football/docs/PRD.md
Charles N Wyble 626e49c3e7 fix: preseed.cfg UEFI partitioning and user password prompts
- Add EFI System Partition (ESP) for UEFI boot support
- Add $defaultignore{ } to LVM partitions for proper crypto handling
- Add in_vg{ knel_vg } and lv_name{ } for explicit volume placement
- Change debconf priority from critical to high to allow user password prompts
- Update documentation dates to 2026-02-19
- Update ISO size references from 450 MB to 816 MB
- Update checksums to current values

Fixes installer error "No root file system is defined"
Fixes missing non-root user password prompt

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-02-19 23:29:31 -05:00


KNEL-Football Secure OS - Product Requirements Document (PRD)

Version: 1.0
Status: Active
Copyright: © 2026 Known Element Enterprises LLC
License: GNU Affero General Public License v3.0 only
Last Updated: 2026-02-19


Executive Summary

KNEL-Football Secure OS is a hardened Debian 13 Linux distribution designed for secure tier0 infrastructure access. The system implements a defense-in-depth security architecture with full disk encryption as a mandatory requirement, ensuring data protection against physical access attacks and unauthorized disclosure.

Key Differentiators

  • Mandatory Full Disk Encryption (FDE) - LUKS-based encryption for all system storage
  • Network Isolation - VPN-only access with WireGuard
  • Minimal Attack Surface - Only essential services and applications
  • Hardware Disabled - WiFi and Bluetooth permanently disabled
  • Immutable Configuration - Package management disabled by default
  • Privacy-Focused - No telemetry, no user data collection

System Architecture

IMPORTANT CLARIFICATION: KNEL-Football OS serves as a secure remote terminal for accessing tier0 infrastructure. It does NOT directly access tier0 infrastructure itself.

Architecture:

┌───────────────────┐
│ KNEL-Football OS  │  ← Secure workstation with FDE
│ (Remote Terminal) │
└─────────┬─────────┘
          │
          │ SSH/WireGuard
          │
          ▼
┌───────────────────┐
│ Privileged Access │  ← Physical workstation in secure facility
│    Workstation    │
└─────────┬─────────┘
          │
          │ Direct Access
          │
          ▼
┌───────────────────┐
│   Tier0 Network   │  ← Protected infrastructure
│  Infrastructure   │
└───────────────────┘

Access Model:

  1. User boots KNEL-Football OS on secure laptop (FDE required)
  2. OS connects via WireGuard VPN to secure network
  3. User uses SSH/Remmina to access privileged workstation
  4. Privileged workstation (physical) accesses tier0 infrastructure
  5. No direct tier0 access from KNEL-Football OS

This creates a two-factor security model:

  • Factor 1: Physical possession of KNEL-Football OS workstation
  • Factor 2: Access to privileged workstation in secure facility

Product Vision

To provide the most secure, compliant, and user-friendly operating system for tier0 infrastructure access, protecting sensitive data and systems through comprehensive encryption, network isolation, and defense-in-depth security controls.


Product Scope

In Scope

  • Full disk encryption (LUKS) for all storage devices
  • Debian 13 base system with security hardening
  • IceWM desktop environment
  • WireGuard VPN client with QR code import
  • Network firewall with default-deny policy
  • SSH client for outbound remote access
  • USB device automount with restrictions
  • Automated ISO build process
  • Comprehensive security testing suite

Out of Scope

  • General-purpose computing applications
  • Internet browsing capabilities
  • Application package manager
  • Wireless networking support
  • Bluetooth support
  • Cloud storage integration
  • Multi-user support (single-user system)

Functional Requirements

FR-001: Full Disk Encryption (MANDATORY)

Priority: P0 (Critical) Status: Required

Description: The system MUST implement full disk encryption using LUKS (Linux Unified Key Setup) to protect all data at rest. Encryption must be mandatory and cannot be bypassed during installation.

Requirements:

  1. LUKS2 Format - Use LUKS2 with Argon2id key derivation
  2. AES-XTS Encryption - AES-256-XTS cipher with 512-bit key size
  3. Root Filesystem Encryption - The root filesystem must live inside the LUKS container
  4. Separate Boot Partition - Unencrypted /boot for bootloader (UEFI requirement)
  5. Key Recovery - Support for multiple passphrases/key slots
  6. Integrity Protection - Authenticated encryption or dm-integrity layer
  7. Secure Key Storage - No plaintext keys stored anywhere on the system

Encryption Passphrase Requirements (MANDATORY):

  • Minimum Length: 14 characters (20+ characters strongly recommended)
  • Character Classes: Minimum 3 of 4 required:
    • Uppercase letters (A-Z) - At least 1 required
    • Lowercase letters (a-z) - At least 1 required
    • Digits (0-9) - At least 1 required
    • Special characters (!@#$%^&*) - At least 1 required
  • Prohibited Patterns:
    • No common words (password, secret, admin, root, etc.)
    • No sequential characters (123, abc, qwerty)
    • No repeated characters (maximum 2 consecutive)
  • Security Notes:
    • Passphrase is required at EVERY system boot
    • No backdoor or recovery mechanism without valid passphrase
    • Loss of passphrase = permanent data loss
    • Store passphrase in secure password manager
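The passphrase policy above as a POSIX sh + awk check that an installer hook could call before accepting a passphrase (added example, not the project's own code). It assumes the "3 of 4 classes" rule is the binding one, reads "sequential" as three ASCII-consecutive characters (abc, 123) or the word qwerty, and "repeated" as one character three times in a row.

```sh
#!/bin/sh
# Passphrase policy check for the FR-001 rules (added example, not project
# code). POSIX sh plus awk so it can run from a preseed hook. Prints one
# reason per failing rule on stderr; exit status 0 means the passphrase passes.
check_passphrase() {            # $1 = candidate passphrase
    printf '%s' "$1" | awk '
    BEGIN {
        for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i   # printable ASCII codes
        split("password secret admin root qwerty", banned, " ")
        bad = 0
    }
    NR == 1 {
        n = length($0)
        if (n < 14) { print "too short: " n " characters, minimum is 14"; bad = 1 }

        # Rule: at least 3 of the 4 character classes (assumed binding rule).
        classes  = ($0 ~ /[A-Z]/) + ($0 ~ /[a-z]/)
        classes += ($0 ~ /[0-9]/) + ($0 ~ /[^A-Za-z0-9]/)
        if (classes < 3) { print "only " classes " of 4 character classes present"; bad = 1 }

        # Rule: no common words, matched case-insensitively as substrings.
        low = tolower($0)
        for (k in banned) {
            if (index(low, banned[k])) { print "contains prohibited word: " banned[k]; bad = 1 }
        }

        # Rules: one pass over the characters tracks ascending runs (abc, 123)
        # and identical runs (aaa); either reaching length 3 is a violation.
        prevc = ""; prevcode = -100; seq = 1; rep = 1
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            code = (c in ord) ? ord[c] : -100        # non-ASCII never extends a run
            seq = (code == prevcode + 1) ? seq + 1 : 1
            rep = (c == prevc) ? rep + 1 : 1
            if (seq == 3) { print "sequential characters ending at position " i; bad = 1 }
            if (rep == 3) { print "character repeated 3 times at position " i; bad = 1 }
            prevc = c; prevcode = code
        }
    }
    END {
        if (NR == 0) { print "empty passphrase"; bad = 1 }
        exit bad
    }' >&2
}

# Installer hook usage (reprompt until the policy passes):
#   while ! check_passphrase "$candidate"; do read -r candidate; done
```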

Implementation Details:

/dev/sda1    512M   EFI System Partition (ESP)
/dev/sda2    512M   /boot (ext4, unencrypted)
/dev/sda3    Remainder   LUKS2 encrypted partition
  └─ cryptroot    AES-256-XTS    / (ext4)

Security Properties:

  • Data unreadable without correct passphrase
  • No backdoors or recovery mechanisms by default
  • Protected against cold boot attacks
  • Protected against disk imaging attacks
  • Compliant with NIST SP 800-111

FR-002: Operating System Base

Priority: P0 Status: Required

Requirements:

  1. Base Distribution - Debian 13 (Trixie) Testing
  2. Architecture - AMD64 (x86_64) only
  3. Kernel - Latest stable kernel with security patches
  4. Security Patches - All available security patches applied
  5. Minimal Packages - Only essential packages installed

FR-003: Desktop Environment

Priority: P1 Status: Required

Requirements:

  1. Window Manager - IceWM (minimal resource footprint)
  2. Display Manager - LightDM with privacy mode
  3. Theme - Dark, privacy-focused theme
  4. Applications - Remmina (remote desktop), Mousepad (text editor)

Privacy Features:

  • Hide usernames in login screen
  • Disable guest account
  • Disable auto-login
  • Disable user list display

FR-004: Network Isolation

Priority: P0 Status: Required

Requirements:

  1. WireGuard VPN - Required for all network access
  2. No Direct Internet - All traffic through VPN tunnel
  3. Firewall Rules - Default deny, specific allow rules
  4. QR Code Import - Easy VPN configuration import
  5. Dynamic Firewall - Rules adapt to VPN endpoints

Allowed Traffic:

  • WireGuard VPN traffic to configured endpoints
  • DNS through VPN tunnel only
  • Outbound through VPN interface only

FR-005: Hardware Control

Priority: P0 Status: Required

Requirements:

  1. WiFi Disabled - Permanently disabled via kernel module blacklist
  2. Bluetooth Disabled - Permanently disabled via kernel module blacklist
  3. USB Restricted - Controlled automount with security restrictions
  4. No Wireless Cards - System should not have wireless hardware

Blacklisted Modules:

  • WiFi: rtl*, iwl*, ath*, brcm*, mwifi*, rt2*
  • Bluetooth: btusb, bluetooth

FR-006: SSH Client (Outbound Only)

Priority: P1 Status: Required

Requirements:

  1. SSH Client Only - No SSH server, no inbound SSH access
  2. Key-Based Authentication - SSH keys for connecting to remote systems
  3. Hardened Client Config - Modern ciphers, strict host key checking
  4. No Password Auth - Public key authentication only for outbound connections
  5. Key Management - Secure storage of user SSH private keys

Important: This system accepts NO inbound connections. SSH is client-only for initiating outbound connections to privileged access workstations.

FR-007: System Hardening

Priority: P0 Status: Required

Requirements:

  1. Password Policy - 14+ character minimum, complexity required
  2. Audit Logging - Comprehensive system activity logging
  3. Resource Limits - Prevent resource exhaustion attacks
  4. Service Hardening - Disable unnecessary services
  5. Kernel Parameters - Secure kernel parameter tuning

Disabled Services:

  • avahi-daemon (zeroconf)
  • cups (printing)
  • bluetooth service
  • NetworkManager (managed via scripts)

FR-008: USB Device Handling

Priority: P1 Status: Required

Requirements:

  1. Automount Support - Automatic USB device mounting
  2. Restricted Permissions - No auto-execution
  3. User Mount Points - /media/username/device
  4. Filesystem Support - FAT32, exFAT, NTFS, ext4
  5. Audit Logging - Track USB device insertion/removal

Security Restrictions:

  • No automatic program execution
  • No symbolic links from USB
  • No device special files from USB
  • Read-only mode for untrusted USB (optional)

FR-009: System Immutability

Priority: P1 Status: Required

Requirements:

  1. Package Management Disabled - No apt/dpkg commands for users
  2. Immutable Configuration - Critical files have immutable attributes
  3. No Auto-Updates - Updates via ISO rebuild only
  4. Configuration Tracking - Detect configuration tampering

Protected Directories:

  • /etc (system configuration)
  • /usr (system binaries)
  • /boot (bootloader)
  • /bin, /sbin (essential binaries)

FR-010: ISO Build Process

Priority: P1 Status: Required

Requirements:

  1. Reproducible Builds - Identical outputs from identical inputs
  2. Docker-Based - All build operations in Docker containers
  3. Checksum Verification - SHA256 and MD5 checksums for ISO
  4. Build Logging - Complete build audit trail
  5. Automated Testing - Comprehensive test suite execution

Build Artifacts:

  • ISO image (~1-2 GB)
  • SHA256 checksum file
  • MD5 checksum file
  • Build report (optional)

FR-011: Host System Full Disk Encryption (MANDATORY)

Priority: P0 (Critical) Status: Required

Description: The host system used to build or test KNEL-Football ISO images MUST have full disk encryption enabled. Building a secure operating system on an unencrypted host defeats the entire security model and creates a supply chain risk.

Requirements:

  1. LUKS Encryption Required - Host must use LUKS for disk encryption
  2. Build Enforcement - ./run.sh iso command MUST fail if host FDE not detected
  3. VM Test Enforcement - ./run.sh test:iso commands MUST fail if host FDE not detected
  4. No Bypass - This check cannot be disabled or bypassed
  5. Clear Error Message - Users receive clear guidance on how to enable FDE

Detection Methods:

  • Check for LUKS devices via lsblk -o TYPE,FSTYPE
  • Check /etc/crypttab for configured encrypted partitions
  • Check if root filesystem is on a dm-crypt device
  • Check for dm-crypt devices in /sys/block/dm-*

Rationale:

  • An unencrypted build host could be compromised, affecting all built ISOs
  • An unencrypted test host exposes the secure OS to attacks during testing
  • Supply chain security requires securing the entire build pipeline
  • Defense in depth requires protection at every layer

User Guidance (if FDE not detected):

  1. Backup all data
  2. Reinstall with "Guided - use entire disk and set up encrypted LVM"
  3. Or use tools like encrypt-existing-debian for in-place encryption
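The four detection methods and the user guidance of FR-011 as a shell gate (added example, not the project's run.sh). Each detector takes its input as text or a directory so it can be exercised on constructed data; check_host_fde feeds them live output from lsblk, findmnt, /etc/crypttab and /sys/block.

```sh
#!/bin/sh
# Host full-disk-encryption gate for FR-011 (added example, not project code).

# Detector 1: an lsblk TYPE/FSTYPE listing contains a LUKS or dm-crypt device.
lsblk_shows_luks() {            # $1 = output of: lsblk -no TYPE,FSTYPE
    printf '%s\n' "$1" |
        awk '$1 == "crypt" || $2 == "crypto_LUKS" { found = 1 } END { exit !found }'
}

# Detector 2: /etc/crypttab (or any crypttab-style file) declares a mapping.
crypttab_has_entry() {          # $1 = path
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*[^#[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# Detector 3: the root filesystem is stacked on a dm-crypt device somewhere
# below it (covers LVM-on-LUKS, where the direct source is of type lvm).
root_chain_has_crypt() {        # $1 = output of: lsblk -sno TYPE <root source>
    printf '%s\n' "$1" | awk '$1 == "crypt" { found = 1 } END { exit !found }'
}

# Detector 4: a device-mapper target carries a cryptsetup LUKS UUID
# (cryptsetup names its mappings CRYPT-LUKS1-... or CRYPT-LUKS2-...).
dm_sysfs_has_crypt() {          # $1 = directory laid out like /sys/block
    for f in "$1"/dm-*/dm/uuid; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in CRYPT-LUKS*) return 0 ;; esac
    done
    return 1
}

# Gate for the build and VM-test entry points: any one positive detector is
# enough; none means refuse, with the PRD's remediation guidance.
check_host_fde() {
    root_src=$(findmnt -no SOURCE / 2>/dev/null || true)
    if lsblk_shows_luks "$(lsblk -no TYPE,FSTYPE 2>/dev/null || true)" ||
       crypttab_has_entry /etc/crypttab ||
       root_chain_has_crypt "$(lsblk -sno TYPE "$root_src" 2>/dev/null || true)" ||
       dm_sysfs_has_crypt /sys/block; then
        echo "host full disk encryption detected"
        return 0
    fi
    cat >&2 <<'EOF'
ERROR: no full disk encryption detected on this host (FR-011).
Building or testing KNEL-Football on an unencrypted host is refused.
To enable FDE: back up all data, then reinstall Debian with
"Guided - use entire disk and set up encrypted LVM", or encrypt the
existing installation in place (for example with encrypt-existing-debian).
EOF
    return 1
}

# Run the gate only when invoked as "<script> gate", not when sourced.
if [ "${1:-}" = gate ]; then
    check_host_fde
fi
```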

Non-Functional Requirements

NFR-001: Security

Priority: P0

Requirements:

  • Full disk encryption (LUKS2, AES-256-XTS)
  • Defense-in-depth architecture
  • Zero-trust network model
  • Compliance with security frameworks (NIST, ISO 27001)
  • No backdoors or secret keys

NFR-002: Performance

Priority: P2

Requirements:

  • Boot time < 60 seconds (including LUKS passphrase prompt)
  • Disk I/O overhead < 5% with encryption
  • Memory usage < 2 GB at idle
  • CPU usage < 5% at idle

NFR-003: Reliability

Priority: P1

Requirements:

  • Mean time between failures (MTBF) > 720 hours
  • Graceful degradation on errors
  • Comprehensive error handling
  • Automatic recovery where possible

NFR-004: Usability

Priority: P1

Requirements:

  • Intuitive installation process
  • Clear error messages
  • Comprehensive documentation
  • Minimal training required

NFR-005: Maintainability

Priority: P1

Requirements:

  • Clean code structure
  • Comprehensive testing
  • Well-documented configuration
  • Automated build and deployment

NFR-006: Compliance

Priority: P0

Requirements:

  • NIST SP 800-53 (Security Controls)
  • NIST SP 800-111 (Disk Encryption)
  • ISO/IEC 27001 (Information Security)
  • CIS Benchmarks for Debian Linux
  • DISA STIG for Linux

Security Architecture

Encryption Layer

Full Disk Encryption (FDE)

  • Cipher: AES-256-XTS
  • Key Size: 512 bits
  • Mode: LUKS2
  • KDF: Argon2id (PBKDF2 fallback)
  • Integrity: dm-integrity layer (optional)

Key Management

  • Primary: User passphrase (required during boot)
  • Recovery: Optional key slot for emergency recovery
  • Storage: Keys never stored in plaintext
  • Rotation: Key change support via cryptsetup

Network Security Layer

VPN-Only Access

  • Protocol: WireGuard
  • Encryption: ChaCha20-Poly1305
  • Authentication: Public/private key pairs
  • Configuration: Dynamic endpoint-based firewall rules

Firewall Rules

Default Policy: DROP ALL

Inbound Rules:
- NONE (all inbound traffic denied)
- Established/related connections allowed (for return traffic only)

Outbound Rules:
- WireGuard VPN traffic to endpoints only
- DNS through VPN tunnel only
- ALL traffic through VPN interface only
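A generator for the ruleset described under Firewall Rules and FR-004, with the endpoint read from the imported WireGuard config so the rules adapt to it (added example, not the project's firewall scripts). Interface names wg0 and eth0 and an IPv4 endpoint are assumptions.

```sh
#!/bin/sh
# nftables ruleset generator for the FR-004 policy (added example, not project
# code). Nothing is applied here: the ruleset is printed for review and can be
# piped to "nft -f -" by the caller.

# Print "host port" from the Endpoint line of a WireGuard config file.
endpoint_from_wg_conf() {       # $1 = path to wg-quick style config
    awk -F= 'tolower($1) ~ /^[ \t]*endpoint[ \t]*$/ {
        gsub(/[ \t]/, "", $2); n = split($2, a, ":"); print a[1], a[n]; exit
    }' "$1"
}

# Emit the ruleset: default drop everywhere, loopback and return traffic only
# inbound, and outbound limited to the WireGuard endpoint on the uplink plus
# anything on the tunnel interface (so DNS has to go through the VPN too).
gen_ruleset() {                 # $1 = endpoint IPv4, $2 = endpoint UDP port
    ep_ip=$1; ep_port=$2; wg_if=${3:-wg0}; up_if=${4:-eth0}
    # Validate before interpolating: a malformed Endpoint must never reach nft.
    case "$ep_ip" in
        ''|*[!0-9.]*) echo "gen_ruleset: bad endpoint address: $ep_ip" >&2; return 1 ;;
    esac
    case "$ep_port" in
        ''|*[!0-9]*) echo "gen_ruleset: bad endpoint port: $ep_port" >&2; return 1 ;;
    esac
    cat <<EOF
flush ruleset
table inet knel_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        # The only traffic allowed onto the uplink is WireGuard to the endpoint.
        oifname "$up_if" ip daddr $ep_ip udp dport $ep_port accept
        # Everything else, DNS included, goes through the tunnel or not at all.
        oifname "$wg_if" accept
    }
}
EOF
}

# Example wiring after a QR import (assumed config path):
#   set -- $(endpoint_from_wg_conf /etc/wireguard/wg0.conf) && gen_ruleset "$1" "$2" | nft -f -
```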

System Security Layer

Kernel Hardening

  • Module blacklisting (WiFi, Bluetooth)
  • Secure kernel parameters
  • Restricted ptrace scope
  • Kernel address space layout randomization (KASLR)

Process Security

  • Resource limits (ulimits)
  • Service hardening (systemd sandboxing)
  • Mandatory access control (optional SELinux/AppArmor)

Access Control Layer

Authentication

  • Password Policy: 14+ characters, complexity required
  • SSH: Client-only, key-based authentication for outbound connections
  • Sudo: Limited sudo access for authorized users

Authorization

  • User Groups: Minimal necessary groups only
  • File Permissions: Secure default permissions
  • Sudo Configuration: Specific command permissions
  • Audit Logging: Track all privilege usage

Data Requirements

DR-001: Data at Rest

Priority: P0

Requirements:

  • All system data encrypted at rest (LUKS2)
  • Encryption key protected by user passphrase
  • No plaintext data storage
  • Secure deletion of temporary files

DR-002: Data in Transit

Priority: P0

Requirements:

  • All network traffic encrypted via VPN
  • SSH encryption for remote access
  • TLS for any HTTPS traffic (if applicable)
  • No plaintext protocols allowed

DR-003: Data Retention

Priority: P2

Requirements:

  • Log retention: 90 days minimum
  • User data: User-controlled
  • System data: Until reinstallation
  • Secure wipe on decommission

User Requirements

UR-001: Target Users

  1. Tier0 Infrastructure Engineers - Primary users
  2. System Administrators - Secondary users
  3. Security Auditors - Compliance verification users

UR-002: User Scenarios

Scenario 1: Initial System Installation

  1. Boot ISO on target hardware
  2. Configure disk encryption passphrase
  3. Complete automated installation
  4. Reboot into encrypted system
  5. Configure WireGuard VPN

Scenario 2: Daily System Use

  1. System prompts for encryption passphrase at boot
  2. User logs in (username/password)
  3. VPN automatically connects
  4. User accesses infrastructure via SSH/Remmina

Scenario 3: USB Data Transfer

  1. User inserts USB device
  2. System automatically mounts to /media/username/device
  3. User copies files to/from USB
  4. User safely removes USB device

Scenario 4: VPN Configuration

  1. User scans QR code with camera
  2. System imports WireGuard configuration
  3. Firewall rules updated automatically
  4. VPN connection established

UR-003: User Interface Requirements

Login Screen:

  • Display system name only
  • No user list (privacy mode)
  • Require username entry
  • Require password entry
  • No guest account option

Desktop Environment:

  • Minimal interface (IceWM)
  • Application launcher
  • System tray (VPN status indicator)
  • Terminal access
  • No unnecessary widgets

Technical Requirements

TR-001: System Requirements

Minimum Hardware:

  • CPU: x86_64 (AMD64), 2 cores
  • RAM: 4 GB (8 GB recommended)
  • Storage: 64 GB SSD (128 GB recommended)
  • Network: Ethernet (1 Gbps recommended)
  • UEFI: UEFI 2.3+ firmware

Recommended Hardware:

  • CPU: x86_64 (AMD64), 4+ cores
  • RAM: 8 GB
  • Storage: 256 GB NVMe SSD
  • Network: Ethernet 10 Gbps
  • UEFI: UEFI 2.7+ with Secure Boot

Unsupported Hardware:

  • 32-bit systems (x86, ARM32)
  • Legacy BIOS systems
  • Systems without UEFI firmware
  • Systems with < 4 GB RAM
  • Systems with < 64 GB storage

TR-002: Software Requirements

Included Software:

  • Debian 13 base system
  • Linux kernel (latest stable)
  • IceWM window manager
  • LightDM display manager
  • WireGuard and tools
  • OpenSSH client
  • nftables firewall
  • Remmina (remote desktop)
  • Mousepad (text editor)
  • zbar-tools (QR code scanning)

Excluded Software:

  • Package managers (apt/dpkg for users)
  • Wireless drivers and tools
  • Bluetooth stack
  • Printing system (CUPS)
  • Cloud storage clients
  • Media players
  • Web browsers

TR-003: Encryption Requirements

LUKS2 Configuration:

  • Cipher: aes-xts-plain64
  • Key size: 512 bits (XTS splits this into two 256-bit AES keys)
  • Hash: SHA-512
  • KDF: Argon2id (with appropriate iterations)
  • Salt size: 512 bits
  • Key slots: 8 maximum (default: 1 used)
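A check that a formatted LUKS header actually carries the parameters listed above, as TST-003's encryption verification would need (added example, not project code). The luksDump sample is constructed; on a real system the checker is fed `cryptsetup luksDump` output.

```sh
#!/bin/sh
# LUKS2 header compliance check against TR-003 (added example, not project
# code). Formatting to this spec is not run here; for reference it is:
#   cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
#       --key-size 512 --hash sha512 --pbkdf argon2id /dev/sda3

# Constructed luksDump output in the LUKS2 layout, used as sample input.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-4000-8000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        AF hash:    sha512
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha512'

# Exit 0 when the header is LUKS2 and every keyslot uses aes-xts-plain64 with a
# 512-bit key and argon2id; otherwise list each deviation on stderr and exit 1.
verify_luks_dump() {            # $1 = text of: cryptsetup luksDump <device>
    printf '%s\n' "$1" | awk '
        /^Version:/           { version = $2 }
        /^Keyslots:/          { in_slots = 1; next }
        /^(Tokens|Digests):/  { in_slots = 0 }   # the digest legitimately uses pbkdf2
        in_slots && /^[ \t]+[0-9]+:/     { slots++; id[slots] = $1; sub(/:$/, "", id[slots]) }
        in_slots && /^[ \t]+Cipher:/     { cipher[slots] = $2 }
        in_slots && /^[ \t]+Cipher key:/ { keybits[slots] = $3 }
        in_slots && /^[ \t]+PBKDF:/      { pbkdf[slots] = $2 }
        END {
            bad = 0
            if (version != "2") { print "header version " version ", LUKS2 required"; bad = 1 }
            if (slots == 0)     { print "no keyslots found"; bad = 1 }
            for (i = 1; i <= slots; i++) {
                if (cipher[i] != "aes-xts-plain64") { print "keyslot " id[i] ": cipher " cipher[i]; bad = 1 }
                if (keybits[i] != "512")  { print "keyslot " id[i] ": key size " keybits[i] " bits"; bad = 1 }
                if (pbkdf[i] != "argon2id") { print "keyslot " id[i] ": PBKDF " pbkdf[i]; bad = 1 }
            }
            exit bad
        }' >&2
}

# Live usage on the installed system:
#   verify_luks_dump "$(cryptsetup luksDump /dev/sda3)"
```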

Partition Layout (UEFI):

/dev/sda1    512M    EFI System Partition (FAT32)
/dev/sda2    512M    /boot (ext4, unencrypted)
/dev/sda3    Remainder    LUKS2 encrypted container
  └─ cryptroot (mapped device)    / (ext4)

Boot Process:

  1. UEFI firmware loads GRUB from EFI System Partition
  2. GRUB loads kernel and initramfs from /boot
  3. initramfs prompts for encryption passphrase
  4. LUKS container unlocked with passphrase
  5. Root filesystem mounted
  6. System boots normally

Compliance Requirements

CR-001: Regulatory Compliance

NIST SP 800-53 (Security and Privacy Controls)

  • AC-2: Account Management
  • AC-3: Access Enforcement
  • AC-6: Least Privilege
  • AU-2: Audit Events
  • AU-3: Content of Audit Records
  • AU-6: Audit Review, Analysis, and Reporting
  • CM-3: Configuration Change Control
  • CM-7: Least Functionality
  • CM-8: System Components Inventory
  • CP-7: Alternate Storage Site
  • CP-9: System Backup
  • CP-10: Information System Recovery and Reconstitution
  • IA-2: Identification and Authentication
  • IA-5: Authenticator Management
  • SC-8: Transmission Confidentiality and Integrity
  • SC-12: Cryptographic Key Establishment and Management
  • SC-13: Cryptographic Protection
  • SC-28: Protection of Information at Rest

NIST SP 800-111 (Guide to Storage Encryption)

  • Full disk encryption implementation
  • Cryptographic algorithm selection
  • Key management procedures
  • Authentication requirements

ISO/IEC 27001:2013 (Information Security)

  • A.9 Access Control
  • A.10 Cryptography
  • A.12 Operations Security
  • A.14 System Acquisition, Development, and Maintenance

CIS Benchmarks for Debian Linux

  • Initial setup guidelines
  • Logging and monitoring
  • Network configuration
  • System access, authentication, and authorization

DISA STIG for Linux

  • Firewall configuration
  • System services configuration
  • File permissions and ownership

CR-002: Security Compliance

Encryption Standards:

  • FIPS 140-2 Level 1 (certified algorithms)
  • FIPS 197 (AES encryption)
  • FIPS 180-4 (SHA hash functions)
  • FIPS 202 (SHA-3 hash functions)

Cryptographic Protocols:

  • TLS 1.3 (for any HTTPS)
  • WireGuard protocol (VPN)
  • SSH-2 protocol

Key Management:

  • Secure key generation (CSPRNG)
  • Secure key storage
  • Key rotation support
  • Secure key destruction

Testing Requirements

TST-001: Unit Testing

Coverage:

  • All security hardening scripts
  • Configuration generation scripts
  • Key management functions
  • Firewall rule generation

Test Cases:

  • WiFi/Bluetooth module blacklisting verification
  • SSH configuration validation
  • Firewall rule validation
  • Password policy enforcement

TST-002: Integration Testing

Test Scenarios:

  • Complete ISO build process
  • Installation in virtual machine
  • Encryption setup and verification
  • VPN configuration and connectivity
  • USB device handling

TST-003: Security Testing

Test Areas:

  • Full disk encryption verification
  • Network isolation testing
  • Firewall rule validation
  • Authentication mechanism testing
  • Privilege escalation prevention

TST-004: Compliance Testing

Validation:

  • NIST SP 800-53 control coverage
  • NIST SP 800-111 encryption guidelines
  • CIS Benchmark compliance
  • Security configuration validation

TST-005: Performance Testing

Metrics:

  • Boot time with encryption
  • Disk I/O performance impact
  • Memory usage at idle
  • Network throughput over VPN

Quality Assurance

QA-001: Code Quality

Standards:

  • Shell scripts: Shellcheck compliant
  • Configuration: Follow Debian conventions
  • Documentation: Clear and complete
  • Version control: Git with meaningful commits

QA-002: Build Quality

Requirements:

  • Reproducible builds
  • Clean build logs
  • No build warnings
  • Automated checksum verification

QA-003: Release Quality

Criteria:

  • All tests passing
  • Security scan clean
  • Documentation complete
  • Signed release artifacts

Documentation Requirements

DOC-001: User Documentation

Required Documents:

  1. User Manual (installation and daily use)
  2. Troubleshooting Guide
  3. Security Configuration Guide
  4. VPN Configuration Guide

DOC-002: Technical Documentation

Required Documents:

  1. System Architecture Documentation
  2. Security Model Documentation
  3. Build Process Documentation
  4. API/Configuration Documentation

DOC-003: Developer Documentation

Required Documents:

  1. Contributor Guidelines
  2. Code Style Guide
  3. Testing Guidelines
  4. Release Process Documentation

DOC-004: Compliance Documentation

Required Documents:

  1. Security Control Implementation Guide
  2. Compliance Matrix (NIST, ISO, CIS)
  3. Risk Assessment Report
  4. Penetration Test Reports

Deployment Requirements

DEP-001: Distribution

Distribution Methods:

  • ISO image download (official website)
  • Secure distribution (HTTPS, verified checksums)
  • GPG signature verification
  • Release announcement channels

DEP-002: Installation

Installation Methods:

  • USB bootable media (recommended)
  • Virtual machine deployment (testing)
  • Automated installation (preseed configuration)
  • Manual installation (expert mode)

Installation Requirements:

  • UEFI firmware (mandatory)
  • 64-bit AMD64 architecture
  • Minimum 64 GB storage
  • Minimum 4 GB RAM
  • Ethernet network interface

DEP-003: Updates

Update Strategy:

  • Major updates: New ISO release
  • Security patches: New ISO release
  • Configuration changes: New ISO release
  • No in-place system updates

Update Frequency:

  • Major releases: Quarterly
  • Security releases: As needed
  • Emergency releases: Critical vulnerabilities only

Risk Management

RISK-001: Security Risks

High Priority Risks:

  1. Encryption Bypass - Attackers attempt to bypass encryption

    • Mitigation: LUKS2, strong passphrase, secure key management
  2. Physical Access - Attackers gain physical access to hardware

    • Mitigation: Full disk encryption, secure boot, TPM (optional)
  3. VPN Compromise - VPN endpoint or configuration compromised

    • Mitigation: Key rotation, endpoint hardening, audit logging

Medium Priority Risks:

  4. USB Attacks - Malicious USB devices inserted

    • Mitigation: Restricted mounting, no auto-execution, audit logging
  5. Privilege Escalation - Users attempt to gain root access

    • Mitigation: Strong passwords, sudo restrictions, audit logging
  6. Configuration Drift - System configuration modified

    • Mitigation: Immutable attributes, audit logging, compliance checks

RISK-002: Operational Risks

Risks:

  • Lost encryption passphrase (data loss)
  • System corruption (reinstallation required)
  • Hardware failure (recovery procedures needed)
  • User error (documentation and training)

Mitigations:

  • Backup key slot recommendation
  • Comprehensive recovery documentation
  • Regular system backups (if applicable)
  • Clear user documentation

Success Criteria

SC-001: Technical Success

  • Full disk encryption implemented and functional (MANDATORY)
  • ISO builds successfully (reproducible)
  • All tests passing (100% pass rate)
  • Security controls implemented (100% coverage)

SC-002: Security Success

  • Full disk encryption verified (LUKS2, AES-256-XTS)
  • Compliance achieved (NIST, ISO, CIS)
  • Security assessment passed (critical vulnerabilities = 0)
  • Penetration test passed (high-severity issues = 0)

SC-003: Operational Success

  • System boots within 60 seconds (with passphrase prompt)
  • Disk I/O overhead < 5% with encryption
  • User can complete common tasks without issues
  • Documentation is comprehensive and accurate

Future Enhancements

FE-001: Potential Enhancements

  1. TPM Integration - Use TPM for passphrase storage (optional)
  2. Smart Card Support - Smart card-based authentication
  3. Hardware Security Module (HSM) - Enterprise key management
  4. Trusted Platform Module (TPM) - Boot attestation
  5. Secure Boot - Full secure boot chain verification
  6. SELinux/AppArmor - Mandatory access control
  7. Multi-User Support - Multiple user accounts (future consideration)
  8. Automated Backup - Encrypted backup solution
  9. Remote Wipe - Secure data destruction capability
  10. Hardware Inventory - Automatic hardware inventory tracking

FE-002: Research Areas

  1. Alternative Encryption - Evaluate dm-crypt with dm-integrity
  2. Post-Quantum Cryptography - Quantum-resistant algorithms
  3. Hardware Enclaves - Intel SGX or AMD SEV
  4. Containerization - Application-level isolation
  5. Zero Trust Networking - Enhanced zero-trust model

Appendix A: Terminology

Term        Definition
FDE         Full Disk Encryption - Encryption of entire storage device
LUKS        Linux Unified Key Setup - Disk encryption specification
LUKS2       Second version of LUKS with enhanced features
AES-XTS     Advanced Encryption Standard in XEX-based Tweaked CodeBook mode
KDF         Key Derivation Function - Derives encryption keys from password
UEFI        Unified Extensible Firmware Interface - Modern firmware interface
ESP         EFI System Partition - FAT32 partition for UEFI boot files
VPN         Virtual Private Network - Encrypted network tunnel
WireGuard   Modern, high-performance VPN protocol
nftables    Linux packet filtering framework
IceWM       Ice Window Manager - Lightweight window manager
LightDM     Light Display Manager - Cross-desktop display manager

Appendix B: References

  1. NIST SP 800-53: Security and Privacy Controls for Information Systems
  2. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
  3. ISO/IEC 27001:2013: Information Security Management Systems
  4. CIS Benchmarks: Center for Internet Security Security Configuration Guides
  5. DISA STIG: Defense Information Systems Agency Security Technical Implementation Guides
  6. LUKS Specification: https://gitlab.com/cryptsetup/LUKS2-docs
  7. WireGuard Protocol: https://www.wireguard.com/protocol/
  8. Debian Live Manual: https://live-team.pages.debian.net/live-manual/

Appendix C: Change History

Version   Date         Author               Changes
1.0       2026-01-28   KNEL-Football Team   Initial PRD with mandatory full disk encryption

Copyright © 2026 Known Element Enterprises LLC
License: GNU Affero General Public License v3.0 only

This PRD is maintained as part of the KNEL-Football project and is updated when requirements change or new features are added.