style: Add title card background color

2026-05-27 13:49:22 +00:00 · 2026-05-19 13:39:48 -05:00
parent 236b62ae02
commit c04418b10e
49 changed files with 630 additions and 3 deletions
@@ -25,6 +25,8 @@ We recommend installing GrapheneOS if you have a Google Pixel as it provides imp

 ## GrapheneOS

+{{< title-card >}}
+
 **GrapheneOS** is the best choice when it comes to privacy and security.

 GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
@@ -34,6 +36,8 @@ GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wik
  {{< card link="https://grapheneos.org/faq#privacy-policy" title="Privacy Policy" icon="eye" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 GrapheneOS supports [sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs Google Play Services fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as push notifications, while giving you full control over their permissions and access, and while containing them to a specific [work profile](../_index.md#work-profile) or [user profile](../_index.md#user-profiles) of your choice.

 [Google Pixel phones](../../../hardware/mobile-phones/index.md#google-pixel) are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#future-devices). The Pixel 8 and later support ARM's Memory Tagging Extension (MTE), a hardware security enhancement that drastically lowers the probability of exploits occurring through memory corruption bugs. GrapheneOS greatly expands the coverage of MTE on supported devices. Whereas the stock OS only allows you to opt in to a limited implementation of MTE via a developer option or Google's Advanced Protection Program, GrapheneOS features a more robust implementation of MTE by default in the system kernel, default system components, and their Vanadium web browser and its WebView.
@@ -22,6 +22,8 @@ We recommend a wide variety of Android apps throughout this site. The apps liste

 If your device is on Android 15 or greater, we recommend using the native [Private Space](../_index.md#private-space) feature instead, which provides nearly the same functionality without needing to place trust in and grant powerful permissions to a third-party app.

+{{< title-card >}}
+
 **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device.

 Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)).
@@ -31,6 +33,8 @@ Shelter supports blocking contact search cross profiles and sharing files across
  {{< card link="https://patreon.com/PeterCxy" title="Contribute" icon="heart" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 > [!WARNING]
 > When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile.

@@ -42,6 +46,8 @@ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular) a
 <small>Protects against the following threat(s):</small>
 [{{< badge content="Public Exposure" color="green" >}}](../../../../wiki/basics/common-threats/index.md#limiting-public-information)

+{{< title-card >}}
+
 **Secure Camera** is a camera app focused on privacy and security which can capture images, videos, and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices.

 {{< cards >}}
@@ -49,6 +55,8 @@ Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular) a
  {{< card link="https://grapheneos.org/usage#camera" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 [{{< badge content="Google Play" color="green" >}}](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play)
 [{{< badge content="GitHub" >}}](https://github.com/GrapheneOS/Camera/releases)
 [{{< badge content="GrapheneOS App Store" >}}](https://github.com/GrapheneOS/Apps/releases)
@@ -70,6 +78,8 @@ Main privacy features include:
 <small>Protects against the following threat(s):</small>
 [{{< badge content="Targeted Attacks" color="red" >}}](../../../../wiki/basics/common-threats/index.md#attacks-against-specific-individuals)

+{{< title-card >}}
+
 **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [WebView](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files.

 [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content.
@@ -79,6 +89,8 @@ Main privacy features include:
  {{< card link="https://grapheneos.org/donate" title="Contribute" icon="heart" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 [{{< badge content="Google Play" color="green" >}}](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play)
 [{{< badge content="GitHub" >}}](https://github.com/GrapheneOS/PdfViewer/releases)
 [{{< badge content="GrapheneOS App Store" >}}](https://github.com/GrapheneOS/Apps/releases)
@@ -18,6 +18,8 @@ There are many ways to obtain Android apps privately, even from the Play Store,

 ## Obtainium

+{{< title-card >}}
+
 **Obtainium** is an app manager which allows you to install and update apps directly from the developer's own releases page (i.e. GitHub, GitLab, the developer's website, etc.), rather than a centralized app store/repository. It supports automatic background updates on Android 12 and higher.

 {{< cards >}}
@@ -25,6 +27,8 @@ There are many ways to obtain Android apps privately, even from the Play Store,
  {{< card link="https://github.com/ImranR98/Obtainium/wiki" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 [{{< badge content="GitHub" >}}](https://github.com/ImranR98/Obtainium/releases)

 Obtainium allows you to download APK installer files from a wide variety of sources, and it is up to you to ensure those sources and apps are legitimate. For example, using Obtainium to install Signal from [Signal's APK landing page](https://signal.org/android/apk) should be fine, but installing from third-party APK repositories like Aptoide or APKPure may pose additional risks. The risk of installing a malicious *update* is lower, because Android itself verifies that all app updates are signed by the same developer as the existing app on your phone before installing them.
@@ -37,6 +41,8 @@ GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Ap

 The Google Play Store requires a Google account to log in, which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store.

