Secure by default. Auditable by design.
kldload doesn't bolt on security after the fact. Every design choice — from the read-only ISO to the ephemeral live session to the signed kernel modules — is made with the assumption that the system will run in hostile environments.
Secure Boot & MOK
Machine Owner Key signing
kldload generates a unique RSA-2048 MOK keypair during installation. Every ZFS kernel module is automatically signed. DKMS is configured to sign future builds. On Secure Boot systems, the MOK enrollment happens on first boot via the standard MokManager.
This means ZFS works on Secure Boot systems out of the box. No disabling Secure Boot. No unsigned modules. No warnings.
Air-gap / darksite
Zero internet. Zero phone home. Zero dependency.
Every ISO ships with a complete package mirror baked in. Installation requires no internet connection, no DNS, no DHCP from an upstream network. The ISO is the deployment. The bytes that leave your build host are the bytes that boot on the target.
Chain of custody is absolute. SHA-256 checksum at build time. Byte-identical at deploy time. No transformation, no last-mile download, no "please wait while we fetch 400 packages."
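An added example (not kldload's own code) of checking that chain of custody by hand: it verifies an image against a build-time checksum manifest, then reads back the written medium and compares only the image-sized prefix. The manifest layout (sha256sum output) and every file name are assumptions.

```sh
#!/bin/sh
# Added example, not kldload code. Assumes the build host recorded checksums
# in sha256sum format ("<hex>  name" or "<hex> *name"); paths are hypothetical.

# expected_hash MANIFEST IMAGE: print the recorded hash for IMAGE's basename.
expected_hash() (
    name=$(basename -- "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print tolower($1); exit }' "$1") || exit 2
    # Fail closed on a missing or malformed entry instead of comparing against "".
    [ "${#want}" -eq 64 ] || exit 2
    case $want in *[!0-9a-f]*) exit 2 ;; esac
    printf '%s\n' "$want"
)

# hash_prefix FILE NBYTES: SHA-256 of the first NBYTES bytes of FILE.
hash_prefix() (
    out=$(head -c "$2" "$1" | sha256sum) || exit 2
    printf '%s\n' "${out%% *}"
)

# verify_medium MANIFEST IMAGE TARGET
#   0 = TARGET carries the recorded bytes, 1 = mismatch, 2 = cannot decide.
# TARGET (USB stick, disk) is normally larger than the image, so hashing the
# whole device would never match; only the first size(IMAGE) bytes are hashed.
verify_medium() (
    [ -r "$2" ] && [ -r "$3" ] || exit 2
    want=$(expected_hash "$1" "$2") || exit 2
    size=$(( $(wc -c < "$2") ))
    got=$(hash_prefix "$3" "$size") || exit 2
    [ "$got" = "$want" ] || exit 1
)

# verify_image MANIFEST IMAGE: the image file checked against its own length.
verify_image() { verify_medium "$1" "$2" "$2"; }

# Usage (hypothetical names):
#   verify_image  SHA256SUMS image.iso
#   verify_medium SHA256SUMS image.iso /dev/sdX
```

A return code of 2 means the check could not be made (no manifest entry, unreadable file) and should be treated as a failure, not as a pass.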
Ephemeral live session
Live mode writes nothing to disk
The live desktop runs entirely from RAM. No swap, no disk writes, no persistent state. When you power off, everything is gone. SSH keys, WireGuard keys, browser history — gone.
kpoof goes further: it actively scrubs sensitive material from RAM before shutdown. Shreds CA keys, zeroes WireGuard private keys, clears temp files, and drops the page cache.
Package holds
Critical packages can't be accidentally upgraded
The kernel, ZFS modules, bootloader, and Secure Boot tools are marked as held. Automatic updates won't touch them. When you're ready to upgrade these, kupgrade handles it with an automatic pre-upgrade snapshot. If the upgrade breaks boot, roll back.
100% auditable
Every line of code is a readable bash script
No compiled binaries. No vendor SDKs. No obfuscation. The installer is bash. The tools are bash. The web UI is Python. cat any of them and read what they do.
If you don't trust it, audit it. If you want to change it, fork it. That's what open source means.