10 best Linux distros for privacy fiends and security buffs in 2017
Introduction
The awesome operating system Linux is free and open source. As such, there are thousands of different ‘flavours’ available – and some types of Linux such as Ubuntu are generic and meant for many different uses.
But security-conscious users will be pleased to know that there are also a number of Linux distributions (distros) specifically designed for privacy. They can help to keep your data safe through encryption and operating in a ‘Live’ mode where no data is written to your hard drive in use.
Other distros focus on penetration testing (pen-testing) – these come with tools actually used by hackers which you can use to test your network’s security. In this article, we’re going to highlight 10 of the best offerings when it comes to both privacy and security.
1. Qubes OS
While definitely not for novice users, Qubes is one of the top privacy-conscious distros. The graphical installer must be used to install the OS to your hard drive, which will be encrypted.
Qubes OS uses the Xen Hypervisor to run a number of virtual machines, compartmentalising your life into ‘personal’, ‘work’, ‘internet’ and so on for the sake of security. This means if you accidentally download malware on your work machine for instance, your personal files won’t be compromised.
The main desktop uses colour-coded windows to show different virtual machines, making it easy for you to tell them apart.
2. Tails
Tails (which stands for ‘The Amnesiac Incognito Live System’) is probably the most well-known privacy-focused distro. It can be run from a DVD in Live mode whereby it loads entirely into your system RAM and will leave no trace of its activity. The OS can also be used in ‘persistent’ mode where your settings can be stored on an encrypted USB stick.
All connections are routed through the anonymity network Tor, which conceals your location. The applications in Tails have also been carefully selected to enhance your privacy – for example, there’s the KeePassX password manager. Do note that vulnerabilities are constantly discovered with Tails so be sure to check for updates (as you should do with any OS, of course).
3. BlackArch Linux
This lightweight pen-testing distro is based on Arch Linux. While relatively new, it contains over 1,600 different hacking tools, saving you the trouble of having to download what you need each time.
BlackArch can be run live from a USB stick or CD, or installed onto a computer or virtual machine. It can even be installed onto a Raspberry Pi to give you a portable pen-testing computer that you can carry anywhere.
The ‘anti-forensics’ category is particularly worth mentioning as it contains tools to scan your memory for passwords to encrypted devices. This helps protect your machine from a ‘cold boot’ attack.
4. Kali
Named after the Hindu goddess, Kali is one of the oldest and most well-known pen-testing distros. The Kali download page offers ISOs that are updated weekly, which can be run in live mode or installed to a drive. Kali will also happily run on ARM devices like the Raspberry Pi.
Kali’s reputation is so formidable that its creators offer training through the Kali Linux Dojo. Lessons include customising your own Kali Linux ISO and learning the fundamentals of pen-testing. For those unable to attend the training, all educational resources from the classes are available on Kali’s website free of charge.
5. IprediaOS
This privacy-oriented operating system is based on Fedora Linux and can be run in Live mode or installed to your hard drive. Just as Tails OS routes all your connections through the Tor network to anonymise your connection, Ipredia routes all your network traffic through the anonymous I2P network.
Features include anonymous email, BitTorrent client, and the ability to browse eepsites (special domains with the extension .i2p). Unlike Tor, I2P doesn’t act as a gateway to the normal internet, so Ipredia cannot safely access regular websites. The advantage of only accessing eepsites is that your connection is truly untraceable.
6. Whonix
Booting a Live operating system is a nuisance as you have to restart your machine, while installing it to a hard drive means there’s a risk of it being compromised. Whonix offers an elegant compromise by being designed to work as a virtual machine inside the free program Virtualbox.
Whonix is split into two parts. The first ‘Gateway’ routes all connections to the Tor network for the second ‘Workstation’ part. This hugely reduces the chance of DNS leaks which can be used to monitor what websites you visit.
As it runs in a virtual machine, Whonix is compatible with all operating systems that can run Virtualbox.
