Fedora 44 · GNOME 50 · 40 Hardening Modules · Zero Telemetry

Hardened. Locked down. Still fully alive.

A LAN-isolated, WAN-only hardening of Fedora Workstation 44. 40 modules layer defense across kernel, network, identity, integrity, firmware and browser — LUKS2 encryption, SELinux enforcing, auditd, AIDE, USBGuard and a VPN killswitch — in one reproducible-from-source ISO. Hardening is additive: Flatpak, NetworkManager, Firefox + uBO and a ready VSCodium + Claude Code workspace stay intact.

NoID Privacy Workstation 44 — hardened Fedora 44 / GNOME 50 desktop with the NoID Privacy Setup dialog open

🔒 x86_64 · UEFI + Secure Boot · TPM 2.0 • GPL-3.0 • reproducible from source

🔐 Verify your download

A hardened OS is only as trustworthy as the file you booted. Always check the GPG signature and the checksum before writing the ISO to a USB stick.

Release signing key fingerprint:
1ACB FCE4 9687 FEBB 9101  0E52 F8E3 F11D 6962 256F

verify the download
# 1. import the release key (first time only)
gpg --import noid-privacy-release.asc
# 2. confirm the fingerprint matches the one above, then verify the signature
gpg --verify SHA256SUMS.asc SHA256SUMS   # → "Good signature"
# 3. verify the ISO matches the (now-trusted) checksum
sha256sum -c SHA256SUMS                  # → "OK"

The signature proves the checksum file really came from NoID Privacy (not a tampered mirror or a compromised host); the checksum then proves the ISO is byte-for-byte intact. Both must pass.
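
An added example (not NoID Privacy's own tooling) that scripts the steps above so they fail closed: gpg reports "Good signature" for any key in the keyring, so the script reads gpg's machine-readable status lines and accepts only the fingerprint published on this page, then checks that the ISO itself is listed in SHA256SUMS with a matching hash. The function names are illustrative, and the release key is assumed to be imported already.

```shell
#!/bin/sh
# Added example, not NoID Privacy's own tooling. Function names are illustrative.
# Fingerprint as published on this page; file names as in the steps above.
PINNED_FPR="1ACB FCE4 9687 FEBB 9101  0E52 F8E3 F11D 6962 256F"

# Strip whitespace and upper-case, so printed and machine forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a good signature was
# made by the pinned key. GOODSIG is required because expired or revoked keys
# are reported as EXPKEYSIG / REVKEYSIG instead.
signed_by_pinned_key() {
    awk -v want="$(normalize_fpr "$PINNED_FPR")" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Succeeds only if the ISO ($1) is listed in the checksum file ($2) and its
# SHA-256 matches. Assumes a file name without spaces.
iso_matches_sums() {
    want=$(awk -v f="$(basename "$1")" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$2")
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage: verify_release <iso>, run in the directory holding SHA256SUMS(.asc).
verify_release() {
    gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null |
        signed_by_pinned_key ||
        { echo "FAIL: no good signature from the pinned key" >&2; return 1; }
    iso_matches_sums "$1" SHA256SUMS ||
        { echo "FAIL: ISO not listed or hash mismatch" >&2; return 1; }
    echo "OK: $1 is signed by the pinned key and intact"
}

if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

Run it as `sh verify.sh <iso>` from the download directory; any non-zero exit means the image should not be written to a USB stick.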

🏰 What You Get

Defense layered across the whole stack — on by default, reversible by design

🔥
LAN Isolation
block-lan-out drops every RFC1918 / multicast egress + firewalld DROP inbound + ARP hardening → invisible on café / hotel / office WiFi. Surgical per-IP allow-list via the noid-network app.
🛰️
VPN Killswitch
Provider-neutral (Proton / Mullvad / IVPN / WireGuard / OpenVPN). Tunnel drops → traffic stops. No hardcoded provider dependency.
🧠
Kernel & Sysctl
120 install-time sysctl params, 52 kernel-cmdline tokens, 109 module blacklists, 35+ sandboxed systemd services (KSPP + Kicksecure security-misc + NoID Privacy).
🔍
Integrity & Audit
SELinux enforcing (+ custom NoID Privacy module), auditd immutable (63 rules, -e 2), AIDE daily scans, one-screen noid-status. Detection layers catch what hardening can't prevent.
🦊
Browser & Silent Machine
Firefox hardening (arkenfox-derived) + uBO + Quad9 DoH + FPP. 98 systemd units masked, 6 GNOME telemetry channels closed, no auto-update timers, no phone-home.
💾
Storage & Rollback
LUKS2 AES-XTS-512 + Argon2id (passphrase-only by design), Btrfs + Snapper pre-update snapshots with one-command rollback, 30-day forensic retention.

Substantially reduces attack surface — a pragmatic hardening tier, hardened by default while you stay in control. NoID, not ParaNoID: privacy + surveillance-resistance on any network you join, not state-level anonymity.

🤖 AI-Agent-Ready Workspace

Built for the people who live in a terminal + IDE + AI-agent loop — opt-in, telemetry-off, local-AI capable

⌨️
Ready on First Boot
Hardened VSCodium (telemetry / auto-update / AI-surfaces off) with the Claude Code extension pre-staged — the AI panel works on first launch, no marketplace needed.
🔒
Privacy Defaults
Claude Code ships with non-essential traffic off, working directory hidden from the banner, and 7-day transcript retention. No Anthropic traffic until you invoke it.
🖥️
Fully-Local Path
Prefer your AI never leaves the box? A local stack (Ollama / LM Studio / RamaLama + Continue.dev) is documented — plus 39 AI-navigable docs an agent can read on demand.

📊 How It Compares

A different optimum — the balance of privacy, security, reversibility and usability

Feature NoID Privacy WS 44 secureblue Kicksecure
Base Fedora Workstation (mutable) Fedora Atomic (immutable) Debian (reconfigured)
Hostile-LAN isolation ✅ block-lan-out + ARP ⚠️ partial
File integrity (AIDE daily)
Reversible (Snapper rollback) ⚠️ image-mode
AI-agent workspace ✅ Claude Code + VSCodium
Default browser hardening ✅ Firefox + arkenfox + uBO ✅ Trivalent (Chromium) ⚠️ Firefox-ESR
Hardened memory allocator ❌ deliberate (Firefox-incompat) ✅ hardened_malloc ❌ deprecated upstream
Gaming (one-toggle) ✅ Gaming-Mode ⚠️ clunky ⚠️ not oriented

secureblue and Kicksecure are excellent, deeper on raw prevention primitives. NoID Privacy is the reversible, auditable, AI-ready daily-driver with privacy co-equal to security — and LAN-isolation + daily file-integrity that neither ships by default.

⚙️ Requirements

A modern UEFI + TPM 2.0 machine

🖥️
x86_64
UEFI + Secure Boot capable
🔐
TPM 2.0
BootGuard / fwupd attestation
🧠
8 GB RAM
16 GB recommended
💾
30 GB Disk
60+ GB recommended

Same speed. More privacy. Less heat. More free RAM.

Not for: ARM / Raspberry Pi · non-UEFI hardware · multi-user / family systems (LAN-iso blocks shared services) · enterprise AD / LDAP. Not a replacement for Tails / Whonix anonymity or Qubes VM-isolation.

🐧 Already inside the image: NoID Privacy for Linux

Workstation 44 ships with the NoID Privacy for Linux audit built in — the same read-only, zero-dependency Bash auditor that also runs standalone on any distro (Fedora, Ubuntu, Debian, RHEL). On Workstation it runs out of the box; everywhere else it's one curl command.

🔒
Read-only by default
It audits and explains — it changes nothing without you. 420+ checks across 42 sections: kernel, firewall, browser telemetry, DNS leaks, VPN killswitch, webcam.
🤖
AI-explained fixes
The --ai flag generates a structured prompt — paste it into Claude, ChatGPT or Gemini and it explains each finding and suggests fix commands.
One file, zero deps
Pure Bash, no Python / Ruby / npm. --json for CI/CD, GitHub Action available. Read every line yourself — GPL-3.0.

Pre-installed on Workstation 44 (just run noid-privacy-linux.sh --ai). On any other distro — one command:

install & run — any distro
$ curl -fsSL https://github.com/NexusOne23/noid-privacy-linux/raw/main/noid-privacy-linux.sh -o noid-privacy-linux.sh
$ sudo bash noid-privacy-linux.sh --ai

❓ Frequently Asked Questions

Is NoID Privacy Workstation 44 affiliated with Fedora or Red Hat?

No. It is an independent derivative built on Fedora Workstation 44 — not affiliated with, endorsed by, or sponsored by the Fedora Project or Red Hat. "Fedora" is a registered trademark of Red Hat. NoID Privacy ships its own hardening, branding, apps and a reproducible-from-source kickstart recipe.

How is it different from secureblue or Kicksecure?

NoID Privacy competes on balance, not raw depth. It is a mutable Fedora desktop with LAN-isolation by default, AIDE daily file-integrity monitoring, Firefox-side hardening, a ready AI-agent workspace and Snapper rollback — privacy co-equal with security, and every hardening change reversible.

Is NoID Privacy Workstation 44 really free?

Yes. The build code is GPL-3.0-or-later and the ISO is a free download. It ships zero OS telemetry, is reproducible from source, and keeps the entire disable-list in the open kickstart tree so you can audit every change yourself before installing.

Will the hardening break my daily-driver workflow?

Hardening is additive. GNOME 50, Flatpak, NetworkManager and Firefox + uBO stay intact; Bluetooth, camera, microphone and location are one-toggle opt-in; and an opt-in Gaming-Mode relaxes the two real blockers for Steam/Proton while SELinux stays enforcing.

Does it include the NoID Privacy for Linux audit tool?

Yes. The read-only NoID Privacy for Linux audit (noid-privacy-linux.sh --ai, 420+ checks across 42 sections) is built into the image and runs out of the box. The same single Bash file with zero dependencies also runs standalone on any other Linux distribution.

🔗 Complete Your Security Ecosystem

Workstation 44 is the hardened OS in a family that spans every platform. Same philosophy everywhere: You own your system.

Ready to harden your daily driver?

40 modules. LUKS2 + Secure Boot. Zero telemetry. Reproducible from source.
