{{Header}}
{{Title|title=
Security Operating System Comparison - {{project_name_short}} vs Debian
}}
{{#seo:
|description=Comparison of {{project_name_long}} with Debian. About security, privacy, usability and hardening-by-default.
|image=Kicksecure_versus_Debian.png
}}
{{tech_intro_mininav}}
[[File:Kicksecure_versus_Debian.png|thumb|150px]]
{{intro|
This page contains a detailed comparison of {{project_name_short}} and Debian regarding security hardening, privacy defaults and usability.
}}
= Introduction =
This wiki page compares the security‑focused, hardened defaults of {{project_name_short}} against upstream [https://www.debian.org Debian].
= Security Hardening by Default =
== Account & Privilege Management ==
{| class="wikitable"
|+ ''Account & Privilege Management Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[sysmaint|user‑sysmaint‑split]]
| Separate daily and admin accounts by default
| {{Yes}}
| {{No}}
|-
| Improved protection from [[Backdoor#Firmware_Trojan|firmware trojan]]s (a type of [[malware]] / [[Backdoor#Hardware_Backdoor|hardware backdoor]]) and rootkits
| A consequence of the account separation above.
| {{Yes}}
| {{No}}
|-
| Holistic administrative ("[[root]]") account protection
|
* [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]]
* [[Dev/Strong_Linux_User_Account_Isolation#su_restrictions|su restrictions]]
* Protection from [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]]
* [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]]
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
| Enforces strict separation between user accounts with protections against privilege escalation, password sniffing, cross-account access, and brute-force attacks.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir|libpam-tmpdir]]
| Make symlink attacks and other /tmp based attacks harder or impossible.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#Permission_Lockdown|Permission Lockdown]]
| Permission Lockdown enforces strong user separation by restricting access to other users’ home directories using strict file permissions.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#umask_hardening|umask hardening]]
| Restrictive umask to tighten file system permissions for newly created files.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] / [[Dev/Strong_Linux_User_Account_Isolation#.2Fetc.2Fsecuretty|/etc/securetty]] hardening
| Console lockdown reduces the attack surface for console based attacks.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_Account_Passwords_Protection|Bruteforcing Linux Account Passwords Protection]]
| [[Dev/Strong_Linux_User_Account_Isolation#Online_Password_Cracking_Restrictions|Online Password Cracking Restrictions]] / [[Dev/Strong_Linux_User_Account_Isolation#sudo_restrictions|sudo restrictions]]
| {{Yes}}
| {{No}}
|}
== Package & Binary Security ==
{| class="wikitable"
|+ ''Package & Binary Hardening Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[SUID Disabler and Permission Hardener]]
| Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces.
| {{Yes}}
| {{No}}
|-
| Default package selection
| Minimal default package set; no exim, samba or cups installed by default
| {{Yes}} See also: [[About#Default security software|Default package selection]]
| {{No}}
|-
| Secure APT sources
| HTTPS APT sources enabled by default
| {{Yes}}
| {{BlueBackground}} Depends. See footnote: [[About#Secure_Package_Sources_Configuration]].
|-
| [https://github.com/{{project_name_short}}/security-misc security‑misc]
| Kernel hardening, entropy, mount/options, brute‑force protection
| {{Yes}}
| {{No}}
|}
== Network Security ==
{| class="wikitable"
|+ ''Network Security Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| {{Anchor|torified_updates}}Torified APT upgrades
| APT upgrades run over Tor by default
| {{Yes}} [[About#torified_updates|See Torified Updates]]
| {{No}}
|-
| [https://github.com/{{project_name_short}}/tirdad TCP ISN randomization (tirdad)]
| TCP Initial Sequence Number randomization mitigates TCP ISN-based CPU information leakage. The Linux kernel has a side-channel information leak: information about the system's CPU activity is leaked in any outgoing traffic, which can allow side-channel attacks. This may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.
