RunByCoffee

@runbycoffee

IT guy with an interest in security, privacy, OSINT, dreams, and coffee.


My Privacy and Security Tools

In my quest for privacy and security, I've made use of a great many different tools. It seemed wise to document these for others, to save time and provide options that may not have been considered before.

  • 2 Factor Auth - YubiKey has been my staple for 2FA for a long time now. Initially I started off using it just for TOTP, but have progressed to FIDO2 as services have supported it. Additionally, my Yubi is compatible with many of the services I list below (including BitWarden, GNU Pass, dm-crypt, etc.). I now use my YubiKey for GPG as well, as it holds my private keys (which were generated and stored offline), for doors at work (thanks to RFID), and for any operations on my phone via NFC.
  • Signing Security, Identity Management, Email/File Encryption - I also use the YubiKey, as mentioned above, for holding my GPG keys. I generated these on an offline PC and moved the secret keys over to the YubiKey. Now I use those keys for git code signing, file encryption, etc., as the keys are secured to the highest level possible whilst still remaining usable (i.e. signing everything on the offline PC would likely be the only more secure option than this; however, having a device whose secure element is write-only, so keys can be loaded but never read back, is secure enough for my risk profile). This works well with OpenKeychain for encryption and decryption on the mobile, and ties in with the standard Linux GPG utilities via the SmartCard service.
  • Password Manager - BitWarden. I'd considered and tried a few different password managers, including LastPass in the past and 1Password more recently. I was never particularly pleased with LastPass from either a functionality or a security perspective, but 1Password did rate highly in my tests. However, the ability to self-host BitWarden, as well as support for most of the features I loved about 1Password (notes, family accounts, icons), drove me to BitWarden (and I haven't looked back). I also previously used GNU Pass with git for a good many years; however, I wanted just a little more "functionality" with a similar level of security. By self-hosting, the only downside is symmetric vs. asymmetric keys - i.e. one password/key unlocks the lot, vs. GNU Pass where every item is individually decrypted; this is an acceptable risk for my risk profile.
  • Encryption - dm-crypt with cryptsetup for Linux, VeraCrypt for Windows. Whilst I'm predominantly running on Linux, I do occasionally need to access encrypted space on Windows. I used to use TrueCrypt for this, and did stick on the known-good 7.1a version for a time; however, since VeraCrypt completed an audit, and some time has passed, I have switched over to them. I'd love for dm-crypt to support requiring both a password and a keyfile, instead of just one or the other. However, the ability to use the YubiKey with my Full Disk Encryption (via the mkinitcpio-ykfde project) has been a positive. Shoutout to the Tomb wrapper script here as well.
  • Git - Gitea. I've found self-hosting my Git server the most effective way to keep my code private and secured (in the sense of being able to guarantee it's backed up effectively and consistently). I did previously utilise GitLab; however, for a more personal service, I decided on Gitea (much lighter on resources) after having also tried Gogs.
  • Backups - restic and duplicacy. I used restic for a long time, and there's a lot I like about it; however, I recently moved to duplicacy, and will be sticking with it. Restic does a lot right - the ability to mount your backups locally and browse them as a FUSE filesystem, the ability to take backups of whatever file you want on-the-fly just by specifying it, etc. However, it's just not quite fast enough for my liking - duplicacy performs far quicker (especially on subsequent backups), as well as properly supporting multiple machines to a single repo, and compression (which restic doesn't yet support). I have also tried duplicati, borg, duplicity, bup, obnam, and rdiff-backup. I use minio for local file storage, and Backblaze B2 for a low-cost cloud storage destination.
  • VPN and Firewall - NordVPN and pfSense Community. I have a pfSense firewall at the edge of my network (on a dedicated box) which I use for protecting all of my devices. I push all my traffic out through NordVPN, and also have the mobile client for when I'm out and about. I've found Nord to be the most affordable, with one of the better privacy policies out there, and great performance (and selection of servers). pfSense is configured with a "kill switch" so that if the VPN service goes down, no traffic escapes my network unencrypted. I used to use Private Internet Access as well, but settled on Nord as they had a few more supported protocols at the time.
  • Chat - Signal and Wire. I've used and appreciated both of these. I like the fact that Wire doesn't require a phone number, and is therefore slightly more private; however, I find the Signal client to be much better designed (and easier to get friends and family on board with, which was important to me in order to make this actually feasible). For public group chats, I like what the Matrix protocol offers, but the default Synapse server's memory usage was too high, so I settled on Mattermost Community Edition for chat rooms (private, but not end-to-end encrypted).
  • Contacts, Calendars, and Tasks - EteSync. Massive shout out to the work EteSync have done here: a drop-in replacement for your Google Account (or similar), syncs seamlessly, has a change journal (so you can revert any mistakes), and supports vCard 4.0. Highly recommended. It can be self-hosted, but I use the hosted version to support the project devs. I use my phone's built-in Calendar and Contacts apps with this, but use OpenTasks for the Task support.
  • Notes - StandardNotes. Simple, private, and secure note-taking app. Free for basic use, but the Extended plan offers many features worth paying for. I've opted for the 5 year plan (again, a project worth supporting), and use it extensively.
  • Mail - ProtonMail, Mailcow, and Tutanota. I use (and have used) each of these at various times for various reasons. I would highly recommend them all, especially ProtonMail and Tutanota if their encryption and privacy manifestos are to be believed. Mailcow is a plus if you want self-hosted mail; it makes it incredibly easy.
  • CryptoCurrency - Monero and Ledger. Monero has been one of the most private cryptocurrencies I've come across, and the Ledger is a great device for securely storing your private keys. I use both extensively.
  • Operating System - Arch Linux. I've opted for Linux over Windows or Mac, due to the level of control you get over your privacy. I used to use Ubuntu, but opted for a "rolling release" distribution. I've not noticed any of the oft-touted issues of updates breaking things; in fact, it's been more stable for me than Ubuntu ever was. Additionally, the package structure makes sense to me, which has enabled me to contribute to the AUR ecosystem in ways I never would have with Ubuntu's equivalents. Would strongly recommend.
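The dm-crypt item above wishes for a "password and keyfile" requirement, which LUKS key slots don't offer natively: a slot is unlocked by a passphrase or by a keyfile, not both. The usual workaround is to derive a single key from both factors and feed that to cryptsetup. The script below is an added example of that derivation, not part of this post's setup nor of the cryptsetup project; it assumes cryptsetup's convention that `--key-file=-` reads the key from stdin, and all sample values (passphrase, keyfile bytes, salt) are constructed for the demonstration. Either factor on its own produces a different (useless) key, which is the property the post is asking for.

```python
import hashlib
import hmac
import sys

# Constructed sample inputs for the demonstration only; not real secrets.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_KEYFILE = bytes(range(32))           # stands in for the contents of a keyfile
SAMPLE_SALT = b"luks-combined-key-salt-v1"  # per-volume salt; need not be secret


def derive_combined_key(passphrase: str, keyfile: bytes, salt: bytes,
                        length: int = 64) -> bytes:
    """Bind a passphrase and a keyfile into one key suitable for a LUKS slot.

    1. Stretch the passphrase with scrypt (memory-hard), so an attacker
       holding only the keyfile still faces an expensive passphrase search.
    2. Use the keyfile contents as the HMAC key over the stretched
       passphrase, so an attacker holding only the passphrase still lacks
       the keyfile's entropy.
    3. Expand the result to `length` bytes with an HKDF-Expand style
       counter loop so it can fill a whole key slot.
    """
    if not passphrase:
        raise ValueError("passphrase is required")
    if not keyfile:
        raise ValueError("keyfile contents are required")
    if not 0 < length <= 255 * 64:
        raise ValueError("length must be between 1 and 255 * 64 bytes")
    stretched = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                               n=2 ** 14, r=8, p=1, dklen=64)
    prk = hmac.new(keyfile, stretched, hashlib.sha512).digest()
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + salt + bytes([counter]),
                         hashlib.sha512).digest()
        out += block
        counter += 1
    return out[:length]


def main(argv=None):
    """Usage: python3 combined_key.py /path/to/keyfile | cryptsetup open --key-file=- /dev/sdX name"""
    import getpass
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        sys.stderr.write(main.__doc__ + "\n")
        return 2
    with open(argv[0], "rb") as fh:
        keyfile = fh.read()
    passphrase = getpass.getpass("LUKS passphrase: ")
    key = derive_combined_key(passphrase, keyfile, SAMPLE_SALT)
    # Raw key bytes on stdout, for cryptsetup's --key-file=- (stdin).
    sys.stdout.buffer.write(key)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The same pipeline works at `cryptsetup luksFormat --key-file=- /dev/sdX` time, so the slot only ever contains the combined key. The salt is fixed per volume and has to be kept somewhere recoverable (it is not secret), and the scrypt cost parameters are a deliberate choice: LUKS2's own Argon2 is applied on top when the slot is unlocked, so this step mainly exists to make the passphrase half resist offline guessing if the keyfile leaks.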

I'll update this list as I add new tools (or remember ones that I've forgotten to add in here). Please feel free to contact me (perhaps via the Guestbook) if you've got any suggestions!

