Linux Kodachi 9.0.1 · Debian 13 · Maximum page
Privacy OS as a
live command center.
Kodachi gives you a prepared privacy workstation: dashboard controls, signed binaries, multiple routing modes, verification tools, recovery paths, and panic actions in one guided system. You still choose the right mode for your threat model; Kodachi makes the stack visible, controllable, and recoverable.
Choose an edition View live architecture
11 routing protocols 92+ workflows 26 Rust binaries 3-tier panic modes offline-first local AI (KAICS) since 2013 · active
— Choose your edition
Three paths. One privacy stack.
Same hardened core, three deployment shapes. Pick the one that matches how you work.
Kodachi Desktop
Full XFCE privacy OS · dev-ready
Permanent install of the full Kodachi experience. Privacy-hardened Debian 13 XFCE with the dashboard, all 11 protocols, all 26 binaries, all dev tools, and Secure Boot, pre-configured from first boot.
Best for: daily users, crypto holders, journalists, researchers, developers, and anyone who needs a secure desktop without months of manual setup.
Terminal Server
Headless · live · gateway
Minimal live ISO for headless privacy operations. Boot as a SOCKS gateway, run a privacy lab, stage VM exit nodes, or operate a hardened jump host, with no GUI overhead and the full backend stack.
Best for: power users, VPS operators, VM labs, SOCKS gateways, and pen-test infrastructure.
Binary Suite
26 components · Rust · signed
The 26 signed Rust binaries that power Kodachi, usable on any compatible Debian-based system. Bring the Kodachi engine to your existing OS without committing to the full distribution.
Best for: sysadmins, advanced users, and developers who want individual Kodachi components or to integrate Kodachi into their own stack.
— Inside Kodachi 9
Kodachi is an infrastructure, not just an OS.
The ISO you boot is the visible tip. The rest of the stack runs continuously behind it.
01
Master
Auth, PKI, and the card vault. Hardware-bound sessions with a 2-minute heartbeat.
02
Worker fleet
An elastic VPS fleet on DMCA-resistant hosting runs the full protocol stack and pushes signed JSON cards to the master.
03
Your device
Pick any source: Kodachi fleet, Riseup VPN, VPNGate, or your own VPN. Tunnel up, on-device shield on top.
— Every major privacy protocol, pre-configured, one-click switch
Tor (multi-instance + HAProxy LB) OpenVPN WireGuard Shadowsocks V2Ray Xray (VLESS / Reality / Trojan) Hysteria2 Mieru / Mita Dante (SOCKS5) DNSCrypt VPNGate Riseup VPN bring-your-own VPN
— What you won’t find in any other distro
Capabilities you won’t find together anywhere else.
Tails gives you a Tor browser. Whonix gives you VM isolation. Parrot gives you a toolbox. Kodachi gives you a complete control plane, and a stack of features that simply don’t exist anywhere else.
Multi-Tor + HAProxy load balancing
Run N parallel Tor instances behind an HAProxy front end, configurable per-circuit, with independent exit selection. Faster real-world throughput than single-instance Tor, and circuit correlation costs an adversary more.
Three destruction paths, always ready
The LUKS nuke password destroys keys at boot. The dashboard adds a live nuke surface: armable kill-switch, countdown, memory wipe, and an optional fake update screen to stall whoever is watching. A floating “Destroy Kodachi” button sits always-on-top on the desktop (show/hide from Settings in Lite and Full): one click wipes the LUKS header of every active encrypted device, then runs the full nuke — network kill, RAM wipe, file shred, MBR/EFI destroy, power-off. Confirmation style is configurable (type DESTROY / Yes-No / immediate). Emergency global hotkeys via the session helper are a third path, triggerable without opening the dashboard.
Three-tier panic, by design
Soft: kill network, clear clipboard, lock screen (reversible). Medium: kill processes, wipe memory, unmount devices. Hard: irreversible destruction path. Triggered from dashboard or hotkey. Backed by cold-boot defense and multi-pass shred.
Dashboard-first, not bolt-on
Most privacy distros launch separate GUIs per tool. Kodachi ships a single native dashboard that drives VPN, Tor, DNS, identity, hardening, workflows, AI, recovery, and emergency from one process, sharing state and live scoring across all of them.
92+ pre-built workflows
One click runs a chained sequence: rotate identity, restart Tor, re-check IP, verify DNS, regenerate MAC. Or build your own with the visual workflow builder. Repeatable privacy playbooks instead of a wiki of bash commands.
Dynamic security scoring
Live score across hardening, privacy, network, and auth, with history tracking and threat-response actions. Know exactly how exposed you are right now, not by reading a 50-page audit checklist.
