Differences between revisions 3 and 4
Revision 3 as of 2013-10-29 19:16:32
Size: 3963
Comment: Fix link to WNPP bugfiling - thanks to Nick Daly!
Revision 4 as of 2013-10-29 19:23:42
Size: 4084
Comment: Add reference to recent mailinglist discussion about DNSSEC and DANE.
Deletions are marked like this. Additions are marked like this.
Line 52: Line 52:
    . (See e.g. [[lists.debian.org/1382809952.16288.38938833.72FFFE53@webmail.messagingengine.com|here]] for more info)

Debian for privacy-oriented use

This page tries to collect and organize info on the many ways Debian can be used to preserve and enhance privacy.

  • Workstations with enhanced access controls and counter-measures against leak of private data
  • Workstations with stealth capabilities to seem harmless if inspected, either physically or over the wire
  • Server-hosted applications respecting and/or enhancing privacy of individuals and/or team-based collaboration
  • Routing daemons respecting and/or enhancing privacy (e.g. VPN, Tor, DNSSEC)
  • Trust management tools (e.g. for PGP signatures and TLS certification)


General constraints/expectations for tools and services provided, and questions exposed at runtime:

  • grades of complexity - some target users have little time to deal with technical issues, others have high technical skills and demands
  • secure - privacy has high priority for data and communication, both personal and team-shared
  • grades of comfort - some target users need GUI and web-based tools, others need console
  • grades of compatibility - some need to operate in heterogenous environments, others has higher demands for Free software and Open standards

Some installation and server hosting is expected done by technicians, while others have (similar to e.g. FreedomBox and DebianEdu) special constraints related to that.


The goal is a Debian Pure Blend e.g. with these metapackages:

  • privacy-tools - tools to handle privacy (e.g. encryption, trust management, monitoring suspicious activities on surounding network)
  • privacy-workstation - selection of common-task workstation applications with improved privacy
  • privacy-stealth-workstation - tools to make your freedom-fighter workstation look and feel like an ordinary PC
  • privacy-network-services - Network-facing privacy-oriented applications and services
  • privacy-web-apps - Web-based privacy-oriented applications
  • privacy-routing-services - network-accesible services for parliamentary-specific teamwork
  • privacy-docs - guides and promotional material about sensible use of DebianPrivacy


Tools and services especially privacy-related, which should be included in some of above listed metapackages.

  • monkeysign - OpenPGP key signing and exchange for humans

See also FreedomBox/LeavingTheCloud .

For tools/services not yet in Debian please file an ITP or RFP bugreport, and reference resulting bug number here to ease tracking its progress.


System tweaks (adjustments, tunings, corrections...) needed for some privacy features:

  • DNSSEC - ensure DNSSEC and DANE is enabled always (or perhaps only by default, if otherwise carefully warned and explicitly confirmed)
    • (See e.g. ?here for more info)

  • TLS trust grading - system-wide levels of TLS trust, enforced in SSL/TLS frameworks (and conflicting against non-cooperating packages)
    • Trust common mainstream certificate authorities (a.k.a. the CA cartel)
    • Trust common peer-review governed certificate authorities (e.g. cacert.org - i.e only that one for now)
    • Trust local-derived trust chains (e.g. Monekeysphere and a locally run certificate authority)
    • Trust non-authority (i.e. self-signed) certificates
  • smtp grading - system-wide levels of smtp exchange handling, enforced in MTAs and MUAs (and conflicting against non-cooperating packages)
    • Use specific mail exchange (e.g. for trusted mail server or stealth workstation operation)
    • Use any unencrypted mail exchange (e.g. for opportunistic or stealth server operation)
    • Use any TLS-trusted mail exchange (i.e. respcting selected TLS grade(s))

Ideally these should all be handled automatically by Debian packages.

See also

FreedomBox, DebianParl, http://www.polippix.org/

  • ?CategoryPureBlends