
Hardened Setup

last updated 2026-06-12 · weeks, then a practice · ~€15/mo + hardware

Maximum practical security for people with real threats. Who this is for: journalists protecting sources, activists, abuse survivors with a determined ex, researchers in hostile jurisdictions, anyone for whom a specific someone is part of the model. The friction here is real and daily. If you're here out of curiosity, read on; if you're here out of need, also seek advice specific to your situation: this page is a strong baseline, not a complete answer.

read this first: At this tier, habits beat tools. A perfect setup operated carelessly loses to a decent setup operated with discipline. The most common failure isn't cryptographic: it's reusing an identity across compartments, once. Prerequisites: beginner and standard, fully internalized.

the setup

GrapheneOS on a Pixel

phone
~€350+ hardware · ~3 h

The most hardened consumer OS, with Google optional and sandboxed. Why it's here: the phone is the sensor package in your pocket, and at this tier it has to be trustworthy, not just tidy.

  1. Buy a supported Pixel: in cash, in person, if purchase records are in your model.
  2. Install via the official web installer (grapheneos.org) from a computer you trust; verify the fingerprints it shows.
  3. Skip sandboxed Play if you can live on F-Droid + Aurora Store; install it in a separate profile if you can't.
  4. Set a strong unlock passphrase (not just biometrics), enable the duress PIN, and set auto-reboot (Settings → Security) so a seized phone returns to before-first-unlock encryption.
  5. Per-app: deny network to anything that doesn't need it; use storage scopes instead of full storage access.

Compartmentalized identities

method, not software
free · ongoing discipline · the actual hard part

Separate identities for separate contexts (activism, work, personal) with no shared emails, phone numbers, payment methods, usernames, or writing quirks across them. Why it's here: most deanonymization isn't broken crypto, it's one careless link between two lives.

  1. Write down your compartments and what belongs in each. On paper. Two is manageable; four is a part-time job, be honest.
  2. Each compartment gets its own email (separate provider accounts, not aliases of one), its own passwords, its own browser profile or device.
  3. Sensitive compartments get their own payment rail: cash, Monero, or prepaid cards bought with cash.
  4. Never cross the streams: no logging into compartment A from compartment B's browser, no shared profile photos, no same turns of phrase. One crossover can retroactively link years of history.

Qubes OS (or hardened Fedora)

desktop
free · capable hardware · a weekend

Qubes runs every task in its own disposable VM: compartmentalization enforced by architecture instead of willpower. Why it's here: it makes the identity separation above mechanical. If your hardware or patience won't carry Qubes, hardened Fedora is the honest fallback.

  1. Check the Qubes hardware compatibility list first: 16GB+ RAM, and it's picky. Install with full-disk encryption (default).
  2. Create one qube per compartment, color-coded; route the sensitive ones through the built-in Whonix/Tor qubes.
  3. Open every attachment and unknown link in a disposable VM: this habit alone retires the most common attack on people like you.
  4. Fedora fallback: FDE at install, automatic updates, Firefox or LibreWolf, separate user accounts per compartment, USBGuard for unknown devices.
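
Added example (not from this guide or from the Qubes project): a dom0 shell check that each sensitive compartment qube from step 2 is still routed through the Whonix gateway, suitable for re-running at the quarterly compartment audit. The qube names and the sample lines are constructed, and `sys-whonix` is assumed to be the gateway qube's name.

```shell
#!/bin/sh
# Added example. Qube names below are hypothetical; adjust to your compartments.
TOR_NETVM="sys-whonix"   # assumed name of the Whonix gateway qube

# Constructed sample in the "name|netvm" shape that
# `qvm-ls --raw-data --fields NAME,NETVM` prints in dom0.
SAMPLE='work|sys-firewall
activism|sys-whonix
sources|sys-firewall
vault|-'

# audit_netvm "qube1 qube2 ...": reads name|netvm lines on stdin, prints one
# finding per problem, and returns 0 only if every listed qube exists and
# uses $TOR_NETVM as its netvm.
audit_netvm() {
    wanted=" $1 "; seen=" "; bad=0
    while IFS='|' read -r name netvm; do
        # Ignore qubes that are not on the sensitive list.
        case "$wanted" in *" $name "*) ;; *) continue ;; esac
        seen="$seen$name "
        if [ "$netvm" != "$TOR_NETVM" ]; then
            echo "LEAK: $name uses netvm '$netvm', expected $TOR_NETVM"
            bad=1
        fi
    done
    # A renamed or deleted qube must not pass silently.
    for q in $1; do
        case "$seen" in *" $q "*) ;; *) echo "MISSING: $q"; bad=1 ;; esac
    done
    return "$bad"
}

# Demo on the constructed sample; in dom0, pipe the real qvm-ls output instead:
#   qvm-ls --raw-data --fields NAME,NETVM | audit_netvm "activism sources"
printf '%s\n' "$SAMPLE" | audit_netvm "activism sources" || true
```

A non-zero exit status means at least one sensitive qube would reach the network outside Tor or could not be found under its expected name.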

Tails on a USB stick

the sessions that can't exist
free + ~€10 stick · ~1 h

Boots on nearly any computer, routes everything through Tor, forgets everything at shutdown. Why it's here: for research, contact, or whistleblowing where the work must leave no trace on the machine, including a machine that isn't yours.

  1. Flash Tails to a quality USB stick following tails.net's verified instructions.
  2. Boot it once at home to learn the ropes before you need it under pressure.
  3. Add encrypted persistent storage only if you must keep state; amnesia is the feature.
  4. If sources contact you, learn SecureDrop/OnionShare on top, and test the workflow end-to-end with a friend first.

Anonymous-grade communications

messaging
free · ~1 h

Signal with hardened settings for daily life; SimpleX where even a phone number is too much identifier; Briar where servers or the internet itself can't be trusted. Why it's here: at this tier metadata (who, when, how often) is as sensitive as content.

  1. Signal: username sharing only, disappearing messages default (1 day), registration lock PIN on, "sealed sender from anyone" enabled, relay calls through Signal's servers.
  2. If the phone number itself is a risk, register Signal on a number that isn't yours (a burner or VoIP number set up inside the right compartment), or move that compartment to SimpleX, which has no user identifiers at all.
  3. Install Briar as the fallback channel with your closest contacts, agreed on before the day the internet gets weird.
  4. Email for anything sensitive: don't. If unavoidable, PGP between consenting adults who both know what they're doing, and still assume the metadata leaks.

Money & footprint hygiene

the unglamorous layer
varies · ongoing · boring, decisive

Payments and public records betray more than packets do. Why it's here: the adversaries this tier worries about subpoena databases and search people-finder sites; they rarely break TLS.

  1. Mullvad paid with cash by post (or Monero) inside the sensitive compartment; always-on, kill switch locked.
  2. Scrub people-search/data-broker sites, manually or via a removal service, and re-check quarterly; they regrow like weeds.
  3. Mail forwarding or a PO box so your street address stops appearing on shipping labels and registrations.
  4. Lock your credit file (or your country's equivalent): it's free and closes the identity-theft branch of the tree.
  5. Physical safety where your model calls for it: hardware keys on your person, devices never left unattended at borders, and a rehearsed answer for "unlock this, please."

after setup

Drill the failure modes. What happens if the phone is seized today? If the laptop is stolen? If a key is lost? Walk each scenario while calm, and the answers should be "annoying," never "catastrophic." Where one is catastrophic, that's the next thing to fix.

Schedule maintenance like it's rent. Monthly: updates everywhere, broker-site re-check, backup verification (restore one file: a backup you've never restored is a hope, not a backup). Quarterly: compartment audit (what leaked across? what got lazy?).

Common pitfall: the convenience relapse. Hardened setups erode one "just this once" at a time. When friction genuinely exceeds the threat, don't cheat silently: re-model and downgrade deliberately. An honest Standard beats a leaky Hardened.

You don't have to do this alone. Access Now's Digital Security Helpline, the EFF's Surveillance Self-Defense guides, and Freedom of the Press Foundation's training materials are free, current, and written by people who do this professionally. For intimate-partner threats, the Coalition Against Stalkerware lists vetted local resources.