7. Discreete Linux
This intentionally misspelled distro is the successor to the awesome Ubuntu Privacy Remix. The OS contains no support for network hardware or internal hard drives, so all data is stored offline in RAM or on a USB stick. It can be run in Live mode, but when booting from a volume also allows you to store some of your settings in an encrypted ‘Cryptobox’.
Another clever feature is that kernel modules can only be installed if they’ve been digitally signed by the Discreete Linux team. This prevents hackers from trying to sneak in malware. Note that this operating system is currently in the beta testing stage.
8. Parrot Security OS
This pen-testing distro comes to us from the Italian team Frozenbox. Like Kali and BlackArch it categorises tools for easy access and even has a section for the ones you most commonly use.
Parrot is based on Debian but has much more colourful backgrounds and menus. As such, its hardware requirements are rather more than other pen-testing distros such as Kali. A minimum of 2GB of RAM is recommended.
For those with minimal resources, Parrot Cloud is a special version of the distro specifically designed to run on a server. It has no graphics but does contain a number of networking and forensic tools to allow you to run tests remotely.
9. Subgraph OS
Subgraph OS is based on Debian Linux and is designed for ultra-tight security. The kernel has been hardened with a number of security enhancements, and Subgraph also creates virtual ‘sandboxes’ around risky applications like web browsers. As such any attacks against individual applications won’t compromise the entire system.
A specialised firewall also routes all outgoing connections through the anonymous Tor network. Each application has to be manually approved by you both to connect to the network, and to access other applications’ sandboxes.
The OS is designed to be installed to a hard drive. Encryption of your file system is mandatory meaning there’s no danger of writing unencrypted data anywhere. Subgraph is still in its testing phase so do not rely on it to protect any truly sensitive data (and as always, keep regular backups).
10. TENS
Our tenth offering is, rather aptly, TENS (Trusted End Node Security). Formerly known as LPS (Lightweight Portable Security), this Linux distro has been designed by none other than the US Air Force and is NSA approved [PDF].
The public version of TENS is specifically designed to be run in Live mode, meaning that any malware is removed on shutdown. It includes a minimal set of applications but there is also a ‘Public Deluxe’ version which comes with Adobe Reader and LibreOffice. All versions include a customisable firewall, and it’s also worth noting that this operating system supports logging in via Smart Card.
