filesystem based encryption is really cool.
Can’t agree more.
filesystem based encryption is really cool.
Can’t agree more.
Sorry to be that guy, but you should just sit down and go over Qubes OS’ documentation. Some specific entries that might prove useful:
If you ask me, read a lot more beyond these. But if you really got no time, then at least suffice with the aforementioned.
Wish ya good luck!
Mandatory read on the subject for the curious (also goes over Secure Boot, Boot Guard etc):
The pursuit of Freedom led me to Linux.
Are you referring to Qubes OS? If so, what do you mean exactly with hardware support?
I think we’ve probably already spoken on the matter.
That’s definitely possible. Unfortunately, I don’t recall it 😅.
Indeed, Lemmy has a serious dearth of users interested and using secure distros over the averages.
It’s definitely better at this than the platform that starts with an “R” and rhymes with “shit”.
Thanks for your efforts; I do not know how to follow users on Lemmy but if I did I’d follow you. Do you have a blog/any other forum you’re more active on?
That’s such a compliment. This is definitely one of the nicest things I’ve read on Lemmy. I really appreciate it.
Unfortunately, I’m only somewhat active on Lemmy. FWIW, consider checking out the following places if you haven’t yet:
And, of course, Qubes OS’ forums.
Personally, I find it difficult to justify the time to learn Secureblue (especially the immutable part) or NixOS on Qubes because custom DispVMs with curated salt states work so well already. I’m interested in use-cases that will improve my security but I haven’t found any dialogue on this yet. If you do have opinions on this and know where I can look, I would greatly appreciate it!
As I’ve previously alluded to, I don’t have any hands-on experience with Qubes OS yet. So, I don’t think I can contribute meaningfully in this discussion. However, IIRC, there are some discussions found on the forums/discussions page for Qubes OS.
Aight. I’m glad to hear that that has been resolved. I’d love to hear about your experiences on secureblue, so consider to report back. Finally, note that as a hardened distro, some things might work differently from what you’d expect. So be prepared to relearn a thing or two 😉.
Whonix is an OS exclusively meant to be used within a VM; at least, until Whonix-Host is released. Therefore, I didn’t include it as it’s not actually competing within the same space; as it can be run on any of the aforementioned systems within a VM. Finally, it’s worth noting that by its own documentation, it’s desirable to do so with Qubes OS.
Please allow me to link to an earlier comment of mine that goes over this in more length. You may also find it copied-and-pasted down below:
First of all, apologies for delaying this answer.
Disclaimer:
Qubes OS >> secureblue >~ Kicksecure
Context: Answering this question puts me in a genuinely conflicted position 😅. I have immense respect for the Kicksecure project, its maintainers and/or developers. Their contributions have been invaluable, inspiring many others to pursue similar goals. Unsurprisingly, some of their work is also found in secureblue. So, to me, it feels unappreciative and/or ungrateful to criticize them beyond what I’ve already done. However, I will honor your request for the sake of providing a comprehensive and balanced perspective on the project’s current state and potential areas for improvement.
Considerations: It’s important to approach this critique with nuance. Kicksecure has been around for over a decade, and their initial decisions likely made the most sense when they started. However, the Linux ecosystem has changed dramatically over the last few years, causing some of their choices to age less gracefully. Unfortunately, like most similar projects, there’s insufficient manpower to retroactively redo some of their earlier work. Consequently, many current decisions might be made for pragmatic rather than idealistic reasons. Note that the criticisms raised below lean more towards the idealistic side. If resources allowed, I wouldn’t be surprised if the team would love to address these issues. Finally, it’s worth noting that the project has sound justifications for their decisions. It’s simply not all black and white.
With that out of the way, here’s my additional criticism along with comparisons to Qubes OS and secureblue:
What are the main advantages of using this, that make it more secure?
More secure compared to your average distro? Or more secure compared to a specific set of distros? Unless, this is properly specified, this comment could become very unwieldy 😅.
Thanks in advance for specifying!
I daily drive secureblue; or, to be more precise, its bluefin-main-userns-hardened
image.
“Why?”, you ask. Because security is my number one priority.
I dismiss other often mentioned hardened systems for the following reasons:
Nix, the package manager, is distro-agnostic. Add Home Manager on top of it and you’re good to go; both packages and dotfiles are dealt with.
If security is a serious concern of yours, perhaps consider NovaCustom’s offerings instead. Intel BootGuard is coming to their new models (i.e. the 14 inch V54 the 16 inch V56). Add Dasharo’s coreboot, the possibility to disable Intel Management Engine, (soon hardware-based) kill switches, open source EC, ongoing work to get it Qubes OS certified (like how they managed on their NV41) and perhaps even Heads (also like how they did on NV41). We haven’t even talked about how they’ll soon achieve HSI-3 and their plans to tackle Trenchboot next year.
It’s a lot of good stuff. And simply unheard of for vendors that are Linux-first. Heck, if their ongoing work on lvfs
delivers and they manage to put out updates like industry leader (at least in this regard) Dell does[1], they might even be a contender for most secure laptop for general use.
While it may seem as if I’ve been gushing a lot already, I have not even mentioned how they fare in other important aspects:
It’s a pity that they’re underappreciated and underrated for not putting as much money into advertising as they do on delivering an excellent product.
I could probably summarize your experience as “skill issue”.
I don’t understand the hype of immutables, or usability even.
I suppose this article/blogpost by Lennart Poettering should suffice. Though, this article/blogpost by Colin Walters is also cool.
I tried Bazzite today after Nobara nuked itself, and I couldn’t even paste my old Firefox profile since the actual folder apparently sits within the immutable folder structure.
This is simply false as pointed out by others already.
I didn’t even have time to reach the software limitations with how fast I tried the next distro.
You will have a very hard time on Linux with that mindset. And, to be honest, literally any OS you aren’t already familiar with.
Still hopping though, because apparently Fedora just nukes itself when you try to install codecs
I wouldn’t be surprised if you just searched this through your favorite search engine and settled with whatever random solution you came across instead of relying upon RPM Fusion’s documentation on the matter.
and I think I have about every major distro tested by now.
While this could be true, I wonder what prevented you from sticking with any one of them.
Linux is cursed.
It’s definitely a lot harder if you’ve got major skill issues.
Thanks for clarifying!
IMO immutable distros aren’t a best fit for a desktop computer. It can do so much more than gaming and turning it into a dedicated console is a step back if a normal linux distro can do just as well.
I would personally nuance this to: “Current iterations of ‘immutable distros’ that have evolved from traditional distros haven’t matured sufficiently yet to tackle 99.99% of the use cases ‘easily’.” The exact number on the percentage I don’t know. I believe most people that use their PCs as a glorified app launcher should be more than fine. But we start experiencing major difficulties the very moment that (a)kmods are involved; some of which are ‘supported’~ish, while others certainly aren’t.
But, I simply fail to see why a future iteration would not be able to solve related issues.
Those definitely amount to a major difference. Thanks for clarifying!
Thank you. This does give an idea.
It has been my pleasure.
Follow up question : Is Arch really that good?
Depends entirely on your needs. There is a use case for Arch. However, if you’re completely new to Linux, then it’s very likely that a ‘slower’-moving distro (like (anything based on) Debian (or Ubuntu)) might better suit you.
Wait for Ubuntu Core Desktop to come out.
To me, Endless OS seems to be the best fit for you; install it once and you never ever have to give it a second glance for troubleshooting or whatsoever. It achieves this through using “a read-only root file system managed by OSTree with apps installed using Flatpak.”. This translates to: