Kodachi KODACHI Download Free Upgrade to Premium
Declassified   for operational use Ref // LK9-CB-0001 · Debian 13 · Wiki
Subject

Linux Kodachi 9Privacy OS as a live command center.

Privacy operating system // prepared field workstation

Kodachi gives you a prepared privacy workstation: dashboard controls, signed binaries, multiple routing modes, verification tools, recovery paths, and panic actions in one guided system. You still choose the right mode for your threat model; Kodachi makes the stack visible, controllable, and recoverable.

CLEARED FOR
RELEASE
RSA-4096 // SIGNED
ClassificationDebian 13 XFCE
OriginIndependent since 2013
MaintainerWarith Al Maawali
Routing11 protocols
Panic tiers3-tier response
Local AIOffline-first (KAICS)
11 routing protocols 96+ workflows 25 Rust binaries 28 signed artifacts offline-first local AI (KAICS) open source on GitHub
Most Linux distributions give you tools. Kodachi gives you a purpose-built privacy operating environment, hardened by default.
Summary of finding // over a decade of research, field use and hardening, shipped as a coherent default
A Exhibit // the operating system

One dashboard. Everything that matters.

A single native control plane drives VPN, Tor, DNS, identity, hardening, workflows, AI, integrity, recovery, and emergency response from one process, sharing state and a live security score across all of them. Read the full dashboard tour >

Field notes // capabilities you won’t find together anywhere else
NOTE A.1

Built-in SOC, your host as a neural map

A live Security Operations Center page renders the machine as a neural map: a central security score orbited by 8 cluster hubs, vitals, network, connections, processes, threats, auth, privacy, system, with colour-coded nodes, MITRE ATT&CK, tagged findings, a top-findings list, privacy posture, and a live alert feed. Read-only situational awareness no other distro ships on the desktop.

kodachi-soc reference
NOTE A.2

Multi-Tor + HAProxy load balancing

Run N parallel Tor instances behind an HAProxy front end, configurable per-circuit, with independent exit selection. Faster real-world throughput than single-instance Tor, and circuit correlation costs an adversary more.

tor-switch reference
NOTE A.3

Three destruction paths, always ready

The LUKS nuke password destroys keys at boot. The dashboard adds a live nuke surface: armable kill-switch, countdown, memory wipe, and an optional fake update screen to stall whoever is watching. A red “Destroy Kodachi” sidebar icon (skull) sits at the bottom of the dashboard’s left sidebar in Full, Lite, and Circle dashboards (show/hide from Settings › Security): one click wipes the LUKS header of every active encrypted device, then runs the full nuke, network kill, RAM wipe, file shred, MBR/EFI destroy, power-off. Confirmation style is configurable (type DESTROY / Yes-No / immediate). Emergency global hotkeys via the session helper are a third path, triggerable without opening the dashboard.

health-control
NOTE A.4

Three-tier panic, by design

Soft: kill network, clear clipboard, lock screen (reversible). Medium: kill processes, wipe memory, unmount devices. Hard: irreversible destruction path. Triggered from dashboard or hotkey. Backed by cold-boot defense and multi-pass shred.

Anti-forensics
NOTE A.5

Dashboard-first, not bolt-on

Most privacy distros launch separate GUIs per tool. Kodachi ships a single native dashboard that drives VPN, Tor, DNS, identity, hardening, workflows, AI, recovery, and emergency from one process, sharing state and live scoring across all of them.

Dashboard tour
NOTE A.6

96+ pre-built workflows

One click runs a chained sequence: rotate identity, restart Tor, re-check IP, verify DNS, regenerate MAC. Or build your own with the visual workflow builder. Repeatable privacy playbooks instead of a wiki of bash commands.

Workflows & AI
NOTE A.7

Dynamic security scoring

Live score across hardening, privacy, network, and auth, with history tracking and threat-response actions. Know exactly how exposed you are right now, not by reading a 50-page audit checklist.

Scoring engine
NOTE A.8

Always-on threat watchdog

health-control runs a background watchdog that continuously monitors network, hardware, USB and integrity state, then fires automated responses (re-block leaks, kill suspect connections, raise the security posture) without you watching the dashboard. Automated responses, not just alerts.

health-control watchdog
NOTE A.9

Plain-English command intelligence

KAICS + ai-gateway translate “am I leaking my IP?” into dns-leak test --check-ip. Offline-first, with cloud routed through VPN/Tor when you opt in. Policy-aware so it can’t hurt you.

ai-cmd guide
NOTE A.10

Dev-ready on first boot

Compilers, language runtimes, editors, and security toolchains ship inside the ISO. Boot, install, and start coding the same hour, with a privacy stack already wrapping every connection your build process makes.

