LPS Linux now TENS – Trusted End Node Security


Trusted End Node Security
Last Update: 2018-03-24 02:03 UTC

[Trusted End Node Security]

OS Type: Linux
Based on: Thinstation
Origin: USA
Architecture: i386
Desktop: Xfce
Category: Live Medium, Privacy, Security
Status: Active
Popularity: 212 (34 hits per day)

Trusted End Node Security (TENS), previously called Lightweight Portable Security (LPS), is a Linux-based live CD with a goal of allowing users to work on a computer without the risk of exposing their credentials and private data to malware, key loggers and other Internet-era ills. It includes a minimal set of applications and utilities, such as the Firefox web browser or an encryption wizard for encrypting and decrypting personal files. The live CD is a product produced by the United States of America’s Department of Defence and is part of that organization’s Software Protection Initiative.

Popularity (hits per day): 12 months: 175 (47), 6 months: 212 (34), 3 months: 198 (36), 4 weeks: 165 (39), 1 week: 173 (41)

Average visitor rating: 6.88/10 from 8 review(s).

This was, as LPS, a “live CD” that I’d use if I wanted a pretty much secure disposable desktop for browsing on an alien machine, such as in a library or on a random PC at a worksite. It’s sort of a hardened Knoppix with less stuff in it. You get a browser, LibreOffice, and an encryption engine.

I’d expect it to be pretty much secure against most outside attacks, but I’d also expect there would be an NSA supplied backdoor in it somewhere (since it is being made publicly available and we just know the NSA would not want a sister agency locking them out of things…). So I’d not trust it to keep me secure and private from US Government TLAs. But it is pretty darned good for making that old PC in the corner into a “no tracking no malware” workstation for a day. Or, put it on a USB stick and you can have files persist over sessions.

I ran into this rebranding in an article here:


Why TENS is the secure bootable Linux you need

If you’re looking for a security-minded live Linux distribution, TENS makes desktop protection incredibly simple.

By Jack Wallen | October 3, 2018, 10:45 AM PST

TENS stands for Trusted End Node Security. TENS is a non-installable, bootable Linux distribution that creates a secure end node from trusted media on almost any Intel-based computer, before booting into the operating system. No hard drive is mounted, no installer is offered. It’s temporary, it’s easy to use, and it turns an untrusted system into a trusted network client.

Before you get too excited, TENS isn’t a pen-testing distro for admins to use to harden their network. TENS is a live desktop Linux distribution that gives the user a level of security they would not have with a standard desktop. That means it’s great to use in places where network security is questionable, or when you need to submit sensitive data, and you don’t trust a standard desktop operating system. In other words, anytime you need to use a network for the transmission of sensitive data, TENS Linux could easily be a top choice for users.
There are three different versions of TENS. Each edition is developed for (and used by) the US Department of Defence, but the developers do provide public versions. The three versions are:

TENS-Public is a safe, general-purpose solution for using web-based applications and accessing CAC and PIV-enabled web pages. This version of TENS includes a standard and Deluxe version. TENS-Public Deluxe includes the open-source LibreOffice software suite. Both the standard and Deluxe versions are available to download for free on the TENS Download Page. This version of TENS is not intended to be an obfuscation tool, but rather to be a safe operating environment for web-based activity. The Encryption Wizard Public Edition is included in TENS-Public.

TENS-Professional is similar to TENS-Public but is offered exclusively to non-DoD federal organizations. It is customized by TENS engineers to include specific applications, pre-configured settings for VPN and/or VDI, firewall configuration, web proxy, time zone, desktop background, browser bookmarks, etc. Encryption Wizard Government Edition is included in this build.

Bootable Media is the secure, DoD version of TENS. Bootable Media has a strong legacy of providing secure remote access to DoD civilian, military, and contractor personnel.

The article then does a test drive complete with screen shots and a short “HowTo” on encrypting files.

