If you want a full plug-and-play system with all your usual conveniences, despite the excellent efforts of the Puri.sm team, this operating system is probably going to frustrate you and leave you wishing for your old Windows or macOS environment.
- Very responsive/ takes minimal resources
- Structured towards user convenience
- Aesthetically pleasing
- Works with limited Wi-Fi adapters
- Google is the default search engine in the included Firefox web browser
- Use of potentially insecure browser extensions for Firefox
- Privacy browsers such as Tor, Brave or Dissenter are absent on install
- Insecure default firewall configuration
- NordVPN & NextDNS configuration challenges
What Is PureOS?
PureOS is a customised Linux distribution from the good folks over at the Puri.sm community with the express intention of being:
“A fully auditable operating system: you don’t have to trust our word that it respects and protects you—it is independently verifiable by security experts and software developers around the world.”
I am used to having a fairly heavily secured Windows 10 environment for my daily working system, and at home I use Pi-Hole combined with NextDNS to reduce Microsoft telemetry (spying & reporting). However, I suspect that I have not yet managed to fully eliminate it.
I wanted to see if I could use PureOS as a full replacement for my regular day-to-day Microsoft Windows addiction.
I have been using Linux since the mid 1990’s when the first commercial distribution from Caldera was available, so I know my way around any speed bumps in my path and can compare to the many other distributions that I regularly use for work and play.
As a daily Windows user and occasional Mac user (Mrs. Bodybagger has one), I can also appreciate if an environment is totally alien and hopefully will be able to convey an honest appraisal for anyone considering leaving macOS or Microsoft Windows.
I took my Windows 10 Pro laptop, an old Dell Latitude E7440 that was high spec in its day. It was configured with Secure Boot and full disk encryption so I made a backup in the hope that I could reinstate it if my experiment proved a catastrophic failure.
I then downloaded the PureOS ISO (disk image) from the downloads page and got a USB flash drive and fired up Rufus imager, selected the PureOS ISO image as the “boot selection”, the USB flash drive as the destination, accepted the suggested defaults and clicked “Start”.
Once that was complete, I needed to get my PC to boot from USB. For most people this is painless, just pressing the F2 or Del key, or holding down the left-hand shift key on boot will present you with a boot option.
The system I have uses Secure Boot which works on the top of UEFI and uses encryption and digital fingerprinting techniques to make sure that the Microsoft Windows operating system boot sequence and boot files remain safe from any unauthorised changes. Essentially, Secure Boot ensures that a device boots using only the software that the PC has been “told” is trusted.
If you have Secure Boot configured, then you will need to use Windows Settings to force your device to boot into the UEFI start up. Older laptops will not have UEFI but a BIOS that will boot from pretty much any device and so cannot be configured to use Secure Boot. There is a good article on disabling Secure Boot over on Microsoft Docs.
I liked the fact that the supplied image is what is known as a “live image” – a bootable version of the operating system that runs from the USB flash drive and system memory and does not require itself to be installed to try it out.
I also liked the fact that location services were not switched on by default, immediately giving a more data-protective experience.
There were not a lot of language options on the live boot menu so I chose English (American), hoping I would have a chance to change it later.
The initial external accounts setup screen has an option for configuring incoming (IMAP) & outgoing (SMTP) email options, along with the free and open source NextCloud for your own secure cloud storage and messaging options instead of Microsoft OneDrive or Google Drive.
As I was planning to use PureOS as a replacement for my day-to-day Microsoft Windows habit, I did not spend too long looking around before I kicked off the install.
For the sake of getting nice, clear screen grabs for this article, I also installed a copy using the excellent VMware Workstation software on my lab PC. Bear in mind that when you see names of storage devices and other hardware with “VMWare” in the screen grabs, these will differ on a physical PC, with device names representing the installed hardware.
If you are switching to PureOS for privacy reasons, then you should enable disk encryption with a memorable pass phrase. You should write this down and store it in your safe, as I was disappointed to find that you will need it every time you boot the device, along with your user account password.
The laptop I am using is intended for commercial office use and so has a TPM hardware encryption security chip. This can be used by Windows and Linux to store these encrypted passwords for automatically presenting to the hard disk at boot time, but renders the disk inaccessible without manually typing the pass phrase if the disk is removed from your PC or the PC force booted from another device.
If you are working on highly sensitive data in hostile territory and need very high levels of privacy and you have more than 4GB RAM installed, you should select “No Swap” to leave no trace of your activities that you have not chosen to save to a local file. The slightly-less-intensely-careful level of user should select “Swap (no Hibernate)”, and the “no sweat” majority types can enable “Swap & Hibernation” file creation which will store your active memory state and all system activity to the local disk. If you hibernate the system, this option should be the most useful to anyone installing PureOS on a laptop, unless you are working on highly-sensitive data in hostile territory.
