Most secure Linux distros in 2018

Think of a Linux distribution as a bundle of software delivered together, built on the Linux kernel (the core of a system, which connects software to hardware and vice versa), together with a GNU operating system and a desktop environment that gives the user a graphical interface for operating the system.

Linux has a reputation as being more secure than Windows and Mac OS due to a combination of factors – not all of them about the software.

Firstly, although desktop Linux use is growing, Linux is still far less common on personal computers than Windows, so it is a much smaller target. The Linux community also tends to be more technical. There are technical reasons too, including fundamental differences in how distributions tend to be architected.

Nevertheless, over the last decade security-focused distributions have started to appear, which will appeal to the privacy-conscious user who wants to avoid the worldwide state-sanctioned internet spying that the west has pioneered and continues to innovate in. Of course, none of these will guarantee your privacy, but they're a good start. Here we list some of them.

It is worth noting that security best practice is often about process rather than technology: avoiding careless mistakes such as missing patches and updates, and using your common sense about which websites you visit, what you download, and what you plug into your computer.

Qubes OS

A suitable distribution for home use, Qubes OS is an operating system that splits itself into two virtualised environments to boost security through isolation.

Virtual machine creation and management is based on the Xen hypervisor, and Qubes environments can be based on Fedora and Debian, as well as Whonix (more on that later).

When the distro was launched in 2012, the founder of Invisible Things Lab, which created Qubes OS, said at the time that it was a "reasonably secure OS", because it is unwise to make definite statements in security unless the developer is 100 percent confident that it is secure (in which case, you might be looking at snake oil).

“In Qubes OS we took a practical approach and we have tried to focus on all those sensitive parts of the OS, and to make them reasonably secure,” she said. “And, of course, in the first place, we tried to minimise the amount of those trusted parts, in which Qubes really stands out, I think.”

It is regularly updated. Note that while it can be booted via USB, that is not a particularly stable way to run the distro, so your mileage may vary. And while it can be booted inside a virtual machine, that method won't take advantage of all the security that's baked into the OS.

Edward Snowden endorsed Qubes OS in September 2016. “No one does VM isolation better,” he said, adding that it’s “not bulletproof” but “nothing is”.

“It’s as close as you can get right now,” Snowden added.

Tails OS

First released in 2009, Tails OS is a lightweight Debian-based Linux distro designed with security in mind: it forces all outgoing connections through the Tor network and blocks any traffic that would bypass it.

Most of the system RAM is overwritten when Tails is shut down or when the boot medium (a live DVD or USB stick) is removed. Tails avoids using the hard drive and stores as much as possible in RAM. Memory allocated to processes is erased too. Check here for more technical details on what the software is doing during the memory erasure process.

NSA whistleblower Edward Snowden is among Tails’ users.

But it's perhaps a victim of its own success. A 2014 report noted that the American intelligence apparatus was paying special attention to Tor and Tails users.

Most likely you won't want to use this as your main distro. It's better suited to booting from a USB stick. And if you're really security conscious (paranoid?) you'll only boot it on a machine that's free from Windows, and on public networks, to mask your location.

You'll now need a 64-bit processor to run it (present in most modern machines). One thing to watch out for is that the software on your install of Tails won't be updated, so if there's a critical patch for some of the software bundled with Tails, you won't get it until Tails itself is updated and freshly installed, potentially leaving you exposed.

Heads OS

Heads OS is also a 100 percent FOSS distro that's active as of this year, with the latest version 0.4 released in March 2018.

It distinguishes itself from Tails because Tails contains non-free software, the developers say. They have also dropped the systemd init system that Tails uses because, they argue, it's a bloated piece of software that is difficult to audit.

As you might expect, the OS runs on a hardened kernel and offers Tor-routed browsing as an option.

Find out more here.

Whonix
Whonix is an unusual Debian-based Linux distro that runs in two VMs at once: a workstation for the operating system itself, and a 'gateway' that routes all traffic through the Tor network. This means that if your traffic is compromised, your core OS isn't.

Unlike Qubes OS, Whonix is well suited to running in a virtual machine on your existing OS, creating a VM within a VM. This adds another layer of security by isolating your workload from the host OS.

Setting up a distribution in a VM is a pretty simple procedure. Pick your VM software (there are FOSS options out there: for instance you could spin up a VM on FOSS-Cloud, or use Oracle's FOSS hypervisor for x86 machines, VirtualBox), download the .iso image, and attach the iso to the VM as its boot medium.

However, unlike Tails, Whonix preserves its past state after rebooting. This helps security on the Tor network; however, it does mean that old states could potentially be accessed by an attacker. There's a workaround that involves snapshotting clean VM images and booting clones as and when they're needed, which a Reddit user on the Tor subreddit helpfully outlines here.
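The snapshot-and-clone workaround described above, written out as an added example for VirtualBox's VBoxManage command-line tool (VirtualBox being the FOSS hypervisor mentioned in the VM setup paragraph). This script is not from Whonix, the Reddit post or the article; the VM name "Whonix-Workstation", the snapshot name "clean" and the clone name "Whonix-Workstation-session" are placeholders, and the script prints the commands it would run unless VBOX_DRY_RUN is set to 0 on a host with VirtualBox installed.

```shell
#!/bin/sh
# Added example: keep a clean snapshot of the Whonix workstation VM and boot a
# throwaway linked clone for each session, so state from an earlier session
# never survives into the next one. Names below are placeholders.
# Dry-run by default: prints the VBoxManage commands. VBOX_DRY_RUN=0 executes them.

VBOX_DRY_RUN="${VBOX_DRY_RUN:-1}"

# Print or execute a VBoxManage command, depending on VBOX_DRY_RUN.
vbox() {
    if [ "$VBOX_DRY_RUN" = "1" ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Step 1 (once): after installing and fully updating the base VM, power it off
# and freeze it as a named snapshot. From now on the base VM is never booted.
take_clean_snapshot() {
    base="$1"; snap="$2"
    vbox snapshot "$base" take "$snap" --description "clean baseline, do not boot directly"
}

# Step 2 (every session): make a linked clone from the clean snapshot and boot it.
# A linked clone stores only the differences from the snapshot, so it is quick
# to create and leaves the base disk image untouched.
boot_clone() {
    base="$1"; snap="$2"; clone="$3"
    vbox clonevm "$base" --snapshot "$snap" --options link --name "$clone" --register
    vbox startvm "$clone"
}

# Step 3 (end of session): power the clone off and delete it together with its
# differencing disk, so nothing from the session is left on disk.
discard_clone() {
    clone="$1"
    vbox controlvm "$clone" poweroff
    vbox unregistervm "$clone" --delete
}

# Typical use from a terminal (placeholder names):
#   . ./whonix-clone.sh
#   take_clean_snapshot Whonix-Workstation clean            # once
#   boot_clone Whonix-Workstation clean Whonix-Workstation-session
#   discard_clone Whonix-Workstation-session                # when done
```

Run it once in dry-run mode to review the exact commands before setting VBOX_DRY_RUN=0. The same three steps apply to the gateway VM if you want that reset between sessions as well; whether to do so is a trade-off between a clean state and the Tor-side benefits of preserved state that the paragraph above mentions.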

OpenBSD

The free and open source OpenBSD evolved from the Berkeley Software Distribution from the University of California, Berkeley, and NetBSD forked from OpenBSD. OpenBSD has a reputation for thorough code auditing and security by design, with built-in cryptography features as well as packet filtering, which is essential for firewalling inbound traffic. OpenBSD's packet filter has been ported to other OSes.

OpenBSD (and NetBSD) introduced a security feature in 2017 that randomises where its components reside in a system's memory, making them fundamentally more difficult to compromise.

The security-by-default design of the OS means it is a tough nut to crack on a fresh install, and revisions are made regularly to improve that security, for example the recent decision to disable Intel's hyper-threading following the Spectre hardware vulnerability scandal earlier this year.

Debian/CentOS

Neither of these distributions is 'security-first' like Qubes OS or Tails, but for security-conscious home users they are good options, not least because they have strong community support and engagement, continuous patching, and the resources for security auditing and quality assurance.

Long-running free and open source Unix-like Debian had its first stable release over two decades ago, so features have (obviously) come and gone since then. There is readily available support, and the OS is currently at 9.4 ('Stretch'), with version 10 planned for early 2019. From the start the project has taken a transparent, public-disclosure approach to security and undergone plenty of revisions to boost its infosec credentials. The Register posted a thorough review of the stable version 9 here, noting that although it skipped Secure Boot support, there were a series of revisions to improve the overall security of the OS.

It’s worth noting that Ubuntu by Canonical, which is based on Debian, was given the seal of approval by British intelligence service GCHQ back in 2014.

CentOS is based on and associated with (but separate from) Red Hat Enterprise Linux, a free equivalent that's regularly maintained by a dedicated team and its wider community. For home use, you'll probably want a distro like Fedora, an early adopter of the Security-Enhanced Linux (SELinux) kernel module, which is user-friendly and has good, regular community support.

Honourable mentions

The relatively recent Debian-based project Subgraph OS is designed for security and billed as an "adversary resistant computing platform" by the developers. It was, they say, "designed to reduce the risks in endpoint systems so that individuals and organizations can communicate, share, and collaborate without fear of surveillance or interference by sophisticated adversaries through network-borne attacks." Take a look at the kernel info here.

It has also received an Edward Snowden shout-out, but it should be noted that the OS is in the alpha stage and so can't be recommended as a secure distro yet. Linux.com's Jack Wallen noted earlier this year that the OS is complex to boot via USB, and there are also bugs being ironed out to make it work in a VM environment, where it currently struggles.

Other distros designed with security and/or privacy in mind include IprediaOS and Discreete Linux.

Adjacent to secure OSes is Kali. Completely unsuitable for beginners or as a home distro, this is an OS specifically designed for penetration testing and ethical hacking, with a fairly steep learning curve. But don't let that dissuade you if you're interested in infosec; just proceed carefully.

Created by the Frozenbox dev team, the active ParrotSecurity distro is, like Kali, designed for specialist use in IT security, meaning penetration testing and the like. It's based on Debian and available for 32- and 64-bit architectures and a slew of armhf architectures too. While it'll mainly appeal to infosec professionals, the distro also bundles tools for development as well as private browsing, all out of the box.

Copyright © 2018 IDG Communications, Inc.