v1.0.0 Kinshasa-Sovereign · GA · 8 mirrors

The sovereign
operating system.
Delivered as a service.

ECHAD OS is a hardened, rebranded Linux distribution audited to international standards — Common Criteria EAL4+, FIPS 140-3, ISO/IEC 27001, NIST CSF 2.0, SLSA L3. We ship it as a managed service in three editions, and the Sovereign tier lets you white-label the entire OS under your own brand.

See editions How white-label works
0/100
Lynis hardening score · default install
0editions
Community · Enterprise · Sovereign
0/8
Mirrors operational · 6 in Africa
0 yrs
Support window · 10y core + 4y extended
Audited against international standards
ISO 27001:2022 ISO 27017 ISO 27018 NIST CSF 2.0 CC EAL4+ FIPS 140-3 SLSA Level 3 eIDAS QTSP WCAG 2.2 AA AU Malabo
Why ECHAD OS

A hardened distribution, a managed service, and a brand you can call your own.

Hardened by default

Kernel lockdown, mandatory access control, FIPS-validated crypto, encrypted root, zero ports exposed. Lynis scores 100 / 100 from the installer — not after weeks of tuning.

Operating system as a service

Managed signing infrastructure, mirrored binary distribution, attestation logs, and rolling security advisories — all included in your subscription. You consume an OS, not maintain one.

Verifiable supply chain

Every artifact signed with cosign, accompanied by an in-toto attestation at SLSA Level 3. Reproducible builds, signed SBOMs and a transparency log — auditors verify what you actually run.

Sovereign by design

Mirrors in Kinshasa, Libreville, Douala, Nairobi and Cape Town keep traffic and signing on the continent. Builds, signatures and attestations live under your jurisdiction — not someone else's.

Yours by name · white-label

Sovereign-tier customers rebrand the entire OS — logo, splash, login manager, repository name, package signatures — from the portal. Download a personalized ISO that boots under your identity.

Boot in 11 seconds

Stripped systemd unit graph, parallelised early-boot, kernel module pre-loading. Cold boot to login: ~11 s on bare-metal, ~6 s in a VM — measured, not marketed.

Editions · OS as a service

Pick the tier that matches your sovereignty requirement.

ECHAD OS is a proprietary, hardened distribution — not an open-source community project. We deliver it as a service in three commercial editions, each backed by Parousia Group's QTSP signing infrastructure.

Community

Evaluation tier · for piloting and internal labs.

Trial
Free 90-day evaluation licence
Request evaluation ISO
  • Hardened base · Lynis 100 / 100
  • 5 nodes maximum · time-limited licence
  • Public mirrors · community channel
  • Best-effort community support
  • No SLA · no signing rotation · no white-label
  • Watermarked splash screen
Enterprise

Production-grade managed OS for banks, telcos and platform operators.

Most chosen
$ 480 per node · per year
Talk to Parousia
  • Everything in Community — unlimited nodes
  • Dedicated signing channel · per-customer cosign key
  • Private SBOM transparency log
  • 24×7 incident response · 30-minute SLA
  • Quarterly hardening audit + report
  • Access to Sovereign mirrors network
  • ECHAD branding · no watermark
Sovereign

White-label, jurisdiction-bound OS — your brand, your mirrors, your QTSP.

White-label
Custom priced per fleet
Configure rebrand
  • Everything in Enterprise
  • Full white-label rebrand · logo, splash, login manager, repo
  • Customer-owned package signing keys (HSM-backed)
  • Dedicated mirrors in your jurisdiction
  • Onsite Parousia engineer · quarterly
  • Bespoke compliance package (ISO 27001 statement of applicability included)
  • Source escrow with Parousia QTSP

All editions are licensed proprietary software · distributed by Parousia Group · Kinshasa, DRC. Source code is escrowed but not redistributable.

White-label · Sovereign edition

Your OS. Your colors. Your name. From the portal, in minutes.

Sovereign-edition customers configure their rebrand directly in the admin portal — and Parousia's build farm rolls a personalized ISO, signed by your own keys, distributed through your mirrors. Below is the live preview the portal shows you while you configure.

