}
| {{No}} [
[[Debian_Tips#Open_Ports|Debian Open Ports]]
]
|-
|}
== Encryption & Data Protection ==
{| class="wikitable"
|+ ''Encryption & Data Protection Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Strong Entropy Generation
| Ensures secure cryptographic operations by providing high-quality randomness. See also [[Dev/Entropy]].
| {{Yes}}
| {{No}}
|-
! [[Full Disk Encryption|{{Fde}}]]
| Enabled by default in installer
| {{Yes}}
| {{BlueBackground}} Depends
|-
! [[Ram-wipe|ram-wipe]]
| Wipe RAM at shutdown and reboot to prevent information extraction from memory.
| Coming in Kicksecure 18.
| {{No}}
|-
|}
== System Hardening ==
{| class="wikitable"
|+ ''System Hardening Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] Audit
| [[systemcheck]]
| {{Yes}} ([[Systemcheck#Physical_Security_Check|Physical Security Check]])
| {{No}}
|-
| [[Recovery#Recovery_Mode|Recovery Mode Lockdown]]
| Disabled Recovery Mode by default.
| {{Yes}}
| {{No}}
|}
== Build Integrity & Transparency ==
{| class="wikitable"
|+ ''Build Integrity & Transparency Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Protects its in-house source code from malicious [[unicode]]
| [https://trojansource.codes/ Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.]
| {{Yes}} [
* {{Github_link|repo=developer-meta-files|path=/blob/master/usr/bin/dm-check-unicode}}
* https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754/29
]
| {{No}} [
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014029 invisible malicious unicode in source code - detection and prevention]
* Most other Linux distributions do not seem to have this issue on the radar either.
]
|-
! Protection from supply chain attacks
| Mandates digital signature verification at all stages of development. This includes source code commits, git tags, the build process, and final downloads. Execution or deployment of unsigned code is strictly forbidden. The policy helps prevent supply chain attacks by ensuring the authenticity and integrity of software throughout its development and distribution.
| {{Yes}} [
[[Digital_Signature_Policy|Digital Signature Policy]]
]
| {{No}} [
Debian's live-build does not authenticate all files that it downloads at time of writing in August 2025. Debian bug report: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225 live-build should authenticate files it downloads]
]
|-
! [[Trust#canary|Warrant canary]]
| Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust.
| {{Yes}}
| {{No}}
|-
! [[Dev/Build Documentation|build documentation]]
| Building your own images is encouraged, made as secure and easy as possible, with free user support being provided in the forums.
| {{Yes}}
| {{Yes}}
|-
|}
= Security Tools =
{| class="wikitable"
|+ ''Security Tools''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Protection_Against_Physical_Attacks#grub-pwchange|grub-pwchange]]
| grub-pwchange is a GRUB bootloader password management tool for setting a [[Protection_Against_Physical_Attacks#Bootloader_Password|Bootloader Password]].
| {{Yes}}
| {{No}}
|-
| [[Unicode#Searching_Files_and_Folders_for_Unicode|Searching Files and Folders for Unicode]] tools pre-installed
| [[Unicode#grep-find-unicode-wrapper|grep-find-unicode-wrapper]] and [[unicode-show]] pre-installed
| {{Yes}}
| {{No}}
|-
|}
= Usability =
{| class="wikitable"
|+ ''Usability and Convenience''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! [[Live Mode]]
| Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session.
| {{Yes}}
| {{No}}
|-
! Calamares installer with improved UX
| Graphical installer offering a user-friendly installation experience with fewer steps and clearer options.
| {{Yes}} [Debian Live uses Calamares; regular D-I does not]
| {{No}}
|-
! Functional APT sources list
| Pre-configured and working APT sources to ensure package updates and installations function out of the box.
| {{Yes}} [Debian default APT source may be broken or incomplete; see [[Debian Tips]]]
| {{No}}
|-
! sudo pre‑configured
| sudo is ready to use without additional setup, allowing safe privilege escalation by default.
| {{Yes}} [See [[Root#Root_Account_Management|Root Account Management]]]
| {{BlueBackground}} Depends.
|-
! bash‑completion, zsh shell
| Command-line enhancements like tab completion and Zsh shell for improved terminal usability.
