this post was submitted on 31 Aug 2023
84 points (95.7% liked)

Linux

48074 readers
781 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hi, Im searching for a secure distro for normal daily use for my laptop. Currently Im running arch linux with full disk encryption, secure boot, linux hardened, firewalld and most apps as flatpaks (with some disabled permissions using flatseal). I think its pretty secure laptop but it could be more secure.

Tails and Whonix are the most secure but they are not ment for normal daily use...

There is a lot of new immutable distros. Getting (system) malware is harder to get on them. Im most interested in blendOS, because its based. Does anyone know if it has full disk encryption, secure boot, etc. or can it be done by the user? What about other distros like Fedora Silverblue?

Any other recommendations?

Thank you :)

all 49 comments
sorted by: hot top controversial new old
[–] [email protected] 34 points 1 year ago (1 children)

While technically not a Linux distro, Qubes OS is the gold standard. With the primary cons being that it's kinda hard on system requirements and it doesn't play nice with dedicated GPUs and thus software that would require it.

Honorable mentions would be Fedora Silverblue/Kinoite/Sericea, Kicksecure, openSUSE Aeon/Kalpa and Vanilla OS. Of course, regular Fedora and openSUSE Tumbleweed are still good even without being immutable. The aforementioned distros all have varying levels of hardening out of the box. While the offerings of Fedora and openSUSE have better defaults than most other distros, Kicksecure -which is made by the same team behind Whonix- is almost completely hardened from the get-go. Vanilla OS is in a major overhaul, so I refrain from making any strong judgements on it yet.

For whatever it's worth, a couple of years ago the (infamous) Madaidan (AKA security researcher on Kicksecure and Whonix) did recommend running minimalist distros like Alpine, Artix, Gentoo and Void for the sake of security. However, he did that recommendation on the basis of minimalism and zero-trust. However, that would require the system administrator (read: you) to actually know their shit. Which, unfortunately, is often times not the case as not everyone that's sensitive of their digital security proceeds to study cybersecurity. That's where the "honorable mentions" in the previous paragraph come into play; all of the distros that were mentioned within actually have shown to take security very seriously and acknowledge with the amount of heavy-lifting they do that they hold a sense of responsibility in that regard.

Im most interested in blendOS, because its based.

I once had an interaction with its primary developer and the dude was oblivious on which MAC was configured on his distro; spoiler-alert: none. It does a bunch of cool stuff, but I wouldn't call it secure (by default) by any stretch of the imagination.

[–] [email protected] 6 points 1 year ago (1 children)

Thank you for your detailed answer! Im already using a minimalist distro (arch) with (almost) no problems. Before that I used Fedora. Becase of that and your recommendation I will probably switch to silverblue. Im a little scared of selinux (I was thinkering too much with fedora) but better with it than without. For AUR apps I will use distrobox. I would also like to try toolbx for my projects!

[–] [email protected] 5 points 1 year ago

Becase of that and your recommendation I will probably switch to silverblue.

Silverblue is incidentally also my daily-driver; custom image through uBlue's template to be more precise*.

Im a little scared of selinux (I was thinkering too much with fedora) but better with it than without.

Yup, SELinux is definitely a double-edged sword in that it's very powerful but can therefore be a bit more restrictive. Though, currently it's our only bet when it comes to confining containers as it's (vastly) superior over AppArmor in that aspect. Which explains openSUSE's recent conversion from AppArmor to SELinux for their distros that rely heavily on container workflows; like MicroOS, Aeon, Kalpa etc. Unfortunately it's not the easiest to understand, but I'm sure you'll manage 😉!

For AUR apps I will use distrobox.

Hehe, you know what's good 😛.

