July 22, 2019
In my quest for privacy and security, I've made use of a great many different tools. It seemed wise to document these for others, to save time and provide options that may not have been considered before.
- 2-Factor Auth - YubiKey has been my staple for 2FA for a long time now. Initially I started off using it just for TOTP, but have progressed to FIDO2 as services have supported it. Additionally, my Yubi is compatible with many of the services I list below (including BitWarden, GNU Pass, dm-crypt, etc.). I now use my YubiKey for GPG also, as it holds my private keys (which were generated and stored offline), and for doors at work (thanks to RFID), as well as for any operations on my phone via NFC.
- Signing Security, Identity Management, Email/File Encryption - I also use the YubiKey, as mentioned above, for holding my GPG keys. I generated these on an offline PC, and moved the secret keys over to the YubiKey. Now I use those keys for git code signing, file encryption, etc., as the keys are secured to the highest possible level whilst still remaining functional (i.e. signing everything on the offline PC would likely be the only more secure option than this; however, having a device whose secure element is write-only is secure enough for my risk profile). This works well with OpenKeychain for encryption and decryption on mobile, and ties in with the standard Linux GPG utilities via the smartcard service.
- Password Manager - 1Password. I'd considered and tried a few different password managers, including LastPass in the past, and BitWarden most recently. I was never particularly pleased with LastPass from either a functionality or a security perspective, but 1Password did rate highly in my tests: their security whitepaper and design were fantastic, and covered all of my use cases/threat models. Additionally, the integration with all systems I've tried it on has been fantastic. For a long time, I used self-hosted BitWarden, which had most of the same features as 1Password (not all of them, but most). I self-hosted using bitwarden-rs, and that still comes with my recommendation. I also previously used GNU Pass with git for a good many years; however, I wanted just a little more "functionality" with a similar level of security (and versus self-hosting, the only downside is symmetric vs. asymmetric keys, i.e. one password/key unlocks the lot, vs. GNU Pass where every item is individually decrypted; this is an acceptable risk for my risk profile).
- Encryption - dm-crypt with cryptsetup for Linux, VeraCrypt for Windows. Whilst I'm predominantly running Linux, I do occasionally need to access encrypted space on Windows. I used to use TrueCrypt for this, and did stick on the known-good 7.1a version for a time; however, since VeraCrypt completed an audit, and some time has passed, I have switched over to it. I'd love for dm-crypt to support requiring both a password and a keyfile, instead of just one or the other. However, the ability to use the YubiKey with my full disk encryption (via the mkinitcpio-ykfde project) has been a positive. Shoutout to the Tomb wrapper script here as well.
- Git - Gitea. I've found self-hosting my Git server the most effective way to keep my code private and secured (in the sense of being able to guarantee it's backed up effectively and consistently). I did previously utilise GitLab; however, for a more personal service, I decided on Gitea (much lighter on resources) after having also tried Gogs.
- Backups - restic and borg. I used restic for a long time, and there's a lot I like about it; however, I recently moved to borg, and will be sticking with it. Restic does a lot right: the ability to mount your backups locally and browse them as a FUSE filesystem, the ability to take backups of whatever file you want on the fly just by specifying it, etc. However, it was a little shaky in the long term with multiple iterations of backups. Honourable mention to duplicacy, which performs far quicker (especially on subsequent backups), as well as properly supporting multiple machines to a single repo, and compression (which restic doesn't yet support). I have also tried duplicati, duplicity, bup, obnam, and rdiff-backup. I use minio for local file storage, and Backblaze B2 for a low-cost cloud storage destination, as well as rsync.net and BorgBase.
- VPN and Firewall - Mullvad and pfSense Community. I have a pfSense firewall at the edge of my network (on a dedicated box), which I use for protecting all of my devices. I push all my traffic out through Mullvad, and also have the mobile client for when I'm out and about. I've found Mullvad to be the fastest, and one of the most affordable, with anonymous sign-up and a great selection of servers. pfSense is configured with a "kill switch" so that if my service goes down, no traffic escapes my network. I used to use NordVPN as well, but settled on Mullvad due to the privacy aspect, cryptocurrency payment options, and WireGuard support.
- Chat - Signal and Wire. I've used and appreciated both of these. I like the fact that Wire doesn't require a phone number, and is therefore slightly more private; however, I find the Signal client to be much better designed (and easier to get friends and family on board with, which was important to me in order to make this actually feasible). For public group chats, I was using Keybase: end-to-end encrypted, and a great all-round platform for file storage and sharing, but it was recently bought out by Zoom. Time will tell if I maintain this or not.
- Contacts, Calendars, and Tasks - EteSync. Massive shout out to the work EteSync have done here: a drop-in replacement for your Google Account (or similar), it syncs seamlessly, has a change journal (so you can revert any mistakes), and supports vCard 4.0. Highly recommended. It can be self-hosted, but I use the hosted version to support the project devs. I use my phone's built-in Calendar and Contacts apps with this, but use OpenTasks for task support.
- Notes - Standard Notes (link is a referral link). Simple, private, and secure note-taking app. Free for the basic tier, but the extended plan offers many features worth paying for. I've opted for the 5-year plan (again, a project worth supporting), and use it extensively.
- Mail - ProtonMail, Mailcow, and Tutanota. I use (and have used) each of these at various times for various reasons. I would highly recommend them all, especially ProtonMail and Tutanota if their encryption and privacy manifestos are to be believed. Mailcow is a plus if you want self-hosted; it makes it incredibly easy. I opt for either MailMate or mutt depending on which system I'm on.
- Cryptocurrency - Monero and Ledger. Monero has been one of the most private cryptocurrencies I've come across, and the Ledger is a great device for securely storing your private keys. I use both extensively.
- Operating System - Arch Linux. I've opted for Linux over Windows or Mac, due to the level of control you get over your privacy. I used to use Ubuntu, but opted for a "rolling release" distribution. I've not noticed any of the oft-touted issues of updates breaking things; in fact, it's been more stable for me than Ubuntu ever was. Additionally, the package structure makes sense to me, which has enabled me to contribute to the AUR ecosystem in ways I never would have with Ubuntu's equivalents. Would strongly recommend.
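The offline-generation and git-signing half of the GPG/YubiKey workflow in the signing item above, as an added shell example (not the author's own script): it creates a signing key in a throwaway GNUPGHOME the way you would on an air-gapped PC, exports the public half, then signs a git commit with the key and checks git's signature status. It assumes GnuPG 2.1+ and git are installed; the user ID and email are constructed placeholders; the final transfer onto the YubiKey (`gpg --edit-key <fpr>` then `keytocard`) is interactive and needs the card, so it is only noted in the comments.

```shell
#!/bin/sh
# Added example, not the blog author's script. Offline half of the
# "generate on an air-gapped PC, move to the YubiKey, sign with it" flow:
# an Ed25519 signing key is created in a throwaway GNUPGHOME, its public
# half exported, and a git commit signed and verified with it.
# Assumes GnuPG 2.1+ and git are on PATH. The user ID is a constructed
# placeholder. The real workflow's last step, `gpg --edit-key <fpr>` then
# `keytocard` (and `gpg --card-status` on the everyday machine), is
# interactive and needs the card, so it is not run here.
set -eu

SIGNER_UID="Example Signer <signer@example.invalid>"   # constructed placeholder

# Isolated GnuPG home with a short path (the agent socket path has a
# length limit). Loopback pinentry so nothing pops up a dialog.
setup_gnupghome() {
  GNUPGHOME=$(mktemp -d /tmp/gpg.XXXXXX)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
  printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
}

# Generate a sign-only Ed25519 key without a passphrase (on a real offline
# PC you would set one) and print the primary key fingerprint.
generate_signing_key() {
  gpg --batch --quiet --passphrase '' \
      --quick-generate-key "$SIGNER_UID" ed25519 sign never 2>/dev/null
  gpg --batch --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the public key; this is what leaves the offline PC and gets
# imported on the machines that verify your commits.
export_public_key() {   # $1 = fingerprint, $2 = output path
  gpg --batch --armor --export "$1" > "$2"
  test -s "$2"
}

# Sign one commit in a fresh repo and print git's signature status letter
# for HEAD (%G? prints G for a good signature, N for unsigned).
signed_commit_status() {   # $1 = fingerprint
  repo=$(mktemp -d /tmp/repo.XXXXXX)
  git -C "$repo" init -q 2>/dev/null
  git -C "$repo" config user.name "Example Signer"
  git -C "$repo" config user.email "signer@example.invalid"
  git -C "$repo" config user.signingkey "$1"
  git -C "$repo" config commit.gpgsign true      # sign every commit by default
  git -C "$repo" commit -q --allow-empty -m "signed with offline-generated key"
  git -C "$repo" verify-commit HEAD 2>/dev/null  # non-zero exit on a bad signature
  status=$(git -C "$repo" log -1 --format=%G?)
  rm -rf "$repo"
  printf '%s\n' "$status"
}

# Whole flow; prints only the status letter so callers can check it.
demo() {
  setup_gnupghome
  trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
  fpr=$(generate_signing_key)
  export_public_key "$fpr" "$GNUPGHOME/signer.pub.asc"
  signed_commit_status "$fpr"
}

for tool in gpg git; do
  command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; exit 0; }
done
status=$(demo)
echo "HEAD signature status: $status (G = good signature)"
```

Once the key is on the card, the same `user.signingkey` and `commit.gpgsign` settings keep working on the everyday machine: gpg finds the private key stub pointing at the YubiKey via scdaemon and asks for the card PIN instead of a passphrase.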
I'll update this list as I add new tools (or remember ones that I've forgotten to add in here). Please feel free to contact me (perhaps via the Guestbook) if you've got any suggestions!