Advice on best security focussed daily driver desktop OS

Volatile161

For some time now, I have been looking into what would be the best OS for me to run on my desktop PC as daily driver. I think I have a good picture now, but I'd like your input to check whether I'm on the right path here. Critique is welcome!

Requirements

The OS should run on my somewhat modern desktop PC.
The OS should function well as a daily driver and provide good usability once set up.
The OS should provide security and privacy, with security being more important.
Time investments into learning or maintaining the OS are acceptable, but only when justified by increased security, usability, or privacy compared to other options. Customizability or "user choice" aren't a good justification in and of themselves.

Windows

Initially, it seemed to me like Linux was the obvious choice over Windows or macOS. At least that's what so many people said. Having looked into it, I am not convinced that's necessarily the case. I'll link an article from PrivSec.dev and an article from Madaidan's Insecurities, which both go into why that is. I admit that I can't easily verify arguments from both sides if they are sufficiently in-depth. The reason I have come to trust opinions like Madaidan's more is that the people expressing them seem to have reliably better track records or closer involvements to security research and development. Anything I have been able to verify as I learned more about these topics has supported this as well.

I still decided against Windows. I can't use it in S-Mode, which would provide the best security, and I still care about my privacy somewhat. I'm also concerned over what data Windows might hand over if requested to. It feels like fighting a loosing battle while supporting a company I have little sympathy for, to put it mildly. And all the while, having used Fedora for some time, going back to Windows doesn't even feel like a usability improvement anymore.

Other OS

Qubes OS would provide great security, and I might even accept the time investment to learn to use it. Sadly, my hardware isn't compatible, so it isn't an option for now.

Tails and Whonix are both great and I do use them, but they simply don't fit the role.

An option I'm not very knowledgeable about is Chrome OS Flex. Chrome OS is generally recommended as a relatively secure OS. However, I don't know how much of this depends on using it on a Chromebook and might be lost with Flex. I also don't know to what extent Google will just replace Microsoft as privacy and security problem. If anyone knows more about this, I'd be glad to hear.

Linux

So Linux it is. While sharing many of the same issues, different distros have made a different amount of progress and effort towards becoming more secure. Here are some attributes that I think I should be looking for:

Modern security-improving technologies
Proximity to upstream software
Immutability

Fedora Workstation is often recommended, and I really liked using it during the last months. It has a six-month release schedule, staying reasonably close to upstream, and adopts modern technologies relatively fast. Fedora Silverblue is its immutable version, so it might be a little more secure. I like to use Flatpak as much as possible anyway, so the downsides do not seem to be much of an issue for me.

What can still be improved, is proximity to upstream software. Arch Linux is a rolling release distro that might be great for people that are suited to using it. My understanding is that you can choose what you want, enabling a focus on security if the user wants. However, I'm definitely not suited to using it. The number of mistakes I'd make would negate any benefits.

A rolling release distro better suited for someone like me is openSUSE Tumbleweed. Its updates are thoroughly tested, providing great stability for a rolling-release. It seems to also adopt modern tech quickly, and YaST provides a GUI for things most other distros don't have one for. There is also an immutable version, openSUSE Micro OS, in the variants Aeon and Kalpa for GNOME and KDE.

Conclusion

My conclusion is that the best choice for me would be openSUSE Micro OS. It provides good usability while being close to upstream, still stable, modern and immutable. For someone with my knowledge and requirements, it currently has the most to offer in the relevant aspects.

Thanks for reading all of this:) What do you think? Is my approach correct? Am I misinformed about something? Is there something I'm not seeing? Are there alternatives I haven't considered that might be better?

Mwgg

Volatile161 what you are looking for is a pixel tablet or a mac/ipad. if I have correctly understood the security and private privacy respected

N1b

[deleted] OP is very good in my opinion, well researched, clear goal and much more specific than anything else I have seen here when people were asking for more general advice and didn't put in such work to prepare for expert feedback.