[–] [email protected] 15 points 1 year ago (1 children)

I guess you're getting to the point in security where you really should consider the cost/benefit of safety vs convenience. Do you really want or need to have an immutable system? While there's obviously an argument to be made about the security benefits on those distros, I'd say that they're mainly made for CI/CD, cloud environments etc, and probably not something you want to put in a laptop and use as a daily driver. Your laptop is likely already more secure than 99% of other laptops, and in the end all you need to not get malware are a firewall and common sense if you're not an exposed entity.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

I’d say that they’re mainly made for CI/CD, cloud environments etc, and probably not something you want to put in a laptop and use as a daily driver.

Why do you think that? Would you be so kind to elaborate?

[–] [email protected] 13 points 1 year ago (1 children)

Seems to me like you already have a secure setup. You just need to keep it secure. I personally can't imagine downgrading from using Arch to an inflexible immutable distro.

[–] [email protected] 9 points 1 year ago (1 children)

an inflexible immutable distro

Besides the somewhat unfortunate and false 'immutable' name, what makes them inflexible according to you?

[–] [email protected] -1 points 1 year ago* (last edited 1 year ago) (2 children)

Can't install a new system package for most immutable distros without going through some magic incantation, then doing a reboot as an example.

Everything immutable is designed to be inflexible for the user. Am not saying that it's a bad thing if that's what you clearly want.

[–] [email protected] 11 points 1 year ago

First of all, thank you for replying 💙 !

Can’t install a new system package for most immutable distros without going through some magic incantation

blendOS: Replace sudo pacman -Syu with system install

Fedora's 'immutable' distros: Replace sudo dnf install with rpm-ostree install

openSUSE's 'immutable' distros: Replace sudo zypper install with sudo transactional-update pkg install

While Guix and NixOS offer somewhat similar functionality with their guix install and nix-env -iA commands respectively, usage of said comments are rarely done by advanced users as other means to install packages are more sophisticated. And in terms of how sophisticated installing a mere package can get, one might argue that Guix and NixOS are to 'immutable' distros what Gentoo is to mutable distros.

And with that we just went over the 'immutable' distros that are prevalent in 95% of the discourse (besides Vanilla OS; but that one's in a major overhaul) and none of the commands found above strike me as particularly hard. Though, of course, your mileage may vary.

then doing a reboot

I'll just briefly mention that --apply-live exist for Fedora's immutable distros if you like living on the edge. Furthermore, both Guix and NixOS don't require a reboot in most cases. Finally, while the soft-reboot feature from systemd benefits all distros, one can't deny how impactful it is to 'immutable' distros in particular.

[–] [email protected] 4 points 1 year ago (1 children)

Everything immutable is designed to be inflexible for the user

laughs in NixOS being as flexible as Arch, having about the same number of packages and better stability, as well as offering rollbacks, a stable release if you want that breadth of package availability on a static release system, that also has a declarative configuration, making it far, far easier to set up over time, or on multiple machines

[–] [email protected] 0 points 1 year ago (1 children)

NixOS is very different from something like Fedora Silverblue or MicroOS. Am not even sure we are talking about the same thing here.

[–] [email protected] 3 points 1 year ago (1 children)

Still immutable. You can't make a claim about all immutable systems, when some don't follow the same principles and don't necessarily have the same limitations. With SilverBlue you can still use rpm-ostree and I think it is also possible to install such packages on MicroOS, but I don't know how.

[–] [email protected] 1 points 1 year ago (1 children)

Found an article that clearly describes what immutable distros are. I don't know where NixOS fits in all this.

My claim about them being inflexible is because that's how they are designed. Doesn't take 5 minutes to come to that conclusion compared to traditional distros.

[–] [email protected] 0 points 1 year ago (1 children)

They are not as flexible, but claiming them to be inflexible creates a false perception. It might not be as easy to change some parts of them, but it is certainly possible

[–] [email protected] -1 points 1 year ago

An saying that's how they are designed.

[–] [email protected] 10 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago (2 children)

Programming, school, and everything else.

[–] [email protected] 22 points 1 year ago (1 children)

You don't need a security focused distro to hide the hentai from your mom, nor to shield your 0.0047 XMR from hackers.