If you set a disk encryption password, you will be prompted for that before the system will fully boot, so you may consider it redundant to be required to type a second password. In this case, select the “Log in automatically” option to log in if not working in hostile territory. Personally, I prefer being forced to authenticate on login.
The fact that the disk encryption did not work with TPM meant this is really unsuitable as a device for multiple users, unless you do not enable disk encryption.
PureOS was very, very snappy on my old generation i7 CPU with 16GB RAM and standard (not very fast) SSD. I was impressed with how responsive it felt, the Puri.sm team have clearly gone to lengths to remove much of the bloat that is in many other Linux distributions. The system is nicely set up and most options seem to go towards user convenience.
PureOS did not recognise the built-in Wi-Fi adapter in the laptop as it uses proprietary (closed source) drivers, so if you want to use Wi-Fi, you may have to get a supported USB Wi-Fi adapter. Alternatively, if you are more technically capable and your device supports it, you can change the built-in Wi-Fi card for a supported one. Currently, there are only a few modern Wi-Fi chipsets readily available that work with free software systems. For USB Wi-Fi devices, this list includes the Realtek RTL8187B chipset (802.11G) and the Atheros AR9170 chipset (802.11N). For Mini PCIe, all cards with an Atheros chipset are supported.
PureOS came with Libre Office and a PDF viewer installed by default and other generic productivity tools. Firefox was the default browser, which was set to include the “Privacy Badger”, “uBlock Origin” and “HTTPS Everywhere” extensions by default, which you may or may not trust as these extensions have rights to intercept all your browsing traffic by default. Some of the other settings left me mildly unimpressed from a privacy point of view. It defaulted to Google for the search engine, and although I could select a different default, I could not remove the option from the list like I can in Brave or Dissenter.
Under the Settings tool, I noted the very useful (for some) but very leaky options to connect to various cloud-based services, such as Facebook, Google, Microsoft & Flickr. If you are switching PureOS as a privacy-protective operating system, then these connections are a very risky option to use as we know these four providers collect and share copious amounts of your personal data–or “meta-data”- about your personal choices.
Neither Brave browser nor Dissenter browser were listed as options in the PureOS Software store, so you will need to install these manually if you choose to use them. You might if you want to use one of these options if you intend to browse over ToR, which they both support.
There were some ToR options listed in the PureOS software store, so if you don’t feel technically up to the task of installing software into Linux to get Brave or Dissenter, you could try one of these out for private surfing:
Although network security tools iptables and the firewall-daemon were installed, the default settings were for open access, which is not a secure configuration.
If you are a power user and have a good understanding of iptables and firewalls in general, then consider installing the firewall-config tool by RedHat. This will provide a detailed graphical interface and configure some default Zones that are more secure.
For non-power users that just want a simple interface to allow them control of their privacy when connected to any network/internet, then consider installing the simpler GUFW firewall manager. I found that there was an error running GUFW that, upon further digging, required a setting to allow the “root” user to start graphical apps under “Wayland” sessions, which is the secure display server interface on PureOS. For more detail on the differences, check this out.
Configuring NordVPN and NextDNS was not entirely straightforward and took me considerable time to get working. Even then NordVPN was not working using its native NordLynx variant of the Wireguard protocol.
I found PureOS to be capable of handling most daily tasks that most users would tend to be involved in with little effort to configure and excellent use of computing resources, making it very snappy to use on an aged laptop. Attention has clearly been paid to the interface and it is very pleasing to the eye.
I appreciated much of the conscientious approach to security reflected in the choice of display server and many of the default packages and suggested settings.
Where it falls short seems more to be a maturity issue in choice of some software and settings options, and the non-firewall defaults. I expect that in the next few revisions, PureOS will shine in many of these areas.
Mass surveillance and Big Tech spying is something everyone should resist, but particularly Christians, as we are told that the world will seek to persecute and prevent our witness of Christ.
The Apostle Peter exhorts us to:
“Be sober-minded; be watchful. Your adversary, the devil prowls around like a roaring lion, seeking someone to devour.” -1 Peter 5:8
The proverbs reminds us that it is the wise who are cautious, but fools are reckless:
“One who is wise is cautious and turns away from evil, but a fool is reckless and careless.” -Proverbs 14:16
We must not assume that if our data is exposed today that it won’t be used against us tomorrow. It is time to educate Christians on the dangers of data vulnerabilities as we see The Day approaching.
Excellent article! Absolutely loved it! It especially opened my eyes when you mentioned: “”Mass surveillance and Big Tech spying is something everyone should resist, but particularly Christians, as we are told that the world will seek to persecute and prevent… Read more »