Operational Security Guide

DEFEND YOUR DATA

Every person has a threat model. Whether you're protecting passwords from data breaches or your identity from state-level adversaries — there's a security stack for you.


Know Your Threat Model

Security is not one-size-fits-all. A threat model is a structured way of thinking about who might want your data, what they can do with it, and how capable they are of getting it.

A journalist in an authoritarian country faces radically different threats than someone trying to avoid ad-tracking. The tools and effort should match the risk — over-engineering creates friction that leads to abandonment; under-engineering leaves you exposed.

This guide presents five stacks, each building on the last. Start where you are. Move up when your threat model demands it.

Data Brokers
Companies that harvest, aggregate, and sell your personal information from public records, apps, and tracking pixels.

Phishing & Scammers
Opportunistic attackers using social engineering, fake emails, and malicious links to steal credentials or money.

Data Breaches
When services you use are compromised and your credentials or personal data are leaked onto the dark web.

ISP & Network
Your internet service provider can log every site you visit. Public Wi-Fi exposes traffic to anyone on the network.

Government
Law enforcement, intelligence agencies, or foreign governments who can compel platforms to hand over your data.

Targeted Attacks
Sophisticated adversaries — corporate spies, stalkers, nation-state actors — who focus resources specifically on you.

Choose Your Level

Each level builds on the one before it and includes all protections from the levels below it.

Level 1 of 5: Baseline Hygiene

Everyday user — Protection from common threats
Beginner
Who this is for: Anyone using the internet. This stack defends against the most common threats: data breaches, password theft, phishing, and ad-tracking. Estimated setup time: 2–4 hours.
Browser: Firefox or Brave
Privacy-respecting browsers with built-in tracker blocking. Avoid Chrome — Google harvests browsing data extensively.
Browser Extension: uBlock Origin
The gold-standard ad and tracker blocker. Uses filter lists to block malicious scripts and third-party surveillance.
Password Manager: Bitwarden
Free, open-source, end-to-end encrypted. Generates a unique strong password for every site so a breach at one site stays isolated.
Two-Factor Auth: Authenticator App (TOTP)
Use Aegis (Android) or Raivo (iOS). TOTP codes rotate every 30 seconds, so a password stolen in a breach is useless on its own, which blocks most credential-stuffing attacks.
Search Engine: DuckDuckGo or Startpage
No search-profile building. DuckDuckGo doesn't track queries; Startpage proxies Google results without the tracking.
DNS: 1.1.1.1 (Cloudflare) or NextDNS
Encrypted DNS-over-HTTPS stops your ISP from reading and logging your DNS queries (the IP addresses you connect to remain visible to it). NextDNS adds customisable blocking.

// Key Principles

  • Unique passwords everywhere. If one site is breached, attackers try the same password elsewhere.
  • Never use SMS for 2FA if you can avoid it — SIM-swapping is trivial for attackers.
  • Keep software updated. Most compromises exploit known, patched vulnerabilities.
  • Check haveibeenpwned.com to see if your email addresses appear in known breaches.
Level 2 of 5: VPN + Hardened Browser

Privacy-conscious user — Block ISP surveillance & fingerprinting
Intermediate
Who this is for: People concerned about ISP monitoring, public Wi-Fi eavesdropping, and browser fingerprinting. Adds a VPN layer and hardens the browser against advanced tracking. Includes everything from Level 1. Setup time: 3–6 hours.
VPN: Mullvad or ProtonVPN
Audited no-log VPNs. Mullvad accepts cash/crypto and requires no account email. A VPN encrypts traffic between you and the VPN server, hiding your IP from websites and your browsing habits from your ISP.
Browser: Firefox (Hardened Config)
Apply the arkenfox project's user.js. It disables WebRTC leaks, restricts canvas fingerprinting, tightens JavaScript restrictions, and spoofs common browser attributes.
Extension: Privacy Badger + Cookie AutoDelete
Privacy Badger automatically blocks trackers that follow you across sites. Cookie AutoDelete wipes cookies from closed tabs, reducing tracking persistence.
Email: ProtonMail or Tutanota
End-to-end encrypted email. Messages are encrypted at rest and in transit, and email content is not sold to advertisers.
Email Aliases: SimpleLogin or AnonAddy
Create a unique forwarding address for every service. When a site sells your address or is breached, you delete just that alias.
Phone: GrapheneOS (Pixel)
Hardened Android with sandboxed Google Play. Dramatically reduces the attack surface of your mobile device. Only install what you need.

// Key Principles

  • VPNs shift trust; they don't eliminate it. You're trusting the VPN provider instead of your ISP — choose one with independent audits.
  • Browser fingerprinting can track you even without cookies. Arkenfox reduces your uniqueness.
  • Compartmentalise browsing: use different browser profiles for work, social, and sensitive activity.
  • Check for WebRTC leaks at browserleaks.com — some VPNs expose your real IP through WebRTC.
Level 3 of 5: Encrypted Everything

Advanced user — Full encryption at rest & in transit
Advanced
Who this is for: Activists, professionals handling sensitive data, people in high-surveillance jurisdictions, or anyone who wants strong end-to-end encryption of all communications and storage. Includes everything from Levels 1–2. Setup time: 1–2 days.
Messaging: Signal
Signal Protocol encryption is the gold standard. Enable disappearing messages. Use Signal for all sensitive communications — it's audited, open-source, and collects minimal metadata.
Disk Encryption: VeraCrypt / FileVault / LUKS
Full-disk encryption means your data is unreadable without your passphrase — even if a device is physically seized. VeraCrypt supports hidden volumes for plausible deniability.
Cloud Storage: Cryptomator + Proton Drive
Cryptomator encrypts files client-side before they reach any cloud storage. Proton Drive stores files zero-knowledge, so the provider cannot read them. Never trust cloud providers with unencrypted sensitive data.
Hardware Key: YubiKey
Physical hardware security key for 2FA. Phishing-resistant FIDO2/WebAuthn. Even if someone has your password, they cannot log in without the physical key.
Network: Tor Browser (Selective Use)
Routes traffic through three encrypted hops. Use for sensitive research, anonymous access to sites, or whistleblowing. Slower than a VPN but far more anonymous.
OS: Qubes OS (Optional)
Compartmentalises activity into isolated virtual machines. A compromised "work" VM can't access your "personal" VM. Steep learning curve but extraordinary isolation.
# Show a contact's Signal safety number so you can compare it with them in person
# (+YOUR_NUMBER and +CONTACT_NUMBER are placeholders)
$ signal-cli -a +YOUR_NUMBER listIdentities -n +CONTACT_NUMBER
# Once compared, mark that safety number as verified
$ signal-cli -a +YOUR_NUMBER trust -v "SAFETY NUMBER" +CONTACT_NUMBER
# Create an encrypted container with VeraCrypt (--text runs the CLI without the GUI)
$ veracrypt --text --create /secure/vault.vc --size 2G --encryption AES --hash SHA-512

// Key Principles

  • Verify Signal safety numbers in person or via a separate channel — this is what defeats MITM attacks.
  • Encrypt before uploading to any cloud service, even "private" ones.
  • Separate identities: use different email accounts, devices, or VMs for different life areas.
  • A physical key is your backstop if a password leaks. Register a backup YubiKey and keep it in a secure, separate location.
Level 4 of 5: Anonymity Stack

High-risk user — Unlinkable identity & metadata scrubbing
Expert
Who this is for: Whistleblowers, dissidents in hostile states, investigative researchers, or anyone whose real identity must remain completely detached from their online activities. This stack focuses on unlinkability — ensuring actions cannot be tied back to your real identity. Includes everything from Levels 1–3. Setup time: several days to a week.
Operating System: Tails OS (Live USB)
Amnesic OS that runs from a USB stick. Leaves no trace on the host machine. All traffic is forced through Tor. Every session starts fresh with no persistent state.
Browser: Tor Browser (within Tails)
Bundled with Tails. Standardises the fingerprint across all users to prevent individual identification. Do not maximise the window — it reveals your screen resolution.
Connectivity: Public Wi-Fi + MAC Spoofing
Connect from locations not tied to your identity (cafes, libraries). Tails automatically randomises your MAC address. Never use home or work internet for sensitive operations.
Communications: Briar or OnionShare
Briar routes messages over Tor with no central server and works even without internet (Bluetooth/Wi-Fi mesh). OnionShare transfers files through ephemeral .onion addresses.
Payments: Monero (XMR)
Ring signatures and stealth addresses make Monero transactions unlinkable and untraceable. Bitcoin's blockchain is fully public — avoid it for sensitive financial privacy.
Metadata: MAT2 — Metadata Scrubber
Strips metadata from documents, images, and files before sharing. Photos contain GPS coordinates, device info, and timestamps. Documents embed author names, revision history, and more.
# Strip metadata before sharing any file
$ mat2 --inplace document.pdf image.jpg
# Share a file anonymously via OnionShare (prints an ephemeral .onion address to give your recipient)
$ onionshare-cli /path/to/file.pdf
# Verify MAC randomisation on Tails
$ ip link show | grep -A1 "link/ether"

// Key Principles

  • Never mix identities. Never log into personal accounts on the same session as sensitive work.
  • Traffic analysis is real. Even Tor can be partially defeated by timing attacks at the network level — use unpredictable times and locations.
  • Physical OPSEC matters. Don't discuss sensitive work near phones. CCTV is everywhere — consider appearance.
  • Tails leaves no trace, but the machine you boot from could have a keylogger. Use trusted hardware.
Level 5 of 5: Journalist Stack

Maximum threat model — Air-gapped, amnesic, physically isolated
Maximum
Who this is for: Investigative journalists, human rights lawyers, security researchers, or those under active surveillance by well-resourced nation-state actors. This stack assumes your adversary has the capability to compromise standard internet-connected machines. The core principle is physical separation between online and offline activity — the air gap. Setup time: weeks of planning and practice.
Offline Machine: Air-Gapped Computer
A dedicated computer that has never connected to the internet and never will. Wi-Fi and Bluetooth hardware physically removed or disabled in firmware. Used exclusively for writing, analysis, and storing sensitive source material.
Offline OS: Qubes OS on Air-Gap Machine
Qubes isolates every application in its own VM. Even if one app is compromised, it cannot reach other VMs. The air gap ensures no network exfiltration is possible regardless.
Data Transfer: One-Way USB Protocol
Data moves from the online to the offline machine via write-once optical media (CDs/DVDs) or carefully controlled USB — never in both directions on the same drive. Files are inspected and verified before crossing the gap.
Online Machine: Tails OS (Live USB)
The internet-facing machine runs Tails — amnesic, Tor-routed, never storing anything sensitive. Think of it as a contaminated environment: assume it is compromised and never put source material on it.
Secure Drop: SecureDrop
Open-source whistleblower submission system used by major news organisations. Sources submit documents and communicate via Tor .onion addresses with no account required.
Key Management: PGP on Air-Gap Machine
Private PGP keys never touch an internet-connected machine. Sign and decrypt on the air-gap machine; move only ciphertext across the gap. Publish public keys via keyservers.
Communications: Signal on Hardened Phone
GrapheneOS device with Signal, used only on trusted networks. Source communications happen via SecureDrop. Phone kept physically separate from sensitive discussions; battery removed when not in use if discussing classified material.
Physical Security: TSCM Sweep + Faraday Bag
Technical Surveillance Countermeasures for sensitive locations. Phones in Faraday bags during sensitive meetings. Assume any room with active electronics can be compromised.
# Air-gap workflow: verify the detached signature on the encrypted file received on Tails (online)
$ gpg --verify document.pdf.sig document.pdf.gpg
# Pack the ciphertext into an ISO image and write it to optical media for the air-gap transfer
$ genisoimage -o transfer.iso document.pdf.gpg
$ cdrecord -v speed=4 dev=/dev/cdrom transfer.iso
# On the air-gap machine: decrypt with the offline private key
$ gpg --decrypt document.pdf.gpg > document.pdf
# Verify the file hash matches what the source provided
$ sha256sum document.pdf

// The Air Gap Doctrine

  • The air gap is absolute. Any network connection — even "just once" — destroys the security model permanently.
  • Optical media only. USB drives can carry malware (BadUSB); burned optical media is read-only and cannot carry executable firmware attacks.
  • Assume the online machine is compromised. Never put anything sensitive on it. Its only job is receiving encrypted ciphertext.
  • Compartmentalise your sources. Each source should have a unique PGP key pair and communication channel so that compromise of one channel doesn't expose others.
  • Operational security is holistic. The weakest link is often human — social engineering, physical surveillance, or a compromised colleague.
  • Test your procedures. Run dry drills. The middle of a crisis is not the time to learn your setup doesn't work.
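The doctrine says only ciphertext crosses the gap and that files are inspected and verified first. Here is a small pre-transfer check of that kind, added as an illustration (not the guide's or any project's tooling): it refuses anything that does not start with an OpenPGP encrypted-message header or whose SHA-256 does not match the value the source supplied. The sample bytes are constructed, and the header test is a sanity check, not proof of encryption.

```python
import hashlib

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# An OpenPGP encrypted message begins with a Public-Key (tag 1) or Symmetric-Key (tag 3)
# Encrypted Session Key packet (RFC 4880 section 4.3). Signed-only or compressed data starts
# with other tags and is deliberately refused: only ciphertext may cross the gap.
ENCRYPTED_SESSION_KEY_TAGS = {1, 3}

def openpgp_first_tag(data: bytes):
    """Return the tag of the first binary OpenPGP packet, or None if the data is not OpenPGP."""
    if not data or not data[0] & 0x80:       # bit 7 is always set in a packet header
        return None
    first = data[0]
    if first & 0x40:                          # new-format header: tag in the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F                # old-format header: tag in bits 5..2

def looks_like_ciphertext(data: bytes) -> bool:
    """Header-level sanity check; `gpg --list-packets` is the authoritative inspection."""
    if data.lstrip().startswith(ARMOR_HEADER):   # ASCII-armoured message
        return True
    return openpgp_first_tag(data) in ENCRYPTED_SESSION_KEY_TAGS

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def gap_crossing_check(data: bytes, expected_sha256: str):
    """Decide whether a file may be written to optical media for the air-gapped machine."""
    if not looks_like_ciphertext(data):
        return False, "refused: not an OpenPGP encrypted message (plaintext must never cross the gap)"
    actual = sha256_hex(data)
    if actual != expected_sha256.strip().lower():
        return False, f"refused: SHA-256 {actual} does not match the value the source supplied"
    return True, "ok: ciphertext verified, safe to burn"

# Constructed samples: an old-format PKESK packet header followed by filler bytes,
# and a PDF-like plaintext standing in for a document that was already decrypted.
SAMPLE_CIPHERTEXT = bytes([0x85, 0x01, 0x0C, 0x03]) + bytes(range(16))
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% a decrypted document that must stay on the air-gapped side\n"

if __name__ == "__main__":
    print(gap_crossing_check(SAMPLE_CIPHERTEXT, sha256_hex(SAMPLE_CIPHERTEXT)))
    print(gap_crossing_check(SAMPLE_PLAINTEXT, sha256_hex(SAMPLE_PLAINTEXT)))
```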

Feature Comparison

Protection L1 Baseline L2 VPN L3 Encrypted L4 Anonymous L5 Journalist
Strong unique passwords
2-Factor Authentication
Ad & tracker blocking
ISP traffic hidden
IP address hidden ~ ~
End-to-end encrypted messaging
Encrypted storage at rest
Metadata-free file transfers
Unlinkable identity
Air-gapped offline machine
Amnesic OS (no trace)
Protection from physical seizure ~ ~

✓ Full protection  ·  ~ Partial protection  ·  ✗ Not covered

Your Security Checklist

Tick items off as you complete them. These are ordered by impact-to-effort ratio.