[–] [email protected] 3 points 1 year ago (1 children)

Why are you looking for security so much with that, besides paranoia that is. Welcome to the club.

[–] [email protected] 1 points 1 year ago

they are afraid they will be targeted by the government for existing

source: I know someone who does that paranoid shit, they are like 19

[–] [email protected] 9 points 1 year ago

How is blendOS based?

And personally most distros will do since linux is secure over all. I like Linux Mint personally and is good for programming and generic use.

[–] [email protected] 8 points 1 year ago (1 children)

Your setup is already pretty good, but I can recommend Silverblue with my personal use.

[–] [email protected] 5 points 1 year ago (2 children)

Thank you! Does silverblue support full disk encryption and secure boot?

[–] [email protected] 4 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago

Great, I will try it!

[–] [email protected] 2 points 1 year ago (1 children)

Also has an extensive SElinux setup.

[–] [email protected] 2 points 1 year ago

Great, thats one thing I miss about my current setup.

[–] [email protected] 7 points 1 year ago

Puppy Linux - the OS is spooled into RAM from a single signed compressed image. by default there is no write back to physical data store; this can include user folders etc. each boot can be a clean slate.

Since the OS itself is in a single compressed & signed package, if someone alters it via a sidecar boot to an alt OS, it and you would know.

When there are chain of custody issues it is pretty secure when added with the usual bevy of other securing options.

[–] [email protected] 6 points 1 year ago

nixos. make containers, easy encryption and firewall config, immutable /etc and a lot of small stuff that makes this more secure

[–] [email protected] 6 points 1 year ago

OpenBSD.

Period.

Sure, you can harden Linux to the same level of security. But OpenBSD comes with all the goodies installed out of the box.

[–] [email protected] 6 points 1 year ago

You want Qubes. And keep a stick of TAILS on you for high-risk situations. But Qubes is your easy daily driver.

[–] [email protected] 6 points 1 year ago

Depends on your use case, but any up-to-date distro is secure. Security issues mainly comes from the user's actions.

[–] [email protected] 5 points 1 year ago (2 children)

I'm not really into security-focused distros, but heard good things about QubesOS. Also, what about OpenBSD?

[–] [email protected] 3 points 1 year ago (1 children)

Openbsd is really good but it is not linux. It doesn't have as much packages as linux and may perform a bit slower on applications compared to it's linux counterpart. Also, drivers for some hardware may not be available for Openbsd. Some filesystems like btrfs are not supported.

Still, openbsd and freebsd are worth checking out for learning about UNIX like OSes and routers, servers etc. It can also be daily driven if you can make do with the available packages.

[–] [email protected] 2 points 1 year ago

We are talking about programming, studying, surfing the web and average computer usage. OpenBSD is more than enough for all that.

[–] [email protected] 1 points 1 year ago

Openbsd IS based. It might not be for the average joe, and it’s never cutting edge. FreeBSD is though. And Netbsd can run on just about anything

[–] [email protected] 5 points 1 year ago

Few of the recommendations here are good for general use. I'd recommend fedora silverblue

[–] [email protected] 4 points 1 year ago

Use qubes os I guess

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

a secure distro for normal daily use

Any distro, really. Tails and Tor may have some extra features but aren't mandatory by any means. Just make sure Common Sense Antivirus (tm) is g2g and you should be good.

[–] [email protected] 3 points 1 year ago

I would recommend VanillaOS because it's not as difficult as QubesOS and immutable with encryption.

[–] [email protected] -1 points 1 year ago (1 children)

I'm guessing pull the plug wile the computer and never log back into the internet. What are you so paranoid about.

[–] [email protected] 5 points 1 year ago

Come on, let people talk about stuff.

[–] [email protected] -3 points 1 year ago (1 children)
[–] [email protected] 11 points 1 year ago

NO! Pentest OSes are the opposite of secure

[–] [email protected] -4 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago