System must be airgapped. Which makes our task easier.
Which would be the best distro for this?
Requirements -
Persistence is a must.
No networking
very secure
privacy? (i don’t know, is privacy essential? Security is a priority)
No root permissions
AppArmor (tails has apparmor i think)
Tails makes it hard to install packages, there are only the ones from the debian repository and they too re-install every time. They are also very outdated. All in all, the system is slow and old which hampers my workflow.
Is there a distro tailored for offline use for such a task OR is there a guide? How do i go about it? tips and advice?
If you are truly operating an airgapped system, any distro will work. Just do your work without access to the net. Any packages you need will have to be copied to external media and then installed.
If it’s that classified, why use a computer at all. Typewriters are still available and the documents can be locked up.
You should consider encryption with a hardware key as well.
As Akito mentioned, Qubes is a good choice but the off switch is better.
Remember, no wire, no way and make sure there is no wifi hardware or capability on the system and that includes bluetooth.
This is just an idea and I have not tried at all, but last version of Ventoy (1.0.62 at the time I’m writing this) have not only the availability to create a USB boot drive with several partitions, but also the option to make persistent changes.
Some months ago I’ve created with the help of Ventoy (1.0.42) a USB Pendrive with 3 partitions; a very small for Ventoy boot files (required), one larger (required; normally the whole available space of the drive after creating the boot drive) for the ISO images you want to use (40GB in my case, since I used the Ventoy assistant option to create more partitions) and I’ve created a third optional partition for the rest of the available storage (70GB, since the drive is 128GB of capacity) for my personal stuff, ciphered with Veracrypt.
Since Ventoy 1.0.62 can help you to make persistence changes, perhaps you could customize any AppArmor compatible distro (such as Debian, Ubuntu, OpenSuse…) adding your own changes, and using the ciphered partition to store any sensitive information. If you install UFW in persistent mode, you’ll sure nobody connect to Internet in case someone try to work in non airgapped mode. Finally, in the ISO partition you can put the necessary .deb/.rpm files or sources/updates (such as Veracrypt program in order to read and access to the ciphered partition and nobody will install programs if you configure properly the sudoers group/users [remember these changes should be persistent]) or .appimage in order to use portable programs on your favorite distro…
As I mentioned above, this is just an idea. I really not tried the persistence mode (and I’ll don’t, since this mean format my drive, loosing all my customizations and starting again from scratch), but it might be a good option for you if you want a secure/portable OS…
Best,
Benny.