{{Header}} {{Title|title= Security Operating System Comparison - {{project_name_short}} vs Debian }} {{#seo: |description=Comparison of {{project_name_long}} with Debian. About security, privacy, usability and hardening-by-default. |image=Kicksecure_versus_Debian.png }} {{tech_intro_mininav}} [[File:Kicksecure_versus_Debian.png|thumb|150px]] {{intro| This page contains a detailed comparison of {{project_name_short}} and Debian regarding security hardening, privacy defaults and usability. }} = Introduction = This wiki page compares the security‑focused, hardened defaults of {{project_name_short}} against upstream [https://www.debian.org Debian]. = Security Hardening by Default = == Account & Privilege Management == {| class="wikitable" |+ ''Account & Privilege Management Features'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | [[sysmaint|user‑sysmaint‑split]] | Separate daily and admin accounts by default | {{Yes}} | {{No}} |- | Improved protection from [[Backdoor#Firmware_Trojan|firmware trojan]]s (a type of [[malware]] / [[Backdoor#Hardware_Backdoor|hardware backdoor]]) and rootkits | Due to above. | {{Yes}} | {{No}} |- | Holistic administrative ("[[root]]") account protection | * [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]] * [[Dev/Strong_Linux_User_Account_Isolation#su_restrictions|su restrictions]] * Protection from [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]] * [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]] | {{Yes}} | {{No}} |- | [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]] | Enforces strict separation between user accounts with protections against privilege escalation, password sniffing, cross-account access, and brute-force attacks. | {{Yes}} | {{No}} |- | [[Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir|libpam-tmpdir]] | Make symlink attacks and other /tmp based attacks harder or impossible. | {{Yes}} | {{No}} |- | [[Dev/Strong_Linux_User_Account_Isolation#Permission_Lockdown|Permission Lockdown]] | Permission Lockdown enforces strong user separation by restricting access to other users’ home directories using strict file permissions. | {{Yes}} | {{No}} |- | [[Dev/Strong_Linux_User_Account_Isolation#umask_hardening|umask hardening]] | Restrictive umask to tighten file system permissions for newly created files. | {{Yes}} | {{No}} |- | [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] / [[Dev/Strong_Linux_User_Account_Isolation#.2Fetc.2Fsecuretty|/etc/securetty]] hardening | Console lockdown reduces the attack surface for console based attacks. | {{Yes}} | {{No}} |- | [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_Account_Passwords_Protection|Bruteforcing Linux Account Passwords Protection]] | [[Dev/Strong_Linux_User_Account_Isolation#Online_Password_Cracking_Restrictions|Online Password Cracking Restrictions]] / [[Dev/Strong_Linux_User_Account_Isolation#sudo_restrictions|sudo restrictions]] | {{Yes}} | {{No}} |} == Package & Binary Security == {| class="wikitable" |+ ''Package & Binary Hardening Features'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | [[SUID Disabler and Permission Hardener]] | Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces. | {{Yes}} | {{No}} |- | Default package selection | Only minimal, no exim/samba/cups by default | {{Yes}} See also: [[About#Default security software|Default package selection]] | {{No}} |- | Secure APT sources | HTTPS APT sources enabled by default | {{Yes}} | {{BlueBackground}} Depends. See footnote: [[About#Secure_Package_Sources_Configuration]]. |- | [https://github.com/{{project_name_short}}/security-misc security‑misc] | Kernel hardening, entropy, mount/options, brute‑force protection | {{Yes}} | {{No}} |} == Network Security == {| class="wikitable" |+ ''Network Security Features'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | {{Anchor|torified_updates}}Torified APT upgrades | APT upgrades run over Tor by default | {{Yes}} [[About#torified_updates|See Torified Updates]] | {{No}} |- | [https://github.com/{{project_name_short}}/tirdad TCP ISN randomization (tirdad)] | TCP Initial Sequence Numbers Randomization: mitigates TCP ISN-based CPU information leakage; see footnote.
