Which OS for private secure internet browsing PC?

Hi All,

I’ve bought a new mini PC that I’m going to use specifically for internet browsing. I’m looking for a simple hardened OS that will provide good security and privacy by default. I will only be using a browser to “browse” and save files while connected to VPN. Nothing else. Looking for something that is easy to use and requires little or no configuration. I don’t need anything as extreme as Tails, Qubes OS, etc.

Would something like SecureBlue be a good choice? Or do you have any other recommendations that may fit the bill?

Many Thanks

https://aeondesktop.github.io/

1 Like

What does Aeon do better or worse compared to Fedora Silverblue? How good is KDE support as of now?

Maybe using something like ChromeOS Flex?

I understand it’s Google. But it just works the way you want; the only problem is Google and the mandatory Google account sign-in.

1 Like

Secureblue is good enough, and has very few friction points. Also look into layering Whonix over it if you want a Tor connection. Or just layer Tor Browser if your needs aren’t too demanding. If you don’t need Tor, look into Brave and hardened Chromium (this is the default on secureblue).

1 Like

Currently I use Tails in Boxes… Would Whonix be a better bet in Secureblue?

Also watcha mean by layering Whonix? Wouldn’t you shove it in VirtualBox or Boxes/Virt? :thinking:

Please check Privacy Guides recommendation.

3 Likes

Most of the recommendations by PG don’t conform to the requirements listed by OP.

Non-atomic distros are disqualified because they require configuration and maintenance, and are not hardened.

Among atomic distros, none of the current recommendations are hardened. By definition they are base distributions intended for general use.

Whonix is a useful recommendation, but it requires a secure host to run in. A VM is only as secure as its host is.

OP has disqualified Tails and Qubes, and would probably not like Kicksecure either, since there are similar frictions.

I have always held the opinion that PG desktop recommendations are flawed as of now, and do not actually have a recommendation for a hardened, user-friendly, no-configuration base for running secure VMs like Whonix.

Tails is not intended to run in VMs. The primary security and privacy benefit of Tails is non-persistence on storage memory by using only RAM. It’s a live CD program, not a VM OS.

Better than tails in VM? Yes. Whonix is specifically designed to run in VMs.

Take a look at this for more help: Whonix on Fedora Silverblue - Unsupported Platforms - Whonix Forum

It’s a term used by atomic distros like Secureblue/Fedora, it just means installing a program into the base OS instead of a flatpak, or on brew, etc… My bad for not explaining it.

1 Like

You can use Arch and do a manual install so you only have what’s strictly needed for you.

But you can’t have an easy to use/no setup AND hardened setup.

You can though? There is secureblue. It’s hardened, uses hardened malloc, uses hardened Chromium with Vanadium patches, disables most of the useless stuff that increases attack surface area, and is based on atomic stable distros like Fedora Silverblue.

Don’t really see where you are getting that nothing like that exists. Also, Fedora Atomic might become more like secureblue over time as they keep implementing more and more security measures. Then the hardened malloc and native hardened Chromium would be the only big differentiator over time (both of which are still significant security gains).

Also recommending Arch or Gentoo or anything similar for non-sadomasochist users is not nice :frowning:

1 Like

I haven’t properly tried Silverblue in quite some time.

One of the pros of Aeon is that it only supports and focuses on GNOME, but if you use KDE, then this is a con.

There is also openSUSE Kalpa, but it’s very far behind Aeon, and the reason why is KDE.

Thanks for everyone’s input so far.

To clarify I don’t need total anonymity and want fast uploads/downloads so I’m discounting anything using Tor.

I’m decided on going with either Secureblue or Kicksecure.

Which of the two choices would be better for installing directly to SSD, and using out of the box (other than configuring VPN)?

Could you explain what you mean by frictions in KS?

Basically I’m a Linux noob so there’s no point in using anything where it requires knowledge and know-how to make secure, because I wouldn’t know where to start!

In my opinion, that would be secureblue. It’s based on Fedora, and has an easy GUI for everything a basic user wants to do. Just go through the steps listed in SecureBlue and follow basic on-screen instructions. Finally, perform the post-install steps and you are good to go.

Kicksecure brings in some friction like:

  1. It’s based on Debian, and is a traditional Linux system. This means it requires maintenance and command line. Plus it’s Debian stable, so not exactly cutting edge. Complete opposite of Fedora Atomic based distros.
  2. Updating firmware is hard. (They might have made it easier? Not sure.)
  3. It makes a lot of opinionated choices, especially when it comes to password managers, browsers, etc. A normal user would have to fiddle stuff around a lot to suit their preference, most of which would be command line again.
  4. It’s too locked down sometimes. (Which is excellent for some threat models, not much for others)

No worries there. Projects like Atomic Fedora, OpenSUSE Aeon, etc. were made to make Linux simple for basic users. Projects like SecureBlue exist to give you secure defaults out of the box, no need to fiddle with security settings.

