privacyguides.org/docs/linux-desktop.en.md
Jonah Aragon 9c0f39f19d
Update primary button text (#1095)
Co-Authored-By: Daniel Nathan Gray <dng@disroot.org>
2022-04-24 15:19:48 -05:00

16 KiB
Raw Blame History

title icon
Linux fontawesome/brands/linux

Linux distributions are commonly recommended for privacy protection and user freedom.

If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.

Traditional Distributions

Fedora Workstation

!!! recommendation

![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right }

**Fedora Workstation** is our recommended distribution for users new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), and soon, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). These new technologies often come with improvements in security, privacy, and usability in general.

[Homepage](https://getfedora.org/){ .md-button .md-button--primary }

Fedora has a semi-rolling release cycle. While some packages like GNOME are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.

openSUSE Tumbleweed

!!! recommendation

![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right }

**openSUSE Tumbleweed** is a stable rolling release distribution.

openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.

[Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary }

Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When the user upgrades their system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by openQA to ensure its quality.

Arch Linux

!!! recommendation

![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right }

**Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).

[Homepage](https://archlinux.org/){ .md-button .md-button--primary }

Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.

Being a DIY distribution, the user is expected to set up and maintain their system. Arch has an official installer to make the installation process a little easier.

A large portion of Arch Linuxs packages are reproducible.

Immutable Distributions

Fedora Silverblue

!!! recommendation

![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }

**Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.

[Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary }

Silverblue (and Kinoite) differ from Fedora Workstation as they replace the DNF package manager with a much more advanced alternative called rpm-ostree. The rpm-ostree package manager works by downloading a base image for the system, then overlaying packages over it in a git-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.

After the update is complete the user will reboot the system into the new deployment. rpm-ostree keeps two deployments of the system so that a user can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.

Flatpak is the primary package installation method on these distributions, as rpm-ostree is only meant to overlay packages that cannot stay inside of a container on top of the base image.

As an alternative to Flatpaks, there is the option of Toolbox to create Podman containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a useful feature for the discerning developer.

NixOS

!!! recommendation

![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right }

NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.

[Homepage](https://nixos.org/){ .md-button .md-button--primary }

NixOSs package manager keeps every version of every package in a different folder in the Nix store. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.

NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also test the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.

Nix the package manager uses a purely functional language - which is also called Nix - to define packages.

Nixpkgs (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.

Nix is a source-based package manager; if theres no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed pure environment, which is as independent of the host system as possible, thus making binaries reproducible.

Anonymity-Focused Distributions

Whonix

!!! recommendation

![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }

**Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet.

[Homepage](https://www.whonix.org/){ .md-button .md-button--primary }

Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway”. All communications from the Workstation has to go through the Tor gateway, and will be routed through the Tor Network.

Some of its features include Tor Stream Isolation, keystroke anonymization, encrypted swap, and a hardened memory allocator.

Future versions of Whonix will likely include full system AppArmor policies and a sandbox app launcher to fully confine all processes on the system.

Whonix is best used in conjunction with Qubes.

Tails

!!! recommendation

![Tails logo](assets/img/linux-desktop/tails.svg){ align=right }

**Tails** is a live operating system based on Debian that routes all communications through Tor.

It can boot on almost any computer from a DVD, USB stick, or SD card. It aims to preserve privacy and anonymity while circumventing censorship and leaving no trace of itself on the computer it is used on.

[Homepage](https://tails.boum.org/){ .md-button .md-button--primary }

By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data.

General Recommendations

Drive Encryption

Most Linux distributions have an installer option for enabling LUKS FDE upon installation.

If this option isnt set at installation time, the user will have to backup their data and re-install, as encryption is applied after disk partitioning, but before file systems are formatted.

When securely erasing storage devices such as a Solid-state drive (SSD) you should use the ATA Secure Erase command. This command can be issued from your UEFI setup. If the storage device is a regular hard drive (HDD), consider using nwipe.

Swap

Consider using ZRAM or encrypted swap instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to swap space. Fedora based distributions use ZRAM by default.

Wayland

We recommend using a desktop environment that supports the Wayland display protocol as it developed with security in mind. Its predecessor, X11, does not support GUI isolation, allowing all windows to record screen, log and inject inputs in other windows, making any attempt at sandboxing futile. While there are options to do nested X11 such as Xpra or Xephyr, they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.

Fortunately, common environments such as GNOME, KDE, and the window manager Sway have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in hard maintenance mode. If youre using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager (GDM, SDDM).

We recommend against using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.

Proprietary Firmware (Microcode Updates)

Linux distributions such as those which are Linux-libre or DIY (Arch Linux) dont come with the proprietary microcode updates. Some notable examples of these vulnerabilities include Spectre, Meltdown, SSB, Foreshadow, MDS, SWAPGS, and other hardware vulnerabilities.

We highly recommend that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.

Privacy Tweaks

MAC Address Randomization

Many desktop Linux distributions (Fedora, openSUSE etc) will come with NetworkManager, to configure Ethernet and Wi-Fi settings.

It is possible to randomize the MAC address when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network youre connected to. It does not make you anonymous.

We recommend changing the setting to random instead of stable, as suggested in the article.

If you are using systemd-networkd, you will need to set MACAddressPolicy=random which will enable RFC 7844 (Anonymity Profiles for DHCP Clients).

There isnt much point in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the network switch. Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fis firmware.

Other Identifiers

There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your threat model:

  • Hostnames: Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
  • Usernames: Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
  • Machine ID:: During installation a unique machine ID is generated and stored on your device. Consider setting it to a generic ID.

System Counting

The Fedora Project counts how many unique systems access its mirrors by using a countme variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.

This option is currently off by default. We recommend adding countme=false to /etc/dnf/dnf.conf just in case it is enabled in the future. On systems that use rpm-ostree such as Silverblue, the countme option is disabled by masking the rpm-ostree-countme timer.

openSUSE also uses a unique ID to count systems, which can be disabled by deleting the /var/lib/zypp/AnonymousUniqueId file.

--8<-- "includes/abbreviations.en.md"