The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked. It may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.
| {{Yes}} | {{No}} |- | Secure network time synchronization / Protection from [[Time Attacks]] | Uses authenticated web‑date protocol / [[Sdwdate#Sdwdate_vs_NTP|sdwdate versus NTP]] | {{Yes}} ([[sdwdate]]) | {{No}} (NTP) |- | [https://github.com/{{project_name_short}}/open-link-confirmation open‑link-confirmation] | This is enabled by default and prevents links from being unintentionally opened in supported browsers. | {{Yes}} | {{No}} |- | No open server ports by default | All unsolicited incoming connections are blocked | {{Yes}} | {{No}} [[Debian_Tips#Open_Ports|Debian Open Ports]] |} == Encryption & Data Protection == {| class="wikitable" |+ ''Encryption & Data Protection Features'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | Strong Entropy Generation | Ensures secure cryptographic operations by providing high-quality randomness. See also [[Dev/Entropy]]. | {{Yes}} | {{No}} |- | [[Full Disk Encryption|{{Fde}}]] | Enabled by default in installer | {{Yes}} | {{BlueBackground}} Depends |- | [[Ram-wipe|ram-wipe - Wipe RAM on shutdown and reboot]] | Wipe RAM at shutdown to prevent information extraction from memory. | Coming in Kicksecure 18. | {{No}} |} * upcoming in Kicksecure 18:
## Emergency shutdown

- Forcibly powers off the system if the drive the system booted from is
  removed from the system.
- Forcibly powers off the system if a user-configurable "panic key sequence"
  is pressed (Ctrl+Alt+Delete by default).
- Forcibly powers off the system if
  `sudo /run/emerg-shutdown --instant-shutdown` is called.
- Optional - Forcibly powers off the system if shutdown gets stuck for longer
  than a user-configurable number of seconds (30 by default). Requires tuning
  by the user to function properly, see notes in
  `/etc/security-misc/emerg-shutdown/30_security_misc.conf`.
== System Hardening == {| class="wikitable" |+ ''System Hardening Features'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] Audit | [[systemcheck]] | {{Yes}} ([[Systemcheck#Physical_Security_Check|Physical Security Check]]) | {{No}} |- | [[Recovery#Recovery_Mode|Recovery Mode Lockdown]] | Disabled Recovery Mode by default. | {{Yes}} | {{No}} |} == Build Integrity & Transparency == {| class="wikitable" |+ ''Build Integrity & Transparency Features'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | Protects its in-house source code from malicious [[unicode]] | [https://trojansource.codes/ Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.] | {{Yes}} * {{Github_link|repo=developer-meta-files|path=/blob/master/usr/bin/dm-check-unicode}} * https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754/29 | {{No}} * [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014029 invisible malicious unicode in source code - detection and prevention] * Most other Linux distributions do not seem to have this issue on the radar either. |- | [[Trust#canary|Warrant canary]] | Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust. | {{Yes}} | {{No}} |- | [[Dev/Build Documentation|build documentation]] | Building your own images is encouraged, made as secure and easy as possible, with free user support being provided in the forums. | {{Yes}} | ? |} = Security Tools = {| class="wikitable" |+ ''Security Tools'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | [[Protection_Against_Physical_Attacks#grub-pwchange|grub-pwchange]] | grub-pwchange is a GRUB bootloader password management tool for setting a [[Protection_Against_Physical_Attacks#Bootloader_Password|Bootloader Password]]. | {{Yes}} | {{No}} |- | [[Unicode#Searching_Files_and_Folders_for_Unicode|Searching Files and Folders for Unicode]] tools pre-installed | [[Unicode#grep-find-unicode-wrapper|grep-find-unicode-wrapper]] and [[unicode-show]] pre-installed | {{Yes}} | {{No}} |- |} = Usability = {| class="wikitable" |+ ''Usability and Convenience'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | [[Live Mode]] | Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session. | {{Yes}} | {{No}} |- | Calamares