| {{Yes}}
| {{No}}
|-
| Secure network time synchronization / Protection from [[Time Attacks]]
| Uses authenticated web‑date protocol / [[Sdwdate#Sdwdate_vs_NTP|sdwdate versus NTP]]
| {{Yes}} ([[sdwdate]])
| {{No}} (NTP)
|-
| [https://github.com/{{project_name_short}}/open-link-confirmation open‑link-confirmation]
| This is enabled by default and prevents links from being unintentionally opened in supported browsers.
| {{Yes}}
| {{No}}
|-
| No open server ports by default
| All unsolicited incoming connections are blocked
| {{Yes}}
| {{No}}
[[Debian_Tips#Open_Ports|Debian Open Ports]]
|}
== Encryption & Data Protection ==
{| class="wikitable"
|+ ''Encryption & Data Protection Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Strong Entropy Generation
| Ensures secure cryptographic operations by providing high-quality randomness. See also [[Dev/Entropy]].
| {{Yes}}
| {{No}}
|-
| [[Full Disk Encryption|{{Fde}}]]
| Enabled by default in installer
| {{Yes}}
| {{BlueBackground}} Depends
|-
| [[Ram-wipe|ram-wipe - Wipe RAM on shutdown and reboot]]
| Wipe RAM at shutdown to prevent information extraction from memory.
| Coming in Kicksecure 18.
| {{No}}
|}
* Upcoming in Kicksecure 18:
** Emergency shutdown
*** Forcibly powers off the system if the drive the system booted from is removed from the system.
*** Forcibly powers off the system if a user-configurable "panic key sequence" is pressed (Ctrl+Alt+Delete by default).
*** Forcibly powers off the system if <code>sudo /run/emerg-shutdown --instant-shutdown</code> is called.
*** Optional: Forcibly powers off the system if shutdown gets stuck for longer than a user-configurable number of seconds (30 by default). Requires tuning by the user to function properly, see notes in <code>/etc/security-misc/emerg-shutdown/30_security_misc.conf</code>.
== System Hardening ==
{| class="wikitable"
|+ ''System Hardening Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] Audit
| [[systemcheck]]
| {{Yes}} ([[Systemcheck#Physical_Security_Check|Physical Security Check]])
| {{No}}
|-
| [[Recovery#Recovery_Mode|Recovery Mode Lockdown]]
| Disabled Recovery Mode by default.
| {{Yes}}
| {{No}}
|}
== Build Integrity & Transparency ==
{| class="wikitable"
|+ ''Build Integrity & Transparency Features''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Protects its in-house source code from malicious [[unicode]]
| [https://trojansource.codes/ Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.]
| {{Yes}}
* {{Github_link|repo=developer-meta-files|path=/blob/master/usr/bin/dm-check-unicode}}
* https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754/29
| {{No}}
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014029 invisible malicious unicode in source code - detection and prevention]
* Most other Linux distributions do not seem to have this issue on the radar either.
|-
| [[Trust#canary|Warrant canary]]
| Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust.
| {{Yes}}
| {{No}}
|-
| [[Dev/Build Documentation|build documentation]]
| Building your own images is encouraged, made as secure and easy as possible, with free user support being provided in the forums.
| {{Yes}}
| ?
|}
= Security Tools =
{| class="wikitable"
|+ ''Security Tools''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Protection_Against_Physical_Attacks#grub-pwchange|grub-pwchange]]
| grub-pwchange is a GRUB bootloader password management tool for setting a [[Protection_Against_Physical_Attacks#Bootloader_Password|Bootloader Password]].
| {{Yes}}
| {{No}}
|-
| [[Unicode#Searching_Files_and_Folders_for_Unicode|Searching Files and Folders for Unicode]] tools pre-installed
| [[Unicode#grep-find-unicode-wrapper|grep-find-unicode-wrapper]] and [[unicode-show]] pre-installed
| {{Yes}}
| {{No}}
|-
|}
= Usability =
{| class="wikitable"
|+ ''Usability and Convenience''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Live Mode]]
| Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session.
| {{Yes}}
| {{No}}
|-
| Calamares installer with improved UX
| Graphical installer offering a user-friendly installation experience with fewer steps and clearer options.
| {{Yes}} Debian Live uses Calamares; regular D-I does not
| {{No}}
|-
| Functional APT sources list
| Pre-configured and working APT sources to ensure package updates and installations function out of the box.