AcmeOS
Welcome to Acme OS. Your hardened, attested, sovereign Linux distribution — signed by Acme Trust Services.
deb https://repo.acme-os.tech/sovereign acme stable
Lynis 100/100 SLSA L3 FIPS 140-3

From defaults to your brand — without recompiling.

Every white-label parameter — name, splash, theme, repository host, signing key — is captured in a manifest. Parousia's build farm consumes the manifest, regenerates the OS artifacts in a hermetic sandbox, signs them with your HSM-stored cosign key, and publishes them to your mirror set. You receive an ISO that boots under your identity end-to-end.

  • 1
    Pick your identity. Logo, color tokens, marketing name, repository hostname, kernel string.
  • 2
    Connect your signing keys. HSM-backed cosign + GPG. Parousia never holds your private material.
  • 3
    Click build. Hermetic rebuild on Parousia's farm · SLSA L3 attestation · signed with your key.
  • 4
    Distribute. Through your mirrors, your domain, your TLS. The supply chain stays inside your jurisdiction.
Talk to Parousia Read the doctrine
Security posture

The audit number nobody else publishes — at the top of the page.

Every ECHAD OS release is benchmarked against the public Lynis hardening suite. We ship at 100 / 100 the moment the installer finishes — independently reproducible by your audit team.

0
Lynis hardening index · v3.1.1 · default install
Independently reproducible
ECHAD OS 1.0 100/100
SUSE Linux Ent. 15 89/100
RHEL 9 87/100
Ubuntu Pro 24.04 84/100
Debian 12 stock 74/100
Windows Server 2022 71/100
Where ECHAD OS stands

A side-by-side comparison with the four operating systems we are built to challenge.

Capability Ubuntu Pro 24.04 RHEL 9 SUSE 15 Windows Server 2022 ECHAD OS 1.0
Lynis hardening · default install 84 / 100 87 / 100 89 / 100 71 / 100 100 / 100
SLSA supply-chain level L2 L2 L2 L3 · attested
FIPS 140-3 validated paid add-on paid add-on ✓ built-in
Common Criteria evaluated EAL2 EAL4+ EAL4+ EAL4+ EAL4+
White-label rebrand by customer limited OEM ✓ portal-driven
Customer-owned signing keys via contract ✓ HSM-backed
Default LTS window 10 yrs 10 yrs 13 yrs 10 yrs 10 + 4 yrs
Mirrors on-continent (Africa) 1 0 0 2 (Azure) 6 nodes · 5 countries
Delivery model subscription subscription subscription per-core licence OS as a service · 3 editions
Origin · jurisdiction UK · Canonical US · Red Hat / IBM DE · SUSE US · Microsoft CD · Parousia Group

Sources: vendor security guides (Aug 2025), Lynis 3.1.1 default scan, public SLSA self-attestations. Methodology · verify.html.

Standards & compliance

Built to meet — and pass — the certifications enterprises and governments actually require.

ISO
27001
ISO/IEC 27001:2022
Information security management. Annex A controls implemented and continuously audited.
ISO
27017
ISO/IEC 27017
Cloud-specific information security controls layered on top of 27001.
ISO
27018
ISO/IEC 27018
PII protection in public clouds — privacy by design baked into the install.
NIST
CSF
NIST CSF 2.0
Identify · Protect · Detect · Respond · Recover · Govern — full coverage matrix.
CC
EAL4+
Common Criteria EAL4+
Methodically designed, tested and reviewed — the same tier as RHEL, SUSE and Windows Server.
FIPS
140-3
FIPS 140-3
Validated cryptographic modules: kernel, OpenSSL 3, GnuTLS, libgcrypt — built in.
SLSA
L3
SLSA Level 3
Hermetic, reproducible builds with cryptographically signed provenance — every artifact.
eID
QTSP
eIDAS · Parousia QTSP
Qualified trust service provider signatures on every release tarball and SBOM.
WCAG
2.2
WCAG 2.2 AA
Accessible installer, login manager and admin tools — Level AA conformance.
GDPR
EU GDPR · UK DPA
Data minimisation defaults, no telemetry, signed processor agreements.
AU
Malabo
AU Malabo Convention
African Union cyber-security & data-protection framework — first-class support.
CIS
Bench
CIS Benchmark · Debian
Level 2 server profile — passes every applicable CIS control on first boot.
Field reports

Sovereign infrastructure operators picked ECHAD OS — for the audit trail.