installer with improved UX | Graphical installer offering a user-friendly installation experience with fewer steps and clearer options. | {{Yes}} Debian Live uses Calamares; regular D-I does not | {{No}} |- | Functional APT sources list | Pre-configured and working APT sources to ensure package updates and installations function out of the box. | {{Yes}} Debian default APT source may be broken or incomplete; see [[Debian Tips]] | {{No}} |- | sudo pre‑configured | sudo is ready to use without additional setup, allowing safe privilege escalation by default. | {{Yes}} See [[Root#Root_Account_Management|Root Account Management]] | {{BlueBackground}} Depends. |- | bash‑completion, zsh shell | Command-line enhancements like tab completion and Zsh shell for improved terminal usability. | {{Yes}} | {{No}} |- | [https://github.com/{{project_name_short}}/vm-config-dist vm-config-dist] | | {{Yes}} | {{No}} |- | [https://github.com/{{project_name_short}}/usability-misc usability‑misc] | | {{Yes}} | {{No}} |- | Popular apps pre‑installed | Frequently used applications are pre-installed with secure defaults for convenience and security. | {{Yes}} [[Software|with secure defaults]] | {{No}} |- | [[chmod-calc]] pre-installed | Comprehensive File and Directory Inspection Tool | {{Yes}} | {{No}} |- |} = Plattform Support = {| class="wikitable" |+ ''Plattform Support'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | Extensive architecture support | Availability of support across multiple processor architectures, such as x86_64 ([[Intel_AMD64|Intel / AMD64]]), [[ARM64|ARM]], [[PPC64|PPC]], [[RISCV64|RISCV]] and others. | {{RedBackground}} Limited. See [[Architecture Support]]. | {{Yes}} |- | Major Virtualizer Support | Availability of official images for virtualizers. | [[VirtualBox]], [[Linux|VirtualBox Linux installer]], [[KVM]], [[Qubes]] | OpenStack, QEMU, Amazon EC2 / AWS Marketplace, Microsoft Azure / Azure Marketplace. |- | Extensive desktop environment support | GNOME, KDE, LXQt, MATE, Cinnamon and [https://wiki.debian.org/DesktopEnvironment more] | {{No}}, see [[Other Desktop Environments]]. | {{Yes}} |- |} = General = {| class="wikitable" |+ ''General Comparison'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | Open Source distribution | Freely available source code and licensed under open-source terms. | {{Yes}} | {{Yes}} |- | Based on Debian | Built directly on top of Debian for compatibility, stability, and maintainability. | {{Yes}} ([[Based_on_Debian|Kicksecure is based on Debian]]) | {{BlueBackground}} N/A |- | High quality packaging distribution | Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See [[Dev/About_Debian_Packaging#Purpose_of_Packaging|Purpose of Packaging]]. | {{Yes}} | {{Yes}} |- | Based on Linux | Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation. | {{Yes}} | {{Yes}} |- | Pre‑installed security tools | Comes with hardened tools and services for security, privacy, and anonymity. | [[AppArmor]], [[sdwdate]], [https://github.com/{{project_name_short}}/tirdad tirdad], [https://github.com/{{project_name_short}}/security-misc security-misc] | Minimal (optional install) |- | Secure defaults (network, packages, accounts) | Defaults favor security: no open ports, limited user privileges, hardened configurations. | {{Yes}} | {{No}} |- | Target audience | Designed for users needing strong security and privacy protections. | Seeking strong defense | General-purpose users, servers, desktops |- | [[About#Implementation_of_the_Securing_Debian_Manual|Implementation of the Securing Debian Manual]] | Applies relevant recommendations from Debian’s official security manual by default, adapting and modernizing where necessary. | {{Yes}} | {{No}} |- | Onion service version of website | Provides a more secure, end-to-end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities. | {{Yes}} | {{Yes}} |- | Comprehensive security [[Documentation]] | In-depth guides and resources to help users understand, implement, and maintain strong security