| {{Yes}} Debian default APT source may be broken or incomplete; see [[Debian Tips]]
| {{No}}
|-
| sudo pre‑configured
| sudo is ready to use without additional setup, allowing safe privilege escalation by default.
| {{Yes}} See [[Root#Root_Account_Management|Root Account Management]]
| {{BlueBackground}} Depends.
|-
| bash‑completion, zsh shell
| Command-line enhancements like tab completion and Zsh shell for improved terminal usability.
| {{Yes}}
| {{No}}
|-
| [https://github.com/{{project_name_short}}/vm-config-dist vm-config-dist]
|
| {{Yes}}
| {{No}}
|-
| [https://github.com/{{project_name_short}}/usability-misc usability‑misc]
|
| {{Yes}}
| {{No}}
|-
| Popular apps pre‑installed
| Frequently used applications are pre-installed with secure defaults for convenience and security.
| {{Yes}} [[Software|with secure defaults]]
| {{No}}
|-
| [[chmod-calc]] pre-installed
| Comprehensive File and Directory Inspection Tool
| {{Yes}}
| {{No}}
|-
|}
= Platform Support =
{| class="wikitable"
|+ ''Platform Support''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Extensive architecture support
| Availability of support across multiple processor architectures, such as x86_64 ([[Intel_AMD64|Intel / AMD64]]), [[ARM64|ARM]], [[PPC64|PPC]], [[RISCV64|RISCV]] and others.
| {{RedBackground}} Limited. See [[Architecture Support]].
| {{Yes}}
|-
| Major Virtualizer Support
| Availability of official images for virtualizers.
| [[VirtualBox]], [[Linux|VirtualBox Linux installer]], [[KVM]], [[Qubes]]
| OpenStack, QEMU, Amazon EC2 / AWS Marketplace, Microsoft Azure / Azure Marketplace.
|-
| Extensive desktop environment support
| GNOME, KDE, LXQt, MATE, Cinnamon and [https://wiki.debian.org/DesktopEnvironment more]
| {{No}}, see [[Other Desktop Environments]].
| {{Yes}}
|-
|}
= General =
{| class="wikitable"
|+ ''General Comparison''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Open Source distribution
| Freely available source code and licensed under open-source terms.
| {{Yes}}
| {{Yes}}
|-
| Based on Debian
| Built directly on top of Debian for compatibility, stability, and maintainability.
| {{Yes}} ([[Based_on_Debian|Kicksecure is based on Debian]])
| {{BlueBackground}} N/A
|-
| High quality packaging distribution
| Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See [[Dev/About_Debian_Packaging#Purpose_of_Packaging|Purpose of Packaging]].
| {{Yes}}
| {{Yes}}
|-
| Based on Linux
| Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation.
| {{Yes}}
| {{Yes}}
|-
| Pre‑installed security tools
| Comes with hardened tools and services for security, privacy, and anonymity.
| [[AppArmor]], [[sdwdate]], [https://github.com/{{project_name_short}}/tirdad tirdad], [https://github.com/{{project_name_short}}/security-misc security-misc]
| Minimal (optional install)
|-
| Secure defaults (network, packages, accounts)
| Defaults favor security: no open ports, limited user privileges, hardened configurations.
| {{Yes}}
| {{No}}
|-
| Target audience
| Designed for users needing strong security and privacy protections.
| Users seeking strong defense
| General-purpose users, servers, desktops
|-
| [[About#Implementation_of_the_Securing_Debian_Manual|Implementation of the Securing Debian Manual]]
| Applies relevant recommendations from Debian’s official security manual by default, adapting and modernizing where necessary.
| {{Yes}}
| {{No}}
|-
| Onion service version of website
| Provides a more secure, end-to-end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities.
| {{Yes}}
| {{Yes}}
|-
| Comprehensive security [[Documentation]]
| In-depth guides and resources to help users understand, implement, and maintain strong security practices.
| {{Yes}} ([[System_Hardening_Checklist|System Hardening Checklist]])
| {{No}}
|-
| Signed downloads
| All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases.