| {{Yes}}
| {{No}}
|-
! [https://github.com/{{project_name_short}}/vm-config-dist vm-config-dist]
|
| {{Yes}}
| {{No}}
|-
! [https://github.com/{{project_name_short}}/usability-misc usability‑misc]
|
| {{Yes}}
| {{No}}
|-
! Popular apps pre‑installed
| Frequently used applications are pre-installed with secure defaults for convenience and security.
| {{Yes}} [[Software|with secure defaults]]
| {{No}}
|-
! [[chmod-calc]] pre-installed
| Comprehensive File and Directory Inspection Tool
| {{Yes}}
| {{No}}
|-
|}
TODO: add
* apt-get-noninteractive
* apt-get-reset
= Plattform Support =
{| class="wikitable"
|+ ''Plattform Support''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Extensive architecture support
| Availability of support across multiple processor architectures, such as x86_64 ([[Intel_AMD64|Intel / AMD64]]), [[ARM64|ARM]], [[PPC64|PPC]], [[RISCV64|RISCV]] and others.
| {{RedBackground}} Limited. See [[Architecture Support]].
| {{Yes}}
|-
! Major Virtualizer Support
| Availability of official images for virtualizers.
| [[VirtualBox]], [[Linux|VirtualBox Linux installer]], [[KVM]], [[Qubes]]
| OpenStack, QEMU, Amazon EC2 / AWS Marketplace, Microsoft Azure / Azure Marketplace.
|-
! Extensive desktop environment support
| GNOME, KDE, LXQt, MATE, Cinnamon and [https://wiki.debian.org/DesktopEnvironment more]
| {{No}}, see [[Other Desktop Environments]].
| {{Yes}}
|-
|}
= General =
{| class="wikitable"
|+ ''General Comparison''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Open Source distribution
| Freely available source code and licensed under open-source terms.
| {{Yes}}
| {{Yes}}
|-
! Based on Debian
| Built directly on top of Debian for compatibility, stability, and maintainability.
| {{Yes}} ([[Based_on_Debian|Kicksecure is based on Debian]])
| {{BlueBackground}} N/A
|-
! High quality packaging distribution
| Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See [[Dev/About_Debian_Packaging#Purpose_of_Packaging|Purpose of Packaging]].
| {{Yes}}
| {{Yes}}
|-
! Based on Linux
| Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation.
| {{Yes}}
| {{Yes}}
|-
! Pre‑installed security tools
| Comes with hardened tools and services for security, privacy, and anonymity.
| [[AppArmor]], [[sdwdate]], [https://github.com/{{project_name_short}}/tirdad tirdad], [https://github.com/{{project_name_short}}/security-misc security-misc]
| Minimal (optional install)
|-
! Secure defaults (network, packages, accounts)
| Defaults favor security: no open ports, limited user privileges, hardened configurations.
| {{Yes}}
| {{No}}
|-
! Target audience
| Designed for users needing strong security and privacy protections.
| Seeking strong defense
| General-purpose users, servers, desktops
|-
! [[About#Implementation_of_the_Securing_Debian_Manual|Implementation of the Securing Debian Manual]]
| Applies relevant recommendations from Debian’s official security manual by default, adapting and modernizing where necessary.
| {{Yes}}
| {{No}}
|-
! Onion service version of website
| Provides a more secure, end-to-end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities.
| {{Yes}}
| {{Yes}}
|-
! Comprehensive security [[Documentation]]
| In-depth guides and resources to help users understand, implement, and maintain strong security practices.
| {{Yes}} ([[System_Hardening_Checklist|System Hardening Checklist]])
| {{No}}
|-
! Signed downloads
| All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases.
| {{Yes}}
| {{Yes}}
|-
! Documentation encourages users to perform digital software signature verification
| [[Verifying Software Signatures]] is consistently pointed out in documentation.
| {{Yes}} [
[[Digital_Signature_Policy|Digital Signature Policy]]
]
| {{No}} [
Debian wiki does not consistently always stress digital signature verification.