Built-in SOC — your host as a neural map
A live Security Operations Center page renders the machine as a neural map: a central security score orbited by 8 cluster hubs — vitals, network, connections, processes, threats, auth, privacy, system — with colour-coded nodes, MITRE ATT&CK–tagged findings, a top-findings list, privacy posture, and a live alert feed. Read-only situational awareness no other distro ships on the desktop.
Always-on threat watchdog
health-control runs a background watchdog that continuously monitors network, hardware, USB and integrity state, then fires automated responses (re-block leaks, kill suspect connections, raise the security posture) without you watching the dashboard. Self-healing privacy, not just alerts.
Plain-English command intelligence
KAICS + ai-gateway translate “am I leaking my IP?” into dns-leak test --check-ip. Offline-first, with cloud routed through VPN/Tor when you opt in. Policy-aware so it can’t hurt you.
Dev-ready on first boot
Compilers, language runtimes, editors, and security toolchains ship inside the ISO. Boot, install, and start coding the same hour, with a privacy stack already wrapping every connection your build process makes.
13 VPN providers, one tab
Browse VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, Mullvad, AirVPN, Windscribe, ProtonVPN, ExpressVPN, TorGuard, plus your own pasted configs (.ovpn, WireGuard, Shadowsocks, V2Ray, Hysteria2, or vmess:///vless:///ss:// URI schemes and Clash/sing-box subscriptions) from one dashboard tab. Sort, filter, ping-benchmark, save credentials, and connect — all without leaving the GUI.
— The control plane
One dashboard. Everything that matters.
VPN, Tor, DNS, identity, hardening, workflows, AI, integrity, recovery, and emergency response. Read the full dashboard tour →
The system in your hand.
Built as a native desktop app, the Kodachi Dashboard is one of the few privacy-OS UIs that controls every layer of the stack, not just a launcher for separate tools.
- Routing switcher · 11 protocols
- Multi-Tor + HAProxy console
- DNS leak + DNSCrypt control
- Identity rotation & MAC randomize
- 3-tier panic + armable kill switch
- Dashboard NUKE + countdown
- Workflow builder & runner
- Live security scoring + history
- SOC neural monitor · 8 clusters
- AI command bar (KAICS)
- Integrity & signature checks
- Recovery & rollback tools
- Centralised logs & audit trail
kodachi-dashboard · illustrative
— Status
RoutingVPN → Tor (3-hop)
Tor instances3 · balanced
DNSDNSCrypt · ✓ no leaks
Public IP185.220.x.x · NL
— Hardening
Security score94 / 100
Integrity✓ 26/26 signed
MAC randomizationenabled
— Emergency
Kill switchARMED
Nuke keyconfigured
Panic hotkeyCtrl+Alt+P
— AI
ai-cmdready · offline tier 2
ai-gatewaypolicy firewall · armed
Most Linux distributions give you tools.
Kodachi gives you a complete privacy operating environment.
Over a decade of research, field use, and hardening, shipped as a coherent default. Every package, every script, every binary was chosen so the first boot is already a defensible position.
— How Kodachi compares
vs Tails, Whonix, Parrot & Qubes
Other privacy distros are excellent at what they target. Kodachi is built to cover the gaps between them: a daily-driver OS, not a live-only tool or a hypervisor.
| Capability | Kodachi 9 | Tails | Whonix | Parrot | Qubes |
|---|---|---|---|---|---|
| Persistent daily-driver install | ✓ XFCE desktop | Live only | VM | ✓ | ✓ |
| Multi-protocol routing switcher | 11 protocols, one click | Tor only | Tor only | Manual | Per-VM |
| Multi-Tor instances + HAProxy LB | Built-in | — | — | — | — |
| Single dashboard for the whole stack | Native desktop app | Separate tools | Separate tools | Separate tools | Manager + per-VM |
| Tiered panic modes & dashboard NUKE | 3-tier + live nuke | Wipe on shutdown | — | — | — |
| Pre-bundled workflows (chained actions) | 92+ | — | — | — | — |
| Local AI command bar (offline-first) | KAICS + ai-gateway | — | — | — | — |
| Always-on threat watchdog | health-control | — | — | — | — |
| SOC neural monitor (MITRE ATT&CK–tagged, 8 clusters) | Built-in | — | — | — | — |
| Crypto wallets pre-installed | Electrum, Monero GUI/CLI | Electrum | — | — | — |
| Offline install (no network needed) | ✓ Bundled Secure Boot | N/A (live) | Manual | ✓ | ✓ |
Comparison reflects default out-of-the-box capability. Anything below has been verified against each project’s published documentation.