Volatile161 I'm unfortunately not an expert on Desktop OS, but ever since I started using GOS on my phones it gets harder and harder to get satisfied with anything else.
So what I can tell you from experience is that a Pixel Tablet with GOS would likely fulfill your security and privacy goals, but on Android 13 it is still a bit janky. The whole UI is not easy to navigate with a mouse (e.g. for going back, to the quick settings or to home screen, you have to go all the way to the edge, click and pull the mouse in the opposite direction). Also many apps are not optimized for the big screen or the advantages of using mouse and keyboard, shortcuts and gestures are very limited and you'll likely end up using touch for navigation and the keyboard for typing. I want to replace my working laptop with the Pixel Tablet but it's hard to use productivity software such as Asana or Zoom (both not my first choice but demanded by employer). I'm constantly switching between web apps and dedicated apps to compensate for their disadvantages. Hopefully this is mitigated with Android 14.

If you can wait a bit, maybe the Pixel 8 series will allow to attach monitor, mouse and keyboard and basically become your all-in-one device, this would be the dream for me. There are rumors out there, but nothing is confirmed to my knowledge.

As for the Linux OS, I'm currently going back and forth between Fedora Workstation and Nix OS. The latter has a really interesting USP that your entire setup is summarized in a single config file which makes changing or cloning devices a very easy experience, maybe that's interesting for you. I wouldn't trust any closed source company OS such as Windows, MacOS or ChromeOS because of privacy reasons. You did your homework and from my perspective nothing looks off with your assessment, so OpenSuse Micro OS might be the best solution for you currently. Please let us know about your experience down the road.

Eagle_Owl

Volatile161
Maybe you know this great YT video made by The Hated One:
Why phones are more secure than desktops.

No desktop operating system without sandboxed design is really as secure as GrapheneOS or even like a current Android OS.
That's why I almost never do online banking on my MacBook Air M2, but do it daily on the Pixel 7 Pro, of course with GrapheneOS. ;-)

By the time my MacBook Air M2 will stop getting updates, Asahi Linux will be ready for the masses with their OS supporting Apple's Silicon Chip (M1, M2, M3) so that we can continue to run an Apple desktop computer with it instead of disposing of it. :-)
But that will take a few more years (Asahi Linux will be ready sooner).
I'm also playing with the idea of using a Google Pixel Tablet as a computer replacement, at least for security-related things like online banking.

[deleted]

Volatile161
You've done good legwork.

I can just second above comments.
Apple, Microsoft and Google's OSs are not privacy friendly, a must for me.

I do like Fedora, Nix and Suse. Nothing would beat the Pixel Tablet in comparison, it being essentially a paragon of accessible secure/private devices. I'm debating between getting it now, waiting for the next gen and seeing what P8 would offer. My current Pixel is used exclusively for when I prefer higher security and at the moment use Fedora when, say, editing images.

All of this is mentioned above. If you needed another person's take on it, slash confirmation, go for it.

Best of luck!

[deleted]

This has been discussed numerous times already on here. Please read through those posts.

Volatile161

[deleted] I thought I did, and now I searched again. There have been a few discussions on Linux Distros in general. Most of these are just broad questions and personal preferences, not going into so much detail. Others focus on Tails, Whonix or Qubes which for me, like for many others, can't fill the role of daily desktop driver.

What I tried to do is to combine all the advice, links and opinions I've found here and elsewhere, analyzing the desirable attributes and trying to find the distros that match those best. If you think this is still too close, I understand. Still, I don't think the contents of my post and the questions I ask have been covered yet. If they have, would you please provide me a link?

Volatile161

Mwgg Security and privacy wise, I definitely might consider a Pixel Tablet with GOS in the future. But meanwhile, I still need to know what to do with the desktop PC I already have. One reason I need to know what's the best I could do with it is, so I can evaluate what I'm comfortable using it for (depending on the achievable level of security) or if I must buy something else.

UpStream

Mwgg This aged well (considering the new 0-click 0 day ;))

Mwgg

Volatile161 windows is too well secured, with whonix it looks pretty good to me

[deleted]

N1b Linux OS

Linux is not an OS, Its an Kernel.

Volatile161

Thank you for all the comments!:)

Windows

final Here are some Windows comments:

Thank you so much, this was a great read! I'll probably still not use Windows, but knowing this is still extremely useful. There are plenty of people who will have to keep using Windows, and being able to help them improve their security is great.