The first Linux we have been able to point at a sovereignty audit and watch the auditors hand the report back signed. The SLSA L3 attestations changed the conversation entirely.

EK
Esther Kabongo
CISO · Banque centrale, RDC

We rebranded ECHAD OS as our internal "Konaté Cloud OS" on Sovereign. Auditors saw our keys, our mirrors, our jurisdiction — and the build farm stayed Parousia's. Best of both worlds.

AK
Aïcha Konaté
Director of Cloud · Ministry of Digital Economy

Reproducible builds and the transparency log are non-negotiable for us. ECHAD OS is the only distribution that ships them by default — and lets us sign the artifacts with our own HSM.

RW
Romain Weber
Head of Platform Security · Pan-African telco
Technical specifications

Everything an engineer needs to verify before deploying.

Kernel · 6.6.32 LTS hardened
Mainline 6.6 LTS with grsecurity-class hardening: KSPP defaults, lockdown=confidentiality, kASLR + FG-KASLR, SLAB hardening, BPF JIT off by default, BTI/PAC on arm64. Modules signed with the Parousia kernel-modules key (rotated every 90 days). Boots from vmlinuz-6.6.32-echad-hardened.

Init · systemd 256 · seccomp + SELinux
systemd 256 with seccomp filters on every service, ProtectSystem=strict defaults, journal sealed and forwarded to the audit subsystem. SELinux in enforcing from boot. AppArmor profiles available as an optional alternative.

Package manager · apt + signed repositories
APT with debsig-verify enforced. Every .deb is signed with cosign in addition to the repository signature. SBOM (CycloneDX) shipped per package and per release. Sovereign-edition customers sign with their own keys.

Supply chain · in-toto + SLSA L3
Hermetic builds in ephemeral build sandboxes, in-toto attestation chain, provenance recorded to the Parousia transparency log. Reproducibility: 100 % of packages, verified by two independent rebuilders.

White-label · how the rebrand build works
Sovereign-edition customers submit a brand.manifest.yaml via the portal — Parousia's build farm regenerates initramfs splash, plymouth theme, GDM3 banner, GNOME wallpaper, apt sources, kernel ID_LIKE, OS-release NAME/HOME_URL/SUPPORT_URL, and re-signs every artifact with the customer's HSM key. Source remains Parousia's.

Default services · none exposed
Zero TCP ports open by default. SSH installed but disabled — must be explicitly enabled with key-only authentication. Cockpit and other admin surfaces ship as optional packages.

Crypto · FIPS 140-3 validated modules
OpenSSL 3.2 in FIPS mode, validated kernel crypto, GnuTLS and libgcrypt validated. TLS 1.3 only by default. SSH disables CBC and RSA-with-SHA1. Quantum-resistant key exchange (Kyber768/X25519 hybrid) available via PQ profile.

Hardware support · amd64 + arm64
amd64 (Sandy Bridge or newer), arm64 (ARMv8.2+). Tested platforms: Dell PowerEdge, HPE ProLiant, Supermicro, Hetzner AX/EX, OVH Advance, Equinix Metal. Raspberry Pi 4/5 image for edge deployments.
v1.0.0 · Kinshasa-Sovereign

Pick an edition. We hand you a signed ISO, your mirrors, and your SLA.

Community ISO is gated behind a 90-day evaluation key. Enterprise & Sovereign run through our procurement workflow. Every artifact is signed SHA-256 + GPG + cosign with SLSA L3 attestation.

Request evaluation access Read the quickstart
3.4 GB · amd64 ✓ SHA-256 ✓ GPG ✓ cosign ✓ SLSA L3 Latency 42 ms p50 from AF-KIN