— For government, defense, law enforcement & critical-infrastructure operators
Built for environments where exposure is not an option.
Cyber operations targeting power grids, transport networks, hospitals, financial systems, and government platforms are documented, ongoing, and frequently successful against systems that were never hardened for operational use. Kodachi is a fully hardened privacy and security OS designed to reduce that attack surface from first boot: encrypted routing, DNS leak protection, system integrity monitoring, and a three-tier emergency response are integrated and active by default. Whether you are a regulatory authority, a military unit, a law enforcement agency, or a private operator of critical systems, the architecture is the same and the controls are yours from day one.
Your own isolated infrastructure
The Dedicated tier gives your organization a fully isolated VPS reserved to your devices, with no third-party traffic on your network. Fit for utilities, transport operators, carriers, hospitals, financial platforms, and government agencies alike. 5 to 100 devices, annual license.
Choose your country and provider
Select the exit country and infrastructure provider that fits your operational and legal requirements. You are not locked to a shared pool operated by a third party.
A custom build for your organization
Kodachi can be built for your organization with your own tools, workflows, and configuration preloaded, then delivered as a signed, deployable ISO. Available by arrangement.
Kodachi is independent. Built for over a decade and funded by people who use it. Personal use is free, and a license keeps it that way.
Buy Kodachi— Carefully curated, not blindly bundled
Every package had to earn its place.
Years of testing mean the apps in Kodachi were chosen because they survived the test, not because they were popular. Wallets, messengers, encryption, dev tools: production-grade, privacy-vetted, ready out of the box.
Crypto wallets
- Electrum BTC
- Monero GUI XMR
- Monero CLI XMR
- Monero daemon full node
Encryption
- VeraCrypt containers
- LUKS / cryptsetup full disk
- GnuPG 2 + Kleopatra signing
- KeePassXC passwords
- SiriKali + gocryptfs / cryfs fs-level
Secure comms & onion
- Tor Browser w/ Kodachi user.js
- Session Desktop onion-routed
- OnionShare file share
- OnionCircuits circuit viewer
Dev toolchain
- VSCodium privacy IDE
- Geany + plugins editor
- build-essential gcc / make
- Python 3 + pip + pipx system
- git + git-lfs + meld VCS
Network & recon
- nmap + Zenmap scan
- tshark + tcpdump capture
- mtr + traceroute + whois route
- mat2 metadata clean
- OpenSSL verify
Privacy protocols
- Tor + torsocks + obfs4proxy + nyx tor stack
- OpenVPN + WireGuard + OpenConnect VPN
- Shadowsocks-libev circumvention
- HAProxy + proxychains + microsocks LB & chain
Anti-forensics
- scrub + secure-delete wipe
- macchanger MAC randomize
- mat2 + steghide metadata / stego
- LUKS nuke boot-time
- health-control panic 3-tier
Hardening & sandboxing
- firejail sandbox
- AppArmor + profiles MAC
- ufw + nftables firewall
- permission-guard + integrity-check Rust
- Secure Boot bundled in ISO
— Try Kodachi tech without installing
Live tools, running right now.
Some of what Kodachi runs locally is also exposed as web tools you can use today to verify your current setup or test the engine behind Kodachi’s privacy stack.
— Current nightly builds
Live build stamps.
Every edition is built nightly and signed. These cards reflect the latest stamped versions and nightly build numbers fetched live from main-info.json.
Shared stamp: loading…
— Verify, don’t trust
Built in the open.
Privacy software has to earn trust. Here is how to check ours: sources, signatures, canaries, and where to find the maintainer.
Open source on GitHub
Source for the Rust binaries, dashboard, and live-build tooling. Read it, build it, audit it.
github.com/WMAL/Linux-KodachiSigned binaries (PGP)
Every Rust binary, every ISO, and the binary tarball are cryptographically signed. Public key published.
View public keyWarrant canary
A signed transparency statement refreshed regularly. If it stops appearing, assume the worst.
Open canaryTracked on DistroWatch
Independent public record of releases, packages, and project longevity, useful for sanity-checking what Kodachi claims here.
DistroWatch entryActive community
Discord and Matrix channels for issues, OPSEC discussion, and live help. The author replies.
Join DiscordMaintainer
Built by Warith Al Maawali (digi77.com). Same person, same name, since 2013. No anonymous shell.
digi77.comPublic changelog
Every release documented, including what was deprecated and what was hardened.
Read changelogLicensing terms
Free for personal use. Organizations need a written license. Plain English, in the open.
Read licenseBoot it. It’s already configured.
Pick your edition, write the ISO, and the first time you reach the desktop the dashboard is already running: routing, monitoring, and ready to defend.