TLXOS Security Features: An Overview
TLXOS, developed by ThinLinX Pty Ltd, is a lightweight, Debian-based thin client operating system designed with security in mind, particularly for remote access and digital signage. Its architecture emphasizes immutability, isolation, and controlled access to minimize vulnerabilities. These features make TLXOS suitable for environments requiring robust protection, such as enterprise remote desktops or public displays.
1. Read-Only Core with RAM Disk Overlay (Immutability and Tamper Resistance)
TLXOS operates as a “very secure small custom Debian Linux based Operating System” with a core file system that is inherently resistant to persistent changes. It uses a tmpfs (temporary file system) mounted on /run for any runtime modifications, such as installing additional software or temporary configs. This RAM-based overlay ensures that changes are volatile—lost on reboot—preventing malware or unauthorized alterations from surviving power cycles.
- How it works: The tmpfs can be resized dynamically (e.g., via mount -o remount,size=85% /run) to allocate more RAM for storage, but it defaults to a minimal footprint (<1GB RAM total system requirement).
- Benefits: This design makes it “impossible to brick” the device, as the base OS remains untouched. It’s ideal for kiosks or shared devices where security breaches could otherwise persist.
2. Easy Factory Reset Mechanisms
To recover from potential issues or enforce compliance, TLXOS supports quick resets to factory defaults, erasing all user configurations and customizations.
- Methods:
  - Local shortcut: Press Ctrl + Alt + r twice within 2 seconds from the desktop.
  - Remote via TMS: Use the free ThinLinX Management Software (TMS) to trigger a reset over the network.
  - Console access: Available in ThinLinX Firmware Maintenance (TFM) mode, which activates post-trial if licensing fails.
This feature ensures rapid recovery (without physical intervention when triggered via TMS), reducing downtime and exposure to compromised states.
3. VPN Support for Secure Remote Connections
TLXOS integrates VPN capabilities to encrypt traffic, especially useful for the RePC Live USB mode, which boots in isolation from the host OS.
- WireGuard: Built-in kernel module since version 4.10.0 (including 5.0.3 and 5.2.3). Configure manually as root by editing /etc/wireguard/wg0.conf with private/public keys (generated via wg genkey and wg pubkey). Enable with systemctl enable wg-quick@wg0 and reboot. This provides lightweight, high-performance encryption for tunneling to remote desktops or apps.
- OpenVPN: Supported for pre-configured secure tunnels, particularly in work-from-home setups via RePC Live USB. IT admins can deploy it via TMS for encrypted access to corporate resources.
These options ensure data in transit remains protected, even over untrusted networks.
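As an added example (not ThinLinX code), the following Python renders a wg0.conf of the shape the WireGuard step above describes, creates it with mode 0600 so the private key is never group- or world-readable, and audits an existing file for loose permissions or malformed keys; the keys, addresses and endpoint are constructed placeholders, and on a real device the keys come from wg genkey and wg pubkey.

```python
import base64
import os
import tempfile

# Constructed placeholder keys (32 bytes of 0x41 / 0x42, base64); real ones come from wg genkey / wg pubkey.
PLACEHOLDER_PRIVATE_KEY = "QUFB" * 10 + "QUE="
PLACEHOLDER_PEER_PUBKEY = "QkJC" * 10 + "QkI="

def check_key(key):
    """A WireGuard key is 32 raw bytes, i.e. exactly 44 base64 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def render_wg0_conf(private_key, address, peer_pubkey, endpoint, allowed_ips):
    """Build the text of /etc/wireguard/wg0.conf, refusing malformed keys up front."""
    if not (check_key(private_key) and check_key(peer_pubkey)):
        raise ValueError("malformed WireGuard key")
    return (f"[Interface]\nPrivateKey = {private_key}\nAddress = {address}\n\n"
            f"[Peer]\nPublicKey = {peer_pubkey}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = {allowed_ips}\nPersistentKeepalive = 25\n")

def write_private(path, text):
    # Create with mode 0600 from the first instant: the file holds the private key.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # O_CREAT mode is ignored for a pre-existing file; tighten it too

def audit_conf(path):
    """Return findings for an existing wg0.conf; an empty list means it passes."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append(f"{path} is readable by group/other (mode {mode:o})")
    with open(path) as f:
        for line in f:
            key, _, value = line.partition("=")
            if key.strip() in ("PrivateKey", "PublicKey") and not check_key(value.strip()):
                findings.append(f"malformed {key.strip()}")
    return findings

def demo():
    """Write a placeholder wg0.conf to a scratch dir; audit it at 0600, then again at 0644."""
    path = os.path.join(tempfile.mkdtemp(), "wg0.conf")
    write_private(path, render_wg0_conf(PLACEHOLDER_PRIVATE_KEY, "10.0.0.2/32",
                  PLACEHOLDER_PEER_PUBKEY, "vpn.example.invalid:51820", "10.0.0.0/24"))
    clean = audit_conf(path)
    os.chmod(path, 0o644)  # simulate a careless chmod after hand-editing
    return clean, audit_conf(path)
```

Running audit_conf against the real /etc/wireguard/wg0.conf after the manual edit is a quick check that the enable-and-reboot step is not leaving the private key readable to every local account.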
4. Secure Remote Access and Shadowing (VNC with SSL)
For administrative shadowing or remote support, TLXOS uses encrypted VNC protocols.
- VNC Shadowing: Initiate locally with Ctrl + Alt + s, requiring user consent (background changes to ochre during session). Configure the device as a VNC server with SSL encryption via stunnel, using command-line arguments like “-listen” on port 5500. This works through firewalls and NAT, with sessions ending on reboot.
- TMS Integration: All remote management (reboots, upgrades, hotfixes) occurs over secure SSL connections, allowing global device discovery and control without exposing ports unnecessarily.
- RDP Enhancements: For Microsoft RDP/RemoteFX, enable Network Level Authentication (NLA) via TMS to prevent unauthorized access.
Unencrypted modes are available for non-interactive uses (e.g., signage) but are discouraged.
5. Access Controls and Authentication
TLXOS layers multiple controls to restrict unauthorized changes.
- Tlxconfig Password Protection: Set a “Restricted Feature Password” via TMS or the Misc Tab in Tlxconfig. Once enabled, local configuration access requires the password, blocking casual tampering.
- Licensing Security: 30-day trials activate via encrypted keys from https://tls.thinlinx.com. Permanent licenses are revocable, preventing reuse on stolen devices. Proxy/firewall configs ensure secure activation.
- Root Access: Limited to SSH sessions (e.g., via PuTTY from TMS) with passcodes, used only for advanced tasks like VPN setup.
6. Isolation in Live and Diskless Modes
- RePC Live USB: Boots entirely in RAM, isolated from the host PC’s OS, preventing cross-contamination. Remove the USB to revert to the local system—perfect for secure, temporary remote work.
- Diskless PXE Boot: Supports network booting (e.g., on Raspberry Pi 3B+/4/5) without local storage, reducing physical attack surfaces. Enable PXE server mode on devices, but avoid concurrent use with remote desktops for added security.
7. Additional Security Layers
- AUFS Layering: Uses a custom kernel for overlay file systems, enhancing the base Debian (Bookworm) or Raspbian core with secure layering for updates without altering the root.
- Hotfix and Update Management: Delivered via USB or TMS, with admin-only installation to patch vulnerabilities quickly.
- Development Expertise: Backed by engineers with backgrounds in defense and network security, ensuring a focus on reliability.
In summary, TLXOS prioritizes a “fail-safe” design: immutable by default, easy to reset, and encrypted where it counts. For deployments in sensitive environments, combine these with TMS for centralized oversight.