Desktop edition
B Exhibit // the routing arsenal

Every major privacy protocol, pre-configured.

One-click switching across the whole stack. Tagged, catalogued, and connectable from a single dashboard tab, plus your own pasted configs and subscriptions.

ItemDesignationClassStatus
B-01Tor (multi-instance + HAProxy LB)onion / load-balancedISSUED
B-02OpenVPNvpn tunnelISSUED
B-03WireGuardvpn tunnelISSUED
B-04ShadowsockscircumventionISSUED
B-05V2RaycircumventionISSUED
B-06Xray (VLESS / Reality / Trojan)circumventionISSUED
B-07Hysteria2quic transportISSUED
B-08Mieru / MitacircumventionISSUED
B-09Dante (SOCKS5)socks gatewayISSUED
B-10DNSCryptencrypted dnsISSUED
B-11VPNGateexternal sourceISSUED
B-12Riseup VPNexternal sourceISSUED
B-13bring-your-own VPNbyo sourceISSUED

13 holds, 11 routing protocols: VPNGate and Riseup are external config sources rather than protocols, and B-13 is bring-your-own. Some holds carry multiple protocol variants (Xray: VLESS / Reality / Trojan).

NOTE B.1

13 VPN providers, one tab

Browse VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, Mullvad, AirVPN, Windscribe, ProtonVPN, ExpressVPN, TorGuard, plus your own pasted configs (.ovpn, WireGuard, Shadowsocks, V2Ray, Hysteria2, or vmess:///vless:///ss:// URI schemes and Clash/sing-box subscriptions) from one dashboard tab. Sort, filter, ping-benchmark, save credentials, and connect, all without leaving the GUI.

External VPN Providers
Exhibit B-14 // routing switch
Kodachi routing switch panel
EVID // routing-switchone-click posture change
Tails gives you a Tor browser. Whonix gives you VM isolation. Parrot gives you a toolbox. Kodachi gives you a complete control plane.
Comparative assessment // capabilities no other distro ships pre-integrated
C Exhibit // comparative assessment

vs Tails, Whonix, Parrot & Qubes.

Other privacy distros are excellent at what they target. Kodachi is built to cover the gaps between them: a daily-driver OS, not a live-only tool or a hypervisor.

Capability Kodachi 9 Tails Whonix Parrot Qubes
Persistent daily-driver install Yes, XFCE desktop Live only VM Yes Yes
Multi-protocol routing switcher 11 protocols, one click Tor only Tor only Manual Per-VM
Multi-Tor instances + HAProxy LB Built-in No No No No
Single dashboard for the whole stack Native desktop app Separate tools Separate tools Separate tools Manager + per-VM
Tiered panic modes & dashboard NUKE 3-tier + live nuke Wipe on shutdown No No No
Pre-bundled workflows (chained actions) 96+ No No No No
Local AI command bar (offline-first) KAICS + ai-gateway No No No No
Always-on threat watchdog health-control No No No No
SOC neural monitor (MITRE ATT&CK, tagged, 8 clusters) Built-in No No No No
Crypto wallets pre-installed Electrum, Monero GUI/CLI Electrum No No No
Offline install (no network needed) Yes, bundled Secure Boot N/A (live) Manual Yes Yes
Comparison reflects default out-of-the-box capability. Anything above has been verified against each project’s published documentation.

Everything in this table ships in the Free edition. Upgrade to Premium for low-density nodes and commercial use

D Exhibit // the fleet

Kodachi is an infrastructure, not just an OS.

The ISO you boot is the visible tip. The rest of the stack runs continuously behind it: an authority master, an elastic worker fleet, and on-device shielding.

01 // MASTER

Master authority

Auth, PKI, and the card vault. Hardware-bound sessions with a 2-minute heartbeat.

02 // FLEET

Worker fleet

An elastic VPS fleet on DMCA-resistant hosting runs the full protocol stack and pushes signed JSON cards to the master.

03 // DEVICE

Your device

Pick any source: Kodachi fleet, Riseup VPN, VPNGate, or your own VPN. Tunnel up, on-device shield on top.

Deployed worker nodes // signed-card sources
Owl
Worker node
full protocol stack
Hex
Worker node
signed JSON cards
Fox
Worker node
exit selection
Neo
Worker node
multi-protocol
Elk
Worker node
elastic capacity
E Exhibit // mission-critical deployment

Built for environments where exposure is not an option.

Power grids, transport networks, hospitals, financial systems, and government platforms run on machines that were rarely hardened for the threats they now face. Kodachi is a purpose-hardened privacy and security OS designed to reduce that attack surface from first boot: encrypted routing, DNS leak protection, system integrity monitoring, and a three-tier emergency response are integrated and active by default. Whether you are a regulatory authority, a military unit, a law enforcement agency, or a private operator of critical systems, the architecture is the same and the controls are yours from day one. For government, defense, law enforcement and critical-infrastructure operators.

