I’ve delayed making the transition to a fully “secure” set up until upgrading my PC and moving to a Linux distro from windows. now that that is happening and my parts are in the mail, what does the Lemmy community recommend for my personal network data to remain as eyes free as possible from potential hostile gov & non gov entities?
For context, I have 2 years of Ubuntu experience on a non daily driver laptop, recently acquired a CCNA, and have a deeply seated hatred & paranoia of being spied on. I have many hours of security content bookmarked, but am curious to hear the Lemming communities recommendations. I am currently studying for my AWS cloud practitioner cert, then Linux+, then my CCNP.
TLDR me Lemmy 🤣
Oh boy. First off, unless you’re a high profile activist, a high profile government agent, or a high profile hacker, your threat model isn’t really targeted to you specifically. For a regular person, you usually just want to try to keep some amount of privacy on the internet and not be the lowest hanging fruit for bots and scripts.
Any of the big name Linux distros will all be fine, Ubuntu, Debian, fedora, Linux mint, etc, etc. With exception of arch, its fine, but make sure you’re in a position to update regularly, and possibly deal with some breakage and fixing after an update with arch. (don’t use it for server)
Anyway, these are the things I do, if you’d like to take inspiration:
I use LUKS for full disk encryption on my laptop. Not because of paranoia about the government, but because its nice to know if you’re in a cafe working and someone steals your laptop while you get up to go to the restroom or something, your data is safe from prying eyes.
I use an opnsense firewall for my network, for flexibility and control over my devices and connections.
I use an openWRT WiFi router,again for flexibility and control over my WiFi connections.
I use a Firefox based browser, (firefox, fennec, ice raven, etc) its hardened enough I’m sure there’s some crazy hardened version of chrome or whatever, but for the safety of the web, I like supporting a browser that’s not chrome, there’s really only 3 big players and one of them is Google, they alllmost have a monopoly on the web. All the other browsers are using Chrome’s rendering engine except Firefox and I think safari.
Use Ublock Origin firefox or chrome extension for ad blocking
For a phone, I’d probably use a pixel device that supports grapheneOS, but right now i’m just using LineageOS, again in use Firefox for android with ublock origin extension.
For passwords, I use keepassxc, and sync it across my devices with syncthing
Oh, and don’t use google for your search engine.
Have you used graphene os? I like the idea but I’m kind of afraid of bricking my phone and also I’m not entirely sure how I’m supposed to move over 2 factor auth entication stuff properly when I (probably?) need to wipe my phone to install graphene.
I haven’t, I use my phone as a medical device, so I haven’t taken the grapheneOS plunge yet as I’m not sure if the medical app would work. Yes, you’d have to wipe your phone to install GrapheneOS. For authenticator, if the app you used doesn’t allow exporting them, you have to disable 2 factor on all services and websites that use the authenticator 2 factor codes, switch to the new phone and new app, and re-enable on all services to get the new authenticate code. Pretty shitty, that some authenticator apps don’t give you a way to export (I don’t think the google app allows you to, correct?)
I never really thought to check if there is some way to export but I suppose that will be the way I’ll go about this. Thanks for your input :)
Graphene is awesome, super easy to install with their web tool.
For 2FA if you’re still using G00gle’s there is no way to export to try and keep you locked in. Go ahead and start switching all your stuff over to Aegis now (my recommendation, or another that’s on fdroid and allows exports) and then you literally just export the file to your secure backup (I use filen) and then import on your new graphene install. Super easy. This allows you to keep manual backups as you please as well.
luckily I’m not using google but all this sounds very promising. I might try it out this weekend!
LUKS for sure. If you’re really paranoid and want some extra protection, look into something with Coreboot. You can go wild with it’s configurables.