+{{< title-card >}}
+
 **Aurora Store** is a Google Play Store client which does not require a Google account, Google Play Services, or microG to download apps.

 {{< cards >}}
@@ -44,6 +50,8 @@ The Google Play Store requires a Google account to log in, which is not great fo
  {{< card link="https://gitlab.com/AuroraOSS/AuroraStore/-/blob/master/POLICY.md" title="Privacy Policy" icon="eye" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 [{{< badge content="GitLab" >}}](https://gitlab.com/AuroraOSS/AuroraStore/-/releases)

 Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google. However, you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device.
@@ -31,6 +31,8 @@ Linux distributions are commonly recommended for privacy protection and software

 ### Fedora Linux

+{{< title-card >}}
+
 **Fedora Linux** is our recommended desktop distribution for people new to Linux. Fedora generally adopts newer technologies (e.g., [Wayland](https://wayland.freedesktop.org) and [PipeWire](https://pipewire.org)) before other distributions. These new technologies often come with improvements in security, privacy, and usability in general.

 {{< cards >}}
@@ -38,12 +40,16 @@ Linux distributions are commonly recommended for privacy protection and software
  {{< card link="https://docs.fedoraproject.org/en-US/docs" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 Fedora comes in two primary desktop editions, [Fedora Workstation](https://fedoraproject.org/workstation), which uses the GNOME desktop environment, and [Fedora KDE Plasma Desktop](https://fedoraproject.org/kde), which uses KDE. Historically, Fedora Workstation has been more popular and widely recommended, but KDE has been gaining in popularity and provides an experience more similar to Windows, which may make transitioning to Linux easier for some. The security and privacy benefits of both editions are very similar, so it mostly comes down to personal preference.

 Fedora has a semi-rolling release cycle. While some packages like the desktop environment are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.

 ### openSUSE Tumbleweed

+{{< title-card >}}
+
 **openSUSE Tumbleweed** is a stable rolling release distribution.

 openSUSE Tumbleweed uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem.
@@ -53,12 +59,16 @@ openSUSE Tumbleweed uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapp
  {{< card link="https://doc.opensuse.org" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 As with the recommendation to avoid X11 in our [criteria](#criteria) for Linux distributions, we recommend avoiding desktop environments that support only the legacy X11 window system (for example, Xfce). Currently, KDE Plasma defaults to X11, but Wayland is supported.

 Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality.

 ### Arch Linux

+{{< title-card >}}
+
 **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution, meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions).

 {{< cards >}}
@@ -66,6 +76,8 @@ Tumbleweed follows a rolling release model where each update is released as a sn
  {{< card link="https://wiki.archlinux.org" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.

 Being a DIY distribution, you are [expected to set up and maintain](../../../wiki/os/linux/index.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier.
@@ -78,6 +90,8 @@ A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org)

 ### Fedora Atomic Desktops

+{{< title-card >}}
+
 **Fedora Atomic Desktops** are variants of Fedora which use the `rpm-ostree` package manager and have a strong focus on containerized workflows and Flatpak for desktop applications. All of these variants follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.

 {{< cards >}}
@@ -85,6 +99,8 @@ A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org)
  {{< card link="https://docs.fedoraproject.org/en-US/emerging" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 [Fedora Atomic Desktops](https://fedoramagazine.org/introducing-fedora-atomic-desktops) come in a variety of flavors depending on the desktop environment you prefer. As with the recommendation to avoid X11 in our [criteria](#criteria) for Linux distributions, we recommend avoiding flavors that support only the legacy X11 window system.

 These operating systems differ from Fedora Workstation as they replace the [DNF](https://docs.fedoraproject.org/en-US/quick-docs/dnf) package manager with a much more advanced alternative called [`rpm-ostree`](https://coreos.github.io/rpm-ostree). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
@@ -97,6 +113,8 @@ As an alternative to Flatpaks, there is the option of [Toolbx](https://docs.fedo

 ### NixOS

+{{< title-card >}}
+
 **NixOS** is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.

 {{< cards >}}
@@ -104,6 +122,8 @@ As an alternative to Flatpaks, there is the option of [Toolbx](https://docs.fedo
  {{< card link="https://nixos.org/learn.html" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.

 NixOS also provides atomic updates. It first downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation: you can tell NixOS to activate it after reboot, or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
@@ -118,6 +138,8 @@ Nix is a source-based package manager; if there’s no pre-built available in th

 ### Whonix

+{{< title-card >}}
+
 **Whonix** is based on [Kicksecure](#kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and [anonymity](../../../wiki/basics/common-threats/index.md#anonymity-vs-privacy) on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).

 {{< cards >}}
@@ -125,6 +147,8 @@ Nix is a source-based package manager; if there’s no pre-built available in th
  {{< card link="https://whonix.org/wiki/Documentation" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.