ChromeOS Flex

ujjayi Two layman cents in here since you mention two distros I've tried recently, and you also mention Chrome OS Flex. Some differences in potential security aspects with the latter are listed here: https://support.google.com/chromeosflex/answer/11542901?hl=en

Great, that page is going straight into my bookmarks! No surprises, though. Even if I was willing to accept the problems that come with ChromeOS because of its security, that tradeoff would fall apart with Flex.

NixOS

N1b [Nix] has a really interesting USP that your entire setup is summarized in a single config file which makes changing or cloning devices a very easy experience, maybe that's interesting for you.

For some reason, I never really considered NixOS even though I knew about it. It's still not as good as immutable openSUSE or Fedora for me, but for others it might be better, so good to have that in mind.

openSUSE vs Fedora

ujjayi Some things felt buggy and slow with Kalpa

Yeah, that's my experience as well. As I said, I used Fedora Workstation for a few months and switched to Kalpa yesterday. I'd like to go back to Fedora (Silverblue or Kinoite), but I'm determined to use the most secure option in the range of what's possible for me. Mainly because I want to be able to recommend people in a similar situation an OS, and feel only comfortable doing so if I have experience using it.

I'll have to look into how big the difference in security between them is from openSUSE being rolling release. If it doesn't make that much of a difference, maybe I'll return to Fedora.

Whether GNOME vs. KDE makes a difference in security is also something I haven't seen conclusively answered, although I think they are close enough where it doesn't matter much. So much research to do… but it is what it is. I think I'm close to finished when it comes to desktop. And that choice of words is deliberate.

GOS Pixel Tablet

N1b ever since I started using GOS on my phones it gets harder and harder to get satisfied with anything else.

Yeah, same. It's hard to accept that the combination of usability, freedom of choice and security that GrapheneOS offers knows no equal. Choosing a desktop OS feels like desperately looking for the least bad option. In comparison, using GOS almost doesn't seem to have downsides.

As someone who knew very little about Privacy, Security, Linux etc. until quite recently, I really wonder how the desktop got to the state it is in now. Why is there no GOS-like desktop OS? Is it impossible for some reason?

Anyway. I'll probably just give up on desktop once I can get a Pixel Tablet. Or only use Tails sticks or something.

[deleted] at the moment use Fedora when, say, editing images.

Yeah, if I could get a Pixel Tablet something like this might be the only thing I'd use desktop for – if that. I don't know what's possible on there, but GIMP and Inkscape might actually be some of the most problematic uses to replace.

Tails vs. Qubes OS vs. GrapheneOS

Having put a little thought into it now, a Pixel Tablet might be all I need in addition to my phone. This would be a dream in its simplicity. There is only one thing I'm not so sure of, as I haven't seen anyone going into the comparison in too much detail: How does the privacy and especially security of using GrapheneOS compare to either using Qubes OS or using (potentially multiple) Tails Sticks with persistent storage?

Compartmentalization

In terms of security through compartmentalization, I expect Tails to be hard to beat in theory. In practice, I expect Qubes OS to be safer because realistically, you'd compartmentalize your workflow better. Please, just picture some paranoid, sweating dude running 20 Tails on 20 laptops simultaneously in a crammed room.

While Qubes has, well, Qubes, Graphene has user profiles, which might be used somewhat similarly. They can easily be deleted, and creating them is quick as well. You can even install the apps you need during creation if you have them on the owner profile. That means you can, among other things, turn off the ability to install apps for the whole profile. I've never thought about embracing this feature to this extent, but I don't really see why it shouldn't be possible.

You might even have a separate user profile only for specific password managers, heavily isolating them from the profiles you use the passwords in. I don't expect copy & paste to work through switching user profiles, but when using randomized multi-word-passphrases, simply remembering them for 10s can work.

When I began writing, I was sure Qubes should come out on top. Now I'm not sure at all anymore. I have never used Qubes, but GrapheneOS seems to hold lots of potential for this as well. I do remember a user on this forum complaining that a language change in one profile influenced an app in another profile, so if this was indeed the case and wasn't an outlier, there might be some problems with leakage. But even if the isolation between Qubes was stricter and harder to overcome than the isolation between user profiles, it's not decided.