It would be a quick and easy way to exchange private messages. Boot this, type up the message, drop it into the encryption engine, then email the result to a friend who also boots a copy, then decrypts it. You just need an “out of band” password exchange. Such as by phone, or physically handing them a “one off book”, or just a pre-agreed strategy / system:

Use the King James Bible, I’ll say a page, line and word count. So 5-23-6 would be the fifth page, 23 line, first 6 words. Then maybe once a year or so you change the agreed book (send the ISBN in an encrypted file…) That kind of thing. Or just agree to use the name of the Playboy Bunny for each month ;-) (Though I’ve heard they are / have gotten rid of pictures, but have not confirmed that… I think internet porn has put a crimp in their former market…)

Note that “pen-testing” is short for penetration testing, where a systems admin boots a Linux with a load of hacking tools and looks for exposures and weaknesses. (Yes, I’ve done that. Got to review a list of exposures at a large site where I was employed as a PM Project Manager, then nag the folks until the exposures were closed.)

Since this installs nothing and saves nothing to your disk, should someone decide to confiscate your computer to see what you’ve been doing, they get nothing. Just don’t leave the USB stick laying around with the un-encrypted files on it… (I’d use a micro-SD card in a USB adapter and then put that dinky little chip somewhere easy to trash, hard to find. Like on top of an anvil with a sledge hammer near it ;-)

One amusing side note:

In Firefox, when I went to download TENS, I got a stern warning about how the certificate issuer was “unknown”!! Yes, the US Government Military is unknown… Now I know some folks have a jihad on against “self signed certificates” demanding everyone pony up money to the few ‘recognized’ cert issuing companies, but really…

Certificate Warning for the DOD .mil site

Certificate Warning for the DOD .mil site

Looking at the cert, it looked OK to me. Maybe I’m missing something, but I think it’s pretty clear it is just a US Gov self signed cert.

Inspecting the DOD certificate

Inspecting the DOD certificate

Also of interest, their users manual was last updated in 2015 and still calls it LPS (61 page pdf):


They seem to have the same “stuff” up at a couple of URLs. Here’s the “home page” that Distrowatch points at:


Trusted End Node Security

Trusted End Node Security (TENS™) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). TENS™ boots a thin Linux operating system from removable media without mounting a local hard drive. Administrator privileges are not required; nothing is installed. TENS™ turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity or malware can be written to the local computer. Simply plug in your USB smart card reader to access CAC and PIV-restricted US government websites.

TENS™ differs from traditional operating systems in that it isn’t continually patched. TENS™ is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session. A user can improve security by rebooting between sessions, or when about to undertake a sensitive transaction. For example, boot TENS™ immediately before performing any online banking transactions. TENS™ should also be rebooted immediately after visiting any risky websites, or when the user has reason to suspect malware might have been loaded. In any event, rebooting when idle is an effective strategy to ensure a clean computing session.

TENS™ is updated on a regular basis. Be sure to update to the latest version to have the latest protection and most recent drivers.

Each of the TENS™ products (TENS-Public, TENS-Professional, and Bootable Media) was created to address particular use cases.

TENS-Public is a safe, general-purpose solution for using web-based applications and accessing CAC and PIV-enabled web pages. TENS-Public Deluxe includes the open-source LibreOffice software suite. Both operating systems are available to download for free on the TENS™ website, as we contribute to the open source community. CAC middleware is integrated into the TENS™ operating system. TENS-Public is not intended to be an obfuscation tool; it is designed to be a safe operating environment for web-based activity. Encryption Wizard Public Edition is included in TENS-Public. Customizations are not available for this product.

TENS-Professional is similar to TENS-Public but is offered exclusively to non-DoD federal organizations. It is customized by TENS™ engineers. Customization options include selecting specific applications, pre-configured settings for VPN and/or VDI, firewall configuration, web proxy, time zone, desktop background, browser bookmarks, etc. Encryption Wizard Government Edition is included in this build. TENS-Professional is currently used by several Federal organizations, primarily to help remote users securely connect to their organization’s private networks.

