
Kodachi Desktop Debian XFCE

Kodachi Desktop XFCE Edition

A full-featured desktop OS based on Debian 13 (Trixie) with the XFCE desktop environment, purpose-built for daily privacy-focused computing. Ships with the full Kodachi binary suite pre-installed, the Kodachi Dashboard (Tauri 2 + Svelte 5), a Lua-powered Conky system monitor, and a complete GUI application suite spanning browsers, office, multimedia, security tools, and development environments. Supports KAICS plus ai-gateway as optional add-ons, and kodachi-claw for anonymous autonomous AI agent operations with embedded Tor circuits. 18 months of development. Built for privacy-conscious desktop users.

XFCE Desktop | Privacy-First | AI-Powered | Tor-Ready | Dark Theme | Kodachi Claw

These are the live-session kodachi account credentials. root login is disabled and does not use this password.


Download & Installation

First release: 26 February 2026 (9.0.1) | Desktop last updated 07 March 2026 - build #15

Download ISO

Direct download (latest): Kodachi Desktop XFCE 9.0.1-amd64, ~5 GB. Full desktop experience with privacy tools pre-configured.

Browse all files: the complete archive of Kodachi releases, checksums, and documentation is available on SourceForge.
ISO Integrity Verification

Verify the downloaded ISO file integrity using the SHA256 checksum below to ensure secure installation:

SHA256 Checksum: 3f367d06349b767a2b2abc3b7dc3b41f20d57507d32cbf4c4067af8ba8c90b3c

Verification Command:
sha256sum linux-kodachi-desktop-9.0.1-amd64.iso

GPG Signature Verification Available

SourceForge also provides GPG signature files for cryptographic verification. Download the signature files from the same location:

  • linux-kodachi-desktop-9.0.1-amd64.iso.sig - GPG signature file
  • linux-kodachi-desktop-9.0.1-amd64.iso.sig.info - Signature information
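The two checks above, as an added example that is not part of the Kodachi project's own tooling: a small POSIX shell script that compares the ISO's SHA256 digest against the published value (the file name and checksum below are the ones from this page) and then asks gpg to verify the detached .sig file. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not Kodachi's own code: verify the downloaded ISO against
# the SHA256 value published above and its detached GPG signature.

# Values taken from this page.
KODACHI_ISO=linux-kodachi-desktop-9.0.1-amd64.iso
KODACHI_ISO_SHA256=3f367d06349b767a2b2abc3b7dc3b41f20d57507d32cbf4c4067af8ba8c90b3c

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The expected value is lower-cased so a copy-pasted upper-case digest
# still compares correctly.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_gpg FILE SIGFILE -> gpg's exit status: 0 only for a good signature
# made by a key that is already imported into the local keyring.
# A "good signature" from an unknown key is not trust; import and check the
# signer's fingerprint out of band first.
verify_gpg() {
    gpg --verify "$2" "$1"
}

# Run both checks when the ISO is present in the current directory.
if [ -f "$KODACHI_ISO" ]; then
    verify_sha256 "$KODACHI_ISO" "$KODACHI_ISO_SHA256" \
        && verify_gpg "$KODACHI_ISO" "$KODACHI_ISO.sig"
fi
```

The digest check only proves the download is the file the page describes; the signature check is what ties it to the maintainer's key, so a digest match with a failed or missing signature should be treated as an unverified image. On macOS, `shasum -a 256` stands in for `sha256sum`.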

Kodachi is built and maintained by one person since 2013. If this ISO is useful to you or your organisation, please consider supporting the project before you leave.

Installation Methods

  1. Bare Metal - Install directly on hardware for maximum performance and daily use
  2. Virtual Machine - Run in VMware/VirtualBox/QEMU for testing or isolated environments
  3. Live USB - Boot from USB drive without installation (portable, leaves no traces)
  4. Persistent Storage - Enable persistence for configuration retention across reboots

Create Bootable USB

Tool | Platform | Multiboot | Best For
Ventoy | Linux, Windows | Yes | Drag-and-drop multiple ISOs onto one USB. Install once, reuse forever.
Rufus | Windows | No | Industry-standard. Select ISO, select USB, write in DD or ISO mode.
Etcher | Linux, Windows, macOS | No | Simplest UI. Three-step flash: select, target, burn.
YUMI | Windows | Yes | Add multiple OSes to one USB, one at a time. Boot menu included.
UUI | Windows | No | Single-OS USB creator from the YUMI team. Lightweight and reliable.
Linux (dd) - recommended

# Find USB device
lsblk

# Write ISO (replace /dev/sdX)
sudo dd if=linux-kodachi-desktop-9.0.1-amd64.iso \
  of=/dev/sdX bs=4M status=progress oflag=sync

macOS (dd)

# Find disk identifier
diskutil list

# Unmount and write ISO (replace N with the disk number)
diskutil unmountDisk /dev/diskN
sudo dd if=linux-kodachi-desktop-9.0.1-amd64.iso \
  of=/dev/rdiskN bs=4m

Double-check your target device. The dd command will overwrite the entire drive without confirmation. Use lsblk or diskutil list to verify the correct device before writing.

Why Kodachi Desktop

Kodachi Desktop is not a respin. It is a purpose-built operating system where every package, every configuration file, and every default setting was chosen with a single objective: uncompromising privacy for daily desktop computing.

Built over 18 months on Debian 13 (Trixie), Kodachi Desktop combines the terminal security stack with a complete XFCE desktop environment. The system includes 460 curated packages: 268 terminal-level security and networking packages plus 192 desktop GUI applications, each serving a specific privacy role.

The desktop ships with a dark theme (LK_Material-Black-Lime) optimized for operational security. Under the hood, Kodachi binaries form a unified security control plane managed through the Kodachi Dashboard (Tauri 2 + Svelte 5).


Privacy by Design

Every network connection leaving Kodachi Desktop is privacy-protected by default. The system enforces privacy from the moment the kernel loads.

12+ Routing Protocols

WireGuard, OpenVPN, Shadowsocks, V2Ray, Xray (VLESS/Reality), Hysteria2, Mieru (MITA), Dante, and Microsocks. Any protocol can be layered with system-wide Tor routing via tor-switch torrify-system-nftables-dns, encrypting every packet including DNS queries.

DNSCrypt Auto-Config

Encrypted DNS activates automatically on first boot via dns-switch. No manual configuration required — the system selects optimal servers and enforces encrypted resolution from the moment the desktop loads.

MAC Randomization

Hardware identity is randomized on every boot via health-control. Your network adapter presents a different MAC address each session, preventing device fingerprinting across networks.

VPN Kill Switch

Blocks all outbound traffic instantly if the VPN connection drops. Prevents IP leaks during connection interruptions, ensuring your real address is never exposed to the network.


System Hardening

Kodachi Desktop applies defense-in-depth from the kernel upward. Mandatory access controls, file integrity monitoring, audit logging, device whitelisting, and application sandboxing create a layered security posture.

AppArmor

Mandatory access control that confines critical applications to minimum required permissions. Profiles restrict file access, network capabilities, and system call usage per application.

AIDE

File integrity monitoring with cryptographic hash detection. Maintains a baseline database of system files and alerts on unauthorized modifications, additions, or deletions.

auditd

System call recording, file access logging, and privilege escalation tracking. Writes tamper-resistant audit logs for forensic analysis and compliance reporting.

Firejail

Application sandboxing with separate filesystem namespaces and network stacks. Isolates browser, email, and messaging apps from each other and from sensitive system resources.

Portmaster

Application-level firewall and network monitor from Safing. Provides per-application traffic visibility and policy enforcement through a desktop UI and system service.

Secure Boot

UEFI Secure Boot with signed GRUB and shim packages. Verifies bootloader integrity before execution, preventing rootkits and unauthorized boot-time modifications.


Binary Security Suite

Kodachi Desktop ships a full set of high-performance binaries that form a unified security control plane. Each binary uses strict error handling with no .unwrap() calls in production code.

health-control

213 commands — System monitoring, emergency panic modes, security scoring, kill switches, MAC randomization, hostname management, and memory security controls.

tor-switch

107 commands — Tor lifecycle management, load balancing, exit node control, system-wide torrification, and circuit management.

dns-switch

27 commands — DNS server management, DNSCrypt configuration, Pi-hole integration, and encrypted resolution enforcement.

routing-switch

18 commands — VPN and Tor routing control, protocol switching between 12+ transport methods, and traffic redirection rules.

integrity-check

Binary signature verification, cryptographic hash validation, and system file integrity monitoring against the signed baseline.

permission-guard

File permission monitoring and enforcement. Detects unauthorized permission changes and restores correct ownership across critical system paths.

All binaries communicate through logs-hook, which writes structured JSON for forensic analysis. The kodachi-dashboard (Tauri 2 + Svelte 5) exposes the entire suite through a unified GUI.


Kodachi Dashboard

Four Modes. One Mission. Total Control.

Built with Tauri 2 + Svelte 5, the Kodachi Dashboard orchestrates 517+ commands across 24 Rust binaries with zero GUI freezing. Choose your interface: gamified security ring, first-boot AutoShield wizard, compact command center, or professional multi-panel workstation.

CIRCLE MODE

Gamified Security Ring

720×720 px | ~230 MB RAM | Beginner-friendly

Interactive circular interface with 7 clickable security arcs surrounding a central hub showing real-time IP, country flag, and security score (0-100 with color-coded risk levels).

7 Security Arcs: Authenticate, MAC Randomize, Hostname Spoof, Random Timezone, DNSCrypt, WireGuard VPN, Torrify System

Victory Animations: Celebrate security milestones at 25%, 50%, 75%, and 100% completion

Dual Auto-Refresh: 30s for IP/status checks, 60s for deep metrics with pause/resume controls

4 Emergency Controls: Routing Recover, Internet Recover, Restart Tor, Secure Shutdown

11 Commands | 5 Services | 7 Segments | ~230 MB RAM

AUTOSHIELD

First-Boot Setup Wizard

720×720 px | ~180 MB RAM | First boot

Countdown-driven setup wizard that launches automatically on first boot. Configures anonymity layers, randomizes system identity, and establishes secure connections with real-time telemetry and protection level visualization.

Automated Security Setup: VPN protocol selection, Tor configuration, DNSCrypt activation, and MAC randomization in one guided flow

Countdown Timer: Auto-executes security configuration after countdown, with manual override for custom setup

Protection Level Viz: Real-time system telemetry with security score, IP geolocation, and connection status indicators

Binary Verification: Validates all bundled core binaries, authenticates session, and collects system status on first run

25 Commands | 2 Services | 10 Profiles | ~180 MB RAM

LITE MODE (RECOMMENDED)

Compact Command Center

1128×774 px | ~230 MB RAM | Intermediate

Collapsible sidebar with 15 tabs providing quick access to essential security operations, AI chat, command library, system monitoring, and direct terminal access with live output display.

15 Sidebar Tabs: Actions, AI Chat, Library, Health, Resources, Processes, Network, Firewall, Startup, Logs, Passwords, Settings, About, Help

12 Primary Actions: Login/Logout, WireGuard, Torrify, DNSCrypt, Random DNS, Harden, MAC/Hostname/Timezone randomization, Recovery controls

Grid/List Toggle: Two visualization modes for command output with syntax highlighting and error detection

Live Metrics Footer: Real-time CPU usage, memory consumption, and network throughput monitoring

147 Commands | 10 Services | 15 Tabs | ~230 MB RAM

FULL MODE

Professional Workstation

1800×1000 px | ~380 MB RAM | Advanced users

Multi-panel command center with 22 tabs across 4 major sections. Supports drag-and-drop command queuing, resizable panels, and parallel/sequential execution modes for power users.

4 Major Sections: Essentials (9 subtabs), Advanced (11 service tabs), System Monitor (7 subtabs), AI Integration

Drag & Drop Queue: Build complex operation sequences with reordering, parallel/sequential execution, and danger level badges

4 Panel Presets: Balanced split, logs-focused (70% logs), output-expanded, minimal sidebar with custom layout saving

24 Rust Binaries: Complete access to health-control (213 commands), tor-switch (107 commands), routing-switch (18 commands), dns-switch (27 commands), online-auth, workflow-manager, and more

517+ Commands | 24 Services | 22 Tabs | ~380 MB RAM

Core Infrastructure Across All Modes

All four modes share the same powerful backend: 517+ commands orchestrated across 24 Rust binaries with async execution to prevent GUI freezing. Security score aggregates 5 categories (Core, Network, Hardening, Device, Advanced) with color-coded risk levels: Green (80+), Yellow (60-79), Red (<60).

Async Execution | Danger Level Badges | 4 Output Formats | Auto-Refresh | IP + Flag + Auth Status | Mode Switcher

Mode Comparison Matrix

Mode | Window Size | RAM Usage | Interface | Skill Level | Primary Use
Circle | 720×720 px | ~230 MB | Gamified Ring | Beginner | Quick security setup
Lite | 1128×774 px | ~230 MB | 7-Tab Sidebar | Intermediate | Daily operations
Full | 1800×1000 px | ~380 MB | 23-Tab Workstation | Advanced | Power user workflows

Browser Privacy Configuration

Kodachi treats browsers as high-risk attack surfaces and applies aggressive privacy hardening. Both LibreWolf and Tor Browser run inside Firejail sandboxes with telemetry elimination, fingerprinting defense, and tracking protection at the configuration level.

LibreWolf

Primary clearnet browser with 16 pre-installed privacy extensions

Core Extensions

uBlock Origin (8 filter lists), ClearURLs (tracking parameter removal), Decentraleyes (local CDN resources), Cookie AutoDelete (tab-close cleanup)

Multi-Account Containers

4 isolated contexts with strict cookie separation: Personal, Work, Banking, Shopping

Fingerprinting Defense

Font Fingerprint Defender (blocks enumeration), WebRTC disabled (prevents IP leaks), Canvas protection, User-Agent randomization

DNS-over-HTTPS (DoH)

TRR mode 3 (fail-closed) forces all DNS through encrypted channels with zero plaintext fallback. Excludes localhost/kodachi.local for VPN/Tor compatibility

Search Engine Hardening

Removed 6 tracking engines (Google, Bing, Yahoo, Amazon, eBay, Wikipedia). Default: DuckDuckGo with privacy parameters (!safeoff, !ads-off)

Privacy Testing Bookmarks

20+ testing links: IP detection (whatismyip, ipleak.net), DNS leaks (dnsleaktest.com), WebRTC leaks, fingerprinting (amiunique.org, EFF Panopticlick)

16 Extensions | 8 Filter Lists | 4 Containers | 20+ Test Links

Tor Browser

Dedicated .onion access with three security levels

Three Security Modes

Standard: Full features. Safer: Disables JavaScript on non-HTTPS. Safest: Disables JS/fonts/media on all sites

Circuit Display

Transparent routing path visualization showing entry guard, middle relay, and exit node with country flags

Firejail Sandboxing

Restricted filesystem access (read-only /usr, /lib, /bin; write-only ~/.tor-browser), seccomp filtering, disabled network namespaces to preserve Tor routing

.onion Service Access

Native support for onion addresses with automatic circuit creation for hidden services. No clearnet DNS lookups for .onion domains

Profile Separation

Dedicated browser profile prevents cross-contamination with LibreWolf. Separate cookie jars, cache, and browsing history

Circuit Refresh

New Identity button wipes all cookies/cache and creates fresh Tor circuits. Prevents long-term tracking correlation

3 Security Modes | 100% Onion Native | 3 Tor Hops | 0 Telemetry

Dual-Browser Architecture with Firejail Isolation

Both browsers run in Firejail sandboxes with restricted filesystem access, seccomp filtering to block dangerous syscalls, and disabled network namespaces to preserve VPN/Tor routing. This dual-browser approach separates clearnet browsing (LibreWolf) from onion services (Tor Browser), preventing cross-contamination of browsing profiles and reducing fingerprinting surface area.

Read-Only System Directories | Write-Only Browser Profiles | Seccomp Syscall Filtering | Network Namespace Disabled | Separate Cookie Jars | Zero Profile Cross-Contamination

AI-Powered Intelligence

Kodachi Desktop integrates an AI operations suite running entirely through anonymous channels. AI queries, model interactions, and automated tasks cannot be traced to your identity or location.

kodachi-claw is an autonomous AI agent runtime operating through embedded Tor circuits. Every API request routes through dedicated Tor circuits, making correlation impossible for AI providers. KAICS (Kodachi AI Command System) provides 8 specialized sub-binaries including ai-cmd for natural language OS control, ai-trainer for local model fine-tuning, and ai-gateway for routing AI requests through anonymous channels. All AI operations route through Tor for complete anonymity.


Dashboard Fortress

The Kodachi Dashboard is locked behind a multi-layer authentication system. Password, TOTP two-factor, recovery codes, and automated threat response combine to create an impenetrable access control system that makes unauthorized dashboard access virtually impossible.

Password + TOTP 2FA

Primary authentication requires a strong password. Enable TOTP-based two-factor authentication for a second verification layer. Compatible with any authenticator app (Google Authenticator, Authy, etc.). Both factors required on every login.

8 Single-Use Recovery Codes

When TOTP is enabled, the system generates 8 single-use recovery codes. Each code works exactly once. If you lose your authenticator device, these codes are your lifeline. Store them offline, printed, or in a separate encrypted volume.

Auto-Lock Timer

Configure automatic session lockout: 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour, 4 hours, or never. When the timer expires, the dashboard locks and requires full re-authentication. Prevents walk-away exposure.

Audit Logging

Every authentication event is logged: successful logins, failed attempts, TOTP verifications, recovery code usage, lockouts, and configuration changes. Full audit trail for forensic review. Logs are tamper-resistant and timestamp-verified.

Threat Response Levels

When too many failed authentication attempts are detected, the system escalates through four configurable threat response levels. Each level applies progressively stronger countermeasures.

Level 1: Temporary Lockout (reversible)

Lock dashboard for a configurable duration. User must wait before retrying. No data affected. Auto-unlocks after timeout.

Level 2: Block Until Recovery (recovery code)

Lock dashboard indefinitely. Requires recovery code or system-level intervention to unlock.

Level 3: System Shutdown (power cycle)

Immediately powers off the machine. All volatile data in RAM is lost. Requires physical power-on to resume.

Level 4: Trigger Panic (irreversible)

Initiates full panic mode sequence. Wipes sensitive data, kills network, clears RAM. See Emergency Response for details.

Lockout → Block → Shutdown → Panic


Nuclear Options

When compromise is imminent or confirmed, Kodachi provides irreversible data destruction capabilities that no forensic team can recover from. Two independent nuke systems — LUKS Nuke at boot and Dashboard Duress Protocol at login — ensure data destruction is always one password away.

LUKS Nuke Password

Configure a special nuke password alongside your normal LUKS decryption password. At the boot screen, entering the nuke password instead of the real password triggers instant LUKS header destruction. The encrypted partition becomes permanently unrecoverable.

Header Overwrite

Overwrites LUKS header with random data, destroying all key slots

Key Slot Wipe

Individually destroys each LUKS key slot to prevent partial recovery

Sector Zeroing

Zeros the first sectors of the partition, eliminating filesystem signatures

GPG Backup

Before nuke configuration, automatically creates a GPG-encrypted backup of the LUKS header for authorized recovery

Under duress, you hand over the nuke password. The system appears to attempt decryption, fails, and the data is permanently gone. The adversary sees only a corrupted partition with no evidence of intentional destruction.

Dashboard Duress Protocol (Nuke Password)

Set a secret duress password in the dashboard. When entered at the login screen instead of the real password, the dashboard shows a convincing "System Update" screen while destruction runs silently in the background. The attacker sees fake package installation progress bars and realistic update text. Zero audit trail. Complete plausible deniability.

Fake Update Screen: Displays 13 simulated update phases with realistic Debian package names, version numbers, progress percentages, and completion messages. Indistinguishable from a real system update. By the time the "update completes," all sensitive data is destroyed.

Nuke Execution Paths

Dashboard Native — 9 Phases

1 Authentication — Validate nuke password + one-time token
2 Network Kill — Block all internet via nftables/iptables
3 Tor Shutdown — Stop all Tor instances and circuits
4-7 Parallel Destruction — Browser wipe, credential wipe, logs wipe, temp/cache wipe (concurrent)
8 RAM Wipe — Secure memory clearing (sdmem/kodachi-wiper)
9 Shutdown — Power off or reboot

Uses privileged helper binary with one-time token validation. Falls back to individual phase execution if helper unavailable.

Health-Control CLI — 14 Phases

1 Initialization — Detect storage types (SSD/NVMe/HDD)
2 Network Kill — Kill all network interfaces
3 Tor Shutdown — Terminate all Tor processes
4-10 Parallel Wipe — Browsers, credentials, SSH/GPG keys, crypto wallets, messaging, logs, cache (concurrent)
11 Swap Wipe — Secure swap partition clearing
12 Free Space — Overwrite free disk space
13 RAM Wipe — Multi-method memory destruction
14 Shutdown — Power off system

Full standalone destruction with storage-aware wiping. Detects SSD, NVMe, and HDD for optimal destruction method.

Wipe Intensity Comparison

Mode | Passes | Speed | Standard | Use Case
Fast | 1-pass zero | ~30s | Single overwrite | Quick destruction when time is critical
Secure | 3-pass DoD | ~45s | DoD 5220.22-M | Standard secure wipe meeting military spec
Paranoid | 7-pass | ~60s | Extended overwrite | Maximum destruction for highest threat scenarios

Storage-Aware Wiping

SSD

blkdiscard --secure — TRIM-based secure erase triggers the drive's built-in secure wipe. Instant on drives supporting secure discard.

NVMe

nvme format --secure — NVMe secure format command utilizes the drive's cryptographic erase capability for complete destruction.

HDD

shred multi-pass — Traditional multi-pass overwriting with random data patterns. Necessary for magnetic media where TRIM is not available.


Emergency Response

Three escalation levels of panic mode let you choose between recoverable defensive measures and irreversible destruction. Network kill switches provide instant isolation. Every action is designed for split-second activation when seconds matter.

Panic Soft

Recoverable. Defensive lockdown without data loss.

  • Block all internet traffic (nftables)
  • Stop Tor instances
  • Clear DNS cache
  • Randomize MAC addresses
  • Randomize hostname
  • Clear clipboard & recent files

Recovery: recover-internet restores connectivity

Panic Medium

Partially reversible. Adds data wiping to lockdown.

  • Everything in Panic Soft, plus:
  • Wipe all browser data
  • Destroy SSH/GPG keys
  • Wipe messaging app data
  • Clear all application logs
  • Wipe temporary files & caches
  • Secure RAM wipe

Recovery: Network recoverable, wiped data is gone

Panic Hard

IRREVERSIBLE. Total destruction and shutdown.

  • Everything in Panic Medium, plus:
  • Destroy cryptocurrency wallets
  • Wipe email client data
  • Overwrite free disk space
  • Wipe swap partition
  • Full RAM destruction
  • System power-off

Recovery: None. All data permanently destroyed.

Panic Soft → Panic Medium → Panic Hard (IRREVERSIBLE)

Network Kill Switches

Command | Method | Effect
block-internet --method nftables | nftables | Drop all traffic via nftables ruleset (preferred on modern systems)
block-internet --method iptables | iptables | Drop all traffic via iptables rules (legacy fallback)
block-internet --method firewall | UFW/firewalld | Reject all traffic via system firewall (user-facing tools)
block-internet --method interfaces | Interface down | Bring down all network interfaces (physical disconnection)
block-internet --method all | All methods | Apply all four methods simultaneously for maximum guarantee
kill-network | Combined | Kill all network processes, connections, and interfaces
kill-network-interface --interface <iface> | Targeted interface kill | Disable a specific network interface (for example: wlan0) without affecting others

Recovery Commands

After Panic Soft or manual kill switch activation, use recover-internet which attempts 9 recovery methods automatically: flush nftables, flush iptables, reset UFW, bring up interfaces, restart NetworkManager, restart systemd-networkd, flush DNS, restore resolv.conf, and restart DHCP. Falls back through each method until connectivity is restored.


Identity Randomization

Every identifying attribute of your system can be randomized on demand. MAC address, hostname, timezone, and IPv6 settings combine to make your machine appear as a completely different device on every connection.

Attribute | Before | After
MAC | 00:1A:2B:3C:4D:5E | F2:7C:9A:11:B8:03
Hostname | kodachi-desktop | DESKTOP-K4N92TX
Timezone | America/New_York | Asia/Tokyo
IPv6 | 2001:db8::1 | Disabled

MAC Address Control

  • mac change-all — Randomize all interfaces
  • mac force-change — Force change even if busy
  • mac change <iface> — Target specific interface
  • mac reset — Restore original hardware MAC
  • mac show — Display current vs. original

Hostname Randomization

7 categories of fake hostnames to blend in with any network:

  • Windows — DESKTOP-XXXXXXX patterns
  • Linux — ubuntu-server, fedora-ws, etc.
  • Apple — MacBook-Pro, iMac patterns
  • Fiction — Creative fictional names
  • Gaming — Gaming console patterns
  • Tech — Generic tech device names
  • Nature — Nature-inspired names

Timezone Management

8 timezone categories with intelligent selection:

  • IP-based sync — Match timezone to Tor exit node
  • Random — Pick completely random timezone
  • Americas / Europe / Asia / Africa / Pacific / Middle East — Region-specific random selection

IPv6 Control

IPv6 leaks your real identity through link-local addresses and SLAAC. Kodachi provides complete IPv6 management:

  • ipv6 disable — Disable via GRUB + sysctl
  • ipv6 enable — Re-enable if needed
  • Reboot recommended after changes
  • Prevents all IPv6 traffic leak vectors
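The "After" MAC in the table above (F2:7C:9A:11:B8:03) has the locally administered bit set and the multicast bit clear in its first octet, which is the property a randomized unicast address needs so that it never collides with a vendor-assigned OUI. The following is an added example, not Kodachi's health-control code: a POSIX shell generator that produces addresses with that property from the kernel RNG, plus a checker that can be run over the output of `mac show` or `ip link`. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Kodachi: generate and validate randomized MAC
# addresses of the locally-administered, unicast form shown on this page.

# mac_is_local_unicast MAC -> 0 when MAC is six colon-separated hex pairs
# whose first octet has bit 1 (0x02, locally administered) set and bit 0
# (0x01, multicast) clear; 1 otherwise.
mac_is_local_unicast() {
    mac=$1
    case $mac in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    # Keep only the two low bits of the first octet; they must read 0b10.
    [ $(( first & 0x03 )) -eq 2 ]
}

# random_mac -> prints one random locally-administered unicast MAC.
random_mac() {
    # Six raw bytes from the kernel RNG as unsigned decimals.
    set -- $(od -An -N6 -tu1 /dev/urandom)
    # Force locally administered (set 0x02) and unicast (clear 0x01).
    first=$(( ($1 | 0x02) & 0xFE ))
    printf '%02X:%02X:%02X:%02X:%02X:%02X\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Usage: generate one address and confirm it has the expected form.
candidate=$(random_mac)
if mac_is_local_unicast "$candidate"; then
    echo "generated $candidate (locally administered, unicast)"
fi
```

The checker is useful as a post-condition after `mac change-all`: an interface that still reports a globally unique (bit 0x02 clear) address was not randomized. The trade-off is that locally administered addresses are recognisable as such to anyone inspecting the network, which is the same property the page's own sample address has.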

Data Destruction Arsenal

Beyond the nuke sequences, Kodachi provides granular control over data destruction. Wipe specific categories, target individual applications, scrub RAM against cold boot attacks, or create encrypted containers for sensitive data isolation.

Wipe Standards

DoD 5220.22-M - 3 passes. US Department of Defense standard. Overwrite with zeros, ones, then random data.

Gutmann (Simplified) - 9 passes. Simplified Gutmann method targeting modern drive architectures.

RCMP TSSIT OPS-II - 7 passes. Royal Canadian Mounted Police standard. Alternating overwrite patterns.

Wipe Target Categories

Browsers

Firefox, Chromium, Tor Browser, Brave — history, cookies, cache, saved passwords, form data, downloads

Credentials

SSH keys, GPG keyrings, password stores, KeePassXC databases, authentication tokens

Crypto Wallets

Bitcoin, Monero, Ethereum wallets — wallet files, transaction history, key stores

Messaging

Signal, Session, Pidgin, Thunderbird — message databases, contact lists, media files

System Logs

Journal, syslog, auth.log, kern.log, application logs — complete audit trail elimination

Disk Targets

Free space overwrite, swap partition wipe, temp directories, user cache, thumbnail cache

RAM Wipe & Cold Boot Defense

4 Wipe Policies

Choose the RAM wipe engine:

  • kodachi-wiper — Custom Kodachi memory wiper
  • sdmem — Secure-delete memory wiper
  • both — Run both engines sequentially
  • auto — System chooses optimal method
Automatic on Shutdown

RAM wipe integrates with systemd shutdown hooks. When the system powers off or reboots, RAM is automatically scrubbed before the power-off sequence completes. Defends against cold boot attacks where an adversary freezes RAM chips to extract encryption keys.

Encrypted Containers

Create on-demand LUKS encrypted containers for sensitive data isolation:

  • container-create — Create new encrypted volume
  • container-mount — Mount with passphrase
  • container-unmount — Securely unmount

System Hardening & Security Score

Kodachi calculates a real-time Security Score (0–100) across five categories. Seven hardening modules can be enabled independently, and three security profiles provide preset configurations from standard protection to full paranoid isolation.

Security Score

80+: Excellent | 60-79: Moderate | <60: Needs Attention

Category | Checks | What It Measures
Core | VPN, Tor, DNS, firewall status | Whether fundamental privacy layers are active
Network | DNS leak, IPv6 leak, WebRTC, routing | Network-level information leak vectors
Hardening | Kernel, filesystem, process, memory | System-level security hardening status
Device | USB, webcam, microphone, Bluetooth | Hardware attack surface control
Advanced | Sandboxing, integrity, authentication | Advanced security features and monitoring

7 Hardening Modules

Kernel Hardening

Restrict kernel module loading, disable kexec, protect /proc, enforce BPF JIT hardening, disable unprivileged user namespaces

Process Isolation

Restrict ptrace scope, enforce YAMA LSM, limit core dumps, hide kernel pointers, restrict dmesg access

Filesystem Protection

Restrict hardlinks/symlinks, enforce noexec on /tmp, mount options hardening, file permission auditing

Network Hardening

SYN cookies, ICMP redirect blocking, source routing disabled, reverse path filtering, TCP timestamps disabled

Memory Protection

ASLR enforcement, NX bit verification, stack canary checks, KASLR status, mmap randomization

Monitoring

Process monitoring, file integrity checking (AIDE), rootkit scanning (rkhunter + chkrootkit), antivirus (ClamAV)

Sandboxing

AppArmor profiles, Firejail sandboxing, namespace isolation, seccomp filters, capability dropping

Security Profiles

Standard

Balanced protection for daily use. Network-safe settings that don't break common applications. Enables kernel, network, and memory hardening. Suitable for browsing, communication, and general computing.

Paranoid

Maximum isolation for high-threat scenarios. All 7 modules at maximum settings. Network-isolated, sandboxed processes, aggressive filesystem restrictions. May break some applications. Use when security trumps convenience.

Break-Monitoring

Active breach detection profile. Enhanced monitoring, file integrity tripwires, process anomaly detection, real-time alerting. Designed for detecting active compromise attempts. Generates alerts on suspicious activity.

Integrated Security Tools

Kloak

Keystroke anonymization. Randomizes key event timing to defeat keylogger-based timing analysis attacks. Makes keyboard fingerprinting impossible.

Tirdad

TCP ISN randomization kernel module. Prevents TCP/IP stack fingerprinting by randomizing Initial Sequence Numbers. Anti-fingerprinting at the protocol level.

AIDE

Advanced Intrusion Detection Environment. Monitors file integrity by comparing file hashes against a known-good database. Detects unauthorized modifications.

Rootkit Scanning

Dual-engine scanning with rkhunter and chkrootkit. Detects kernel rootkits, backdoors, and hidden processes. Cross-validates results between engines.

ClamAV

Open-source antivirus engine. Real-time scanning, scheduled scans, and on-demand file checking. Signature database updated via Tor for anonymous updates.


USB & Hardware Security

Physical hardware ports are attack vectors. Kodachi implements a 4-layer USB defense system combined with hardware device controls to shut down physical attack surfaces that software-only solutions miss.

4-Layer USB Defense

Layer 1: USBGuard Policies

Rule-based device authorization. Whitelist known devices, block unknown USB by default. Policy-driven access control for every USB port.

Layer 2: Kernel Modules

Blacklist USB storage kernel modules (usb-storage, uas). Prevents the kernel from recognizing USB mass storage devices entirely.

Layer 3: Device Authorization

Sysfs-level authorization control. Set authorized attribute to 0 for individual USB devices, preventing driver binding at the bus level.

Layer 4: Blacklist Rules

Modprobe blacklist configuration for specific device classes. Block entire categories of USB devices (HID, audio, video) via persistent rules.

Hardware Device Controls

Device | Disable Method | Why It Matters
Webcam | Kernel module blacklist (uvcvideo) | Prevents remote camera activation by malware or exploits
Microphone | PulseAudio/PipeWire source mute + module unload | Blocks audio surveillance and room monitoring
Bluetooth | rfkill block + kernel module blacklist | Eliminates Bluetooth tracking, pairing attacks, and BLE beacons
WiFi | Module blacklist per chipset | Prevents WiFi probe requests that reveal device identity

Hardware RNG Verification

Verify that hardware random number generators (RDRAND, RDSEED) are functioning correctly. Tests entropy quality and detects potentially compromised RNG implementations. Critical for cryptographic key generation.

Entropy Pool Monitoring

Monitor /proc/sys/kernel/random/entropy_avail in real-time. Low entropy starves cryptographic operations. The system alerts when entropy drops below safe thresholds and can feed additional entropy sources.

Boot Integrity Checking

Verify boot partition integrity against known-good hashes. Detects Evil Maid attacks, bootloader tampering, and initramfs modifications. Compare checksums on every boot cycle.
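
An added example, not Kodachi's integrity-check binary, of the baseline-and-verify pattern described above: hash every file under a boot directory once from a trusted state, then report modified, added and removed files on later runs. Function names are this example's own; the baseline location in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not Kodachi's integrity-check binary: a minimal
# baseline-and-verify check for a boot partition in the spirit of the boot
# integrity checking described above. Take the baseline once from a trusted
# state and keep it off the device (whoever can rewrite /boot can also
# rewrite a baseline stored next to it).

# Hash every regular file below $1 as "sha256  ./relative/path", sorted so
# the listing is stable between runs.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Record the trusted state of $1 into the baseline file $2.
boot_baseline() {
    hash_tree "$1" > "$2"
}

# Hash line layout: 64 hex chars, two spaces, then the path (column 67 on).
line_hash() { printf '%s' "$1" | cut -c1-64; }
line_path() { printf '%s' "$1" | cut -c67-; }

# Look up the recorded hash of path $1 in listing $2 (empty if absent).
lookup_hash() {
    awk -v p="$1" 'substr($0, 67) == p { print substr($0, 1, 64) }' "$2"
}

# Compare the current content of $1 against baseline $2. Prints one line per
# difference (MODIFIED / ADDED / REMOVED) and returns 1 if anything changed,
# so it can gate the boot sequence or raise an alert.
boot_verify() {
    dir="$1"
    base="$2"
    cur=$(mktemp)
    hash_tree "$dir" > "$cur"
    rc=0
    # Pass 1: every file present now is either new or must match its record.
    while IFS= read -r line; do
        path=$(line_path "$line")
        old=$(lookup_hash "$path" "$base")
        if [ -z "$old" ]; then
            echo "ADDED    $path"; rc=1
        elif [ "$old" != "$(line_hash "$line")" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$cur"
    # Pass 2: every recorded file must still exist.
    while IFS= read -r line; do
        path=$(line_path "$line")
        if [ -z "$(lookup_hash "$path" "$cur")" ]; then
            echo "REMOVED  $path"; rc=1
        fi
    done < "$base"
    rm -f "$cur"
    return "$rc"
}

# Typical use as root (once from a trusted boot, then at every boot); the
# baseline path is an assumption of this example:
#   boot_baseline /boot /root/boot-baseline.sha256
#   boot_verify   /boot /root/boot-baseline.sha256 || echo "boot files changed"
```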


WatchGuard & Monitoring

Continuous monitoring detects changes to your network identity, active interfaces, and running processes. WatchGuard runs as a background daemon that automatically blocks internet on detection and triggers alerts. Combined with Oniux process isolation, every connection is monitored and contained.

Watch Types

Watch Type | What It Monitors | On Detection
IP Change | External IP address shifts (VPN drop, Tor circuit change) | Auto-block internet via nftables/iptables/firewall/interfaces
Timezone Change | System timezone modifications (potential deanonymization) | Alert + optional auto-block
Interface Change | New network interfaces appearing (USB ethernet, rogue WiFi) | Auto-block + disable new interface
Process Monitor | Specific process lifecycle (e.g., Tor, VPN, DNS proxy) | Alert + auto-restart or auto-block

Daemon Mode

WatchGuard runs as a persistent background daemon. Configurable polling intervals, automatic recovery attempts, and integration with the dashboard notification system. Survives user session changes. Starts on boot.

Auto-Block Methods

When a watch triggers, internet is blocked using 4 layered methods: nftables (drop all), iptables (reject all), UFW/firewalld (deny all), and interface down. All four applied simultaneously for guaranteed isolation.

System Monitoring (Full Mode)

Extended monitoring covers: CPU/memory/disk resources, active network connections, running processes, firewall rule integrity, application logs, and startup service audit. Full-system visibility in one view.

Oniux Process Isolation

Oniux provides per-process Tor routing through Linux namespace isolation. Each isolated process gets its own mount namespace, user namespace, and network namespace. Traffic is forced through a dedicated Tor circuit with no possibility of leaking to the real network. Unlike proxychains or torsocks which rely on library preloading, Oniux uses kernel-level namespace isolation that cannot be bypassed by the application.

Mount Namespace

Isolated filesystem view. Process sees only the files it needs. Prevents reading system configuration or other users' data.

User Namespace

Unprivileged isolation. Process runs as a pseudo-root inside its namespace but has no real system privileges. Limits damage from exploitation.

Network Namespace

Dedicated network stack. Process can only reach the Tor SOCKS proxy. All DNS queries route through Tor. No direct internet access possible.

Audible Alert System

When WatchGuard detects a trigger event or a panic sequence activates, an audible alert sounds through the system speakers. Configurable alert sounds for different event types ensure you notice critical security events even when the screen is not visible. Sound player integration handles watchguard triggers and panic event notifications with distinct audio patterns.


Security Models & Layered Anonymity

Kodachi Desktop includes 92 pre-built security workflows plus unlimited custom workflows via workflow-manager. Below are 18 example workflows by anonymity level covering WireGuard, OpenVPN, Shadowsocks, Hysteria2, V2Ray, Xray, and Mita. Workflows 1-3 (Triple VPN + Tor) provide maximum anonymity. Workflows 4-8 (Double VPN + Tor) offer ultra anonymity. Workflows 9-11 (Single VPN + Double Tor) provide very high anonymity. All profiles are in /opt/kodachi/dashboard/hooks/config/profiles/.

Workflow Comparison Matrix

01

Router VPN → Host Mullvad → VM Kodachi WireGuard → Torrified

Chain: ISP → Router VPN → Host Mullvad VPN → Kodachi WireGuard (VM NAT) → Torrified System → Tor DNS

Anonymity: Ultra++ (6/6 - Triple VPN) Speed: Slowest

Ideal for: Ultimate anonymity, extreme threat models, maximum deniability, state-level adversaries.

sudo routing-switch connect wireguard
sudo tor-switch torrify-system-nftables-dns

02

Router VPN → Host ProtonVPN → VM Kodachi OpenVPN → Torrified

Chain: ISP → Router VPN → Host ProtonVPN → Kodachi OpenVPN (VM NAT) → Torrified System → Tor DNS

Anonymity: Ultra++ (6/6 - Triple VPN) Speed: Slowest

Ideal for: Whistleblowing, state-level adversaries, journalist protection, maximum operational security.

sudo routing-switch connect openvpn
sudo tor-switch torrify-system-nftables-dns

03

Router VPN → Host NordVPN → VM Kodachi Shadowsocks → Torrified

Chain: ISP → Router VPN → Host NordVPN → Kodachi Shadowsocks (VM NAT) → Torrified System → Tor DNS

Anonymity: Ultra++ (6/6 - Triple VPN) Speed: Very Slow

Ideal for: Maximum obfuscation, defeating DPI in hostile networks, evading advanced surveillance.

sudo routing-switch connect shadowsocks
sudo tor-switch torrify-system-nftables-dns

04

Host Mullvad → VM Kodachi OpenVPN → Torrified + Tor DNS

Chain: ISP → Normal Router → Host Mullvad → Kodachi OpenVPN (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Slow

Ideal for: Different VPN providers, avoiding single-point surveillance, investigative journalism.

sudo routing-switch connect openvpn
sudo tor-switch torrify-system-nftables-dns

05

Host ProtonVPN → VM Kodachi Shadowsocks → Torrified + Tor DNS

Chain: ISP → Normal Router → Host ProtonVPN → Kodachi Shadowsocks (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Slow

Ideal for: Censorship bypass with double VPN + Tor, evading DPI, hostile network environments.

sudo routing-switch connect shadowsocks
sudo tor-switch torrify-system-nftables-dns

06

Host NordVPN → VM Kodachi V2Ray → Torrified + Tor DNS

Chain: ISP → Normal Router → Host NordVPN → Kodachi V2Ray (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Moderate

Ideal for: Traffic obfuscation, triple anonymity layer, defeating advanced network analysis.

sudo routing-switch connect v2ray
sudo tor-switch torrify-system-nftables-dns

07

Host ExpressVPN → VM Kodachi Hysteria2 → Torrified + Tor DNS

Chain: ISP → Normal Router → Host ExpressVPN → Kodachi Hysteria2 (VM NAT) → Torrified → Tor DNS

Anonymity: Ultra (5/5) Speed: Moderate

Ideal for: High-performance with maximum anonymity, restrictive network circumvention.

sudo routing-switch connect hysteria2
sudo tor-switch torrify-system-nftables-dns

08

Anonymous VPN → Tor → Torrified System + Tor DNS

Chain: ISP → Kodachi VPN (anonymous node) → Tor → Torrified System → Tor DNS

Anonymity: Ultra (5/5) Speed: Slow

Ideal for: Investigative journalism, activist operations, secure communications.

sudo routing-switch connect openvpn
sudo tor-switch torrify-system-nftables-dns

09

Forced Xray → Torrified System + Tor DNS

Chain: ISP → Kodachi Xray (forced traffic) → Torrified System → Tor DNS

Anonymity: Very High (4.5/5) Speed: Very Slow

Ideal for: Extreme anonymity requirements, .onion operations, dark web access.

sudo routing-switch connect xray
sudo tor-switch torrify-system-nftables-dns

10

WireGuard → Torrified System + Tor DNS

Chain: ISP → Kodachi WireGuard → Torrified System → Tor DNS

Anonymity: Very High (4.5/5) Speed: Slow

Ideal for: Dark web research, sensitive communications, enhanced privacy.

sudo routing-switch connect wireguard
sudo tor-switch torrify-system-nftables-dns

11

Router VPN → VM WireGuard → Tor (Single Tor)

Chain: ISP → Router VPN → Kodachi WireGuard (VM via NAT) → Torrified System → Tor DNS

Anonymity: Very High (4.5/5) Speed: Slow

Ideal for: Maximum deniability with physical isolation, secure operations.

sudo routing-switch connect wireguard
sudo tor-switch torrify-system-nftables-dns

12

Host Mullvad → VM Kodachi Shadowsocks → DNScrypt

Chain: ISP → Normal Router → Host Mullvad → Kodachi Shadowsocks (VM NAT) → DNScrypt

Anonymity: High (4/5) Speed: Good

Ideal for: Censorship bypass with double VPN layer, evading DPI.

sudo routing-switch connect shadowsocks
sudo dns-switch switch --names dnscrypt-cloudflare
health-control net-check

13

Host ProtonVPN → VM Kodachi Hysteria2 → DNScrypt

Chain: ISP → Normal Router → Host ProtonVPN → Kodachi Hysteria2 (VM NAT) → DNScrypt

Anonymity: High (4/5) Speed: Very Good

Ideal for: High-performance double VPN for restrictive networks, streaming with privacy.

sudo routing-switch connect hysteria2
sudo dns-switch switch --names dnscrypt-quad9
ip-fetch

14

Host ExpressVPN → VM Kodachi Xray-VLESS-Reality → DNScrypt

Chain: ISP → Normal Router → Host ExpressVPN → Kodachi Xray-VLESS-Reality (VM NAT) → DNScrypt

Anonymity: High (4/5) Speed: Good

Ideal for: Advanced anti-detection with Xray Reality, defeating sophisticated censorship.

sudo routing-switch connect xray
sudo dns-switch switch --names dnscrypt-quad9
health-control security-score

15

Forced Hysteria2 → Torrified System + Tor DNS

Chain: ISP → Kodachi Hysteria2 (forced traffic) → Torrified System → Tor DNS

Anonymity: Moderate-High (3.5/5) Speed: Moderate

Ideal for: Hostile network environments, censorship bypass with good performance.

sudo routing-switch connect hysteria2
sudo tor-switch torrify-system-nftables-dns

16

V2Ray → Torrified System + Tor DNS

Chain: ISP → Kodachi V2Ray → Torrified System → Tor DNS

Anonymity: Moderate-High (3.5/5) Speed: Moderate

Ideal for: General privacy and anonymous browsing, traffic obfuscation.

sudo routing-switch connect v2ray
sudo tor-switch torrify-system-nftables-dns

17

Anonymous Shadowsocks → Tor + Tor DNS

Chain: ISP → Kodachi Shadowsocks (anonymous node) → Tor → Tor DNS

Anonymity: Moderate-High (3.5/5) Speed: Moderate

Ideal for: Daily privacy operations, secure communications, DPI evasion.

sudo routing-switch connect shadowsocks
sudo tor-switch start-tor-dns-nftables

18

Forced OpenVPN → DNScrypt (Fast Performance)

Chain: ISP → Kodachi OpenVPN (forced traffic) → DNScrypt

Anonymity: Moderate (3/5) Speed: Fast

Ideal for: Online banking, shopping, business email, general secure browsing.

sudo routing-switch connect openvpn
sudo dns-switch switch --names dnscrypt-quad9
health-control net-check

Protocol-Specific Initial Setup Workflows

Kodachi Desktop includes ready-to-use initial setup profiles for multiple routing protocols:

VPN Protocols:

  • initial_terminal_setup_openvpn_only - OpenVPN connection setup
  • initial_terminal_setup_wireguard_only - WireGuard connection setup

Anti-Censorship Protocols:

  • initial_terminal_setup_shadowsocks_only - Shadowsocks proxy setup
  • initial_terminal_setup_v2ray_only - V2Ray traffic obfuscation
  • initial_terminal_setup_xray_vless_only - Xray VLESS protocol
  • initial_terminal_setup_xray_trojan_only - Xray Trojan protocol
  • initial_terminal_setup_xray_vless_reality_only - Xray VLESS Reality
  • initial_terminal_setup_hysteria2_only - Hysteria2 high-performance

Proxy Servers:

  • initial_terminal_setup_dante_only - Dante SOCKS5 server
  • initial_terminal_setup_mita_only - Microsocks lightweight SOCKS5

Tor Combinations:

  • initial_terminal_setup_tor_only - Tor-only setup
  • initial_terminal_setup_wireguard_torrify - WireGuard + Tor torrification
  • initial_terminal_setup_auth_torrify_only - Authentication + Tor torrification

Execute with: sudo workflow-manager run <profile-name>

Workflow Selection Guide - Organized by Anonymity Tiers

TIER 1: Maximum Anonymity - Triple VPN + Tor (Workflows 01-03)
  • Anonymity Level: Ultra++ (6/6) - Triple VPN protection with Tor torrification
  • Best for: Ultimate anonymity, extreme threat models, state-level adversaries, whistleblowing, maximum deniability
  • Configuration: Router VPN → Host VPN (Mullvad/ProtonVPN/NordVPN) → Kodachi VPN (WireGuard/OpenVPN/Shadowsocks) → Torrified System → Tor DNS
  • Speed: Slowest to Very Slow

TIER 2: Ultra Anonymity - Double VPN + Tor (Workflows 04-08)
  • Anonymity Level: Ultra (5/5) - Double VPN with Tor torrification
  • Best for: Different VPN providers, avoiding single-point surveillance, investigative journalism, activist operations, censorship bypass with maximum protection
  • Configuration: Normal Router → Host VPN (Mullvad/ProtonVPN/NordVPN/ExpressVPN) → Kodachi VPN (OpenVPN/Shadowsocks/V2Ray/Hysteria2) → Torrified System → Tor DNS
  • Speed: Slow to Moderate

TIER 3: Very High Anonymity - Single VPN + Double Tor (Workflows 09-11)
  • Anonymity Level: Very High (4.5/5) - Double Tor circuits or Router + Guest VPN + Tor
  • Best for: Extreme anonymity requirements, .onion operations, dark web research, sensitive communications, maximum deniability
  • Configuration: Kodachi VPN (Xray/WireGuard) → Torrified → Double Tor Circuits OR Router VPN → Kodachi VPN → Torrified System
  • Speed: Very Slow to Slow

TIER 4: High Anonymity - Double VPN without Tor (Workflows 12-14)
  • Anonymity Level: High (4/5) - Double VPN layer
  • Best for: Censorship bypass, DPI evasion, advanced anti-detection, high-performance with strong privacy
  • Configuration: Normal Router → Host VPN (Mullvad/ProtonVPN/ExpressVPN) → Kodachi VPN (Shadowsocks/Hysteria2/Xray-VLESS-Reality) → DNScrypt
  • Speed: Good to Very Good

TIER 5: Moderate-High Anonymity - Single VPN + Tor (Workflows 15-17)
  • Anonymity Level: Moderate-High (3.5/5) - Single VPN with Tor
  • Best for: Hostile network environments, general privacy, anonymous browsing, daily privacy operations, secure communications
  • Configuration: Kodachi VPN (Hysteria2/V2Ray/Shadowsocks) → Torrified System → Tor DNS
  • Speed: Moderate

TIER 6: Moderate Anonymity - Single VPN Only (Workflow 18)
  • Anonymity Level: Moderate (3/5) - Single VPN with encrypted DNS
  • Best for: Online banking, shopping, business email, general secure browsing, fast performance requirements
  • Configuration: Kodachi VPN (OpenVPN) → DNScrypt
  • Speed: Fast

Create Custom Workflows using workflow-manager for: Multi-protocol chains, adaptive failover, custom threat models, automated security responses, and specialized use cases.

NOT Recommended: Tor → VPN

Avoid Configuration: Your Computer → Tor → VPN → Internet

This configuration is widely discouraged; it blocks .onion access, lets the guard see your real IP, makes Tor usage detectable, degrades performance, and shifts trust to the VPN.

Why this is dangerous:

  • Entry nodes see your real IP
  • ISP detects Tor usage
  • NO access to .onion sites
  • Severely degraded performance
  • VPN provider can see your activity

Evidence: For detailed analysis, read the Tor Project's official documentation on Tor+VPN configurations.

Source Information

Based on Privacy Guides 2025 recommendations, Tor Project official documentation, and Kodachi security research. These workflows represent comprehensive threat modeling from maximum anonymity to secure financial operations.

Technical Specifications Dashboard

Core System Specifications
Component | Details
Base System | Debian 13 (Trixie)
Architecture | amd64 (x86_64)
Desktop Environment | XFCE 4
Display Manager | LightDM with GTK Greeter
ISO Size | ~5GB (full desktop with GUI applications)
Total Packages | ~464 packages (270 terminal + 194 desktop GUI)
Terminal Packages | 270 security-focused terminal packages (from terminal.list.chroot)
GUI Packages | 194 desktop GUI packages (from gui-xfce.list.chroot)
Kodachi Binaries | 29 pre-installed binaries in /opt/kodachi/dashboard/hooks/ (core + AI + companion runtimes)
Theme | LK_Material-Black-Lime (dark)
Icons | LK_Newaita-Reborn-Mint-Dark
Cursor | LK_Capitaine-Cursors
Font | Noto Sans 9pt
Browsers | LibreWolf (primary) + Tor Browser
Kernel | 6.16+
Boot Support | BIOS + UEFI + Secure Boot
Installer | Calamares graphical installer
Login Credentials | Username: kodachi / Password: Security4All
Sudo Access | Passwordless sudo enabled

Pre-Installed Kodachi Binaries

All 29 bundled Kodachi binaries are pre-installed at /opt/kodachi/dashboard/hooks/, including the full AI suite and companion runtimes. Launch the complete security toolkit instantly without additional setup.

Core Binaries

health-control tor-switch dns-switch dns-leak routing-switch ip-fetch online-auth integrity-check permission-guard logs-hook deps-checker oniux online-info-switch conky-status workflow-manager global-launcher kodachi-claw kodachi-dashboard tun2socks-linux-amd64

AI Suite (KAICS)

ai-cmd ai-trainer ai-learner ai-admin ai-discovery ai-scheduler ai-monitor ai-gateway zeroclaw

Desktop Applications

Kodachi Desktop ships a curated selection of GUI applications organized by dynamic layers. Always-on applications are loaded at every boot; optional layers can be activated on demand.

Always-On Applications (Layer 02 - XFCE Core)
Category | Applications
Desktop | XFCE 4, Thunar file manager, Double Commander
Browsers | LibreWolf (primary), Tor Browser, Onioncircuits
Terminals | Kitty, Tilix, Terminator, XFCE4 Terminal
Editors | Geany + plugins, Mousepad
Security | Firetools (Firejail GUI), SiriKali (encryption), Kleopatra (GPG)
Network | NetworkManager GUI, OpenVPN/VPNC plugins, RiseUp VPN
System | Conky system monitor, GNOME Disks, Baobab, GParted, System Monitor
Utilities | Galculator, Ristretto image viewer, Evince PDF, File Roller, Engrampa, GTKHash
Display | LightDM, Plymouth boot splash, Redshift (blue light filter)
Audio | PulseAudio, PavuControl mixer, ALSA
Installer | Calamares graphical installer, GDebi package installer

Optional Layer Applications

Layer | Category | Applications
03 | Network GUI | Remmina, FileZilla, Transmission, uGet, Syncthing, OnionShare
04 | Multimedia | mpv, OBS Studio, SimpleScreenRecorder, Inkscape, gThumb, guvcview
05 | Office | LibreOffice, Atril PDF viewer, pdftk-java, gedit
06 | Printing | CUPS printing system, HP drivers, Brother/Epson/Gutenprint, Simple Scan, SANE scanner support
07A | VM Guest | VMware Tools (auto-detect when running inside VM)
07B | VM Host | virt-manager, QEMU/KVM, libvirt, SPICE agent
08 | Security GUI | Wireshark, Zenmap, EtherApe, KeePassXC, OTPClient, metadata-cleaner, gnome-nettool, Catfish, GRSync
09 | Development | git-gui, gitk, meld, dkms, build tools, crypto libs, Python3 pip, ShellCheck, strace, GNOME Terminal
11 | Utilities | Timeshift, Synaptic, Qalculate, CopyQ, wavemon, Font Manager, MenuLibre

External Packages (installed via hooks)

Always-on: LibreWolf, VeraCrypt, Monero GUI, VS Code, GitKraken, Termius

Optional: Session Desktop (messaging), ExifCleaner (metadata), Tabby terminal, VLC, WaveTerm


Dynamic Layer System

Kodachi Desktop uses a modular layer system that lets you activate feature sets on demand, keeping the base system lean while providing access to the full application suite when needed.

Layer Activation Map
Layer | Name | Activation | Approximate Size
02 | XFCE Desktop | Always loaded (core desktop) | ~400MB
03 | Network GUI | Normal boot or "Enable Browser" button | ~300MB
04 | Multimedia | "Enable Multimedia" button | ~450MB
05 | Office | "Enable Office Suite" button | ~800MB
06 | Printing | "Enable Printing" button | ~200MB
07A | VM Guest | Auto-detect (VMware only) | ~20MB
07B | VM Host | "Enable Virtualization" button | ~400MB
08 | Security GUI | "Enable Security Tools" button | ~280MB
09 | Development | "Enable Development" button | ~350MB
11 | Utilities | "Enable Extra Utilities" button | ~120MB

Boot Modes

Normal boot: Layers 02 + 03 auto-loaded (desktop + browsers/network)

Minimal boot: Layer 02 only. Desktop shows "Enable" buttons for each optional layer

VM detected: Layer 07A (VMware guest tools) auto-enabled when running inside a VM


Package Categories Breakdown

Desktop GUI Package Categories
Category | Count | Signature Packages
XFCE Desktop Core | ~85 | xfce4, xfce4-goodies, thunar, lightdm, kitty, tilix, terminator, conky-all, geany
Network GUI Apps | 6 | remmina, filezilla, transmission-gtk, syncthing, onionshare, uget
Multimedia | 8 | mpv, obs-studio, simplescreenrecorder, inkscape, gthumb, guvcview
Office Suite | 5 | libreoffice, atril, pdftk-java, gedit
Printing & Scanning | 19 | cups, hplip, printer-driver-gutenprint, simple-scan, sane-utils
VM Guest Tools | 2 | open-vm-tools, open-vm-tools-desktop
Virtualization Host | 9 | virt-manager, qemu-system-x86, libvirt-daemon-system
Security Tools GUI | 12 | wireshark, zenmap, keepassxc, otpclient, metadata-cleaner, catfish
Development Tools | 32 | git-gui, meld, dkms, linux-headers-amd64, python3-pip, shellcheck
Extra Utilities | 7 | timeshift, synaptic, qalculate-gtk, copyq, font-manager
Accessibility | 3 | speech-dispatcher, onboard, orca
Terminal Security (inherited) | 270 | All terminal.list.chroot packages (networking, VPN, security, firmware)
AI & Intelligence | Optional | KAICS tools and kodachi-claw (anonymous agent runtime)

Supported Routing Protocols

Kodachi Desktop ships with 12+ routing protocols via the routing-switch binary, covering everything from battle-tested VPNs to advanced censorship-resistant transports.

Routing Protocol Coverage
Category | Protocols & Features
VPN Protocols | OpenVPN (industry-standard, AES encryption), WireGuard (modern, ChaCha20 encryption) with kill switch and DNS leak protection
Anti-Censorship | Shadowsocks (SOCKS5 + encryption), V2Ray (traffic obfuscation), Xray (enhanced V2Ray), Hysteria2 (high-performance for restrictive networks), Mieru (MITA - lightweight anti-censorship proxy)
Proxy Protocols | SOCKS5 (standard proxy), Dante (SOCKS server), HTTP/HTTPS (proxy support), Microsocks (lightweight SOCKS5 server)
Tor Integration | Redsocks (transparent Tor routing), SOCKS proxy configuration, TransPort routing, DNS over Tor, System-wide torrification (can run on top of any existing VPN service)
Multi-Layer | VPN + Tor (double encryption), protocol chaining for enhanced anonymity, traffic obfuscation layers

Protocol Documentation

For detailed protocol configuration and usage, see the routing-switch documentation.

Torrification Capability

Kodachi Desktop supports system-wide torrification that can run on top of any existing VPN service. Layer Tor routing on top of WireGuard, OpenVPN, Hysteria2, Shadowsocks, V2Ray, or Xray connections for enhanced anonymity. Use sudo tor-switch torrify-system-nftables-dns to torrify your entire system regardless of your underlying VPN connection.


Security & Privacy Features

Kodachi Desktop inherits the full terminal security stack and adds GUI-specific protections for desktop environments.

System Hardening

Kernel

AppArmor mandatory access control, AIDE file integrity monitoring, auditd kernel auditing, usbguard device whitelisting, Firejail sandboxing with GUI (Firetools)

Network Anonymity

Network

Tor routing (system-wide torrification), VPN integration (12+ protocols), DNS encryption (DNSCrypt), MAC address randomization, kill switch protection

Application Firewall

GUI

Portmaster application-level firewall and monitor, UFW/GUFW graphical firewall management, nftables/iptables network filtering, per-application network rules

Data Protection

Files

Metadata cleaning (mat2, ExifCleaner, metadata-cleaner), secure deletion (secure-delete, BleachBit, nwipe), encrypted containers (SiriKali, VeraCrypt), LUKS disk encryption

Credential Management

Auth

KeePassXC password manager, OTPClient TOTP/HOTP authenticator, Kleopatra GPG key management, fail2ban SSH brute-force protection

Network Analysis

Tools

Wireshark packet capture, Zenmap network scanner, EtherApe traffic visualization, gnome-nettool diagnostics, DNS leak testing


Conky Desktop Monitor

Live Security Telemetry Rendered on Desktop

Lua-powered system monitor with 5 desktop panels, 22 monitoring scripts, 8 circular Cairo gauges, and 3 Lua rendering modules. Telemetry is unified through the Rust conky-status gateway and coordinated by a systemd watchdog service for auto-restart on crash or freeze.

The top-center Signal Deck is event-driven: it tracks high-signal identity/routing/security/system fields, stays silent when stable, and becomes visible when monitored values change. Changed items are grouped first for fast spotting, while monitor and TTL ring gauges show change ratio and visibility countdown.

Performance is optimized through shared gateway caching and snapshot reads, so multiple panels consume one telemetry source instead of repeating expensive checks. Conky renderers read typed key outputs from the gateway, escape displayed values before drawing, and do not execute returned text as shell commands, which significantly reduces command-injection risk in the display path.

5 Panels
22 Scripts
8 Cairo Gauges
7 Config Files

Resources + Gauges

280px × Full Height
Upload Ring: Orange, tx rate
Download Ring: Pink, rx rate
CPU Ring: Cyan, core average
Memory Ring: Green, used/total
Disk Ring: Purple, root partition
Swap Ring: Yellow, swap usage
Ping Ring: Red dual-ring, latency to privacy DNS
Bandwidth Ring: White, combined throughput

Security Status

320px × Full Height
4×6 Binary Grid: AUTH/VPN/TOR/DNS visual status (lit = active)
External IP: Country code + flag via ip-fetch
Security Score: 0-100 aggregate from 5 categories
Tor Circuits: Active circuit count via tor-switch
DNSCrypt Status: Encryption state via dns-switch
Firewall Rules: nftables active count

21 Metrics: Auth, VPN, MAC randomization, hostname spoofing, timezone obfuscation, swap encryption, kernel hardening, AppArmor, USBGuard, systemd health, package integrity, file permissions, network interfaces, connections, privilege escalation

System + Traffic

280px × Full Height
CPU Frequency: Scaling governor state
Thermal Zones: CPU temp, GPU temp, disk temp
Fan Speeds: If supported by sensors
Load Average: 1min, 5min, 15min
Uptime: Precision to seconds
Logged Users: Active session count
Sparkline Graphs: Upload/download trends (60s windows)
Top Processes: Bandwidth consumers ranked by bytes sent/received
Connection States: ESTABLISHED, TIME_WAIT, CLOSE_WAIT counts

Logo + AI Detection

200px × 150px
Kodachi Logo: Top-right corner overlay
13 AI Agents Detected: Claude Code, Ollama, OpenAI GPT, GitHub Copilot, Codex, TabNine, Kite, Codeium, Amazon CodeWhisperer, Replit Ghostwriter, JetBrains AI, Cursor, Continue
Per-Agent Stats: CPU % and memory consumption

Advanced Monitoring Features

Prime Number Refresh: 41s, 43s, 47s, 53s, 59s, 113s intervals prevent API collision
VPS Node Status: Pings configured servers, shows latency + packet loss
Crypto Prices: BTC, ETH, XMR, AZERO, Gold, Silver via privacy APIs
Version Alerts: Blink animation for outdated binaries (red = critical updates)
Lock Files: Prevent duplicate script execution (300s stale timeout)
Privacy DNS Ping: Cloudflare 1.1.1.1, Quad9 9.9.9.9, Mullvad 194.242.2.2 (zero Google)
Systemd Watchdog: Auto-restart on unresponsive panels (15s timeout) or memory leaks (>500MB)
DPI Scaling: Auto-detects Xft.dpi, scales fonts/gauges for HiDPI displays

Rofi Menu System

Kodachi Desktop ships a pre-configured Rofi menu system with 202 theme and configuration files covering application launchers, power menus, system applets, and color schemes. Combined with the Kodachi Rofi Actions menu scripts, this provides keyboard-driven access to security operations, network controls, and system utilities without touching the mouse.

Rofi Configuration Overview
Component | Count | Description
Launcher Themes | 7 types | Application launcher styles ranging from minimal search bars to full-screen grid layouts, each with shared color/font configuration
Power Menus | 6 types | Shutdown, reboot, lock, suspend, and logout dialogs with confirmation prompts and themed layouts
Applets | 5 types | Quick-access system applets (brightness, volume, screenshot, network, battery) with multiple visual styles
Color Schemes | 16 palettes | Pre-built .rasi color themes that apply across all launcher, power menu, and applet types
Theme Files | 162 .rasi | Complete Rofi theme definitions covering layout, typography, colors, and element spacing
Scripts | 23 .sh | Launcher and power menu runner scripts that invoke Rofi with the correct theme, mode, and arguments
Images | 15 assets | Background images and icons used by themed launcher and power menu layouts
Global Config | 1 file | config.rasi, the master Rofi configuration setting default theme, font, and display options

Kodachi Rofi Actions (keyboard-driven security menus)

Menu | Script | Purpose
Actions | menu-actions.sh | Primary dispatcher that launches sub-menus for favorites, network, services, and utilities
Favorites | menu-favorites.sh | Quick-launch frequently used security tools and applications
Network | menu-network.sh | VPN connect/disconnect, Tor toggle, DNS switching, routing mode selection
Services | menu-services.sh | Start, stop, and check status of system services (Tor, DNSCrypt, firewall)
Utilities | menu-utilities.sh | System cleanup, MAC randomization, hostname change, panic triggers

All Rofi menu scripts are installed to /usr/local/lib/kodachi-rofi/ and invoked via the kodachi-rofi-actions launcher. Theme and configuration files live in ~/.config/rofi/ and are automatically deployed to new user accounts through the /etc/skel skeleton directory.


Hardware Support Matrix

Kodachi Desktop bundles 30+ firmware packages inherited from the terminal base, plus GPU drivers for desktop rendering.

Hardware Support Matrix
Hardware Type | Supported Chipsets & Manufacturers
WiFi | Intel (all generations), Broadcom (modern + legacy wl driver), Atheros/Qualcomm, Realtek, MediaTek, Marvell, TI, Atmel
Ethernet | Broadcom (bnx2, bnx2x), Cavium, Myricom, Netronome, QLogic, Realtek
Bluetooth | BlueZ firmware, miscellaneous nonfree firmware
GPU / Graphics | AMD (amdgpu), Intel (i915), NVIDIA (nouveau open-source driver)
Microcode | Intel CPU microcode updates, AMD CPU microcode updates
Audio | PulseAudio + ALSA, Bluetooth audio (pulseaudio-module-bluetooth)

Broadcom Wireless Support - Pre-Installed

Broadcom b43 and b43legacy firmware is pre-installed in the ISO at /lib/firmware/b43/ and /lib/firmware/b43legacy/. No post-boot installation required.


Desktop Customization

Kodachi Desktop ships with a carefully crafted dark theme optimized for long coding and privacy sessions.

Theme Configuration
Component | Configuration
GTK Theme | LK_Material-Black-Lime (dark theme with lime green accents)
Icon Theme | LK_Newaita-Reborn-Mint-Dark (flat, modern icon set)
Cursor Theme | LK_Capitaine-Cursors (clean, high-DPI cursor)
Window Manager | XFWM4 with compositing and shadows
Panel Layout | Top panel with Docklike taskbar plugin (window grouping and pinning)
Font | Noto Sans 9pt (with Noto Color Emoji)
Wallpaper | Kodachi-branded privacy-themed dark wallpapers
Boot Splash | Plymouth with Kodachi theme
Login Screen | LightDM GTK Greeter with Kodachi branding
Blue Light Filter | Redshift-GTK for automatic color temperature adjustment

Boot Menu Overview

Kodachi Desktop groups every boot entry by security tier so you can pick the right hardening profile. Use the comparison table for a quick overview.

Boot Speed Tip

The first (top) GRUB entry applies the strongest hardening profile and will boot slower because it enables extra security controls. Hardening profiles that run fully from RAM (especially Forensics and Maximum Privacy) also consume more memory. If you want lower RAM usage and faster startup, select the normal Live mode from the boot menu. Some commands or services may fail under stricter hardening profiles; if something does not work, reboot and switch to a less restrictive profile.

Main Boot Entries
Mode | Tier | Persistence | Best For
Full Hardening | Tier 5 | No | High-threat environments, maximum kernel security
Forensics Mode | Tier 5 | No (RAM) | Forensic analysis, volatile memory analysis
Secure Boot Mode | Tier 4 | No | UEFI Secure Boot, module signing enforcement
Maximum Privacy | Tier 4 | No (RAM) | Anonymity operations, anti-tracking
CPU Hardened | Tier 3 | No | Vulnerable CPUs (Spectre/Meltdown protection)
Encrypted Persistence | Tier 3 | LUKS | Long-term use with encrypted storage
Persistent | Tier 2 | Yes | Personal devices, everyday privacy
Live | Tier 1 | No | Quick testing, hardware diagnostics

Layer Activation on Boot

Normal boot: Layers 02 (XFCE core) and 03 (Network GUI) are auto-loaded. Minimal boot: only Layer 02 is loaded. The desktop shows enable buttons for the optional layers. All layers are included in the ISO and activate instantly without downloads.


Kodachi AutoShield

What Happens on First Boot

  1. LightDM Login - Kodachi-branded login screen appears. Enter credentials: kodachi / Security4All. Use the keyboard/language selector in the greeter first if you need to switch layout.
  2. XFCE Desktop - Dark-themed XFCE desktop loads with panel, taskbar, and system tray
  3. Conky Dashboard - Real-time system monitor appears on desktop showing CPU, RAM, network, VPN, and security status
  4. Kodachi AutoShield - Interactive setup wizard with VPN protocol selection, Tor configuration, and DNS encryption options
  5. Automatic Setup - DNSCrypt auto-configuration, binary verification, online authentication, and system status collection

Automatic First-Boot Operations

  • Binary deployment verification (validates all bundled core binaries)
  • DNSCrypt auto-configuration (encrypted DNS on first run)
  • Online authentication (Kodachi services and premium features)
  • System status collection (IP, geolocation, security score)
  • Conky dashboard initialization (real-time monitoring)

AutoShield — Interactive Setup Wizard

Kodachi AutoShield is a Tauri 2 + Svelte 5 desktop application that launches automatically on first boot, providing an interactive, countdown-driven setup wizard for configuring anonymity layers, randomizing system identity, and establishing secure connections. It features real-time system telemetry, protection level visualization, and persistent configuration storage.

Fortify Your Digital World

Countdown timer with auto-execution, real-time system resources monitoring, before/after identity comparison, and shield strength meter showing protection level based on enabled security steps.

Countdown Timer Ring (Auto)

Animated circular countdown (60s / 2min / 5min / 10min / Manual) with step progress tracking. Auto-executes the enabled steps when the timer reaches zero. Shows real-time execution progress with an animated ring fill.

System Resources Bar (Live)

Real-time telemetry flanking the timer ring: CPU%, memory usage, swap, uptime, temperature, open ports, network I/O (tx/rx), disk I/O (read/write). Updates every 2 seconds.

Shield Strength Meter (Visual)

Segmented bar visualization showing the protection level (Low/Medium/High/Maximum) based on the number of enabled steps. Pulsing glow animations with color-coded threat levels (red/yellow/green).

Before/After Panel (Compare)

Shows identity values before and after execution: Hostname, MAC address, Timezone, Security Score. Each value has a copy button for easy clipboard access.

Auth Gate Protection (Premium)

Non-authenticated users can only run Authenticate and Refresh steps. All other operations require successful Kodachi authentication. Premium users bypass support overlay prompts.

Persistent Settings (JSON)

Timer duration, step toggles, auto-refresh interval, and auto-close preference persist across reboots via a JSON settings file, so user configuration is maintained between sessions.

9 Configurable Security Steps
Step | Command | Default | Before/After Tracking
Authenticate with Kodachi Services | online-auth authenticate --relogin | Enabled | Auth status (Not Authenticated → Authenticated)
Randomize Hostname | health-control set-random-hostname | Enabled | Hostname (kodachi → random-string)
Randomize MAC Address | health-control mac-force-change | Enabled | MAC address (real → randomized)
Randomize Timezone | health-control set-random-timezone | Enabled | Timezone (UTC → random zone)
Harden PC Security | health-control security-harden | Disabled | Security Score (before → after score)
Recover Internet Connectivity | health-control recover-internet | Enabled | Network state (blocked → restored)
Quick Connect WireGuard | routing-switch connect wireguard | Enabled | VPN status (Disconnected → Connected)
Torrify System + DNS | tor-switch torrify-system-nftables-dns | Disabled | Tor status (Inactive → Active + Torrified)
Refresh System Status | Fetches current IP, geolocation, auth, VPN, Tor, DNS status | Enabled | All current system values updated

Shield Strength Protection Levels
Level | Steps Enabled | Visual Effect | Description
Low | 0-2 steps | Red pulsing bar | Minimal protection. System identity exposed, no anonymity layers.
Medium | 3-4 steps | Yellow pulsing bar | Partial protection. Some identity randomization, basic network security.
High | 5-6 steps | Green pulsing bar | Strong protection. Full identity randomization, VPN active, DNS encrypted.
Maximum | 7+ steps | Bright green pulsing bar | Ultimate protection. All anonymity layers active, system hardened, Tor routing enabled.

Quick Launch Buttons (Apps)

5 instant-launch applications:
Kodachi Dashboard - Main control panel
Kodachi Browser - Privacy-hardened Chromium
Tor Browser - Anonymous browsing via Tor
RiseVPN - VPN management application
Kodachi Browser via Oniux - Isolated Tor routing per tab

Timer Options (Config)

5 countdown modes:
60 seconds - Quick automated setup
2 minutes - Default balanced timer
5 minutes - Extended review time
10 minutes - Manual review and customization
Manual - No auto-execution, manual trigger only

Auto-Refresh Intervals (Live)

Configurable system status refresh:
• 30 seconds, 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour, 6 hours, 24 hours
Automatically updates IP, geolocation, VPN status, Tor status, DNS mode, and security metrics at the selected interval.

System Status Tab (Info)

Real-time telemetry display:
Auth status, IP address, geolocation with country flag, VPN status, Tor status, MAC address, Hostname, Timezone, DNS mode, Hardening modules, Security Score. All values have copy-to-clipboard buttons.

Output Log Tab (Debug)

Live execution output:
Real-time command output with timestamps, duration tracking, success/failure indicators, and scrollable history. Shows stdout/stderr from all executed steps for debugging and verification.

Support Overlay (Donate)

Periodic donation/share prompt:
Binary rain animation with support links. Hidden for premium authenticated users. Shows after initial setup and periodically during usage. Includes Bitcoin/PayPal donation links and social sharing options.

Default Configuration

Enabled by default: Authenticate, Randomize Hostname, Randomize MAC, Randomize Timezone, Recover Internet, Connect WireGuard, Refresh Status (7 steps = Maximum protection). Disabled by default: Harden PC Security (system-wide changes), Torrify System (conflicts with WireGuard on first boot). Default timer: 2 minutes with auto-execution enabled.

Settings Persistence

All configuration (timer duration, step toggles, auto-refresh interval, auto-close preference) is saved to a JSON settings file in the user's home directory. Settings persist across reboots and system updates, maintaining your preferred security configuration.
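The step defaults, the shield strength thresholds and the JSON settings round-trip described above, modelled as an added JavaScript example; this is not AutoShield's own code. The step ids, the settings-file layout and the 5-minute auto-refresh default are assumptions, while the commands, defaults and level thresholds come from the tables in this section.

```javascript
// Added example (not AutoShield's own code): step toggles, shield strength
// levels and a validating JSON settings round-trip for the setup wizard.
// Step ids, the settings layout and the auto-refresh default are assumed;
// commands, defaults and level thresholds are from the documentation tables.
const STEPS = [
  { id: "authenticate", cmd: "online-auth authenticate --relogin",     on: true  },
  { id: "hostname",     cmd: "health-control set-random-hostname",     on: true  },
  { id: "mac",          cmd: "health-control mac-force-change",        on: true  },
  { id: "timezone",     cmd: "health-control set-random-timezone",     on: true  },
  { id: "harden",       cmd: "health-control security-harden",         on: false },
  { id: "recover",      cmd: "health-control recover-internet",        on: true  },
  { id: "wireguard",    cmd: "routing-switch connect wireguard",       on: true  },
  { id: "torrify",      cmd: "tor-switch torrify-system-nftables-dns", on: false },
  { id: "refresh",      cmd: null /* built-in status fetch */,         on: true  },
];
const TIMER_SECONDS = [60, 120, 300, 600, null]; // null = Manual, no auto-execution

function defaultSettings() {
  const steps = {};
  for (const s of STEPS) steps[s.id] = s.on;
  return { timerSeconds: 120, steps, autoRefreshSeconds: 300, autoClose: false };
}

// Protection level from the number of enabled steps: 0-2 / 3-4 / 5-6 / 7+.
function shieldLevel(settings) {
  const n = Object.values(settings.steps).filter(Boolean).length;
  if (n <= 2) return "Low";
  if (n <= 4) return "Medium";
  if (n <= 6) return "High";
  return "Maximum";
}

// Parse the settings file; unknown keys are dropped and invalid values fall
// back to defaults, so a hand-edited or outdated file degrades safely.
function parseSettings(json) {
  const out = defaultSettings();
  let raw;
  try { raw = JSON.parse(json); } catch { return out; }
  if (!raw || typeof raw !== "object") return out;
  if (TIMER_SECONDS.includes(raw.timerSeconds)) out.timerSeconds = raw.timerSeconds;
  if (Number.isInteger(raw.autoRefreshSeconds) && raw.autoRefreshSeconds >= 30)
    out.autoRefreshSeconds = raw.autoRefreshSeconds;
  if (typeof raw.autoClose === "boolean") out.autoClose = raw.autoClose;
  for (const s of STEPS)
    if (typeof raw.steps?.[s.id] === "boolean") out.steps[s.id] = raw.steps[s.id];
  return out;
}

// Ordered commands the countdown would run for the enabled steps.
function executionPlan(settings) {
  return STEPS.filter(s => settings.steps[s.id] && s.cmd).map(s => s.cmd);
}
```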


Editions Comparison

Kodachi Editions
Feature | Terminal Server | Desktop XFCE | Kodachi OS
Desktop | Headless (CLI only) | XFCE 4 | Custom
Base | Debian 13 (Trixie) | Debian 13 (Trixie) | Debian
ISO Size | ~2.4GB | ~5GB | ~2.9GB
Binary Suite | 19 core binaries + companion tools | Full suite (29 bundled binaries) | Full suite
Tauri Dashboard | No | Yes | Yes
Kodachi Claw | Yes | Yes | Yes
Conky Monitor | No | Yes (Lua-powered) | Yes
Browsers | CLI only (w3m) | LibreWolf + Tor Browser | Custom
Office Suite | No | LibreOffice (optional layer) | Yes
Dynamic Layers | No | 10 optional layers | Limited
Installer | CLI/Calamares | Calamares graphical | Live ISO
Target Use | Servers, VPS, proxy gateways | Desktop workstations, daily use | Live USB, privacy-first
Status | Available | Available | Available

Use Case Examples

Example 1: Daily Privacy Workstation

Install Kodachi Desktop on your main computer or laptop. Use LibreWolf for browsing, LibreOffice for documents, and Tor Browser for sensitive research. All traffic is routed through VPN + Tor, with Conky monitoring your security posture in real time.

Example 2: Secure Development Machine

Enable the Development layer (Layer 09) for VS Code, git tools, build tools, and crypto libraries. Write code with Firejail sandboxing, GPG-signed commits via Kleopatra, and all network traffic anonymized through the routing stack.

Example 3: Multimedia & Content Creation

Activate the Multimedia layer (Layer 04) for video recording with OBS Studio, screen capture with SimpleScreenRecorder, and vector graphics with Inkscape. All content creation tools operate behind the privacy stack.

Example 4: Network Security Audit

Enable the Security GUI layer (Layer 08) for Wireshark packet capture, Zenmap network scanning, and EtherApe traffic visualization. Run analyses through Tor or VPN for anonymous reconnaissance.

Example 5: Air-Gapped Secure Computing

Boot from USB in Maximum Privacy mode (Tier 4). The system runs entirely in RAM and leaves no traces on the host hardware. Use KeePassXC for credential management, SiriKali for encrypted containers, and BleachBit for cleanup before shutdown.

Example 6: Virtual Machine Testing Lab

Enable the Virtualization Host layer (Layer 07B) for virt-manager and QEMU/KVM. Run additional VMs inside Kodachi Desktop for nested security testing, malware analysis in isolated environments, and network simulation.


Stay Updated

Check for release announcements and updates on SourceForge. For questions or feature requests, visit Discord Support.