I’d like to break my feedback into separate posts, each covering a single topic, to keep things clear. First, I have to say I’m genuinely impressed with Kicksecure. Over the years I’ve written countless post-install scripts just to harden a vanilla Debian installation. Despite trying several distributions, I always end up back at Debian, only to be frustrated by its insecure defaults and the tedious manual hardening required. Literally editing config files till I go crazy lol. Kicksecure feels refreshingly different: the defaults are already security-focused, which is fantastic. Kudos to the developers and the community!
Installation Details
Version: Kicksecure 17.4.4.6
Install medium: Sandisk USB
Partition format: ext4 (auto-formatted)
I flashed the ISO to one USB stick, then used a second USB as the target for the installation (for testing purposes).
Missing “Etc/UTC” Timezone Option
Under timezone there is no Etc/UTC, which I really wanted to set and had to set post-install with timedatectl set-timezone "Etc/UTC". This isn’t really Kicksecure’s fault but a Calamares configuration issue. I believe this timezone is omitted or ignored in the default installer, but I haven’t dug enough yet to see.
Can’t show LUKS password (LUKS Password Visibility)
Again, this is an installer-side matter rather than a Kicksecure problem. While many installers (e.g., Ubuntu) let you toggle password visibility for user accounts, the Calamares stage that collects the LUKS passphrase lacks such a toggle. In a previous Debian install, some time ago, I entered the wrong LUKS password. I had to reinstall cause I was off on the keys I set for the LUKS password at this stage.
Is there a way to expose a “show password” option for the LUKS field in the Calamares configuration? If not, perhaps this could be proposed upstream to libkpmcore?
FYI, Kicksecure 18 is out and 17 will likely be deprecated soon. If you have the time, you might want to give it a shot, it has a lot of neat security improvements over version 17 (like Wayland by default and a “panic button” for instant shutdown).
Using Etc/UTC as a timezone is more of an anonymity measure than a security one, and we generally keep the anonymity enhancements in Whonix. That being said, this does still sound like a useful feature, maybe you could file a request for this at https://codeberg.org/Calamares/calamares/issues?
That would also be a good thing to file a feature request for. Doesn’t look like the feature exists at first glance.
Feeling kinda stupid here but I meant 18.0.8.7 NOT 17. I saw that post at the top of the forum when formatting this post and thought that post was the most recent. I’m on 18.0.8.7, not the pre-LXQt release, sorry for goofing.
Well I can’t say you’re not right, I guess I never really looked for it when using the GUI installer as I would always set it afterwards. For me personally it’s about a JavaScript fingerprinting/browser thing, but again that is an anonymity thang. Although on a “user choice” basis it makes sense to provide the option to set the keymap. To my knowledge I know little about it. Is it more than just a configuration thing with Calamares?
Was not aware if it did exist or not, but hey I’ll try to file one. Would be a cool first if Kicksecure was first to implement it. When you get a LUKS password wrong cause you couldn’t view it first when you initially set it up, you will always remember the experience.
I would guess so. I don’t see an option for UTC anywhere in the GUI, and I don’t see a configuration option for it in Calamares, so I would say a feature request would be good for this. Worst case scenario, the feature already exists or the Calamares devs say they don’t want it.
(Note that it’s generally a bad idea to report bugs or feature requests to “upstream” projects when using stable release distributions like Kicksecure, but in this instance the version of Calamares we have at the moment is the latest stable version, it doesn’t look like the feature exists in the latest code, and there doesn’t appear to be any bug report or feature request for this, so it should be fine to file a feature request for this.)