Your own isolated infrastructure

The Dedicated tier gives your organization a fully isolated VPS reserved to your devices, with no third-party traffic on your network. Fit for utilities, transport operators, carriers, hospitals, financial platforms, and government agencies alike. 5 to 100 devices, annual license.

Dedicated tier

Choose your country and provider

Select the exit country and infrastructure provider that fits your operational and legal requirements. You are not locked to a shared pool operated by a third party.

Routing control

A custom build for your organization

Kodachi can be built for your organization with your own tools, workflows, and configuration preloaded, then delivered as a signed, deployable ISO. Available by arrangement.

Talk to me
Kodachi is independent. Built for over a decade and funded by people who use it. Personal use is free. A license is an annual subscription that funds continued development.
Buy Kodachi
F Exhibit // the curated arsenal

Every package had to earn its place.

Years of testing mean the apps in Kodachi were chosen because they survived the test, not because they were popular. Wallets, messengers, encryption, dev tools: production-grade, privacy-vetted, ready out of the box.

Crypto wallets
  • Electrum BTC
  • Monero GUI XMR
  • Monero CLI XMR
  • Monero daemon full node
Encryption
  • VeraCrypt containers
  • LUKS / cryptsetup full disk
  • GnuPG 2 + Kleopatra signing
  • KeePassXC passwords
  • SiriKali + gocryptfs / cryfs fs-level
Secure comms & onion
  • Tor Browser w/ Kodachi user.js
  • Session Desktop onion-routed
  • OnionShare file share
  • OnionCircuits circuit viewer
Dev toolchain
  • VSCodium privacy IDE
  • Geany + plugins editor
  • build-essential gcc / make
  • Python 3 + pip + pipx system
  • git + git-lfs + meld VCS
Network & recon
  • nmap + Zenmap scan
  • tshark + tcpdump capture
  • mtr + traceroute + whois route
  • mat2 metadata clean
  • OpenSSL verify
Privacy protocols
  • Tor + torsocks + obfs4proxy + nyx tor stack
  • OpenVPN + WireGuard + OpenConnect VPN
  • Shadowsocks-libev circumvention
  • HAProxy + proxychains + microsocks LB & chain
Anti-forensics
  • scrub + secure-delete wipe
  • macchanger MAC randomize
  • mat2 + steghide metadata / stego
  • LUKS nuke boot-time
  • health-control panic 3-tier
Hardening & sandboxing
  • firejail sandbox
  • AppArmor + profiles MAC
  • ufw + nftables firewall
  • permission-guard + integrity-check Rust
  • Secure Boot bundled in ISO
G Exhibit // live tools, running now

Try Kodachi tech without installing.

Some of what Kodachi runs locally is also exposed as web tools you can use today to verify your current setup or test the engine behind Kodachi’s privacy stack.

Anonymity Verifier

The flagship live tool: “See What the Web Sees.” Tor status, proxy detection, WebRTC leak, session & user checks, security signals, all in one report.

Open verifier
IP Info & Fingerprint

Your public IP intel (ASN, geolocation, reverse DNS, blacklist, datacenter / Tor exit) plus the browser fingerprint every site can see: canvas, fonts, WebGL, audio, screen. One page, before and after activating Kodachi.

Check IP & fingerprint
DNS Leak Checker

Live DNS leak test. Detects rogue resolvers, transparent proxies, unencrypted lookups, and resolver fingerprints visible to remote sites.

Test DNS
System Freshness Checker

Verify your running Kodachi install is current, untampered, and matches the signed release. Live proof you’re booting the real thing.

Check my system
DNS Propagation

Query a domain across resolvers worldwide to spot DNS censorship, GeoDNS splits, and propagation gaps in real time.

Check a domain
Domain Security Analyzer

Inspect a domain’s full security posture: DNS records, MX/SPF/DMARC/DKIM mail config, TLS chain, header hygiene, blacklist status, and exposure footprint.

Analyze a domain
IP Queries Analytics

Aggregated IP-intel analytics from the verifier: query volumes, top ASNs and countries, datacenter vs residential mix, and trend lines over time.

View analytics
File Hash Verify

Verify any ISO or binary against Kodachi’s signed release manifests, with BLAKE3 primary and SHA-256 fallback. Confirms what you have is what I actually shipped.

Verify a file
System Status

Live operational status for Kodachi services: verifier APIs, IP/DNS endpoints, mirrors, and update channels. Real-time uptime, response times, and incident notes.

Check status
Verifier User Guide

Step-by-step walkthrough of every Anonymity Verifier signal: what each check means, how it’s computed, and how to fix anything the verifier flags red.

