FreezeOS — Secure. Immutable. Fleet-Managed.

// capabilities

Built for the Edge

Every component engineered for zero-trust environments where reliability is non-negotiable.

Immutable Root

Read-only squashfs base with a persistent overlay. The core system cannot be modified at runtime — only via verified OTA updates.

A/B System Updates

Dual system slots enable zero-downtime OTA updates. Automatic rollback after 3 failed boot attempts protects against bad updates.

Full-Disk Encryption

AES-XTS with 512-bit keys on every partition. Server tokens unlock system; user PIN derives keys for personal data via PBKDF2.

Fleet Management

Central enrollment, provisioning, and health monitoring. Manage thousands of devices from a single API with revoke and suspend controls.

Hardware Diagnostics

17+ component tests covering CPU, GPU, storage, memory, and network. Health scoring from 0–100 with automated reporting to fleet.

Recovery Modes

Network recovery re-provisions from fleet server. Safe mode bypasses overlay. Manual rollback reverts to previous system slot.

FreezeLog

Remote debug sharing via encrypted HTTP. Capture boot logs, install traces, and system diagnostics — streamed to your log receiver.

Tron Desktop

Custom XFCE theme with cyan glow borders, wireframe icons, compositor effects, and a purpose-built wallpaper. Beauty meets function.

// encryption architecture

Security Deep-Dive

Every byte on disk is encrypted. Two independent key domains isolate system integrity from user privacy.

9-Partition Layout

ESP

512 MB • FAT32
EFI Boot

/boot

1 GB • ext4
Kernels, configs, tokens

System A ↔ System B

8 GB each • LUKS • Server-key unlock
Immutable squashfs • A/B dual-slot

Apps

4–12 GB • LUKS
Persistent overlay upper

App Data

4–12 GB • LUKS
PIN-derived key

User Storage

Remainder • LUKS • PIN-derived key
/home — personal data

Swap

RAM-based • LUKS
PIN-derived key

BIOS Boot

2 MB
Legacy grub

Server-key partitions PIN-derived partitions

AES-XTS-512

Disk Encryption

600,000

PBKDF2 Iterations

RSA-4096

Device Certificates

HMAC-SHA256

Token Signing

Boot Authentication Flow

Token Validation

System token read from /boot, HMAC-SHA256 signature verified, expiry checked. Expired tokens accepted for key extraction; invalid tokens halt boot.

LUKS Decrypt

Server-provided AES key extracted from token payload. System partition unlocked via LUKS. On failure, recovery mode initiated.

Integrity Verify

SHA-256 hash of squashfs image compared against signed manifest. Mismatch triggers automatic rollback to alternate slot.

Overlay Mount

Read-only squashfs as lower, apps partition as persistent upper. User config and PAM hooks injected. switch_root to systemd.

PIN Unlock

User enters PIN at LightDM login. PBKDF2-HMAC-SHA256 derives 64-byte key from PIN + certificate fingerprint + salt. Unlocks data, appdata, and swap.

Factor 1: Server Token

Fleet-issued, time-limited token contains encrypted LUKS key. Automatic at boot — no user interaction required. Unlocks system and apps partitions.

Factor 2: User PIN

Knowledge factor entered at login. Combined with device certificate fingerprint via PBKDF2 to derive unique encryption key for personal data.

// fleet management

Command Your Fleet

Enroll, provision, monitor, and update every device from a single control plane.

Enrollment Pipeline

Boot ISO on target device↓

Run hardware diagnostics↓

Receive tokens + signed cert↓

Partition & install OS↓

Device online & checking in

Dashboard Controls

Enroll new devices

Revoke compromised nodes

Suspend & re-provision

View health cards (0–100)

Push OTA updates

Monitor checkin history

OTA Update Pipeline

Download squashfs image↓

SHA-256 integrity verify↓

Write to inactive slot (B)↓

Flip A/B active slot↓

Reboot into new system↓

Auto-rollback if 3 failures

Token Lifecycle

System Token7-day expiry

Apps Token30-day expiry

Tokens auto-refresh on device checkin. Expired tokens still decrypt (key is valid) — only tampered tokens are rejected. Revoked devices get empty token response, locking system on next boot.

// system architecture

Under the Hood

A vertically-integrated boot chain from GRUB to desktop, engineered for integrity at every layer.

Boot Flow

GRUB EFI

→

initramfs

→

Token Validate

→

LUKS Decrypt

→

SHA-256 Verify

→

Overlay Mount

→

switch_root

→

systemd

→

LightDM

→

PIN Unlock

→

Desktop

A/B Slot Design

Active

Slot A

version: 2.9.30
verified: true
boot_attempts: 0
status: running

Slot B

version: 2.9.28
verified: true
boot_attempts: 0
status: standby

Immutable OS Model

Overlay Upper (Apps partition, persistent) Read-Write

OverlayFS Merge — unified root filesystem

SquashFS Lower (System partition, immutable) Read-Only

User-installed packages and config changes write to the overlay upper on the Apps partition. The base system image is never modified. Safe mode boots with a tmpfs overlay, bypassing all user modifications. Factory reset wipes the overlay, restoring pristine state.