Subgraph

Subgraph OS Review: Simple on the Surface, Solid at the Core

Ever wished that digital security was more accessible?

That you could effectively protect your files and data from threats without spending half your time looking up technical terms?

Or that your OS itself could provide you with all the security you need by default?

You’re not alone. We’re crazy about security, but even we have to admit that the barrier to entry is pretty high.

And yet, in this era of constant threats, advanced malware and daily OS exploits, it’s never been more important for all computer users to stay secure.

Many partial solutions exist. Antivirus software, secure web browsers and VPNs protect us from certain types of danger.

But if you’re using a popular OS, the latest attacks constantly jeopardize your security and privacy. The only solution is to use a secure OS — but most of them are simply too technical for the average user.

Enter Subgraph OS, an operating system that’s designed to bring the strongest security to the wider public. Computer novices and seasoned pros alike can benefit from its unique features, no advanced degrees required.

And it’s received high accolades from one of the biggest cybersecurity advocates in history: Edward Snowden.

We’ve got the lowdown on Subgraph OS, what’s special about it and how to get the most out of it.

What Is Subgraph OS?

Subgraph is a Linux distro based on Debian and created by a team of cybersecurity experts. It’s open-source and operates on the principle that software should be free for all to inspect and use.

Generally, you can split Linux into two types of distros: everyday ones like Ubuntu and secure, specialized ones like Kali Linux.

The latter sacrifice user-friendliness and full consumer functionality for the latest and greatest security tools and features. They’re great for professionals, but the average user will find them bewildering and ineffective for typical uses.

Subgraph OS aims to bridge the gap between secure and user-friendly distros.

It features a locked-down system that’s ultra-secure by default. You can use it normally and enjoy automatic advanced protection.

What’s Different About Subgraph OS?

File System Encryption

Subgraph OS sets itself apart right from the moment you install it. With Subgraph, file system encryption is mandatory — you have no choice but to lock down your hard drive.

File system encryption is an advanced setting on most OSes, and most users never opt for it. But encrypting your file system prevents it from being compromised by a hacker with physical access to your computer.

Without it, a hacker could simply hook your drive up to their computer and steal your files. But encryption renders those stolen files useless, as they can’t be read without the proper key.

Privilege Escalation Attack Prevention

Subgraph OS itself is fortified against all kinds of attacks from its very core.

It’s built with grsecurity, a special Linux patch that prevents privilege escalation attacks.

Hackers and malware can exploit vulnerabilities to gain administrator or root access privileges on your computer. This grants them access to all of your personal and system files, opening the door for even more sinister attacks.

The grsecurity patch modifies the core OS files to protect against these types of attacks. Closing these security holes protects you from both known and future rootkit attacks.

Application Sandboxing with Oz

Normally, when you run a program on Windows, it’s able to interact with other programs and your system.

Some programs use this function innocently and require it for certain features to work. But malware also relies heavily on it, and the consequences can be disastrous.

One bad program is all it takes to potentially wreak havoc on your computer. It could steal your files, cause other apps to malfunction and even corrupt your entire OS.

Subgraph OS prevents this by sandboxing programs with a technology it calls Oz..

In tech-speak, sandboxing refers to quarantining apps and limiting their resources. They’re prevented from accessing the system files or other apps, greatly reducing the amount of damage they can do.

When sandboxed, apps are also given a limited amount of memory and hard drive space. Their network access privileges may be limited or eliminated to prevent any sketchy background downloads or uploads.

This stops many types of malware from functioning correctly.

Cryptocurrency miners, for example, won’t be able to hijack your resources and slow your computer to a halt.

Keyloggers won’t be able to record your keystrokes in other apps, keeping your passwords and credit card numbers safe.

And spyware won’t be able to scan your files and secretly upload them back to its devious creator.

Sandboxes typically require specialized software and configuration to work. But Subgraph OS automatically sandboxes apps for you, no extra steps needed — just click the app as usual and you’re all set.

Tor Network Integration

Tor is possibly the world’s most infamous browser, but it’s also one of the most secure. It encrypts traffic and routes it through the Onion Network, where it passes through several nodes before reaching its destination.

This obscures your real IP address, makes your traffic unreadable and prevents anyone from tracing your activity back to you.

It also stops invasive and annoying web trackers and fingerprinters from following you around the internet.

The problem is that the Tor browser only protects the traffic that passes through it. Other traffic from other browsers or apps remains unencrypted and is not rerouted.

Subgraph, however, automatically sends all traffic through the Tor network. All network activity, Tor browser-based or not, is protected by Tor’s secure protocols.

What Software Comes with Subgraph OS?

You’re free to install whatever apps you like on Subgraph — most apps that support Debian should work. But the OS’s default software should take care of most of your needs out of the box.

Icedove is an email client that’s based on Mozilla Thunderbird. It comes with two add-ons: TorBirdy (which anonymizes your email transmissions via Tor) and Enigmail (which supports PGP encryption for emails).

Tor browser is Subgraph’s default browser, as you might expect.

It’s paired with OnionShare, a secure, encrypted file-sharing program that works over the Onion Network. Upload a file and you’ll get a .onion link that the recipient can open in Tor to download the file.

LibreOffice is Subgraph’s office suite, with a word processor, spreadsheet creator, slideshow designer and more. It’s an efficient, secure and open-source alternative to Microsoft Office.

Subgraph Firewall is an application firewall that lets you manage incoming and outgoing traffic on a per-app basis. If an app attempts to send or receive unexpected traffic, you’ll be alerted and given details.

You’ll be able to see where the traffic is coming from or going to. Then you can decide whether or not to allow the traffic to go through.

This stops malware from performing as intended. It also helps you maintain control over any data that apps attempt to collect surreptitiously for telemetry and analytics.

Are There Alternatives to Subgraph OS?

If you’re looking to switch OSes in the name of security, Subgraph is a good option. But it isn’t perfect.

Subgraph OS is still in alpha, which means it’s very much a work-in-progress. You’re likely to experience bugs and glitches, and you may need some advanced Linux knowledge to fix them yourself.

Additionally, the last major Subgraph update was in 2017 — over two years ago. It’s not clear what the current status of the OS is or when the next update will arrive.

For now, we recommend that the average user try a more stable secure Linux distro. Qubes OS and Parrot OS are great options.

Alternatively, rather than starting from scratch with a new OS, you can get a big security boost by installing a VPN.

VPNs help prevent many types of network-based attacks by locking down your internet. They encrypt your traffic so it’s unreadable by anyone who intercepts it — hackers, ISPs, governments, you name it.

With a VPN, you can anonymize yourself by masking your IP address. Website owners and trackers won’t see your real IP — they’ll see one from the city or country of your choice, instead.

And many VPNs include built-in firewalls and malware blockers. These features protect you from unwanted connections, dangerous sites, suspicious downloads, phishing attempts and more.

Private Internet Access is one of our favorite VPNs for its affordability, great speeds, and reliable servers. Its integrated firewall with Netfilter protects you from potentially malicious unexpected connections.

NordVPN is another excellent VPN, and its CyberSec ad and malware blocker is among the best in the biz. It blocks malicious sites and downloads and can even prevent existing malware from accessing your network.

Final Thoughts

Subgraph OS aims to bring digital security to the mainstream. It makes advanced features like sandboxing easy and features a fortified kernel for hardcore protection.

Privacy Angel Comment Policy

We welcome relevant, respectful comments.
Scroll to Top