Read the guide
API Docs

REST API reference for programmatic access to Kodachi’s verifier and IP/DNS intelligence: endpoints, parameters, auth, rate limits, and example responses.

Browse the API
Every package, every script, every binary was chosen so the first boot is already a defensible position.
Design rationale // hardened by default
H Exhibit // the signing chain

Verify, don’t trust.

Privacy software has to earn trust. Here is how to check ours: sources, signatures, canaries, and where to find the maintainer. Every Rust binary, every ISO, and the binary tarball are signed with an RSA-4096 key, with the public key published for independent verification.

Chain of custody // 28 signed artifacts
SOURCE github.com/WMAL BUILD live-build + cargo SIGN RSA-4096 MANIFEST BLAKE3 + SHA-256 VERIFY your device

Signed set of 28 artifacts: 26 Kodachi-authored binaries (17 services, 8 AI, 1 dashboard) plus 2 signed third-party components (oniux, tun2socks). The CLI manifest documents the 25 command-line binaries plus the 2 companions; the dashboard is the GUI binary. Verify any ISO or binary against the signed release manifests, BLAKE3 primary with SHA-256 fallback. What you have is confirmed to be what was actually shipped.

I Exhibit // recognition and record

Built in the open, since 2013.

Field record entries drawn from the public trail: independent tracking, an identified maintainer, and a distribution footprint that predates most privacy distros shipping today.

Record // MaintainerVERIFIED

Built by Warith Al Maawali (digi77.com). Same person, same name, since 2013. No anonymous shell.

Record // DistroWatchTRACKED

An independent public record of releases, packages, and project longevity, useful for sanity-checking what Kodachi claims here.

Record // CommunityACTIVE

Discord and Matrix channels for issues, OPSEC discussion, and live help. The author replies.

Record // LicensingOPEN

Free for personal use. Professional and organizational use needs an annual license. Plain English, in the open.

942K+
Total downloads
224
Countries & territories served
12+
Years active
11
Routing protocols
96+
Workflows
25
Signed Rust binaries
§ Field record // current builds

Live build stamps.

Every edition is built and signed. These cards reflect the latest stamped versions and build numbers, pulled automatically from the live release feed.

Shared stamp: loading…

§ Requisition // clearance levels

Three paths. One privacy stack.

Same hardened core, three deployment shapes. Pick the clearance that matches how you work.

Level 1 // full field kit

Kodachi Desktop

Full XFCE privacy OS, dev-ready

Permanent install of the full Kodachi experience. Privacy-hardened Debian 13 XFCE with the dashboard, all 11 protocols, all 25 binaries, all dev tools, and Secure Boot, pre-configured from first boot.

  • FormInstalled desktop
  • ProtocolsAll 11
  • BinariesAll 25
  • Secure BootBundled

Best for: daily users, crypto holders, journalists, researchers, developers, and anyone who needs a secure desktop without months of manual setup.

Level 2 // headless

Terminal Server

Headless, live, gateway

Minimal live ISO for headless privacy operations. Boot as a SOCKS gateway, run a privacy lab, stage VM exit nodes, or operate a hardened jump host, with no GUI overhead and the full backend stack.

  • FormLive ISO
  • InterfaceHeadless
  • BackendFull stack
  • RoleGateway / lab

Best for: power users, VPS operators, VM labs, SOCKS gateways, and pen-test infrastructure.

Level 3 // components

Binary Suite

25 Rust binaries, signed

The 25 documented Rust binaries that power Kodachi, usable on any compatible Debian-based system. Bring the Kodachi engine to your existing OS without committing to the full distribution.

  • FormSigned tarball
  • Binaries25 documented
  • SignatureRSA-4096
  • HostAny Debian-based

Best for: sysadmins, advanced users, and developers who want individual Kodachi components or to integrate Kodachi into their own stack.

Requisition   form LK9-REQ authorization // self-serve

Boot it. It’s already configured.

Pick your edition, write the ISO, and the first time you reach the desktop the dashboard is already running, routing your traffic, watching for threats, and ready to respond.

Line item 01 // acquisition
Download Kodachi 9
Personal use is free. Desktop, Terminal, or Binary Suite, verify the file before use.
Line item 02 // funding
Buy a license
An annual subscription that funds continued development. Independent, built for over a decade by the people who use it.

Free runs the full OS. Premium adds low-density managed nodes, commercial rights, and priority support ($99/yr). Dedicated adds isolated single-tenant infrastructure.

Authorized by Warith Al Maawali Origin digi77.com Since 2013 Signature RSA-4096
Download Wiki FAQ Verify GitHub
LINUX KODACHI 9 // CAPABILITY BRIEF // END OF FILE