The awesome operating system Linux is free and open source. As such, there are thousands of different ‘flavours’ available – and some types of Linux such as Ubuntu are generic and meant for many different uses.
But security-conscious users will be pleased to know that there are also a number of Linux distributions (distros) specifically designed for privacy. They can help to keep your data safe through encryption and operating in a ‘live’ mode where no data is written to your hard drive in use.
Other distros focus on penetration testing (pen-testing) – these come with tools actually used by hackers which you can use to test your network’s security. In this article, we’re going to highlight 10 of the best offerings when it comes to both privacy and security.
1. Qubes OS
While definitely not for novice users, Qubes is one of the top privacy-conscious distros. The graphical installer must be used to install the OS to your hard drive, which will be encrypted.
Qubes OS uses the Xen Hypervisor to run a number of virtual machines, compartmentalising your life into ‘personal’, ‘work’, ‘internet’ and so on for the sake of security. This means if you accidentally download malware on your work machine for instance, your personal files won’t be compromised.
The main desktop uses colour-coded windows to show different virtual machines, making it easy for you to tell them apart.
Tails (which stands for ‘The Amnesiac Incognito Live System’) is probably the most well-known privacy-focused distro. It can be run from a DVD in ‘live’ mode whereby it loads entirely into your system RAM and will leave no trace of its activity. The OS can also be used in ‘persistent’ mode where your settings can be stored on an encrypted USB stick.
All connections are routed through the anonymity network Tor, which conceals your location. The applications in Tails have also been carefully selected to enhance your privacy – for example, there’s the KeePassX password manager. Do note that vulnerabilities are constantly discovered with Tails so be sure to check for updates (as you should do with any OS, of course).
3. BlackArch Linux
This lightweight pen-testing distro is based on Arch Linux. While relatively new, it contains over 1,600 different hacking tools, saving you the trouble of having to download what you need each time.
BlackArch can be run live from a USB stick or CD, or installed onto a computer or virtual machine. It can even be installed onto a Raspberry Pi to give you a portable pen-testing computer that you can carry anywhere.
The ‘anti-forensics’ category is particularly worth mentioning as it contains tools to scan your memory for passwords to encrypted devices. This helps protect your machine from a ‘cold boot’ attack.
Named after the Hindu goddess, Kali is one of the oldest and most well-known pen-testing distros. The Kali download page offers ISOs that are updated weekly, which can be run in live mode or installed to a drive. Kali will also happily run on ARM devices like the Raspberry Pi.
Kali’s reputation is so formidable that its creators offer training through the Kali Linux Dojo. Lessons include customising your own Kali Linux ISO and learning the fundamentals of pen-testing. For those unable to attend the training, all educational resources from the classes are available on Kali’s website free of charge.
This privacy-oriented operating system is based on Fedora Linux and can be run in live mode or installed to your hard drive. Just as TAILS OS routes all your connections through the Tor network to anonymise your connection, Ipredia routes all your network traffic through the anonymous I2P network.
Features include anonymous email, BitTorrent client, and the ability to browse eepsites (special domains with the extension .i2p). Unlike Tor, I2P doesn’t act as a gateway to the normal internet, so Ipredia cannot safely access regular websites. The advantage of only accessing eepsites is that your connection is truly untraceable.
Booting a live operating system is a nuisance as you have to restart your machine, while installing it to a hard drive means there’s a risk of it being compromised. Whonix offers an elegant compromise by being designed to work as a virtual machine inside the free program Virtualbox.
Whonix is split into two parts. The first ‘Gateway’ routes all connections to the Tor network for the second ‘Workstation’ part. This hugely reduces the chance of DNS leaks which can be used to monitor what websites you visit.
As it runs in a virtual machine, Whonix is compatible with all operating systems that can run Virtualbox.
7. Discreete Linux
This intentionally misspelled distro is the successor to the awesome Ubuntu Privacy Remix. The OS contains no support for network hardware or internal hard drives, so all data is stored offline in RAM or on a USB stick. It can be run in live mode, but when booting from a volume also allows you to store some of your settings in an encrypted ‘Cryptobox’.
Another clever feature is that kernel modules can only be installed if they’ve been digitally signed by the Discreete Linux team. This prevents hackers from trying to sneak in malware. Note that this operating system is currently in the beta testing stage.
8. Parrot Security OS
This pen-testing distro comes to us from the Italian team Frozenbox. Like Kali and BlackArch it categorises tools for easy access and even has a section for the ones you most commonly use.
Parrot is based on Debian but has much more colourful backgrounds and menus. As such, its hardware requirements are rather more than other pen-testing distros such as Kali. A minimum of 2GB of RAM is recommended.
For those with minimal resources, Parrot Cloud is a special version of the distro specifically designed to run on a server. It has no graphics but does contain a number of networking and forensic tools to allow you to run tests remotely.
9. Subgraph OS
Subgraph OS is based on Debian Linux and is designed for ultra-tight security. The kernel has been hardened with a number of security enhancements, and Subgraph also creates virtual ‘sandboxes’ around risky applications like web browsers. As such any attacks against individual applications won’t compromise the entire system.
A specialised firewall also routes all outgoing connections through the anonymous Tor network. Each application has to be manually approved by you.
The OS is designed to be installed to a hard drive. Encryption of your file system is mandatory meaning there’s no danger of writing unencrypted data anywhere.
Our tenth offering is, rather aptly, TENS (Trusted End Node Security). Formerly known as LPS (Lightweight Portable Security), this Linux distro has been designed by none other than the US Air Force and is NSA approved [PDF].
TENS is specifically designed to be run in live mode, meaning any malware is removed on shutdown. It includes a minimal set of applications but there is also a ‘public deluxe’ version which includes Adobe Reader and LibreOffice. All versions include a customisable firewall. The OS also supports logging in via smart card.