Every profile has GOS running as OS, which I expect to be generally more secure and have better internal sandboxing than every OS you can run in a Qube. If you use GOS in way that, for example, means a threat has to compromise the app, then break out of sandboxing, compromise the heavily restricted user profile, break out of the profile into the owner profile and then break into the other (encrypted!) user profiles... that should be reasonably secure. You might also have crossed into 5-dollar-wrench-attack territory. So which is better? No clue. Can Graphene be used in a way where the difference probably isn't that meaningful? I think so.

Anonymous browsing

Another important area is anonymous browsing. Tails runs everything through TOR by default, and Qubes has Whonix-Qubes. In GOS you could create a heavily restricted user profile with either preinstalled Orbot as permanent VPN with Killswitch and browse through your browser of choice (probably vanadium) or preinstall Tor Browser.

I have no idea which would be best at anonymizing you. The only thing I can say is that Orbot + Vanadium should beat the security of Tor Browser on GOS, but I don't know about the anonymity.

Anti-forensics

How much evidence you leave matters as well. Assuming a threat actor captures all devices shortly after Tails (with persistent storage) was pulled out; after Qubes has been shut down; after all sensitive user profiles have been deleted and GOS has been shut down.

Here I am completely unable to evaluate the options.

Conclusion

This completely got out of hand and I need to go to bed now. Maybe I should make this into another post tomorrow? Until then, I'd love someone with more knowledge/experience than me to destroy what I said here with facts and logic;)

However, I do think that GrapheneOS is likely at least a usable option to adequately replace what I and many others have associated only with Tails, Qubes (and Whonix). I'll definitely go down this rabbit hole as soon as I have the opportunity to. If GrapheneOS turns out to indeed be a viable alternative, I'll be even more blown away.

You people all have a good night (or day)!

[deleted]

[deleted]
He meant an operating system based on Linux kernel. It is apparent due to context.

[deleted]

[deleted]
Its is possesive version of it. The correct form is a contraction it's

[deleted]

An is an indefinite article, used preceding a word beginning with a vowel.

Since word Kernel is beginning with a consonant, the correct form in such a case is a mere a.

Anyway, that's what I read when I learned English a few years ago.

Yet, we all knew what you meant. Not everything needs to be deconstructed

Alao, when you point out tiniest inconsistencies in others' wording, it follows you must adhere strictly to such rules and impositions yourself, no?

[deleted]

[deleted] Please stop. He doesn't need a lesson in grammar.

N1b

Guys let's stick to the OP here and help finding good answers. I don't take the comment from not_a_homosapien personally, and he's correct. Maybe it's just a knock on my comment here where I did the same thing. :D

So, is there anything wrong in the Linux Distribution assessment of OP or are there any suggestions we can give?

ujjayi

Two layman cents in here since you mention two distros I've tried recently, and you also mention Chrome OS Flex. Some differences in potential security aspects with the latter are listed here: https://support.google.com/chromeosflex/answer/11542901?hl=en

As for Linux distros I initially (this second time around) went with Kalpa. Now on Kinoite. Some things felt buggy and slow with Kalpa and eventually, after about 2 weeks, the system had too many hick ups and I couldn't deal with it anymore. Seems I've repressed what the issues were unfortunately, but one was related to my Pixel and not being able to transfer some files, another was a Bluetooth audio issue. The KDE wallet thing was acting up in several ways, and it hasn't on Kinoite. But Kalpa is in Alpha also, so I guess they're excused. Maybe. Very happy with Kinoite in general tho. Been running that daily for about a month. Still need Windows for certain things. Mostly working with audio and graphics, where I see no other alternatives than Mac, which I suppose some might advise even, given some superior security reasons compared to Windows and Linux distros, but I'm sure you've read up on that.

final

Nice read! After all, whatever you choose is completely down to your decisions and preferences.

Here are some Windows comments:

Volatile161 I can't use it in S-Mode, which would provide the best security, and I still care about my privacy somewhat. I'm also concerned over what data Windows might hand over if requested to.

As a Windows user I can attest there are some alternatives to the S-Mode approach. Overall you can get excellent security on Windows with some good privacy but this can take a long time to configure bit by bit. What I would say is overall you need to trust Microsoft for some aspects such as OS updates and threat intelligence updates. There is no real safe way to use Windows sans Microsoft.

