
Standard Setup

last updated 2026-06-12 · a weekend + slow migration · ~€10/mo

Balanced security and usability for someone who's done the basics and wants the structural changes too. Who this is for: you've decided that ad-tech holding your whole life is itself the problem, not just thieves and leaks. Costs about two coffees a month and one weekend of focus.

Prerequisite: this tier assumes the beginner setup is done: password manager in daily use, 2FA on critical accounts, Brave, Signal, encrypted DNS. If any of those are missing, do them first: they're the foundation this tier builds on.

the setup

Your own domain

foundation
~€10/yr · ~30 min · any reputable registrar

A domain you own means your email address is portable forever. Why it's here: it converts every later choice from a commitment into a preference; switch providers and nobody ever knows.

  1. Buy a boring domain at a reputable registrar (Porkbun, Namecheap, Gandi, ~€10/year). Nothing cute; you'll say it out loud at front desks for a decade.
  2. Turn on WHOIS privacy (usually free and default now).
  3. That's it for today: the next step connects it.

Proton Mail

email
~€4/mo · ~2 h + months of drift

Email a provider can't read, on an address you own. Why it's here: your inbox is the master key to everything else; it's the recovery address for every account you have. (Mailbox.org if you'd rather keep IMAP and any client.)

  1. Sign up for Mail Plus, add your domain (Settings → Domains), follow the DNS records it gives you.
  2. Create you@yourdomain as the primary address.
  3. Set Gmail to forward everything to it. Don't delete Gmail; let it become an empty hallway.
  4. Move the heavy hitters this weekend: banks, government, employer, and every account's recovery address. The long tail migrates itself as forwarded mail reveals it.

SimpleLogin aliases

email hygiene
included w/ Proton plans · ~30 min · unique address per signup

Every site gets its own address that forwards to your real one. Why it's here: leaks become traceable ("ah, the airline sold me") and revocable (kill the alias, spam ends). Your real address becomes something only humans know.

  1. SimpleLogin comes with Proton paid plans: log in with your Proton account.
  2. Install its browser extension; it offers an alias on every signup form.
  3. Rule going forward: humans get the real address, companies get an alias. Don't retrofit old accounts; migrate them when they email you.

YubiKey ×2

hardware 2fa
~€110 one-off · ~1 h

Phishing-proof login for the accounts that unlock the rest. Why it's here: app codes can be phished in real time, hardware keys can't. Two keys because one key is a lockout waiting to happen.

  1. Buy two YubiKey 5s (one USB-C/NFC for daily use, one for the drawer). Nitrokey if open firmware matters to you.
  2. Register both keys on: Proton, your password manager (1Password supports keys natively; Bitwarden needs premium, ~$10/yr), Google (while it exists), banking where supported.
  3. Where keys are registered, remove SMS as a fallback method.
  4. Backup key goes somewhere that isn't your bag. It only works if it exists when the primary doesn't.

Proton VPN

network
~€5/mo (less bundled) · ~20 min

Audited no-logs, fast, and it bundles with the Proton Mail plan you just bought at a meaningful discount; at this tier the suite deal is hard to beat. Why it's here: your ISP stops seeing where you go, and public Wi-Fi stops being a consideration at all. (Mullvad instead if anonymous payment matters more than ecosystem value.)

  1. Upgrade to Proton Unlimited (or add VPN Plus) from your existing Proton account, compare against paying separately; the bundle usually wins.
  2. Install the app on phone and computer, sign in.
  3. Turn on the kill switch and NetShield (Proton's DNS-level ad/tracker blocking).
  4. Set it to auto-connect on untrusted Wi-Fi at minimum; always-on if speeds hold up for you.

Filen + Syncthing

files
from ~€2/mo · free · ~1 h

Photos and sharing on a zero-knowledge E2EE cloud with proper clients on every OS, Linux included; working folders synced device-to-device with no cloud at all. Why it's here: "Google can read my files" stops being true, without losing sync. (On a Proton Unlimited bundle, Proton Drive covers the photo-backup half, unless you're on Linux, where it has no sync client.)

  1. Create a Filen account (10GB free covers the trial run) and turn on camera upload on your phone; let it run overnight.
  2. Install Syncthing on computer + phone, sync one folder (documents or notes) to feel the magic.
  3. Start the Google Takeout export now: it takes days to arrive, and the photos archive is the thing people regret not having.
  4. Keep one versioned backup outside the sync loop: an external drive plus restic/BorgBackup, monthly.
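The monthly external-drive backup in step 4, written out as a small restic job. This is an added example, not a script from the page or from the restic project; the repository path, password file and source folders are placeholders you replace with your own, and the retention numbers are one reasonable policy, not the only one. `DRY_RUN=1` prints the commands instead of executing them, so you can review the policy before the first run.

```shell
#!/bin/sh
# Added example: monthly restic backup of the working folders to an external
# drive, kept outside the Syncthing/Filen loop. REPO, PASSWORD_FILE and
# SOURCE_DIRS are assumed placeholders; change them to your own paths.
set -eu

REPO="${REPO:-/media/backup-drive/restic-repo}"                        # on the external drive
PASSWORD_FILE="${PASSWORD_FILE:-${HOME:-/tmp}/.config/restic/password}" # chmod 600; keep a copy in the password manager
SOURCE_DIRS="${SOURCE_DIRS:-${HOME:-/tmp}/Documents ${HOME:-/tmp}/Notes ${HOME:-/tmp}/Pictures}"

# Prefix shared by every restic call, so repo and password file are set once.
restic_base() {
  echo "restic -r $REPO --password-file $PASSWORD_FILE"
}

# DRY_RUN=1 prints each command instead of executing it, which lets you review
# the retention policy first (and lets the job be exercised without restic).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

run_backup() {
  if [ "${DRY_RUN:-0}" != "1" ] && ! command -v restic >/dev/null 2>&1; then
    echo "restic is not installed" >&2
    return 1
  fi
  # Initialise the repository the first time this drive is used.
  [ -d "$REPO" ] || run $(restic_base) init
  # Snapshot the working folders. --exclude-caches skips directories carrying a
  # CACHEDIR.TAG file. SOURCE_DIRS is deliberately unquoted so it splits into
  # separate paths (placeholder paths contain no spaces).
  run $(restic_base) backup --exclude-caches $SOURCE_DIRS
  # Retention: a week of dailies, a month of weeklies, a year of monthlies;
  # --prune actually reclaims the space of dropped snapshots.
  run $(restic_base) forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
  # Verify repository integrity now, so a silently failing drive is noticed
  # this month rather than on the day you need a restore.
  run $(restic_base) check
}

# Invoke as `sh backup.sh run` (or `DRY_RUN=1 sh backup.sh run` to preview).
if [ "${1:-}" = "run" ]; then run_backup; fi
```

Put the password file under the password manager's protection as well as on disk: a repository you cannot unlock is the same as no backup. The `check` step is what makes this a versioned backup rather than a hopeful one.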

AdGuard DNS (private)

dns upgrade
~$3/mo (or stay free) · ~30 min

The public resolver from the beginner tier, upgraded: a private config adds custom rules, per-device profiles, and analytics that show you what your devices whisper at 3am. Why it's here: network-level blocking for the gadgets a browser can't reach. (Skip if Proton VPN runs always-on: NetShield covers most of this; NextDNS if you want even deeper knobs.)

  1. Create a private config at adguard-dns.io; the default blocklist is sane, resist stacking five more.
  2. Set log retention to whatever your model likes, including zero.
  3. Apply it: Private DNS string on Android, profile on iOS, DoH on the desktop, router if you're brave.
  4. First week: when something breaks, check the query log and allowlist it. Takes seconds; teaches you what's actually noisy.
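Step 4 is easier with a little tooling once the log has a week of data in it. The script below is an added example, not part of the page or of AdGuard's software: it reads an exported query log and answers the two questions that matter at allowlist time, which domains each device hammers and how much of each device's traffic the blocklist is catching. The log lines are constructed for the example, and the four-column CSV shape (time, client, domain, status) is an assumption; a real export's columns need to be mapped onto those fields.

```python
"""Added example (not from the page or from AdGuard): triage an exported DNS
query log to find the noisy domains and the chatty devices before touching the
allowlist. SAMPLE_LOG is constructed; the CSV layout is an assumption."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: ".invalid" is the reserved TLD, so none of the tracker
# hosts here resolve anywhere. Real services the page names appear as-is.
SAMPLE_LOG = """\
time,client,domain,status
03:02:11,smart-tv,metrics.example-tv.invalid,blocked
03:02:12,smart-tv,metrics.example-tv.invalid,blocked
03:02:40,smart-tv,cdn.example-tv.invalid,allowed
03:05:03,phone,api.signal.org,allowed
03:05:04,phone,ads.example-tracker.invalid,blocked
03:07:55,printer,telemetry.example-printer.invalid,blocked
03:07:56,printer,telemetry.example-printer.invalid,blocked
03:07:57,printer,telemetry.example-printer.invalid,blocked
03:09:10,laptop,mail.proton.me,allowed
"""


def parse_log(text):
    """Yield (client, domain, status) from the CSV text, normalising the domain."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["client"], row["domain"].lower().rstrip("."), row["status"]


def noisy_domains(text, top=3):
    """Per device: its most-queried domains as (domain, total, blocked) tuples.

    A domain with a high total and zero blocked is something the blocklist let
    through; a domain with total == blocked and a high count is a device
    retrying a tracker it will never reach.
    """
    totals = defaultdict(Counter)
    blocked = defaultdict(Counter)
    for client, domain, status in parse_log(text):
        totals[client][domain] += 1
        if status == "blocked":
            blocked[client][domain] += 1
    return {
        client: [(d, n, blocked[client][d]) for d, n in counter.most_common(top)]
        for client, counter in totals.items()
    }


def chatty_devices(text):
    """Devices ranked by the share of their queries that were blocked."""
    total, blk = Counter(), Counter()
    for client, _, status in parse_log(text):
        total[client] += 1
        if status == "blocked":
            blk[client] += 1
    ranked = [(client, blk[client] / total[client]) for client in total]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for client, rows in noisy_domains(SAMPLE_LOG).items():
        print(client)
        for domain, n, b in rows:
            print(f"  {domain:45s} queries={n} blocked={b}")
    print("blocked share per device:")
    for client, share in chatty_devices(SAMPLE_LOG):
        print(f"  {client:10s} {share:.0%}")
```

When something breaks, the entry to allowlist is usually the one with a high total, blocked every time, on the device that just stopped working; the per-device view keeps a chatty printer from drowning out the phone you are actually debugging.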

after setup

The email migration is a season, not a step. Three months of forwarded mail will surface accounts you forgot existed. Each one: log in, change address (or alias it), move on. The day forwarding goes quiet is the day you've actually left.

Don't delete the Google account. Empty it, secure it with a key, and keep it: old recovery paths, the odd service that demands it, and YouTube comments you forgot about all live there. An account you control is safer than one recycled.

Common pitfall: alias sprawl without notes. Name each alias after the service in SimpleLogin's note field as you create it, or in six months you'll be scared to delete any of them.

Going further: if your threat model includes a specific someone, or you want your phone itself out of the ecosystem, the hardened setup is next. For most people, though, this tier is the destination. Maintain it and live your life.
