Tinfoil Hat Linux

Developer: Shmoo Group [citation needed]
OS family: Linux (Unix-like)
Working state: Discontinued
Source model: Open source
Latest release: 2.0pre1 / February 2002; 21 years ago (2002-02)
Platforms: i386
Kernel type: Monolithic kernel
User interface: CLI / Bourne shell
License: Documentation: Modified BSD license [1]; Software: Original licences
Official website: tinfoilhat.shmoo.com

Tinfoil Hat Linux (THL) was a compact, security-focused Linux distribution developed by The Shmoo Group. The first version (1.000) was released in February 2002. By 2013, it had become a low-priority project. Its image files and source are available in gzip format. THL can be used on modern PCs using an Intel 80386 or better, with at least 8 MB of RAM. The distribution fits on a single HD floppy disk. The small footprint provides additional benefits beyond making the system easy to understand and verify. The computer need not even have a hard drive, which makes it easier to "sanitize" the computer after use.


The logo of Tinfoil Hat is Tux, the Linux mascot, wearing a tinfoil hat.

The Shmoo Group website says "It started as a secure, single floppy, bootable Linux distribution for storing PGP keys and then encrypting, signing, and wiping files. At some point, it became an exercise in over-engineering."

Security features

Tinfoil Hat uses a number of measures to defeat hardware and software surveillance methods like keystroke logging, video camera, and TEMPEST:


THL can be used on most modern PCs using the x86 processor architecture. For example, one might install it on a computer that is kept in a locked room, not connected to any network, and used only for cryptographically signing keys. It is fairly easy to create the Tinfoil Hat boot floppy with Microsoft Windows. Verifying the checksum can pose a greater challenge. The text of the documentation is salted with a few jokes, the humor working in stark contrast to the serious and paranoiac tone of the surrounding text. The very name of the distribution pokes fun at itself, as tinfoil hats are commonly ascribed to paranoiacs as a method of protecting oneself from mind-control waves.

Tinfoil Hat Linux requires one to work in a text-only environment: users start in a Bourne shell with the text editor vi and no graphical user interface. It uses BusyBox instead of the normal Util-Linux, the GNU Core Utilities (formerly known as FileUtils, ShellUtils, and TextUtils), and other common Unix tools. Tinfoil Hat also offers the GNU nano text editor.

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

GNU Privacy Guard: Complete implementation of the OpenPGP and S/MIME standards

GNU Privacy Guard is a free-software replacement for Symantec's PGP cryptographic software suite. The software is compliant with RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP-compliant systems. GnuPG is however expected to break compliance with the upcoming revision of OpenPGP and thus with other implementations that will continue to comply.

Key exchange: Cryptographic protocol enabling the sharing of a secret key over an insecure channel

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Disk encryption software is computer security software that protects the confidentiality of data stored on computer media by using disk encryption.

Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over the Internet.

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

This is a technical feature comparison of different disk encryption software.

dm-crypt is a transparent block device encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper (dm) infrastructure, and uses cryptographic routines from the kernel's Crypto API. Unlike its predecessor cryptoloop, dm-crypt was designed to support advanced modes of operation, such as XTS, LRW and ESSIV, in order to avoid watermarking attacks. In addition to that, dm-crypt addresses some reliability problems of cryptoloop.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

Gpg4win: Email and file encryption package

Gpg4win is an email and file encryption package for most versions of Microsoft Windows and Microsoft Outlook, which utilises the GnuPG framework for symmetric and public-key cryptography, such as data encryption, digital signatures, hash calculations etc.

KWallet: Password manager

KDE Wallet Manager (KWallet) is free and open-source password management software written in C++ for UNIX-style operating systems. KDE Wallet Manager runs on a Linux-based OS, and its main feature is storing encrypted passwords in KDE Wallets. The main feature of KDE Wallet Manager (KWallet) is to collect a user's credentials, such as passwords or IDs, and encrypt them with the Blowfish symmetric block cipher algorithm or GNU Privacy Guard encryption.

Incognito was a Linux distribution based on Gentoo Linux. Its main feature was the inclusion of anonymity and security tools such as Tor by default and being able to be used as a Live CD or Live USB.

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

Linoma Software

Linoma Software was a developer of secure managed file transfer and IBM i software solutions. The company was acquired by HelpSystems in June 2016. Mid-sized companies, large enterprises and government entities use Linoma's software products to protect sensitive data and comply with data security regulations such as PCI DSS, HIPAA/HITECH, SOX, GLBA and state privacy laws. Linoma's software runs on a variety of platforms including Windows, Linux, UNIX, IBM i, AIX, Solaris, HP-UX and Mac OS X.

GPG Mail

GPG Mail is a commercial extension for Apple Mail which comes as part of GPG Suite, a software collection that provides easy access to a collection of tools designed to secure your communications and encrypt files. GPG Mail provides public key email encryption and signing. It integrates with the default email client Apple Mail under macOS and the actual cryptographic functionality is handled by GNU Privacy Guard.

crypt is a POSIX C library function. It is typically used to compute the hash of user account passwords. The function outputs a text string which also encodes the salt, and identifies the hash algorithm used. This output string forms a password record, which is usually stored in a text file.

VeraCrypt: Free and open-source disk encryption utility

VeraCrypt is a free and open-source utility for on-the-fly encryption (OTFE). The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication.

Linux.Encoder is considered to be the first ransomware Trojan targeting computers running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.