Linux Distribution: Lightweight Portable Security

Lightweight Portable Security is a LiveCD distro designed by the US Department of Defense to function as a secure end node, in other words, a safe environment from which to access the web or a remote desktop host. The focus is on security, and for this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and a few other small tools.

The Lightweight Portable Security distribution was created by the Software Protection Initiative under the direction of the Air Force Research Laboratory and the US Department Of Defense. The idea behind it is that government workers can use a CDROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker’s own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so leaves no trace of the user’s activities behind.

If it all sounds a bit cloak and dagger, consider that anyone who wants to quickly establish a secure setup on a PC of unknown security status could have a use for a distribution such as LPS. For example, you may understand computer security, but does the staff of your local library or a hotel?

The first thing that greets you when you first launch the CD is the boot screen, the bottom area of which is dominated by the respective seals of The Department Of Defense, The Air Force Research Research Laboratory and the Anti-Tamper Software Protection Initiative. Helpfully, there is also a note telling you that hitting F2 brings up the startup messages, which mostly consist of a list of loaded Linux kernel modules. LPS supports WiFi interfaces but doesn't current have support for printers or sound hardware.

Following this, you are dumped into a very simple desktop that makes use of IceWM. The layout is the familiar combination of application launcher and task switcher bar along the bottom the screen. Perusing the installed applications reveals that this is a very minimalist desktop indeed. You are given the Firefox web browser, a text editor and a file manager that can manipulate files in the RAMdisk or a flash drive. There is also a remote desktop client that works with RDP or Citrix hosts and a tool to deal with files that have been AES encrypted.

There doesn’t seem to be any obvious scope for adding applications to the distribution. In fact, the website advises the user to contact the development team with feature requests, reasoning that if one person wants the feature, other people might also.

Loading up Firefox, I was a little surprised to find that it was a fairly up to date, stable build and it included the Flash plugin, but I suppose, most web workers need Flash at some point, these days. It also comes with plugins to change the browser agent string, send encrypted messages via Gmail, work with encrypted files and to synchronise bookmarks with an online server.



LPS is obviously a niche distro. If your needs are specific, and you just just need a basic web browser and a remote desktop client on a disc or to hand out to someone who might get lost with a more complex live CD, this might be the distro for you. It also offers an interesting insight into how organisations are creating custom Linux builds to meet niche requirements. The website itself goes into quite a lot of detail about the rationale behind LPS.

The LPS website.


UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Hardware keylogger

Hardware keylogger's picture

Is Linux provide security to save our key stroke with both harware and software key loggers?

Has anybody found the backdoor?

Hamburn's picture

from the US Department of Defense ?

sorry guys, but why should anybody trust them?

it would be ridiculous

Same ideal different OS

Anonymous's picture

I have been using browser Linux a puppy decedent for the same purpose, but I just don't save the session at the end. I imagine this has better security though.

Special hardware?

Horsebones's picture

Guys, why are you talking about USB CCID-compliant CAC/PIV smartreaders in the comments. I didn't see it mentioned in the article. Do you need this special hardware to run this distro then?

I was also wondering if this ran in some kind of VM on the current Windows OS? I mean the article indicates you can use it in hotel and library PCs, but I have a suspicion you'll have to boot this and I tell you, my library really wouldn't appreciate me waltzing in and booting my own OS from their machines. They'd be like, "Hey, you! GTFO!" :D

Not secure.

WorBlux's picture

Running it as a guest of a compromised OS isn't going to provide much security. Beside providing no no defense against a software key logger, your standard windows machine that does a memory dump to hard disk whenever you run into an error. You will have your data easily available to inspection by those in the know. It would provide a small amount of data security, but nothing very strong.

Even this distro is still vulnerable to a hardware key-logger, or a BIOS key-logger, or a BIOS hack that dumps memory to hard drive every time you shut it off. It's vastly superior using a unsecured windows box to check security related e-mail, but not as good as having a machine which has always been in trusted possession.

Slap my head, Why didn't I think of that?

Anonymous's picture

This is just too obvious, too simple! 'LPS is a simple Linux LiveCD that only runs in RAM and can't read/write the harddrive.' I get it!

Instantly one gets rids of Advanced Persistent Threats, keyloggers, malbots and all that other nasty malware, whether its in the PC's storage (avoided) or just downloaded (disappears when turning off). That protects me.

But it also protects MY NETWORK. If I could get my telecommuting co-workers to use this, then I'd no longer clean up all the crap they unknowingly infect my servers with AND the time-suck of reviewing logs of what people downloaded to their home PCs goes away.

Updates rolled regularly....