]
|-
|}
= Freedom and Transparency =
{| class="wikitable"
|+ ''Freedom and Transparency''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! Open Source
| Users have the right to inspect, modify, and share the entire source code, promoting collective security and privacy benefits.
| {{Yes}}
| {{Yes}}
|-
! Freedom Software
| Includes software that adheres to Free Software Foundation (FSF) approved licenses.
| {{Yes}}
| {{Yes}}
|-
! Research and Implementation Project
| Maintained as a transparent and ongoing security-focused project with public visibility of issues and continual improvement.
| {{Yes}}
| {{No}}
|-
! Fully Auditable
| All software is open for inspection and verification by independent developers and researchers worldwide.
| {{Yes}}
| {{Yes}}
|-
! Complete respect for privacy and user freedom
| No user tracking, no advertising integrations, and no personal data harvesting.
| {{Yes}}
| {{Yes}}
|-
! No user freedom restrictions such as [[Miscellaneous_Threats_to_User_Freedom#Administrative_Rights|administrative rights refusal]]
|
| {{Yes}}
| {{Yes}}
|-
! no tivoization / no vendor lock-in
|
| {{Yes}}
| {{Yes}}
|-
! obey user settings as a project value and development goal
|
| {{Yes}}
| {{Yes}}
|-
! malware analysis / malicious backdoor and rootkit hunting possible reasonably easily
| Not a design that simplifies implementation of [[Backdoor#The_Perfect_Malicious_Backdoor|The "Perfect" Malicious Backdoor]].
| {{Yes}}
| {{Yes}}
|-
|}
= Opt-in and Testers =
todo
= Upcoming =
* upcoming in Kicksecure 18:
## Emergency shutdown
- Forcibly powers off the system if the drive the system booted from is
removed from the system.
- Forcibly powers off the system if a user-configurable "panic key sequence"
is pressed (Ctrl+Alt+Delete by default).
- Forcibly powers off the system if
`sudo /run/emerg-shutdown --instant-shutdown` is called.
- Optional - Forcibly powers off the system if shutdown gets stuck for longer
than a user-configurable number of seconds (30 by default). Requires tuning
by the user to function properly, see notes in
`/etc/security-misc/emerg-shutdown/30_security_misc.conf`.
* [[USBGuard]]
* todo
= Development =
{| class="wikitable"
|+ ''Development Tools and Debugging''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
! [[Recovery#Serial_Console|Easy setup of Serial Console]]
| [https://github.com/{{project_name_short}}/serial-console-enable serial-console-enable]: simplifies enabling a serial console for debugging purposes.
| {{Yes}}
| {{No}}
|-
! [[debug-misc]]
| [https://github.com/{{project_name_short}}/debug-misc debug-misc]: Simplifies enabling settings required for troubleshooting and debugging.
| {{Yes}}
| {{No}}
|-
|}
= Attribution =
* Not anti-Debian: This article should not be misunderstood as "[https://www.debian.org Debian] hate."
* Linage: [[Based on Debian|Kicksecure is based on Debian]].
* Fork friendly: Debian welcomes [https://en.wikipedia.org/wiki/Fork_(software_development) software forks], meaning anyone can create a new project by copying Debian under the respective licenses and developing it in their own way. See also {{whonix_wiki
|wikipage=Dev/Operating_System#Debian_is_Fork_Friendly
|text=Debian is Fork Friendly
}}.
* Gratitude: Without Debian, Kicksecure would not exist. Gratitude is expressed to the Debian project and its contributors.
{{quotation
|quote=We stand on the shoulders of giants - Kicksecure and many other Libre software projects are only made possible because people invested in writing code that is kept accessible for the public benefit.
|context=[[Reasons_for_Freedom_Software|Reasons for Freedom Software / Open Source]]
}}
{{quotation
|quote=Debian—the best parent one can have
|context=[https://puri.sm/posts/what-is-pureos-and-how-is-it-built/ PureOS]
}}
{{quotation
|quote=Reasons for being based on Debian:
|context={{whonix_wiki
|wikipage=Dev/Operating_System#Debian
|text=chapter Debian - Security-Focused Operating System Comparison as Base for Whonix
}}
}}
= See Also =
* [[About#Hardening_by_Default|Hardening by Default]]
* [[About#Kicksecure_Development_Goals|Kicksecure Development Goals]]
* [[Full Disk Encryption]]
* [[sysmaint]]
* [[Debian Tips]]
= Table of Contents =
__TOC__
= Footnotes =
[[Category:Documentation]]
{{Footer}}