This page gives details on OS telemetry info: https://learn.microsoft.com/en-gb/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-off - if you use Windows Enterprise editions you can turn off the telemetry entirely. You would still rely on Microsoft for updates and security though.

Where you cant use S-Mode, running Windows with enforced Smart App Control is a decent enough alternative. It prevents Windows from running any app that is both unsigned and unevaluated. Only apps that are signed and/or have been scanned by Microsoft's threat intelligence services can run with this mode on. It does require it's own telemetry as it needs to query that new apps you've installed are valid to run. Considering S-Mode limits apps to the Microsoft Store, you could say they make a similar connection that way. All the mainstream windows apps work fine on Smart App Control and give you more freedom that S-Mode alone couldn't have done.

The Madaidan article hasn't been updated in a while with Windows info, but the overall consensus still stands:

Windows application security and sandboxing is limited to specific circumstances.
Many application security features are also opt-in and need to be enabled by the application developer.

While you still can't sandbox Win32 apps like UWP apps, there are opt-in sandboxing mechanisms for those apps. Windows apps now have Win32 App Isolation options which can create consent-permissions for Win32 Apps. However, again, they are opt-in and only work if the developer of the app chooses to add the feature. Sadly, many developers don't. A requirement to enable this is to package the app in the MSIX format, which barely anyone does besides exceptions like NanaZip.

Exploit protections overall are great, and in Exploit Protection settings in the Windows Security app you can force apps to use exploit mitigations regardless if they were set-up to do so. Git for Windows is the only app I ever reported a compatibility issue with doing this (doesn't work with mandatory ASLR, but it could have changed).

Volatile161 The reason I have come to trust opinions like Madaidan's more is that the people expressing them seem to have reliably better track records or closer involvements to security research and development.

Volatile161 my somewhat modern desktop PC.

A different article from him (and more importantly Microsoft) suggest using a Secured-Core PC, which is something you might not have. These PC's are always running the latest hardware. Difference between Secured-Core PC's and ones that aren't is you typically cannot enable firmware protections or System Guard among some other stuff. If you wanted the full Windows security experience you'd have to get one of these.

[deleted]

I can't help but marvel at your intelligence. GOS is my desktop.

komiter

I have tried various Linux distros but I always come back to Xubuntu which is an XFCE spin of Ubuntu. Unlike GNOME which has a garish display with big icons, XFCE just has text menus that support a comfortable workflow.

I assume you visited distrowatch.com. Some of the distros listed there claim to be security specialists. Has anyone mentioned BSD. There are several BSDs, some with extra focus on security. FreeBSD for example has Jails which are similiar to Sandboxes.

Mwgg

Volatile161 If you use tor to stay on the darknet it's secure, but as soon as you go on the open web you don't know the exit nodes, you don't know if your information will be intercepted. The telephone network and the Internet must be considered hostile, so I think you should use the most secure browser possible: vanadium/chrome/safari.

mmmm

Volatile161 Compartmentalization

Just to touch on what you mentioned regarding compartmentalisation with Qubes V GOS.

I’m not a GOS user yet, but I am a Qubes user of several years. In theory, the newer model OS type that modern mobile OS’ follow, like GOS, AOSP, iOS, iPadOS, ChromeOS etc, is leaps a bounds more secure than traditional OS’ are. Qubes really excellently mitigates that, but should a Qubes style system be implemented over the top of a modern OS base, such as GOS, then that latter version would hands down beat Qubes as it stands today.

But - also as stands today, Qubes verses profiles on GOS, in theory, sounds comparable. In reality it’s not, at least not in anything other than a rudimentary way.

Qubes has a unified desktop (qube) to manage it all, this is completely offline. It has a Qubes manager to manage Qubes, it has multiple options of networking, vpn, tor, firewall, usb etc etc Qubes by which you can or not attach other Qubes to. It has extremely simple cut and paste between Qubes, any Qube can be any OS (actually any qube can be anything), just to mention a few of the things that make it what it is.

If this type of granular situation appeared in GOS, and if there could be a manager profile something similar to dom0 to connect/disconnect everything together, and if there can exist a secure built in and simple way of cut and paste, then Qubes for the most part would be redundant for me.

GOS is bordering a perfect system, and its security mitigations far surpass probably anything else around but it can’t be compared to the compartmentalisation abilities of Qubes yet.