Open Secure-K OS ThinClient

What is

Open Secure-K OS ThinClient is the most secure encrypted thin client operating system for VDI and RDP. It's a live Linux-based operating system with kernel update and indestructible filesystem.

Unique system features are:

  • liveng compliance: https://liveng.readthedocs.io;
  • encrypted data persistence;
  • kernel update (on an ISO9660 filesystem, which is the best option for a live operating system because of its strength against data corruption and tampering);
  • UEFI, with UEFI Secure Boot compatibility, with a real EFI partition.

Screenshots

screenshots/open-securek-os-thin-horizon.png

For users

Usage

  • Download the pre-built IMG image file from https://github.com/LumIT-Labs/thin-vdi/releases or build it yourself (see the For developers section).
  • Write the image onto a USB key. See the section How to write below for more.
  • Open Secure-K OS ThinClient features a native encrypted data persistence, which is protected by a passphrase. If you opt for downloading the pre-built IMG image, the passphrase is hardwired and immutable (securek) and the filesystem space (encrypted partition) is limited in size.
  • Boot the live operating system and type in the decryption passphrase (securek). Open Secure-K OS ThinClient boots as any other Linux live operating system.
  • The VDI/RDP user is created upon the first boot.
  • For security, the VDI/RDP user has very limited capabilities.
  • The administrative user is hidden from the login manager: log in as securek, with password: securek, in order to set up the system for day-to-day usage. Use sudo for super-cow powers. Change the default password for security.

How to write

Open Secure-K OS ThinClient can be deployed onto a USB key as any other Linux live operating system.

Linux

Linux users can make use of dd. Run all the following commands as root or with sudo in a terminal emulator:

  • plug the USB key into your PC;
  • use fdisk -l for locating the device file, for example: /dev/sdx (change for your case);
  • it's better to unmount the auto-mounted devices, if any (umount /dev/sdxN);
  • finally write the image: dd if=path/to/imageFile.img of=/dev/sdx;
  • please note that dd always refers to the whole disk, so do not use /dev/sdx1 but /dev/sdx, as an example.
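
The Linux steps above combined into one guarded script, as an added example (not part of the project's own code). The function names are hypothetical, and the removable-disk check and the read-back comparison go beyond the listed steps:

```bash
#!/usr/bin/env bash
# Added example: guarded wrapper around the dd steps listed above.
# Function names are hypothetical. Run as root: write_image imageFile.img /dev/sdx

# True only for a whole-disk node such as /dev/sdx, never a partition (/dev/sdx1).
is_whole_disk() {
    case "$1" in
        /dev/sd*[!a-z]*) return 1 ;;   # digits or other characters after "sd"
        /dev/sd[a-z]*)   return 0 ;;
        *)               return 1 ;;
    esac
}

# True if the kernel flags the disk as removable (Linux sysfs); guards against
# overwriting an internal disk by mistake.
is_removable() {
    [ "$(cat "/sys/block/${1##*/}/removable" 2>/dev/null)" = "1" ]
}

# Compare the first <image size> bytes of the target with the image.
# The read may be served from the page cache; re-plug the key and run this
# again for a cold read.
verify_written() {
    vw_size=$(stat -c %s "$1") || return 1
    cmp -s -n "$vw_size" "$1" "$2"
}

write_image() {
    wi_img=$1; wi_dev=$2
    [ -r "$wi_img" ] || { echo "cannot read image: $wi_img" >&2; return 1; }
    is_whole_disk "$wi_dev" || { echo "not a whole disk: $wi_dev" >&2; return 1; }
    is_removable "$wi_dev" || { echo "not removable: $wi_dev" >&2; return 1; }
    # Unmount any auto-mounted partitions of the target before writing.
    for wi_part in "$wi_dev"?*; do
        if [ -b "$wi_part" ]; then umount "$wi_part" 2>/dev/null || true; fi
    done
    # conv=fsync flushes the data to the key before dd reports success.
    dd if="$wi_img" of="$wi_dev" bs=4M conv=fsync status=progress || return 1
    verify_written "$wi_img" "$wi_dev" || { echo "read-back mismatch" >&2; return 1; }
    echo "image written and verified on $wi_dev"
}
```
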

Microsoft Windows

Windows users can write the image using Win32DiskImager (download from SourceForge: https://sourceforge.net/projects/win32diskimager) or Etcher (https://www.balena.io/etcher).

Plug the USB key into your computer and launch Win32DiskImager/Etcher; now load the .img file image and write it to the key.

Apple OS X

OS X being a UNIX-like operating system, its users can use dd as on Linux, or they can use Etcher as on Windows: https://www.balena.io/etcher.

Plug the USB key into your computer and launch Etcher; now load the .img file image and write it to the key.

Programs

Open Secure-K OS ThinClient comes with a short list of RDP programs installed (only the best ones for Linux!) and it's ready for the installation of commercial VDI software. Because the best clients for VDI (Horizon / Citrix) are not open source and/or have a EULA users must accept, they must be installed manually. Fortunately this process is simple and straightforward; please see the VDI software installation section below (at the bottom of the page).

Domain and Enterprise users

Anti-tampering measures performed during the bootstrap are available in the Enterprise build: a self-checking kernel component is responsible for verifying that system files have not been tampered with, preventing the virtualization of the image, the use of the init= kernel boot parameter, and so on. This way corporate users cannot modify the filesystem and so inject files, programs or install anything. Open Secure-K OS ThinClient Enterprise is also designed for domain users (Active Directory).

Enterprises are strongly encouraged to use the Secure-K OS ThinClient Enterprise build. Please contact us at labs@lumit.it for more information.

For developers

Contribute to the project

Open Secure-K OS ThinClient is a free and open source project by LumIT Labs; code and documentation contributions are welcome.

How to build the initial ISO image

A Debian Stretch host is required for the build; other Debian-derived systems may also work.

The Open Secure-K OS ThinClient ISO image is built using the standard Debian live-build framework, so you first need to install it:

apt-get install -y live-build

Git clone this project as root.

In order to build the image, open the terminal emulator as root:

cd /path/to/thin-vdi/live-build
bash lb

A .iso image will be built according to your host architecture (if building on an amd64, a 64bit iso will be produced; an i386 iso will be built on i386 hosts). Only the 64 bit system is really supported by LumIT Labs.

How to deploy

Open Secure-K OS Deployer (https://github.com/LumIT-Labs/open-securekos-deployer) is the deployment system for writing the initial Open Secure-K OS ThinClient ISO image onto a USB key - it will create the liveng partitioning scheme: run the Deployer, select the image you have built and type in a passphrase of your choice for LUKS-encrypting the data persistence partition (remember: Open Secure-K OS ThinClient features native encrypted persistence), then click on Write. Deployer will write the Open Secure-K OS ThinClient ISO image onto all the plugged-in (and listed) USB devices, thus creating the complete Open Secure-K OS ThinClient operating system.

Some Open Secure-K OS ThinClient notes:

  • use sudo for super-cow powers;
  • during the boot, you will be asked for the decryption password of the data persistence partition - the secret you enter while deploying;
  • system user will be created upon the first boot;
  • [only for 32 bit builds] a GNOME Initial Setup bug triggers a crash if setting the network in the Initial Setup interface. In this case, just reboot the system.

VDI software installation

VMware Horizon

How to install:

Log in with the securek user.

Download the VMware Horizon Client for Linux from its website by using the installed browser (Firefox).

Open the terminal emulator and do sudo -i.

cd /path/to/file
# /home/securek/Downloads for the English language desktops.

bash VMware-Horizon-Client-5.0.0-12557422.x64.bundle
Extracting VMware Installer...done.
You must accept the VMware Horizon Client End User License Agreement
to continue.  Press Enter to proceed.

[EULA]

Do you agree? [yes/no]: yes

Client Drive Redirection(The Client Drive Redirection component
enables folder redirection from your local computer to the remote
desktop.) [yes]:

Multimedia Redirection (MMR)(With multimedia redirection (MMR), the
multimedia stream is processed on the client system.) [yes]: no

Smart Card(The Smart Card component enables Smart Card device
redirection from your local computer to the remote desktop.) [yes]:

Real-Time Audio-Video(The Real-Time Audio-Video component allows you
to use local computer's webcam or microphone on the remote desktop.)
[yes]:

VMware Horizon(R) Virtualization Pack for Skype for Business(VMware
Horizon(R) Virtualization Pack for Skype for Business enables Skype
for business on linux view client.) [yes]:

USB Redirection(The USB component enables USB device redirection from
your local computer to the remote desktop.) [yes]: no

SerialPort Redirection(The SerialPort Redirection component allows you
to use local serialport devices from a remote desktop.) [yes]:

Virtual Printing(The Virtual Printing component allows you to use
local or network printers from a remote desktop without requiring that
additional print drivers be installed in the remote desktop.) [yes]:

Scanner Redirection(The Scanner Redirection component allows you to
use local scanner devices from a remote desktop.) [yes]:

The product is ready to be installed:
        Virtual Printing
        SerialPort Redirection
        Client Drive Redirection
        Smart Card
        VMware Horizon(R) Virtualization Pack for Skype for Business
        Real-Time Audio-Video
        PCoIP
        Horizon Client
        Scanner Redirection
Press Enter to begin installation or Ctrl-C to cancel.

Installing VMware Horizon Client 5.0.0
    Configuring...
[######################################################################] 100%
Installation was successful.
Register and start installed services(s) after installation(Select
yes, the Installer will create necessary entries in your system
autostart or generate a launching script, so that the installed
service(s) can be ready before the Horizon Client starts)[yes/no]: yes

Do you want to check your system compatibilities for Horizon Client,
this Scan will NOT collect any of your data?[yes/no]: yes