Anonymous's picture

Noticed LPS distro's posted every few months, therefore I suspect that's how they update, but burning a CD for each build sux. The release notes suggested big smartcard (CAC and PIV) problems awhile ago but nothing recent - appears fixed; they advertise full capatibility. About licenses, its GNU GPL (Thinstation Linux) and plus a folder has many for its components - Citrix, Firefox, etc. Ran LPS in VMware and monitored its activity - noticed nothing suspicious, actually exceptionally very little. Typical scans don't show anything either. (Anyone notice anything?) What is odd, its from the AF Lab? Kinda strange a bunch plane & rocket scientists are publishing Linux and winning many awards (just google "Lightweight Portable Security LPS award"). The Labs invent stuff but don't retail like this. Digging into it, the already thin thinstation its really been stripped down more.

Why would you think there

Nate210's picture

Why would you think there would be anything suspicious in a Linux distro put out by the AirForce? They're on our side... And I can assure you the "plane & rocket scientists" aren't the one's who worked on this. The AirForce has a world class IT program.

The last time I tried this

3D0X2's picture

The last time I tried this anorexic distro it did not fully support some standard CAC readers and there problems talking ICCD and CCID to smartcards. That coupled with the fact that there was no package manager or GCC made it pretty damn difficult to troubleshoot. Without CAC support it's pretty useless.

I'm surprised to find LJ reviewing it. Perhaps I'll give it another go.

No CAC support?

David Lane's picture

Now that I find very odd, especially considering it was developed by a group that pretty much has to use the CAC cards to go to the bathroom....

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack


Michael Reed's picture

According to the site, it has CAC support.

UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.

Interesting article but......

Anonymous's picture

Looks pretty much like Puppy Linux to me.

Nice idea ... but I'll pass

bcnewman's picture

I really like the idea of this distro but there is no way in hell I'm running software created by our government. I didn't see any mention of the license or the availability of source code.

It's GPL

Anonymous's picture

It doesn't say what version, but the user manual (section 6.2) cites that it's GPL:

"LPS-Public uses free software components under the GNU Public License (GPL). The standard
LPS software can be freely distributed without restriction."

The AirForce is the one branch I actually do trust with this.

Nate210's picture

I'm not a Govm't fanboy but the AirForce is a very capable and trust worthy branch of the DOD. I'm excited to see the military show more interest in Linux. I've been advocating it for a couple years now. DOD wide. I personally think they need to make a DOD Linux for everyday operations. (This one isn't it... It's good for what it's used for...)


Anonymous's picture

I noticed in the manual you will agree to a license to proceed during the loading process, I didn't see anything concerning what type of license or a link to review the terms in advance.
It may be too much to hope that it's a simple GNU GPL type.

Thanks you

xado7525's picture

Thanks for this article.


Anonymous's picture

I'm just downloading this now and I've looked through the manual, I didn't see any mention of creating VPN connections though.
Does anybody know if they have set this up as an option?


Scribe63's picture

This distro sounds interesting from a security perspective, with the usage of the smart cards and what not. Wish i has one of those USB Smartcard devices to learn and test it out.

They do also have a custom version that has a VPN capabilities. It is called "LPS-Remote Access", you have to make a request for it though.

$10 smartcard reader

Anonymous's picture

USB CCID-compliant CAC/PIV smartreaders are actually quite common & cheap, $10-$20 on Amazon /eBay, look for SCR331 and SCR3310. Even an old one will work since LPS has the OEM's firmware updater built in

Thank you...

JShuford's picture

Nice review.

I think you would be better served to Dl ANY of the many LIVE Distro's available! Update: Needs 1Gb RAM; looks official!

Looks alot like Windows Classic!

Got an award for it too!

...I'm not just a "troll", but also a subscriber!

Good use of Linux

Anonymous's picture

Thanks for writing about this, It's good to see the military putting some trust in Linux. Bypassing a malware-prone disk-based install is a good way to ensure your running system is clean when security is a primary concern.


United States Department of Defence or Defense?

metalx2000's picture

Are we sure this is really made by the United States Department of Defense? You wrote "Defence" with a "C".

Is this a typo, or is that how they wrote it on their site?

I don't really trust it.
Of course, I'm a little paranoid when it comes to unfamiliar distros.
Everything you ever need to know about Free Software.

Yes it's really is created by

Nate210's picture

Yes it's really is created by the AirForce/DOD. I use it at work.


Michael Reed's picture

Corrected. As David says, I got a bit confused between the British and American spelling.

UK based freelance writer Michael Reed writes about technology, retro computing, geek culture and gender politics.

It's a UK thing...

David Lane's picture

Given that Michael is a Brit, I suspect it is a typo...they spell defence correctly ;)

The LPS site is a US DOD military web site.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack


Anonymous's picture

hello, j' would like to know how can one speak about sécuriter when one calls same upon google if c' is encrypté, knowing that google guard the user data X time!