practices. | {{Yes}} ([[System_Hardening_Checklist|System Hardening Checklist]]) | {{No}} |- | Signed downloads | All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases. | {{Yes}} | {{Yes}} |- | [[Digital_Signature_Policy|Digital Signature Policy]] | [[Verifying Software Signatures]] always enforced in project source code and consistently pointed out in documentation. | {{Yes}} | {{No}} Debian wiki does not consistently always stress digital signature verification. |- |} = Freedom and Transparency = {| class="wikitable" |+ ''Freedom and Transparency'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | Open Source | Users have the right to inspect, modify, and share the entire source code, promoting collective security and privacy benefits. | {{Yes}} | {{Yes}} |- | Freedom Software | Includes software that adheres to Free Software Foundation (FSF) approved licenses. | {{Yes}} | {{Yes}} |- | Research and Implementation Project | Maintained as a transparent and ongoing security-focused project with public visibility of issues and continual improvement. | {{Yes}} | {{No}} |- | Fully Auditable | All software is open for inspection and verification by independent developers and researchers worldwide. | {{Yes}} | {{Yes}} |- | Complete respect for privacy and user freedom | No user tracking, no advertising integrations, and no personal data harvesting. | {{Yes}} | {{Yes}} |- | No user freedom restrictions such as [[Miscellaneous_Threats_to_User_Freedom#Administrative_Rights|administrative rights refusal]] | | {{Yes}} | {{Yes}} |- | no tivoization / no vendor lock-in | | {{Yes}} | {{Yes}} |- | obey user settings as a project value and development goal | | {{Yes}} | {{Yes}} |- | malware analysis / malicious backdoor and rootkit hunting possible | Not a design that simplifies implementation of [[Backdoor#The_Perfect_Malicious_Backdoor|The "Perfect" Malicious Backdoor]]. | {{Yes}} | {{Yes}} |- |} = Opt-in and Testers = todo = Upcoming = todo = Development = {| class="wikitable" |+ ''Development Tools and Debugging'' |- ! Feature ! Description ! {{project_name_short}} ! Debian |- | [[Recovery#Serial_Console|Easy setup of Serial Console]] | [https://github.com/{{project_name_short}}/serial-console-enable serial-console-enable]: simplifies enabling a serial console for debugging purposes. | {{Yes}} | {{No}} |- | [[debug-misc]] | [https://github.com/{{project_name_short}}/debug-misc debug-misc]: Simplifies enabling settings required for troubleshooting and debugging. | {{Yes}} | {{No}} |- |} = Attribution = * Not anti-Debian: This article should not be misunderstood as "[https://www.debian.org Debian] hate." * Linage: [[Based on Debian|Kicksecure is based on Debian]]. * Fork friendly: Debian welcomes [https://en.wikipedia.org/wiki/Fork_(software_development) software forks], meaning anyone can create a new project by copying Debian under the respective licenses and developing it in their own way. See also {{whonix_wiki |wikipage=Dev/Operating_System#Debian_is_Fork_Friendly |text=Debian is Fork Friendly }}. * Gratitude: Without Debian, Kicksecure would not exist. Gratitude is expressed to the Debian project and its contributors. {{quotation |quote=We stand on the shoulders of giants - Kicksecure and many other Libre software projects are only made possible because people invested in writing code that is kept accessible for the public benefit. |context=[[Reasons_for_Freedom_Software|Reasons for Freedom Software / Open Source]] }} {{quotation |quote=Debian—the best parent one can have |context=[https://puri.sm/posts/what-is-pureos-and-how-is-it-built/ PureOS] }} {{quotation |quote=Reasons for being based on Debian: |context={{whonix_wiki |wikipage=Dev/Operating_System#Debian |text=chapter Debian - Security-Focused Operating System Comparison as Base for Whonix }} }} = See Also = * [[About#Hardening_by_Default|Hardening by Default]] * [[About#Kicksecure_Development_Goals|Kicksecure Development Goals]] * [[Full Disk Encryption]] * [[sysmaint]] * [[Debian Tips]] = Table of Contents = __TOC__ = Footnotes = [[Category:Documentation]] {{Footer}}