Bootable Media is the secure, DoD version of TENS™. Bootable Media has a strong legacy of providing secure remote access to DoD civilian, military, and contractor personnel. Bootable Media is the TENS™ flagship product and has a supported user base numbering in the hundreds of thousands. Development, sustainment, and configuration is centrally funded by DISA, so each DoD organization doesn’t need to pay for this product. Customization is available and completed for all the features included in TENS-Professional, in addition to including DoD-specific accreditation controls. Bootable Media has an Authorization to Operate (ATO) for DoD networks.
Operating Requirements

In order to use TENS™, you need:

A computer system with x86 processor supporting Physical Address Extensions (PAE). TENS™ is supported on standard PCs and Intel-based Macs. Beginning with the next major release, TENS™ will be a 64-bit-only OS and thus will be incompatible with 32-bit hardware.
1 GB RAM (1.5 GB for Deluxe). Remember that system RAM will be used for the in-memory filesystem as well as for running whatever software you use.
For networking, any of (a) wired Ethernet, (b) wireless (Wifi) connectivity, or (c) tethered cellular broadband, is supported. We highly recommend providing some kind of DHCP service.
The ability to boot from either USB or CD/DVD; TENS™ is usable from either medium. This may require changing BIOS settings and is not something that TENS™ can perform automatically.
For accessing CAC/PIV-enabled websites,
a CAC/PIV (the TENS™ office does not provide these)
a USB CCID-complient smartcard reader with updated firmware
For printing, either a networked or a local USB-connected printer.

Configure your BIOS to either ask which boot media to use (often pressing F12 or F9 during boot) or to always attempt to boot from USB or CD-ROM. Ensure that the boot media is inserted. Power up or boot the computer.

Once booted, you will be presented with a desktop environment with a Start menu. The applications may be started either from the menu or by double-clicking desktop icons. The Firefox web browser is a good place to begin using TENS™.

These are the instructions for using USB sticks, either for storing your own data while running TENS™, or for booting TENS™ itself from a USB device. We also have some introductory notes on burning the ISO image to a CD.

And while the Distrowatch page points to this “download mirror”:


A web search sent me to this location (also a .mil site):


I suppose if I cared enough I could download from both sites and compare the binaries to see if they are, in fact, identical. But I don’t care that much. I rarely use any i86 machines anymore. I have saved a copy of the recent release as they state it is the last one that will support 32 bit CPUs. The next one will be 64 bit only. So this is the last one that will work on all-but-one of my old PC boxes.

The distrowatch package list includes SystemD, but under init system it says “other”. Not sure what that means. I may see if one of the older releases is pre-SystemD (though it would be lacking recent security patches…). Then again, for a live CD or USB Stick, I’m not really going to be configuring it and doing maintenance on it, so if it is SystemD I’ll generally not interact with that part. For a “disposable system” I likely don’t care that much what init it uses.

In Conclusion:

If you have an Intel based PC or use one in a public place (one where you can reboot it onto your supplied OS…) this can be a nice way to “leave no fingerprints” on the file system of the machine.

It is likely to support a fairly broad set of computers as the DOD expects this to be used all over the place on who knows what hardware.

I’d not use if for anything that a Government Three Letter Agency might consider “of interest”, at least not without checking if it does any kind o “Phone Home” at start-up (put a sniffer on the network or have your IDS / IPS tattle on it…); or just use it with the network unplugged and copy the encrypted file to another machine for the sending of email.

I would be quite happy to use it as a simple way to send email that Google Gmail and others can’t snoop into.

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits and tagged , , , . Bookmark the permalink.

1 Response to LPS Linux now TENS – Trusted End Node Security

  1. E.M.Smith says:

    Feeling guilty about my DNS server not doing encryption, I decided to look up what it would take to add it. Found a “how to” guide. It includes some interesting and caustic comments about Windows 10:


    A lot of the words in the original of this text are links to other places describing the horrors of Windows 10 snoop level in more detail.

    Blocking Microsoft Telemetry on the network by domain

    It seems Microsoft has added a whole bunch of telemetry (spyware) analytics to Windows itself, whereby the OS now calls home with various information regarding it’s usage. Back porting to previous versions of Windows is not an option, because the telemetry patches have also been back ported to 7/8.1.

    Changing the knobs in Windows to stop this activity doesn’t silence it completely, and they can always be reset with another update from Microsoft. It is however unlikely they will change the domains that are looked up. More information about that can be found here. You should also consider ditching Windows entirely and using a proper operating system that does not contain intrusive malware here are a few choices to consider.