Just install secureblue as detailed on their GitHub. Download the Linux app of whatever VPN service you use (or download their WireGuard config files and use native Linux VPN). Download Brave/Use the default hardened Chromium. Start browsing reasonably safely :slight_smile: . You can also use the browser to view PDFs safely.

Here are some quotes from the founder of Aeon:

Technically ostree is a burden that slows a system down the more you pile atop it… and a very painful proposition for infrastructure, mirrors, et al

I don’t think any popular distro can afford to embrace ostree the way SB has

I do not think we share one line of common code in all that makes SB different from Fedora or Aeon different from TW

So suggesting there is any technical similarities at all is downright silly

We don’t even have our own flatpaks like Fedora does (which is probably why people keep citing broken flatpaks on Fedora… flathub has better ones)

Philosophically - Silverblue falls into the same trap as KDE and many other FOSS projects fall into - thinking that “customising everything” is a valid usecase

Aeon prioritises getting things right and getting out of the way, rather than focusing on letting people tinker instead of using their system

For us, immutability is a route to ensuring your system keeps working

For SB it’s an excuse to try different ways of breaking your system/trying out new toys

Wildly different mindsets

This is why features like rebasing and composability/determinism are mostly irrelevant to Aeon

It aims to be an OS you shouldn’t need to heavily play with, just one to use… you can’t say that about Silverblue, NixOS, Tumbleweed and many other distros out there


Those distros use immutability as part of a story about customisation

I think heavy customisation is already better done in traditional distros built for it - the community who wants that is well served by Tumbleweed

Aeon doesn’t want to be messing around with rebasing and stuff like Silverblue or spinning up hundreds of different flavours like Universal Blue

We want to get it right and use our immutability to keep it right, working and self healing

Installing anything via transactional-update should be a last resort done sparingly for edge cases and quirks we can’t handle for everyone together


Comparing Aeon to Silverblue is a bit like comparing a family car to a Battle Tank

Sure they’re both vehicles, and have wheels, and drive

But there really isn’t any commonality, no technical relationship, and there’s no intention by Aeon to walk in Silverblue’s footsteps

We’re walking our own path and do almost everything differently, from our update stack to flatpaks being user installed not system wide

Why haven’t you simply referred to the recommendations on PG?

PG does not recommend Secureblue - it recommends Fedora Workstation, which is the OG Fedora and the easiest to use as someone new to Linux. Don’t go for Silverblue or any other Fedora variant.

Have you even tried Aeon or secureblue?

Have you read the thread on secureblue and why PG voted to not recommend it?

Because the OP explicitly asked for a hardened OS.

Outside of the obvious conflict of interest, Aeon is definitely an interesting project. I want to see a bit more of it in general use before I say it’s better than Fedora SB. Two additional points though:

  1. Fedora is moving to bootc from rpm-ostree, and might eventually move away from ostree overall.
  2. Aeon’s transactional updates may still bork the system, ostree definitely can’t.

A couple of issues:

  1. There was no “PG voted to not recommend”. Not adopting does not mean rejection, it also means waiting and seeing. Also, PG isn’t some democratic, representative entity, and all of the decisions are dependent on owners of the website. There are still matters with a lot of votes not adopted, and lots of issues that were adopted despite not so significant vote count. It all depends on what PG owners wish to make happen or not make happen. PG is not a democracy (and that is not a problem).
  2. I don’t take PG’s recommendations as edicts from a supreme being. It’s more of a “some random strangers are saying something, so maybe I should check it out”, rather than “the god emperor has spoken, and anyone shouldn’t dare to venture out of what is known by them”.
  3. I have read the entire thread back to front, and there is not a single technical objection that wasn’t objectively clarified. The only objection is “single maintainer” (which should also disqualify any project under DivestOS, which would be a horrible thing), and that it was new. Both of the objections have been rectified slightly, with more maintainers on the project, and it being recognized by a lot of trusted projects like GrapheneOS.

If you have a technical argument against it outside of “PG didn’t put it on the website”, do ping again :slight_smile:

2 Likes

OP is brand new to Linux and you want to recommend an atomic distro?

Yes. If my grandparents can use one, OP can too. It’s no different from a Chromebook or Windows or MacBooks in user experience with regards to maintenance and installation of apps. Traditional Linux users need to look outside of their command line to see atomic is the future for “Year of the Linux desktop”. Nobody basic wants to fiddle with config files, nobody basic wants to write shell commands, and nobody basic wants to access apps outside of easy to use app stores.

Most Linux users dunk on atomic distros because they don’t support the advanced configs and customization on the fly that most Linux users are used to. But basic users aren’t “most Linux users”. Go look at the numbers of Bazzite adoption over time and compare it to any other non-atomic distro. The delta of users gained would surprise you.

Nobody wants to fight their computer, and atomic distros ensure they get out of your way.

Anyway, this is not a discussion on atomic vs non-atomic. OP asked for something specific to run “only browser” on, I helped them with what I thought would work for them. If you have a technical critique on why they shouldn’t use it to run a browser, please continue, otherwise create a new thread.

3 Likes