Features
NubiferOS is built for cloud engineers who manage multiple accounts and need security they can trust. Here's what sets it apart.
Security by Default
These components are always installed and cannot be disabled. They form the security foundation.
| Component | What It Does | Why It Matters |
|---|---|---|
| LUKS Disk Encryption | Encrypts entire disk with AES-256 | Laptop stolen? Data unreadable. |
| GPG + pass | Encrypts credentials at rest | No plaintext ~/.aws/credentials |
| Firejail | Isolates workspaces | Prod credentials invisible to dev workspace |
| Wayland | Modern display server | Apps can't keylog each other |
| AppArmor | Limits application access | Compromised app can't escape |
→ Learn more about security architecture
Encrypted Credentials
Traditional setups store credentials in plaintext files. NubiferOS doesn't.
```bash
# Traditional (INSECURE)
cat ~/.aws/credentials
# Shows plaintext keys to any process

# NubiferOS
cat ~/.aws/credentials
# File doesn't exist - credentials in GPG-encrypted pass store
```
When you run `aws s3 ls`, our CLI wrapper:
- Fetches credentials from encrypted pass store
- Injects them directly into the CLI process
- Logs the access for audit
→ How credential security works
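
The three wrapper steps listed above (fetch, inject, log) can be sketched as a shell function. This is an added example, not NubiferOS's own wrapper code: the function name `aws_with_pass`, the entry layout `cloud/aws/<profile>` (secret key on the first line, plus an `access_key_id:` line) and the `AUDIT_LOG` variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration; hypothetical wrapper, not NubiferOS's own code.
# Assumptions (not from the page): pass entry "cloud/aws/<profile>" whose
# first line is the secret key and which carries an "access_key_id: ..." line;
# audit log path taken from $AUDIT_LOG.

aws_with_pass() {
    # Refuse to run without a command: a bare VAR=value line would otherwise
    # assign the secret in the calling shell instead of a child process.
    if [ "$#" -lt 2 ]; then
        echo "usage: aws_with_pass <profile> <command> [args...]" >&2
        return 2
    fi
    local profile entry blob secret key_id
    profile="$1"; shift
    entry="cloud/aws/${profile}"

    # Fetch: pass decrypts the entry with GPG; no plaintext file is created.
    blob="$(pass show "$entry")" || {
        echo "aws_with_pass: cannot read ${entry}" >&2; return 1; }
    secret="$(printf '%s\n' "$blob" | sed -n '1p')"
    key_id="$(printf '%s\n' "$blob" | sed -n 's/^access_key_id: //p')"
    if [ -z "$secret" ] || [ -z "$key_id" ]; then
        echo "aws_with_pass: malformed entry ${entry}" >&2; return 1
    fi

    # Log: who used which entry for which program. The secret and the
    # command's arguments are deliberately left out of the record.
    printf '%s user=%s entry=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$entry" "$1" \
        >> "${AUDIT_LOG:-$HOME/.aws-cred-audit.log}"

    # Inject: assignment prefixes set the variables for this one child only.
    # They never appear on a command line (unlike `env VAR=... cmd`) and are
    # not exported into the calling shell.
    AWS_ACCESS_KEY_ID="$key_id" AWS_SECRET_ACCESS_KEY="$secret" "$@"
}
```

With a matching entry in the store, `aws_with_pass dev aws s3 ls` runs the CLI with credentials present only in that process's environment.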
Workspace Isolation
Each workspace runs in isolated Linux namespaces via Firejail:
| What's Isolated | Security Benefit |
|---|---|
| Filesystem | Each workspace sees only its own credentials |
| Processes | Can't see or signal other workspace processes |
| IPC | No shared memory attacks between workspaces |
→ How workspace isolation works
Read-Only Mode
Lock workspaces to prevent destructive operations:
```bash
# Lock workspace (no sudo needed)
nubifer-workspace ro
# Or use the shortcut: nw ro

# Unlock for 15 minutes (requires sudo, auto-reverts)
sudo nubifer-workspace rw -d 15
# Or: sudo nw rw -d 15
```
| Mode | Indicator | Behavior |
|---|---|---|
| Read-Only | RO (green) | Destructive commands blocked |
| Read-Write | RW (red) | All commands allowed |
→ Workspace management guide
Security Dashboard
Monitor your security posture:
| Check | What It Verifies |
|---|---|
| CPU Mitigations | Spectre, Meltdown, RETBleed protection |
| Disk Encryption | LUKS enabled and configured |
| Network Security | Firewall active, default-deny policy |
| Credential Status | Vault status, credential count |
```bash
# Launch dashboard
nubifer-dashboard

# Quick CLI check
sudo verify-security
```
Cloud Tools (50+)
Choose what you need during installation. Don't need Azure tools? Don't install them.
| Category | Examples |
|---|---|
| Cloud CLIs | AWS CLI, Azure CLI, gcloud |
| Infrastructure as Code | Terraform, Pulumi, Ansible |
| Containers & K8s | Docker, kubectl, Helm, k9s |
| CI/CD & GitOps | GitHub CLI, ArgoCD, Flux |
| IDEs | VS Code, IntelliJ, PyCharm |
→ Full tool list
Battle-Tested Tools
We use proven, audited tools, not custom implementations:
| Tool | Purpose | In Use Since |
|---|---|---|
| GPG | Credential encryption | 1999 (25+ years) |
| pass | Password management | 2012 |
| Firejail | Application sandboxing | 2014 |
| AppArmor | Mandatory access control | 2007 |
| LUKS | Disk encryption | 2004 |
Privacy First
| Aspect | NubiferOS Approach |
|---|---|
| Telemetry | None. Zero data collection. |
| Network calls | Credentials never leave your machine |
| External services | No cloud dependencies for security |
| Audit | All code is open source (GPL-3.0) |
Get Started
Download NubiferOS Quick Start Guide
Learn More
| Topic | Link |
|---|---|
| Why NubiferOS? | How we compare to alternatives |
| Security Architecture | Defense-in-depth details |
| Built with AI | Our AI-assisted development story |
| About | Project philosophy and roadmap |