 Some of its features include Tor Stream Isolation, [keystroke anonymization](https://whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/roddhjav/apparmor.d) and a [sandboxed app launcher](https://whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system.
@@ -133,6 +157,8 @@ Whonix is best used [in conjunction with Qubes](https://whonix.org/wiki/Qubes/Wh

 ### Tails

+{{< title-card >}}
+
 **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](../../software/tor/index.md) to preserve privacy and [anonymity](../../../wiki/basics/common-threats/index.md#anonymity-vs-privacy) while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.

 {{< cards >}}
@@ -140,6 +166,8 @@ Whonix is best used [in conjunction with Qubes](https://whonix.org/wiki/Qubes/Wh
  {{< card link="https://tails.net/doc/index.en.html" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 > [!WARNING]
 > Tails [doesn't erase](https://gitlab.tails.boum.org/tails/tails/-/issues/5356) the [video memory](https://en.wikipedia.org/wiki/Dual-ported_video_RAM) when shutting down. When you restart your computer after using Tails, it might briefly display the last screen that was displayed in Tails. If you shut down your computer instead of restarting it, the video memory will erase itself automatically after being unpowered for some time.

@@ -156,6 +184,8 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte

 ### Qubes OS

+{{< title-card >}}
+
 **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing through secure virtual machines (or "qubes"). Qubes is based on Xen, the X Window System, and Linux. It can run most Linux applications and use most of the Linux drivers.

 {{< cards >}}
@@ -163,12 +193,16 @@ By design, Tails is meant to completely reset itself after each reboot. Encrypte
  {{< card link="https://qubes-os.org/privacy" title="Privacy Policy" icon="eye" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 Qubes OS secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate *qubes*. Should one part of the system be compromised via an exploit in a [targeted attack](../../../wiki/basics/common-threats/index.md#attacks-against-specific-individuals), the extra isolation is likely to protect the rest of the *qubes* and the core system.

 For further information about how Qubes works, read our full [Qubes OS overview](../../../wiki/os/qubes/index.md) page.

 ### Secureblue

+{{< title-card >}}
+
 **Secureblue** is a security-focused operating system based on [Fedora Atomic Desktops](#fedora-atomic-desktops). It includes a number of [security features](https://secureblue.dev/features) intended to proactively defend against the exploitation of both known and unknown vulnerabilities, and ships with [Trivalent](https://github.com/secureblue/Trivalent), their hardened, Chromium-based web browser.

 {{< cards >}}
@@ -176,6 +210,8 @@ For further information about how Qubes works, read our full [Qubes OS overview]
  {{< card link="https://secureblue.dev/install" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 **Trivalent** is Secureblue's hardened Chromium for desktop Linux inspired by [GrapheneOS](../android/distributions/index.md#grapheneos)'s Vanadium browser.

 Secureblue also provides GrapheneOS's [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) and enables it globally (including for Flatpaks).
@@ -184,6 +220,8 @@ Secureblue also provides GrapheneOS's [hardened memory allocator](https://github

 While we [recommend against](../../../wiki/os/linux/index.md#release-cycle) "perpetually outdated" distributions like Debian for desktop use in most cases, Kicksecure is a Debian-based operating system which has been hardened to be much more than a typical Linux install.

+{{< title-card >}}
+
 **Kicksecure**—in oversimplified terms—is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. It also serves as the base OS for [Whonix](#whonix).

 {{< cards >}}
@@ -191,6 +229,8 @@ While we [recommend against](../../../wiki/os/linux/index.md#release-cycle) "per
  {{< card link="https://kicksecure.com/wiki/Privacy_Policy" title="Privacy Policy" icon="eye" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 ## Criteria

 Choosing a Linux distro that is right for you will come down to a huge variety of personal preferences, and this page is **not** meant to be an exhaustive list of every viable distribution. Our Linux overview page has some advice on [choosing a distro](../../../wiki/os/linux/index.md#choosing-your-distribution) in more detail. The distros on *this* page do all generally follow the guidelines we covered there, and all meet these standards:
@@ -20,6 +20,8 @@ Below are a few alternative operating systems that can be used on routers, Wi-Fi

 ## OpenWrt

+{{< title-card >}}
+
 **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All the components have been optimized for home routers.

 {{< cards >}}
@@ -27,10 +29,14 @@ Below are a few alternative operating systems that can be used on routers, Wi-Fi
  {{< card link="https://openwrt.org/docs/start" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported.

 ## OPNsense

+{{< title-card >}}
+
 **OPNsense** is an open-source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint.

 {{< cards >}}
@@ -38,6 +44,8 @@ You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to
  {{< card link="https://docs.opnsense.org/index.html" title="Documentation" icon="document-text" >}}
 {{< /cards >}}

+{{< /title-card >}}
+
 OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project.

 ## Criteria