| {{Yes}}
| {{Yes}}
|-
| [[Digital_Signature_Policy|Digital Signature Policy]]
| [[Verifying Software Signatures]] always enforced in project source code and consistently pointed out in documentation.
| {{Yes}}
| {{No}}
The Debian wiki does not consistently stress digital signature verification.
|-
|}
= Freedom and Transparency =
{| class="wikitable"
|+ ''Freedom and Transparency''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Open Source
| Users have the right to inspect, modify, and share the entire source code, promoting collective security and privacy benefits.
| {{Yes}}
| {{Yes}}
|-
| Freedom Software
| Includes software that adheres to Free Software Foundation (FSF) approved licenses.
| {{Yes}}
| {{Yes}}
|-
| Research and Implementation Project
| Maintained as a transparent and ongoing security-focused project with public visibility of issues and continual improvement.
| {{Yes}}
| {{No}}
|-
| Fully Auditable
| All software is open for inspection and verification by independent developers and researchers worldwide.
| {{Yes}}
| {{Yes}}
|-
| Complete respect for privacy and user freedom
| No user tracking, no advertising integrations, and no personal data harvesting.
| {{Yes}}
| {{Yes}}
|-
| No user freedom restrictions such as [[Miscellaneous_Threats_to_User_Freedom#Administrative_Rights|administrative rights refusal]]
|
| {{Yes}}
| {{Yes}}
|-
| no tivoization / no vendor lock-in
|
| {{Yes}}
| {{Yes}}
|-
| obey user settings as a project value and development goal
|
| {{Yes}}
| {{Yes}}
|-
| malware analysis / malicious backdoor and rootkit hunting possible
| Not a design that simplifies implementation of [[Backdoor#The_Perfect_Malicious_Backdoor|The "Perfect" Malicious Backdoor]].
| {{Yes}}
| {{Yes}}
|-
|}
= Opt-in and Testers =
todo
= Upcoming =
todo
= Development =
{| class="wikitable"
|+ ''Development Tools and Debugging''
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Recovery#Serial_Console|Easy setup of Serial Console]]
| [https://github.com/{{project_name_short}}/serial-console-enable serial-console-enable]: simplifies enabling a serial console for debugging purposes.
| {{Yes}}
| {{No}}
|-
| [[debug-misc]]
| [https://github.com/{{project_name_short}}/debug-misc debug-misc]: Simplifies enabling settings required for troubleshooting and debugging.
| {{Yes}}
| {{No}}
|-
|}
= Attribution =
* Not anti-Debian: This article should not be misunderstood as "[https://www.debian.org Debian] hate."
* Lineage: [[Based on Debian|Kicksecure is based on Debian]].
* Fork friendly: Debian welcomes [https://en.wikipedia.org/wiki/Fork_(software_development) software forks], meaning anyone can create a new project by copying Debian under the respective licenses and developing it in their own way. See also {{whonix_wiki
|wikipage=Dev/Operating_System#Debian_is_Fork_Friendly
|text=Debian is Fork Friendly
}}.
* Gratitude: Without Debian, Kicksecure would not exist. Gratitude is expressed to the Debian project and its contributors.
{{quotation
|quote=We stand on the shoulders of giants - Kicksecure and many other Libre software projects are only made possible because people invested in writing code that is kept accessible for the public benefit.
|context=[[Reasons_for_Freedom_Software|Reasons for Freedom Software / Open Source]]
}}
{{quotation
|quote=Debian—the best parent one can have
|context=[https://puri.sm/posts/what-is-pureos-and-how-is-it-built/ PureOS]
}}
{{quotation
|quote=Reasons for being based on Debian:
|context={{whonix_wiki
|wikipage=Dev/Operating_System#Debian
|text=chapter Debian - Security-Focused Operating System Comparison as Base for Whonix
}}
}}
= See Also =
* [[About#Hardening_by_Default|Hardening by Default]]
* [[About#Kicksecure_Development_Goals|Kicksecure Development Goals]]
* [[Full Disk Encryption]]
* [[sysmaint]]
* [[Debian Tips]]
= Table of Contents =
__TOC__
= Footnotes =