- You can download TENS here (if you have issues downloading the ISO from the official site, check here for support)
使用Linux最具说服力的原因之一就是能够提供安全的计算体验。本文介绍了一些安全的Linux发行版,这些发行版额外增加了匿名选项,通过使用TOR、沙箱、防火墙等技术,可以更好的满足安全爱好者的需求,这之中涉及一些比较受欢迎的发行版比如Tails、Whoix、Kodachi等。
1. Tails
对于程序员来说,Tails是安全Linux发行版的默认选择。Tails或The Amnesic Incognito Live System,是一款基于Debian的Linux发行版,一个开放源码的发行版,大约在8年前被发布。通过Tor重定向所有Web流量,Tails实现了匿名功能。
由于Tails将所有内容存储在RAM中,并且避免了使用硬盘。一旦关闭,它就会擦除所有内容。此外,由于默认的GNOME桌面环境,Tails也适用于一般开发者。
2. Whonix
与Tails一样,Whonix也基于Debian GNU/Linux。这个私有操作系统由两个虚拟机组成,虽然一个VM是运行Debian的“Tor Gateway”,但另一个是“Workstation”。请注意,Whonix可以安装在Linux、Windows、macOS或Qubes主机操作系统上。通过利用Tor的开放和分布式中继网络,Whonix打破了网络监控的可能性。
为了安全起见,该发行版隐藏了用户真实的IP地址。此外,许多预安装应用程序在Whonix中进行了流隔离,并且使用专用的Tor SocksPort增加了额外的安全性。
3. Qubes OS
Qubes OS也被称为世界上最安全的操作系统,它通过Xen虚拟机管理程序执行虚拟化,虚拟机管理程序模仿硬件并允许运行多个虚拟机。Qubes OS的用户环境可以是Fedora、Debian、Whoix和Windows。
在Qubes中,通过将硬件控制器转换为功能域来执行隔离。它也将活动区域分为不同的信任级别,例如工作领域,购物领域,随机域等。所有这些领域都运行在不同的虚拟机中。使用这种技术,即便出现一个漏洞被利用,攻击者也无法接管整个计算机。
4. Subgraph OS
Subgraph OS是基于Debian的安全Linux发行版,承诺提供匿名体验和强化功能。 经Edward Snowden批准,Subgraph OS旨在避免不同的恶意软件攻击。
Subgraph OS运行在沙箱环境中,该环境运行诸如Web浏览器、具有内置加密的电子邮件客户端、LibreOffice、PDF查看器、视频播放器、Hexchat等应用程序。它包含一个硬化内核,具有grsecurity/ PaX补丁,可保护所有流程免受攻击。这个Linux发行版自定义的代码是用Go写的,这是一种内存安全语言。它还包括一个应用程序防火墙,确保访问意外的出站连接时也可受到保护。
5. Discreete Linux
Discreete Linux是一个免费的软件项目,有些人可能会将这个安全的Linux发行版看作Ubuntu Privacy Remix。它基于Debian,它承诺保护用户免受特洛伊木马监控的攻击,目前正处于测试阶段。
Discreete Linux适合于不深入了解计算机但认为互联网安全是主要关注点的人。Discreete Linux借助加密和孤立的环境,构建了一个安全的工作环境。 这个匿名Linux发行版的内核模块只有在开发人员团队进行数字签名的情况下才能安装。此外,它甚至不支持内部硬盘驱动器或网络硬件。相反,它将其所有数据存储在RAM或外部驱动器中。
6. Kodachi
Kodachi Linux基于Debian GNU / Linux,安装运行Kodachi很简单,不需要投入过多时间或精力。Kodachi Linux使用户可以从PC硬件启动或外部USB驱动器选项进行额外的安全性选择。
通过运行带有活动VPN连接的Kodachi系统,TOR和DNScrypt服务可提供良好的隐私,所有与互联网的连接都被迫通过上述服务。整个操作系统从易失性RAM存储器运行,因此在关闭之后,不会留下任何活动痕迹。Kodachi Linux还提供最新的隐私工具,用于电子邮件,加密和即时消息,Xfce桌面环境使其在旧机器上更为有用。
7. TENS
TENS Linux for security表示可信终端安全,以前被称为LPS或轻量级便携式安全。基于Arch Linux,TENS可以在任何支持Intel的机器上运行。由于它仅在内存中启动,因此它作为用户的安全终端节点。它加载了加密向导,这是一个简单而强大的加密软件,用于保护敏感信息。TENS 还支持美国政府网站上使用的CAC和PIV接入节点。总体而言,它有最小的应用程序,以确保更少的感染机会和更好的性能。
8. Tin Hat
来自硬化的Gentoo,Tin Hat Linux是一个安全的操作系统,可提供快速安全的Linux体验。Tin Hat Linux完全在RAM中,不会直接从引导设备装载任何文件系统,因此避免了任何数据丢失的机会。如预期那样,您可以从CD或USB闪存驱动器启动。
请注意,在开始使用Tin Hat Linux进行安全和匿名之前,程序员应该了解Gentoo Linux的工作原理,它可以在32位和64位硬件架构上运行,桌面环境围绕GNOME构建。许多应用程序,如Firefox、电子邮件客户端、LibreOffice和视频播放器都已预装在Tin Hat Linux上。
除了上述Linux发行版之外,还有许多其他选项,哪个安全的Linux发行版是您的首选? 请在下面的评论中告诉我们您的意见。