    As this is a network router, it might be prudent to block those domains.

    This script takes in a list of domains and produces a filter file. We are directing all lookups to “” which is an invalid IP and should fail immediately, unlike localhost. There are lists of the addresses in various places such as the tools people use to do this locally on Windows, ie Destroy-Windows-10-Spying, DisableWinTracking, Debloat-Windows-10 and Dominator.Windows10. I have prepared the list further down: Linux Router with VPN on a Raspberry Pi#/etc/unbound/filter.conf

    You could also use this to block advertising, but that’s probably easier to do in a web browser with something like uBlock Origin.

    Another way is to disable this stuff with a group policy see Manage connections from Windows operating system components to Microsoft services only for Windows 10 Enterprise, version 1607 and newer and Windows Server 2016.

    I’m just soooo glad I don’t “do” Windows ;-)

    The conf file is a few pages long, all just to stop MS Spying…

    I like the idea of using a broken IP instead of local host. I use local host to suppress ad sites and sometimes, even with a mini-web-server running on the Pi, it takes time for the fetch of the page to fail. So “whenever” I get around to doing the encryption change I’m going to swap the returned address too.

    Their link to preferred OSs to replace MS is interesting as a site. It also has a couple of interesting privacy and security oriented choices:



    Don’t use Windows 10 – It’s a privacy nightmare

    Worth Mentioning

    OpenBSD – A project that produces a free, multi-platform 4.4BSD-based UNIX-like operating system. Emphasizes portability, standardization, correctness, proactive security and integrated cryptography.
    Arch Linux – A simple, lightweight Linux distribution. It is composed predominantly of free and open-source software, and supports community involvement. Parabola is a completely open source version of Arch Linux.
    Whonix – A Debian GNU/Linux based security-focused Linux distribution. It aims to provide privacy, security and anonymity on the internet. The operating system consists of two virtual machines, a “Workstation” and a Tor “Gateway”. All communication are forced through the Tor network to accomplish this.
    Subgraph OS – Another Debian based Linux distribution, it features security hardening which makes it more resistant to security vulnerabilities. Subgraph runs many desktop applications in a security sandbox to limit their risk in case of compromise. By default, it anonymizes Internet traffic by sending it through the Tor network. Note: It is still in alpha, and much testing and bug fixing still has to be done.

    That “nightmare” link says:

    Don’t use Windows 10 – It’s a privacy nightmare
    Microsoft introduced a lot of new features in Windows 10 such as Cortana. However, most of them are violating your privacy.

    Data syncing is by default enabled.
    Browsing history and open websites.
    Apps settings.
    WiFi hotspot names and passwords.
    Your device is by default tagged with a unique advertising ID.
    Used to serve you with personalized advertisements by third-party advertisers and ad networks.
    Cortana can collect any of your data.
    Your keystrokes, searches and mic input.
    Calendar data.
    Music you listen to.
    Credit Card information.
    Microsoft can collect any personal data.
    Your identity.
    Interests and habits.
    Usage data.
    Contacts and relationships.
    Location data.
    Content like emails, instant messages, caller list, audio and video recordings.

    Your data can be shared.
    When downloading Windows 10, you are authorizing Microsoft to share any of above mentioned data with any third-party, with or without your consent.

    This tool uses some known methods that attempt to disable major tracking features in Windows 10.
    Some good news

    WindowsSpyBlocker – Open source tool that blocks data collection.
    Comparison of Windows 10 Privacy tools – ghacks.net
    Fix Windows 10 privacy. – fix10.isleaked.com
    Windows 10 doesn’t offer much privacy by default: Here’s how to fix it. – Ars Technica.
    Guide: How to disable data logging in W10.

    More bad news

    Windows 10 Sends Your Data 5500 Times Every Day Even After Tweaking Privacy Settings – The Hacker News.
    Even when told not to, Windows 10 just can’t stop talking to Microsoft. It’s no wonder that privacy activists are up in arms. – Ars Technica.
    Windows 10 Reserves The Right To Block Pirated Games And ‘Unauthorized’ Hardware. – Techdirt.

    Friends don’t let friends run Windows…

Comments are closed.