Kicksecure Testing Release Brings Hardened Debian Trixie
Cold boot attacks and BadUSB exploits face new obstacles as Kicksecure testing enables RAM wiping and USBGuard out of the box.
The Kicksecure project exists because stock Debian prioritizes compatibility over security, leaving users to manually configure protections that should ship by default. Version 18.0.7.5 entered testing on November 27, 2025, and the project is asking for testers of the upgrade path from Kicksecure 17. The release takes this philosophy further by enabling RAM wipe and USBGuard out of the box while migrating to Debian 13 Trixie and Wayland.
The RAM wipe feature addresses cold boot attacks, in which an attacker with physical access extracts encryption keys and other secrets from DRAM, whose contents survive for seconds to minutes after power loss (longer if the chips are chilled). When you shut down or reboot Kicksecure 18, the system uses kexec to boot into a minimal kernel that overwrites RAM before the machine finally powers off or restarts. This happens automatically without user configuration, though the feature depends on dracut and may need manual setup on some installation types, particularly VMs. The kernel parameter wiperam=skip exists for troubleshooting if the wipe causes problems. Note that the wipe runs only on an orderly shutdown or reboot: it does not protect a running machine whose power is cut, so it narrows the window for the forensic memory extraction that law enforcement and well-resourced attackers use rather than closing it entirely.
USBGuard blocks the class of attacks where malicious USB devices impersonate keyboards, network adapters, or storage devices to compromise systems. The Kicksecure implementation accepts all devices present at boot, then rejects anything plugged in afterward unless explicitly whitelisted. New keyboards and mice get conditional acceptance only when no existing USB input devices are attached, preventing scenarios where a malicious device injects keystrokes while a legitimate keyboard sits ignored. Devices with malformed interface descriptors get automatically denied, catching common attack signatures.
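The policy described above can be expressed in USBGuard's own configuration. The following is an added example, not Kicksecure's shipped files: it writes a daemon configuration and rule set into a scratch directory so they can be reviewed before copying to /etc/usbguard, and lints the result. The interface triplets are class:subclass:protocol (03 is HID, 08 is mass storage); the rule syntax follows the usbguard-rules.conf documentation as I read it, and the exact rules Kicksecure ships are an assumption on my part. The malformed-descriptor check mentioned in the text is not reproduced here.

```shell
# Added example (not Kicksecure's configuration): approximate the described
# USBGuard policy in a scratch directory and lint it.

write_usbguard_policy() {
    dir="$1"
    mkdir -p "$dir"
    # Devices present when the daemon starts are allowed; a device inserted
    # later that matches no rule falls through to the implicit target.
    cat > "$dir/usbguard-daemon.conf" <<'EOF'
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=reject
PresentDevicePolicy=allow
PresentControllerPolicy=allow
InsertedDevicePolicy=apply-policy
EOF
    # Rules are evaluated top to bottom; the first match decides.
    cat > "$dir/rules.conf" <<'EOF'
# Reject a device that exposes both a storage and a keyboard interface,
# a classic BadUSB combination.
reject with-interface all-of { 08:*:* 03:00:* }
# Accept a pure HID device only while no other HID device is allowed, so a
# second "keyboard" cannot ride in alongside the real one.
allow with-interface equals { 03:*:* } if !allowed-matches(with-interface one-of { 03:*:* })
# Per-device allow lines produced by `usbguard generate-policy` belong here.
EOF
}

# Return 0 only if unmatched devices are rejected by default, boot-time
# devices are kept, and a reject rule precedes any broad allow rule.
lint_usbguard_policy() {
    dir="$1"
    grep -q '^ImplicitPolicyTarget=reject$' "$dir/usbguard-daemon.conf" || return 1
    grep -q '^PresentDevicePolicy=allow$' "$dir/usbguard-daemon.conf" || return 1
    first_rule=$(grep -E '^(allow|reject|block)' "$dir/rules.conf" | head -n 1)
    case "$first_rule" in
        reject*) return 0 ;;
        *) return 1 ;;
    esac
}
```

After installing such a policy, `usbguard list-devices` shows which devices the daemon currently allows or blocks, and `usbguard generate-policy` emits per-device allow lines (with serial and hash) for hardware you want whitelisted permanently.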
The desktop environment shift from Xfce to LXQt reflects the broader move from X11 to Wayland. X11's security model dates from an era when applications on the same display server trusted each other completely, allowing any application to capture keystrokes, read clipboard contents, and screenshot other windows. Wayland enforces isolation between applications by design, though implementation quality varies by compositor. The labwc compositor handles window management, and the wlr-resize-watcher tool enables dynamic resolution adjustment when VM window sizes change, addressing a common pain point for virtual machine users.
The base system upgrade from Debian 12 Bookworm to Debian 13 Trixie brings newer packages across the board. Kicksecure uses the trixie-developers repository suite, and installation packages follow the naming pattern kicksecure-baremetal-gui-lxqt or kicksecure-vm-gui-lxqt depending on deployment target.
Privilege escalation gets a new mechanism called privleap, which replaces pkexec in certain contexts. Kernel hardening follows the Kernel Self Protection Project's recommendations, implemented as sysctl settings in /usr/lib/sysctl.d/990-security-misc.conf. The SUID Disabler and Permission Hardener strengthens user account isolation by stripping the SUID bit from binaries that would otherwise offer privilege escalation paths, so a flaw in one of them no longer hands an unprivileged user root.
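To see whether a sysctl fragment actually sets the values you expect, the script below (an added example, not part of Kicksecure or security-misc) parses a sysctl.d file and compares it against a small baseline. The baseline values are a sample of common hardening choices I picked for illustration, not a transcription of the KSPP list or of what 990-security-misc.conf contains; the constructed sample file carries one deliberately weak setting so the audit has something to report.

```shell
# Added example (not part of Kicksecure): audit a sysctl.d fragment against
# a baseline of expected key/value pairs.

# Print the last value assigned to key $2 in file $1. Accepts "key = value"
# and "key=value"; the last assignment wins, as it does for sysctl itself.
sysctl_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Return 0 if every baseline key has the expected value, 1 otherwise,
# printing one line per mismatch. Baseline values are a sample (assumption).
audit_sysctl_conf() {
    file="$1"
    status=0
    while read -r key want; do
        got=$(sysctl_conf_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            status=1
        fi
    done <<'EOF'
kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
kernel.yama.ptrace_scope 2
kernel.perf_event_paranoid 3
EOF
    return $status
}

# Constructed sample fragment (not the distribution's file) with one weak
# setting, kernel.kptr_restrict = 0, so the audit reports a mismatch.
write_sample_sysctl_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not 990-security-misc.conf
kernel.kptr_restrict = 0
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 2
kernel.perf_event_paranoid = 3
EOF
}
```

Run `audit_sysctl_conf /usr/lib/sysctl.d/990-security-misc.conf` on an installed system to compare the shipped file against your own baseline; to check the live kernel rather than the file, compare against `sysctl -n <key>` instead, since a later fragment in /etc/sysctl.d can override what /usr/lib/sysctl.d sets.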
Boot infrastructure moves exclusively to Dracut, dropping initramfs-tools support. A new GRUB keyboard layout selection menu appears at boot, with dedicated tools (set-system-keymap, set-console-keymap, set-labwc-keymap, set-grub-keymap) for configuring keyboard layouts at each system layer. This matters because full-disk encryption passwords entered at GRUB need the correct keymap before the operating system loads.
The APT package sources migrate to the deb822 format, and all updates download over Tor by default, so the package mirrors see only a Tor connection rather than the user's IP address.
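A deb822 stanza routed over Tor looks like the first entry below, and a quick check catches any entry that would bypass Tor. This is an added example, not Kicksecure's shipped sources file: the repository URL, suite and keyring path in the sample are assumptions for illustration, and the second stanza is constructed with a plain https URI so the check has something to flag. The tor+ transport requires the apt-transport-tor package and a running Tor SOCKS proxy.

```shell
# Added example (not Kicksecure's sources file): a deb822 entry over Tor and
# a check that every URI in a sources file uses a tor+ transport.

# Constructed sample; URLs and keyring paths are assumptions.
write_sample_sources() {
    cat > "$1" <<'EOF'
Types: deb
URIs: tor+https://deb.kicksecure.com
Suites: trixie-developers
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/derivative.asc

Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
}

# Return 0 if every URI in a deb822 sources file uses a tor+ scheme; print
# each offending URI and return 1 otherwise. A URIs: field may list several
# space-separated URIs, so each one is checked individually.
apt_sources_tor_only() {
    bad=0
    for uri in $(sed -n 's/^URIs:[[:space:]]*//p' "$1"); do
        case "$uri" in
            tor+*) ;;
            *) printf 'not via Tor: %s\n' "$uri"; bad=1 ;;
        esac
    done
    return $bad
}
```

Run `apt_sources_tor_only` over each file in /etc/apt/sources.list.d/ after adding a third-party repository; a single plain-http or https entry is enough to reveal the machine's address to that mirror on every `apt update`.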
Some features ship disabled pending Wayland compatibility work. Clipboard sharing between VirtualBox or KVM hosts and Kicksecure guests requires manual configuration because the integration tools expect X11. The xpdf reader was removed from the default installation.
Known issues include a bug where changing keyboard layout in labwc requires restarting kloak (the keystroke anonymization tool) with Right Shift + Escape for the new layout to take effect. The Calamares installer has keyboard layout issues under Wayland that developers are addressing.
Download options include ISO images, VirtualBox OVA files, and KVM/libvirt images. In-place upgrades from Kicksecure 17 follow documented release upgrade procedures for users who prefer migrating existing installations.