Security is nothing new to Linux distributions. Linux distros have always emphasized security and related matters like firewalls, penetration testing, anonymity, and privacy. So it is hardly surprising that security conscious distributions are common place. For instance, Distrowatch lists sixteen distros that specialize in firewalls, and four for privacy.
Most of these specialty security distributions, however, share the same drawback: they are tools for experts, not average users. Only recently have security distributions tried to make security features generally accessible for desktop users.
These accessible security distros are often still in development, but they are worth investigating now before they become mainstream. In alphabetical order, here are five of the leading distributions for accessible:
Compartmentalization is innate to everything from permissions to root accounts. By isolating parts of the operating system from others, any intrusions can be easily closed down. The difference in Qubes OS is that the compartments are formalized, and accessible from the desktop.
The distribution comes with three security domains (aka AppVMs) — work, personal, and untrusted — and users can add their own. Each domain is available from the top of the desktop menu, and color-codes the border of all windows running in it, making the set up obvious at a glance. Other operations, such as file copying, open a temporary domain that closes automatically when done.
This extra level of security comes at a cost of extra memory. To run smoothly, Qubes OS requires at least eight gigabytes of RAM – about twice what most computers are sold with. However, I know of no other distribution that integrates such tight security so thoroughly into the desktop. You can evade its precautions — in fact, you have to in order to burn a DVD — but you have to make a deliberate effort.
Currently in alpha, SubgraphOS is being developed by a small collection of security experts in Montreal. Its distinguishing feature is the integration of many standard security features into the desktop.
For example, filesystem encryption is mandatory during installation, and partitioning begins with the random overwriting of the partition. Similarly, on the desktop itself, the browser sets up with the anonymizer Tor, while Thunderbird installs Enigmail to enable encrypted email.
In addition, SubgraphOS is developing a sandbox application called Oz, with a list of sandboxed applications on the upper right of the panel. In the alpha, only chat, LibreOffice, and other applications likely to come in contact with other systems are sandboxed automatically, but the potential is obvious.
What is particularly impressive about SubgraphOS is how much it tightens security while using mostly existing tools. More than any of the other distributions described here, SubgraphOS shows badly security standards have been lagging behind what is readily available.
Tails is the best known accessible security distribution. Designed to run from an exterior drive, it is best known for its easy implementation of the Tor and I2P anonymizers. Its other tools include encryption apps, and secure deletion.
Not being installed on a drive, Tails essentially runs in a safe domain, but is less versatile than Qubes OS. What it is ideal for is a quick tutorial in security matters, all of which are explained with numerous links. You probably wouldn’t want to rely on Tails for business security, but it remains the best distribution from which to learn about the available tools and issues.
Formerly LightWeight Portable Security, Trusted End Node Security (TENS)) resembles Tails in that it is designed to book from an exterior drive, running a thin version of Linux. Since nothing is installed, a root password is not required. However, no persistent storage is used, and the effects of malware last only during the current session. In fact, the project site suggests rebooting before beginning important transactions or after visiting risky sites.
TENS also includes support for CAC and PIV access cards, which are used on restricted American government web sites. However, even if you have no need for such access, TENS is a somewhat more advanced, less user- friendly version of Tails.
Whonix runs off Virtualbox. It consists of two installations: the Whonix Gateway, which deals with Tor and anonymization generally, and the Whonix Desktop. To use the distribution, start the gateway. then the Desktop. Both the gateway and desktop are upgraded via Tor, using standard Debian package tools. By running in a virtualized environment with a separate Tor gateway, Whonix gives two extra levels of security.
The desktop is a mixture of configuration tools, Whonix project links, and other security tools. Since Whonix uses the KDE environment, whose tools such as KGpg, an interface for gpg, may be unfamiliar for some.
While Whonix is not as user-friendly as Qubes OS or Subgraph OS, its unique setup is worth looking at just to familiarize yourself with the variety of security configurations.
Other Linux Distro Security Choices
Using any of these security-focused Linux distributions will change your work-flow. For instance, in Qubes OS, the simple act of copying requires the additional stage of specifying the security domain being copied to.
If such a change seems too great a step, you might prefer to look to applications below the distribution level for your security. Firejail, for example, secures common applications simply by prefacing their commands with firejail, while, increasingly many are using containers as a quick, if somewhat resource-heavy form of sandboxing.
However, the advantage of using distribution-level solutions is that security is likely to be greater. Get to know the distributions described here, and you should be able to find a solution to suit your basic security needs.